@scottalanmiller said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
Start with netstat. Is nginx listening?
netstat -tulpn
Edited for accuracy
I have a running nginx reverse proxy that I'm trying to use to manage the ssl certificates for a tomcat server.
I installed nginx and it works with http traffic. I then tried to generate a self-signed ssl cert.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
I created a strong Diffie-Hellman group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Here is my nginx server block
server {
    listen 443;
    server_name tomcat.domain.com;
    access_log /var/log/nginx/tomcat-access.log;
    error_log /var/log/nginx/tomcat-error.log;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.1.205:8080;
    }
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
server {
    client_max_body_size 40M;
    server_name tomcat.skynetli.com;
    listen 80;
    # rewrite ^ https://$server_name$request_uri? permanent;
}
Tomcat server.xml:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
The result is "Can't connect securely to this page"
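An added example (editor's code, not from the thread) that lints nginx server blocks for two TLS-termination slips common in this kind of setup: a 'listen 443' without the 'ssl' parameter, which makes nginx answer plain HTTP on port 443 so a browser starting a TLS handshake fails, and proxying to Tomcat without an X-Forwarded-Proto header. The sample config is an abbreviated copy of the server blocks in the post.

```python
import re

def server_blocks(text):
    """Return one flat list of (name, args) per server block, with directives
    from nested location blocks included; comments are dropped first."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    servers, words, depth, open_at = [], [], 0, None
    for tok in tokens:
        if tok == "{":
            if open_at is None and words[:1] == ["server"]:
                open_at = depth
                servers.append([])
            depth += 1
            words = []
        elif tok == "}":
            depth -= 1
            if depth == open_at:
                open_at = None
        elif tok == ";":
            if open_at is not None and words:
                servers[-1].append((words[0], words[1:]))
            words = []
        else:
            words.append(tok)
    return servers

def lint(text):
    """Map each server_name to the TLS-termination findings for its block."""
    out = {}
    for d in server_blocks(text):
        name = next((a[0] for n, a in d if n == "server_name"), "<unnamed>")
        findings = []
        wants_tls = any(n == "ssl_certificate" for n, _ in d)
        for n, a in d:
            # 'listen 443;' without the ssl parameter makes nginx answer plain
            # HTTP on 443, so a browser that starts a TLS handshake gets an error.
            if n == "listen" and wants_tls and a and a[0].rsplit(":", 1)[-1] == "443" and "ssl" not in a:
                findings.append("listen 443 lacks the 'ssl' parameter")
        hdrs = {a[0].lower() for n, a in d if n == "proxy_set_header" and a}
        if any(n == "proxy_pass" for n, _ in d) and "x-forwarded-proto" not in hdrs:
            findings.append("proxy_pass without X-Forwarded-Proto header")
        out[name] = findings
    return out

# Constructed sample: the two server blocks from the post, abbreviated.
SAMPLE = """server { listen 443; server_name tomcat.domain.com;
    location / { proxy_pass http://192.168.1.205:8080; }
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; }
server { listen 80; server_name tomcat.skynetli.com; }"""
```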
https://www.instagram.com/tv/CEDBcJuA2JB/?igshid=awlz0i67myqf
Watch this guy apologize for hitting a grand slam
@jmoore said in What Are You Doing Right Now:
@wirestyle22 Ouch. It will get better, I hope!
only one direction it can go
So I helped my mother-in-law move today. This is a real thing that happened:
Pam: Hi I'm Pam. This is Ian and this is Laura. You can call us PIL (pronounced Pill)
<Ian and Laura die inside>
Movers: uh....ok
Mover #1: Hi I'm Andy
Pam: Hi Andy. I'm Pam. This is Ian and this is Laura.
Mover #2: Hi I'm Brian
Pam: Hi Brian. I'm Pam. This is Ian and this is Laura
8 hours of this behavior today. 8.
I am completely fucking dead inside. Going into a Zzzquil catatonic state that I hope I never wake up from. Hope your weekend is better than mine boys
looking through the configuration for why this is still not functioning correctly
show firewall
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
    default-action drop
    description "WAN to internal"
    rule 10 {
        action accept
        description "Allow HTTPS to NGINX"
        destination {
            address 192.168.1.204
            port 443
        }
        log disable
        protocol tcp
        state {
            established disable
            invalid disable
            new enable
            related disable
        }
    }
    rule 20 {
        action accept
        description "Allow established/related"
        log disable
        protocol all
        state {
            established enable
            related enable
        }
    }
    rule 30 {
        action drop
        description "Drop invalid state"
        log disable
        protocol all
        state {
            invalid enable
        }
    }
}
name WAN_LOCAL {
    default-action drop
    description "WAN to router"
    rule 30 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 40 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
    rule 50 {
        action accept
        description "Inbound Traffic to WEB GUI"
        destination {
            port 8443
        }
        log disable
        protocol tcp_udp
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
show service nat
rule 20 {
    description "Inbound HTTPS to NGINX"
    destination {
        address public.ip
        port 443
    }
    inbound-interface eth0
    inside-address {
        address 192.168.1.204
        port 443
    }
    log disable
    protocol tcp
    type destination
}
rule 1000 {
    description "NGINX Hairpin"
    destination {
        address public.ip
        port 443
    }
    inbound-interface eth1
    inside-address {
        address 192.168.1.100
        port 443
    }
    log disable
    protocol tcp
    type destination
}
rule 5000 {
    description "maquerade for WAN"
    log disable
    outbound-interface eth0
    protocol all
    type masquerade
}
rule 5011 {
    description "NGINX Hairpin"
    destination {
        address 192.168.1.204
        port 443
    }
    log disable
    outbound-interface eth1
    protocol tcp
    source {
        address 192.168.1.0/24
    }
    type masquerade
}
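An added example (editor's code, not from the thread) that parses the 'show service nat' output above and checks the hairpin rules for internal consistency: the LAN-side destination rule should forward to the same inside address as the WAN rule for the same public address and port, and the LAN masquerade should target that inside address. The interface roles (eth0 WAN, eth1 LAN) are read off the dump; the sample is an abbreviated copy of it.

```python
import re

def parse_edgeos(text):
    """Parse EdgeOS brace output into nested dicts keyed by header text ('rule 20',
    'destination'). Assumes headers of one or two words and 'key value' leaves."""
    toks = re.findall(r'"[^"]*"|[{}]|\S+', text)
    root, stack, i = {}, [], 0
    node = root
    while i < len(toks):
        width = 1 if toks[i + 1:i + 2] == ["{"] else 2 if toks[i + 2:i + 3] == ["{"] else 0
        if toks[i] == "}":
            node, i = stack.pop(), i + 1
        elif width:
            child = {}
            node[" ".join(toks[i:i + width])] = child
            stack.append(node)
            node, i = child, i + width + 1
        else:
            node[toks[i]] = toks[i + 1].strip('"')
            i += 2
    return root

def check_hairpin(nat, wan_if, lan_if):
    """Flag LAN-side (hairpin) destination rules that forward somewhere other than
    the WAN rule for the same public address:port, or that lack a LAN masquerade."""
    rules = [(k.split()[1], v) for k, v in nat.items() if k.startswith("rule ")]
    dnat = [(n, r) for n, r in rules if r.get("type") == "destination"]
    snat = [r for _, r in rules if r.get("type") == "masquerade"]
    problems = []
    for n, r in dnat:
        if r.get("inbound-interface") != lan_if:
            continue
        dest, inside = r.get("destination"), r.get("inside-address", {})
        wan = next((w.get("inside-address") for _, w in dnat
                    if w.get("inbound-interface") == wan_if and w.get("destination") == dest), None)
        if wan != inside:
            problems.append(f"rule {n}: hairpin forwards to {inside.get('address')}, "
                            f"WAN rule forwards to {wan and wan.get('address')}")
        if not any(s.get("outbound-interface") == lan_if and
                   s.get("destination", {}).get("address") == inside.get("address") for s in snat):
            problems.append(f"rule {n}: no masquerade on {lan_if} toward {inside.get('address')}")
    return problems

# Constructed sample: abbreviated from the 'show service nat' output above.
SAMPLE = """rule 20 { description "Inbound HTTPS to NGINX" destination { address public.ip port 443 }
    inbound-interface eth0 inside-address { address 192.168.1.204 port 443 } protocol tcp type destination }
rule 1000 { description "NGINX Hairpin" destination { address public.ip port 443 }
    inbound-interface eth1 inside-address { address 192.168.1.100 port 443 } protocol tcp type destination }
rule 5011 { description "NGINX Hairpin" destination { address 192.168.1.204 port 443 }
    outbound-interface eth1 protocol tcp source { address 192.168.1.0/24 } type masquerade }"""
```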
@brandon220 Laura's family never cut the umbilical cord
mother in law is moving into a new house. she used to be an hour+ away from us. now she is 20 minutes away.
/wrists
@JaredBusch said in Hairpin NAT Issue:
@wirestyle22 said in Hairpin NAT Issue:
ran into this
commit [ firewall name WAN_IN ] Firewall config error: 'action' must be defined
You don't have a default firewall named WAN IN with an action already set up.
If you used different names, then you need to adjust.
Thanks, found it. It was one of the rules not having an action, not the name.
ran into this
commit
[ firewall name WAN_IN ]
Firewall config error: 'action' must be defined
@marcinozga said in NAS for Plex use... Again:
@wirestyle22 said in NAS for Plex use... Again:
@brandon220 said in NAS for Plex use... Again:
@DustinB3403 My wife ripped all the DVD and Blu-Ray discs. It is pretty much her "project". I just maintain it. I believe we have about 460 movies or so. I ripped all my music to flac files and have it on there as well. Works great for my needs.
Even if you buy the media, the act of breaking the DRM is illegal, so there doesn't seem to be any legitimate way to do it outside of non-DRM content. Netflix, Disney+, Hulu, Crunchyroll, etc. are really not a replacement for Plex. I deleted my Plex server when we moved into the house and moved over to streaming services. It feels very limiting. I also hate having to search for content in multiple applications. If someone developed a website that shows you a single pane for all of your streaming services, I bet a lot of people would use it.
I only mentioned paid streaming services as an alternative to usenet. If you have to pay to pirate media, you might just spend that money on legit services.
There's an AppleTV and iOS app, WatchAid TV Show Planner, that tracks your TV shows and links directly to streaming services. Not perfect and not a complete solution, as it doesn't support movies, but it's a start.
Yeah, I just recently made the transition. Just letting people know my experience.
I'm not going to post the logs due to client identity for friends of mine that use it, but the packets are never reaching the nginx proxy. Router looks okay, but I will be checking my switch when I have a free minute.
@scottalanmiller said in Hairpin NAT Issue:
Check your web logs, is your web server seeing traffic from the hairpin?
@scottalanmiller said in Hairpin NAT Issue:
Turn on Rule Stats, plz.