Example site? Password protected?

General Discussion

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 1:06 pm

Checked with firefox and chrome - I don't have IE to test with, but I'd imagine it's down to cipher suite support/ssl protocol support for IE if that's the case.

You should be able to add support for IE by adding "SSLv3" and "MEDIUM" to ssl_protocols and ssl_ciphers, though we would recommend just ditching IE altogether.
Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 2:40 pm

Here is a config that will work with IE as well (tested with IE 11 in Windows 7)

Code:
server {
   listen 80;
   return 301 https://$host$request_uri;
}

server {
    error_page 502 /502.html;

    listen 443 ssl;
    server_name alarmdecoder-demo;

    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;

    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#    ssl_ciphers HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 4k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    location / {
        try_files $uri @alarmdecoder;
    }

    location @alarmdecoder {
        proxy_pass http://127.0.0.1:5000;
        include uwsgi_params;
        uwsgi_param UWSGI_SCHEME $scheme;
        uwsgi_param SERVER_SOFTWARE nginx/$nginx_version;

        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X_FORWARDED_PROTO https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        # Rewrite backend redirects to the public HTTPS name; must match server_name above
        proxy_redirect http://localhost:5000 https://alarmdecoder-demo;
    }

    location /502.html {
        root /opt/alarmdecoder-webapp/ad2web/static;
    }

    location ~ \.(jpg|jpeg|png|css|js)$ {
        root /opt/alarmdecoder-webapp/ad2web;
    }
}

Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am

Re: Example site? Password protected?

Postby Gordon » Mon Apr 13, 2015 2:44 pm

OK I think I found my error.. I had made a back-up copy of the config file in the same directory, sites-enabled, instead of putting it in sites-available (or anywhere else!).. so nginx was no doubt reading both config files. Deleting (or moving instead, no doubt) the back-up file helped and it also stopped the “nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored” error message.

On my LAN, alarmdecoder / nginx is on 192.168.1.98

https://192.168.1.98/keypad/ works fine on Chrome

however

https://192.168.1.98 resolves to http://alarmdecoder-demo/keypad/ and fails (Error code: ERR_NAME_NOT_RESOLVED)

I can live with that; however, I feel like it is a serviceable configuration but still has issues well beyond my knowledge level of nginx.

On IE, https://192.168.1.98/keypad/ resolves to http://alarmdecoder-demo/login?next=%2Fkeypad%2F and fails (still using the first config file you suggested). Can test the new config file if you like but I am good with the suggestion to ditch IE.. which I never use unless testing.
Gordon
newt
Posts: 17
Joined: Fri Nov 28, 2014 3:02 pm

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 2:54 pm

The alarmdecoder-demo errors are due to the fact that in my example I had provided a name of alarmdecoder-demo as well as a redirect to alarmdecoder-demo - you would want to replace those values with what it should really be - if you haven't changed your hostname etc, it would just be 'alarmdecoder' and not 'alarmdecoder-demo' - also, with regard to the IE stuff, please see my config from above - verified to work in IE11 for Windows 7.

So change "server_name alarmdecoder-demo;" to "server_name alarmdecoder;" and in the "proxy_redirect" make sure that is also not 'demo' - and you should be good to go.
Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am

Re: Example site? Password protected?

Postby Maxburn » Mon Apr 13, 2015 3:51 pm

Seems we aren't agreeing where to store the keys or what to name them, I followed the instructions earlier in the thread and wound up with keys with different names in a different folder than what that last config file is using.

Thanks for clarifying that necessary name change, I was working through the same problem as you were posting it.
Maxburn
Senior Nut
Posts: 55
Joined: Sat Feb 28, 2015 4:57 pm

Re: Example site? Password protected?

Postby Gordon » Mon Apr 13, 2015 4:07 pm

@ Kevin.. Oh now I am seeing how some of this works. I still had a problem with DNS lookup (there is none, I go by IP). The RasPi has its host name set to alarmdecoder but my Windows laptop does not know that, so changing the variables you suggested as alarmdecoder to the IP seems to work fine. If it does not, I will fix the host name lookup. THANKS

@ maxburn .. Yes the SSL key/cert file names and paths are not consistent in this thread. I saw that when I pasted the code and got an error on nginx reload... but of course you can use whatever names and paths you wish.
Gordon
newt
Posts: 17
Joined: Fri Nov 28, 2014 3:02 pm

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 4:38 pm

Ya, sorry about inconsistency with the paths in my example(s) - that's what happens when you're testing on the fly changes :) You can literally use whatever you want there though as long as it's a path to a valid key and certificate.

With regard to DNS lookup on Windows, if you download Bonjour for Windows, it will pick up the name properly as the Avahi daemon will broadcast! This only applies to Windows; Linux and OS X seem to work with this out of the box. :)
Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am

Re: Example site? Password protected?

Postby Maxburn » Mon Apr 13, 2015 4:57 pm

In my case I am using a public DNS name and it appears to work fine this way. I have my router set to forward 80 and 443 to the ad2pi internally so it will upgrade http to https on the fly which was a nice touch. The SSL certificate warns that the names don't match but I'll work on that later.

Inside my home network I'm no longer able to get to the device via local IP but that's not a big deal as the public address works.

I think I'm still using the default device name, not sure what benefit it would be to change that. Unless it's linked to my problem with the SSL certificate names not matching.
Maxburn
Senior Nut
Posts: 55
Joined: Sat Feb 28, 2015 4:57 pm

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 5:03 pm

Your SSL certificate would need to match the FQDN you are using, if you are using https://myalarm.example.com then you would want your cert's common name to be myalarm.example.com when setting up the cert/CSR if using a purchased SSL certificate. In which case you would also want the CA cert to be added to the config. You would also want to update the "server_name" and "proxy_redirect" items in the config to match the FQDN.

In a default case, for a FQDN you would use https://alarmdecoder and common name of alarmdecoder to avoid this mismatch while leaving the config entries defaulted as 'alarmdecoder' in the server_name and proxy_redirect fields.
Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am
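
Added example (not part of the thread or any poster's code): one way to create a self-signed certificate whose names match what clients type, and to check the match before reloading nginx. The hostname alarmdecoder and the address 192.168.1.98 are the values mentioned in the thread; the function names and the scratch directory are assumptions, and OpenSSL 1.1.1 or later is assumed for -addext.

```shell
#!/bin/sh
# Added example: generate a certificate valid for a hostname and an IPv4
# address, then verify which names it actually covers.
set -eu

# make_cert NAME IP OUTDIR
# Writes OUTDIR/cert.key and OUTDIR/cert.crt. Browsers match on the
# subjectAltName entries, so the name is set there as well as in the CN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1,IP:$2" \
        -keyout "$3/cert.key" -out "$3/cert.crt" 2>/dev/null
    chmod 600 "$3/cert.key"    # private key readable by its owner only
}

# cert_matches CERT TARGET
# Succeeds only if CERT is valid for TARGET (a hostname or an IPv4 address).
cert_matches() {
    case "$2" in
        *[!0-9.]*) flag=-checkhost ;;   # anything but digits and dots: hostname
        *)         flag=-checkip ;;     # digits and dots only: IPv4 literal
    esac
    result=$(openssl x509 -in "$1" -noout "$flag" "$2") || true
    case "$result" in
        *"does match"*) return 0 ;;
        *)              return 1 ;;     # "does NOT match" or unreadable cert
    esac
}

# Demo in a scratch directory, using the names from the thread.
demo_dir=$(mktemp -d)
make_cert alarmdecoder 192.168.1.98 "$demo_dir"
for target in alarmdecoder 192.168.1.98 alarmdecoder-demo; do
    if cert_matches "$demo_dir/cert.crt" "$target"; then
        echo "$target: certificate matches"
    else
        echo "$target: MISMATCH (browser will warn)"
    fi
done
rm -rf "$demo_dir"
```

The same cert_matches check can be pointed at the file named in ssl_certificate, with the value of server_name as the target, to catch a mismatch before clients see a warning.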

Re: Example site? Password protected?

Postby Gordon » Tue Apr 14, 2015 1:41 pm

Well I still can’t get this to work from outside my LAN.. but seeing how it seems to be a problem with MY network configuration I am going to bail on it for now and revert to the original config except use a “hidden” port for minimal security. Bonjour for Windows is something I would like to avoid if possible but when / if I have time I will try again. Thanks for the help.. I’m on the right track even if I don’t make it to the finish line.

BTW, a quick and dirty way to end the css file errors in nginx error log:
Code:
touch /opt/alarmdecoder-webapp/ad2web/static/css/user_custom.css

In addition, I added the “notice” log level option to the error logging in /var/log/nginx/error.log to increase verbosity:
Code:
error_log /var/log/nginx/error.log notice;
Even at this log level, I see no errors other than the “missing” css file error.
Gordon
newt
Posts: 17
Joined: Fri Nov 28, 2014 3:02 pm
