Forum OpenACS Development: Setup https

Request notifications

Collapse
Posted by Iuri Sampaio on
Hi there,

I set ns_openssl up on OACS although I am unable to access the site via https on the browser.

At first I thought the issue was whether nginx or the firewall was blocking port 8443. However I set https to port 8000 just for testing and the error remained

The scenario is:
I can access and log in the site through port 8000 with ns_openssl turned out.

Once I turn "ns_param nsopenssl" on, I can access the first page, which still is on port 8000, (http://cnauto.nipotech.com) but when I click on "log in" the site is forwarded to https on default port 8443 (https://cnauto.nipotech.com:8443/register/) and the the message "Website is offline" shows up.

"error.log" shows no errors, except for the harmless lines:

[08/Jul/2012:18:11:03][9963.3059129200][-default:0-] Warning: / has no doc(title) set.
[08/Jul/2012:18:11:04][9963.3055958896][-default:3-] Error: return: failed to redirect 'GET /global/file-not-found.html': exceeded recursion limit of 3
[08/Jul/2012:18:11:06][9963.3058072432][-default:1-] Warning: security::locations hostname 'cnauto.nipotech.com' from config.tcl does not match from util_current_location: 127.0.0.1
[08/Jul/2012:18:11:06][9963.3058072432][-default:1-] Notice: security::locations adding cnauto.nipotech.com since utl_current_location different than config.tcl.
[08/Jul/2012:18:26:35][9963.3059129200][-default:0-] Error: return: failed to redirect 'GET /global/file-not-found.html': exceeded recursion limit of 3
[08/Jul/2012:18:28:28][9963.3054902128][-default:4-] Warning: security::locations hostname 'cnauto.nipotech.com' from config.tcl does not match from util_current_location: 127.0.0.1
[08/Jul/2012:18:28:28][9963.3054902128][-default:4-] Notice: security::locations adding cnauto.nipotech.com since utl_current_location different than config.tcl.

nsopenssl configurations are properly set and logged on system startup:

[08/Jul/2012:18:04:21][9963.3074774720][-main-] Error: pidfile: failed to open pid file '/usr/lib/aolserver4/log/nspid.cnauto': 'No such file or directory'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: encoding: loaded: utf-8
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: fastpath[cnauto]: mapped GET /
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: fastpath[cnauto]: mapped HEAD /
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: fastpath[cnauto]: mapped POST /
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: adp[cnauto]: mapped GET /*.adp
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: adp[cnauto]: mapped HEAD /*.adp
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: adp[cnauto]: mapped POST /*.adp
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: modload: loading '/usr/lib/aolserver4/bin/nssock.so'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: modload: loading '/usr/lib/aolserver4/bin/nslog.so'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nslog: opened '/var/www/cnauto/log/cnauto.log'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: modload: loading '/usr/lib/aolserver4/bin/nssha1.so'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: modload: loading '/usr/lib/aolserver4/bin/nsopenssl-3.0/nsopenssl.so'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl: generating 512-bit temporary RSA key ...
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl: generating 1024-bit temporary RSA key ...
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): loading SSL context 'users'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'users' ciphers loaded successfully
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'users' using SSLv3 protocol
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'users' using TLSv1 protocol
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'users' certificate and key loaded successfully
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'users' CA file loaded successfully
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: users (nsopenssl): session cache is turned on for sslcontext 'cnauto'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): loading SSL context 'client'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'client' ciphers loaded successfully
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv2 protocol
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv3 protocol
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'client' using TLSv1 protocol
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'client' certificate and key loaded successfully
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): 'client' CA file loaded successfully
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: client (nsopenssl): session cache is turned on for sslcontext 'cnauto'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): default SSL context for server is users
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: default server SSL context: users
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): default SSL context for client is client
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: default client SSL context: client
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: nsopenssl (cnauto): loading 'users' SSL driver
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: modload: loading '/usr/lib/aolserver4/bin/nsdb.so'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: modload: loading '/usr/lib/aolserver4/bin/nspostgres.so'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: PostgreSQL loaded.
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: modload: loading '/usr/lib/aolserver4/lib/thread2.6.5/libthread2.6.5.so'
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: conf: [ns/server/cnauto]enabletclpages = 0
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: default thread pool: minthreads 5 maxthreads 10 idle 0 current 0 maxconns 100 queued 0 timeout 120 spread 20
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Notice: XOTcl version 1.6.6 loaded
[08/Jul/2012:18:04:21][9963.3074774720][-main-] Noti

...

