    Posts
    • RE: Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate

      @scottalanmiller said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:

      Start with netstat. Is nginx listening?

      netstat -tulpn
      

      Edited for accuracy

      posted in IT Discussion
      wirestyle22
    • Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate

      I have a running nginx reverse proxy that I'm trying to use to manage the ssl certificates for a tomcat server.

      I installed nginx and it works with http traffic. I then tried to generate a self-signed ssl cert.

      sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

      I created a strong Diffie-Hellman group
      sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

      Here is my nginx server block

      server {
          listen 443;
          server_name tomcat.domain.com;
          access_log /var/log/nginx/tomcat-access.log;
          error_log /var/log/nginx/tomcat-error.log;

          location / {
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_pass http://192.168.1.205:8080;
          }

          ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
          ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
          ssl_dhparam /etc/ssl/certs/dhparam.pem;
      }

      server {
          client_max_body_size 40M;
          server_name tomcat.skynetli.com;
          listen 80;
      #    rewrite        ^ https://$server_name$request_uri? permanent;
      }
      

      tomcat server.xml

      <Connector port="8080" protocol="HTTP/1.1"
                     connectionTimeout="20000"
                     redirectPort="8443" />
      

      The result is "Can't connect securely to this page"

      posted in IT Discussion nginx tomcat
      wirestyle22
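
Added example, not part of the original post or thread: the server block in the post above uses `listen 443;` without the `ssl` parameter, so nginx speaks plain HTTP on port 443 and a browser's TLS handshake fails, which matches the "Can't connect securely" result. A corrected form that reuses the post's paths and upstream follows; the `ssl_protocols` line, the `Host` and `X-Forwarded-Proto` headers and the port-80 redirect are assumptions added here.

```nginx
# Before (as posted): the port is opened, but TLS is never enabled on it.
#   listen 443;

server {
    listen 443 ssl;                        # 'ssl' makes nginx terminate TLS on this socket
    server_name tomcat.domain.com;         # name as given in the post
    access_log /var/log/nginx/tomcat-access.log;
    error_log  /var/log/nginx/tomcat-error.log;

    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;   # assumption: not in the post; TLSv1.3 needs nginx 1.13+

    location / {
        proxy_set_header Host $host;                  # assumption: pass the requested name upstream
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # assumption: only useful if Tomcat is set up to read it
        proxy_pass http://192.168.1.205:8080;         # Tomcat HTTP connector from the post
    }
}

server {
    listen 80;
    server_name tomcat.skynetli.com;       # name as given in the post's port-80 block
    client_max_body_size 40M;
    # Assumption: replaces the commented-out rewrite with a redirect to HTTPS.
    return 301 https://$host$request_uri;
}
```

After editing, `nginx -t` validates the syntax before a reload, and `openssl s_client -connect tomcat.domain.com:443` shows whether the self-signed certificate is actually being presented on the port.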
    • RE: What are you listening to? What would you recommend?

      Youtube Video

      posted in Water Closet
      wirestyle22
    • RE: What are you listening to? What would you recommend?

      Youtube Video

      posted in Water Closet
      wirestyle22
    • RE: Non-IT News Thread

      https://www.instagram.com/tv/CEDBcJuA2JB/?igshid=awlz0i67myqf

      Watch this guy apologize for hitting a grand slam

      posted in Water Closet
      wirestyle22
    • RE: What Are You Doing Right Now

      @jmoore said in What Are You Doing Right Now:

      @wirestyle22 Ouch. It will get better, I hope!

      only one direction it can go

      posted in Water Closet
      wirestyle22
    • RE: What Are You Doing Right Now

      So I helped my mother-in-law move today. This is a real thing that happened:

      Pam: Hi I'm Pam. This is Ian and this is Laura. You can call us PIL (pronounced Pill)

      <Ian and Laura die inside>

      Movers: uh....ok

      Mover #1: Hi I'm Andy

      Pam: Hi Andy. I'm Pam. This is Ian and this is Laura.

      Mover #2: Hi I'm Brian

      Pam: Hi Brian. I'm Pam. This is Ian and this is Laura

      8 hours of this behavior today. 8.

      I am completely fucking dead inside. Going into a Zzzquil catatonic state that I hope I never wake up from. Hope your weekend is better than mine boys

      posted in Water Closet
      wirestyle22
    • RE: Hairpin NAT Issue

      looking through the configuration for why this is still not functioning correctly

      posted in IT Discussion
      wirestyle22
    • RE: Hairpin NAT Issue

      show firewall

       all-ping enable
       broadcast-ping disable
       ipv6-receive-redirects disable
       ipv6-src-route disable
       ip-src-route disable
       log-martians enable
       name WAN_IN {
           default-action drop
           description "WAN to internal"
           rule 10 {
               action accept
               description "Allow HTTPS to NGINX"
               destination {
                   address 192.168.1.204
                   port 443
               }
               log disable
               protocol tcp
               state {
                   established disable
                   invalid disable
                   new enable
                   related disable
               }
           }
           rule 20 {
               action accept
               description "Allow established/related"
               log disable
               protocol all
               state {
                   established enable
                   related enable
               }
           }
           rule 30 {
               action drop
               description "Drop invalid state"
               log disable
               protocol all
               state {
                   invalid enable
               }
           }
       }
       name WAN_LOCAL {
           default-action drop
           description "WAN to router"
           rule 30 {
               action accept
               description "Allow established/related"
               state {
                   established enable
                   related enable
               }
           }
           rule 40 {
               action drop
               description "Drop invalid state"
               state {
                   invalid enable
               }
           }
           rule 50 {
               action accept
               description "Inbound Traffic to WEB GUI"
               destination {
                   port 8443
               }
               log disable
               protocol tcp_udp
           }
       }
       receive-redirects disable
       send-redirects enable
       source-validation disable
       syn-cookies enable
      
      posted in IT Discussion
      wirestyle22
    • RE: Hairpin NAT Issue

      show service nat

       rule 20 {
           description "Inbound HTTPS to NGINX"
           destination {
               address public.ip
               port 443
           }
           inbound-interface eth0
           inside-address {
               address 192.168.1.204
               port 443
           }
           log disable
           protocol tcp
           type destination
       }
       rule 1000 {
           description "NGINX Hairpin"
           destination {
               address public.ip
               port 443
           }
           inbound-interface eth1
           inside-address {
               address 192.168.1.100
               port 443
           }
           log disable
           protocol tcp
           type destination
       }
       rule 5000 {
           description "maquerade for WAN"
           log disable
           outbound-interface eth0
           protocol all
           type masquerade
       }
       rule 5011 {
           description "NGINX Hairpin"
           destination {
               address 192.168.1.204
               port 443
           }
           log disable
           outbound-interface eth1
           protocol tcp
           source {
               address 192.168.1.0/24
           }
           type masquerade
       }
      
      posted in IT Discussion
      wirestyle22
    • RE: What Are You Doing Right Now

      @brandon220 Laura's family never cut the umbilical cord

      posted in Water Closet
      wirestyle22
    • RE: What Are You Doing Right Now

      mother in law is moving into a new house. she used to be an hour+ away from us. now she is 20 minutes away.

      /wrists

      posted in Water Closet
      wirestyle22
    • RE: Hairpin NAT Issue

      @JaredBusch said in Hairpin NAT Issue:

      @wirestyle22 said in Hairpin NAT Issue:

      ran into this

      commit
      [ firewall name WAN_IN ]
      Firewall config error: 'action' must be defined
      

      You don't have a default firewall named WAN IN with an action already set up.

      If you used different names, then you need to adjust.

      thanks found it. it was one of the rules not having an action not the name

      posted in IT Discussion
      wirestyle22
    • RE: Hairpin NAT Issue

      ran into this

      commit
      [ firewall name WAN_IN ]
      Firewall config error: 'action' must be defined
      
      posted in IT Discussion
      wirestyle22
    • RE: NAS for Plex use... Again

      @marcinozga said in NAS for Plex use... Again:

      @wirestyle22 said in NAS for Plex use... Again:

      @brandon220 said in NAS for Plex use... Again:

      @DustinB3403 My wife ripped all the DVD and Blu-Ray discs. It is pretty much her "project". I just maintain it. I believe we have about 460 movies or so. I ripped all my music to flac files and have it on there as well. Works great for my needs.

      Even if you buy the media the act of breaking the DRM is illegal, so there doesn't seem to be any legitimate way to do it outside of non-DRM content. Netflix, Disney+, Hulu, Crunchyroll, etc are really not a replacement for Plex. I deleted my Plex server when we moved into the house and moved over to streaming services. It feels very limiting. I also hate having to search for content in multiple applications. If someone developed a website that shows you a single pane for all of your streaming services I bet a lot of people would use it.

      I only mentioned paid streaming services as an alternative to usenet. If you have to pay to pirate media, you might just spend that money on legit services.

      There's AppleTV and iOS app, WatchAid TV Show Planner, it tracks your TV shows and links directly to streaming services. Not perfect and not a complete solution as it doesn't support movies, but it's a start.

      Yeah I just recently made the transition. Just letting people know my experience

      posted in IT Discussion
      wirestyle22
    • RE: NAS for Plex use... Again

      @brandon220 said in NAS for Plex use... Again:

      @DustinB3403 My wife ripped all the DVD and Blu-Ray discs. It is pretty much her "project". I just maintain it. I believe we have about 460 movies or so. I ripped all my music to flac files and have it on there as well. Works great for my needs.

      Even if you buy the media the act of breaking the DRM is illegal, so there doesn't seem to be any legitimate way to do it outside of non-DRM content. Netflix, Disney+, Hulu, Crunchyroll, etc are really not a replacement for Plex. I deleted my Plex server when we moved into the house and moved over to streaming services. It feels very limiting. I also hate having to search for content in multiple applications. If someone developed a website that shows you a single pane for all of your streaming services I bet a lot of people would use it.

      posted in IT Discussion
      wirestyle22
    • RE: Random Thread - Anything Goes

      Watching some Mr. Show sketches. I miss this show

      Youtube Video

      posted in Water Closet
      wirestyle22
    • RE: Hairpin NAT Issue

      I'm not going to post the logs due to client identity for friends of mine that use it, but the packets are never reaching the nginx proxy. Router looks okay, but I will be checking my switch when I have a free minute.

      posted in IT Discussion
      wirestyle22
    • RE: Hairpin NAT Issue

      @scottalanmiller said in Hairpin NAT Issue:

      Check your web logs, is your web server seeing traffic from the hairpin?

      posted in IT Discussion
      wirestyle22
    • RE: Hairpin NAT Issue

      @scottalanmiller said in Hairpin NAT Issue:

      Turn on Rule Stats, plz.

      rulestats.png

      posted in IT Discussion
      wirestyle22