[08/Jul/2012:18:04:33][9963.3074774720][-main-] Notice: driver: starting: nsopenssl
[08/Jul/2012:18:04:33][9963.3066149744][-sched-] Notice: sched: starting
[08/Jul/2012:18:04:33][9963.3052788592][-nsopenssl:driver-] Notice: starting
[08/Jul/2012:18:04:33][9963.3052788592][-nsopenssl:driver-] Notice: nsopenssl: listening on 127.0.0.1:8443
[08/Jul/2012:18:04:33][9963.3074774720][-main-] Notice: driver: starting: nssock
[08/Jul/2012:18:04:33][9963.3051731824][-nssock:driver-] Notice: starting
[08/Jul/2012:18:04:33][9963.3051731824][-nssock:driver-] Notice: nssock: listening on 127.0.0.1:8000
[08/Jul/2012:18:05:31][9963.3053845360][-sched:idle0-] Notice: starting
[08/Jul/

Any ideas what i could be missing?

Collapse
3: Re: Setup https (response to 1)
Posted by Iuri Sampaio on
Btw, i forgot to tell above...
I turned off proxy server (nginx) and disarmed the firewall.

AOLServer is alone at front.

Collapse
2: Re: Setup https (response to 1)
Posted by Torben Brosten on
Hi Iuri,

Make sure that the CertFile and KeyFile for the sslcontexts are pointing to a different set of files:

For example:

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"

ns_param CertFile server.crt.pem
ns_param KeyFile server.key.pem

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"

ns_param CertFile server.crt2.pem
ns_param KeyFile server.key2.pem

One set of files can be a copy of the other.

cheers,

Torben

Collapse
4: Re: Setup https (response to 2)
Posted by Iuri Sampaio on
Hi there,

I also found another thread regarding HTTPS issues:
http://openacs.org/forums/message-view?message_id=3853222

I applied them to my installation. Thanks for the tip Victor
.

Furthermore, It turned out that I sort of figured out what was causing the error on my HTTPS installation ( The site works on HTTP but when forwarded to the link
https://ezy.iurix.com:8443 it gets broken.

Surprisingly, within the file config.tcl, instead of the localhost address (127.0.0.1), if I set the parameter address as the external IP then HTTPS works.

set address 206.192.23.166
#set address 127.0.0.1

what would be the cause?

Btw, I am using NGINX proxy server

Collapse
5: Re: Setup https (response to 4)
Posted by Torben Brosten on
Iuri,

If you are using nginx proxy server to serve https url, then trying to access aolserver directly via port 8443 would not work, because aolserver is not configured to serve port 8443 via https port. Instead, https port is served by the proxy server (nginx), where nginx is listening on the https port at the external address --a typical configuration for a proxy server.

cheers,

Torben

Collapse
6: Re: Setup https (response to 5)
Posted by Iuri Sampaio on
Torben,

I am not using nginx server to serve https. See bellow the nginx config file for that instance.

server {
listen 206.192.23.166:80;
server_name ezy.iurix.com;

location / {

root /var/www/ezysource;
client_max_body_size 40M;

proxy_read_timeout 200;
proxy_connect_timeout 200;

proxy_pass http://127.0.0.1:8040;
proxy_set_header X-Forwarded-For $remote_addr;
}

The scenario I have now is:

1) The site works only through HTTPS. (I want it functioning for both HTTP and HTTPS. HTTPS must be used only to specific pages such as login, and etc. ( I am using ecommerce package.)

HTTP links are broken: "502 Bad Gateway"

I'm not sure but I think it isn't necessary to set up nginx to serve HTTPS. Is it?

Collapse
7: Re: Setup https (response to 6)
Posted by Iuri Sampaio on
Ok. So far I believe I fixed HTTP to work together with HTTPS access.

I was blind for small details. I had forgotten to amend proxy_pass parameter on nginx config file.

#proxy_pass http://127.0.0.1:8040;
proxy_pass http://206.192.23.166:8040;

Although, I still reluctant to accept the usage of external IP instead of local (127.0.0.1) within nginx configuration's file as well as aolserver's config.tcl.

But anyway, at least it works now I can't deny that.