I have a VPS running Debian 9 with Keter serving a single web application.
I've generated certificates using the Create certificate button in the Origin Certificates section of the Crypto tab.
Then I've edited my keter.yaml:
    stanzas:
      - type: webapp
        exec: ../dist/bin/dummy-name
        args: []
        hosts:
          - dummy-domain.info
        ssl:
          key: /opt/keter/etc/cert/dummy-domain.info.key
          certificate: /opt/keter/etc/cert/dummy-domain.info.pem
There is also a remark:
    # Enable to force Keter to redirect to https
    # Can be added to any stanza
    # requires-secure: true
When I uploaded the new bundle, it looks like things do not work correctly. My website can be visited via HTTP (works as expected) and HTTPS, but it cannot load generated CSS and JS files from static (links injected in the document have the http scheme).
What else should I do to make everything work using secure HTTPS connection?
There are unclear options for keter:
    # for all stanzas
    requires-secure: true
    # stanza based
    host: ....
    secure: true
Also, I have no idea which options I should use on CloudFlare too.
SSL type now set to Flexible
Always Use HTTPS is OFF
OK, finally I've done the following:
Application's keter.yml
    stanzas:
      - type: webapp
        exec: ../dist/bin/dummy-name
        args: []
        hosts:
          - dummy-domain.info
        requires-secure: true
        ssl:
          key: /opt/keter/etc/cert/dummy-domain.info.key
          certificate: /opt/keter/etc/cert/dummy-domain.info.pem
Keter configuration on server keter-config.yaml
    root: ..
    #
    # # Keter can listen on multiple ports for incoming connections. These ports can
    # # have HTTPS either enabled or disabled.
    listeners:
      # HTTP
      - host: "*4" # Listen on all IPv4 hosts
        port: 80 # Could be used to modify port
      # HTTPS
      - host: "*4"
        port: 443
        key: cert/dummy-domain.info.key
        certificate: cert/dummy-domain.info.pem
CloudFlare config:
SSL type now set to Full
Always Use HTTPS is ON
Also, I've restarted the keter service:
    sudo service keter restart
Now everything works as expected.
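
A check for the symptom described in the question (CSS and JS links emitted with the http scheme on a page served over HTTPS), as an added example that is not part of the original post. The sample HTML and its asset file names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource (not plain <a> links).
FETCHING = {("script", "src"), ("img", "src"), ("iframe", "src"),
            ("audio", "src"), ("video", "src"), ("source", "src"),
            ("link", "href")}
# <link> only fetches for these rel values; rel="canonical" does not.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "link":
            rels = set((attr_map.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        for name, value in attrs:
            if value and (tag, name) in FETCHING:
                # Resolve relative and scheme-relative URLs against the page.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """List (tag, url) subresources an HTTPS page would request over http."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages loaded over HTTPS
    collector = _Collector(page_url)
    collector.feed(html)
    return collector.insecure


# Constructed sample page: two absolute http:// assets, the rest are safe.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://dummy-domain.info/static/tmp/autogen-aaaa.css">
<script src="http://dummy-domain.info/static/tmp/autogen-bbbb.js"></script>
<link rel="canonical" href="http://dummy-domain.info/">
<link rel="icon" href="/favicon.ico">
</head><body><a href="http://dummy-domain.info/about">About</a>
<img src="//dummy-domain.info/static/logo.png"></body></html>"""
```

Running `find_mixed_content("https://dummy-domain.info/", SAMPLE_HTML)` reports only the stylesheet and the script; the canonical link, the anchor and the relative or scheme-relative URLs are not flagged.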
Related
I set up an internal website on IIS 7.5 that can only be accessible by other computers on the network. The public has no access to my web server. It works only when I access it through HTTPS, but not HTTP. Why?
Note: All firewall settings on the machine where the web server is running are shut off.
Below are my port bindings for both HTTPS and HTTP.
Type: HTTP
IP address: 192.168.1.1
Port: 301
Host name: "Blank"
Type: HTTPS
IP address: 192.168.1.1
Port: 302
Host name: "Blank"
IIS Certificate: IIS Express Development Certificate
Web browser error for HTTP:
This site can’t provide a secure connection 192.168.1.1 sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
I am deploying a new mesh app with an Asp.Net API core container image. I am able to successfully deploy and access the API using http://[]:80. I used the following configuration in the gateway yaml file:
    http:
      - name: BenApiHTTP
        port: 80
        hosts:
          - name: "*"
            routes:
              - name: benapi
                match:
                  path:
                    value: "/benapiservice/"
                    rewrite: "/"
                    type: Prefix
                destination:
                  applicationName: BenApplication
                  serviceName: BenApi
                  endpointName: BenApiListener
Now I want to use my own SSL certificate and want to enable the same API using HTTPS, i.e. on port 443. So my questions are:
How to upload the SSL certificate in mesh?
What YAML updates do I have to make in gateway.yaml?
How to set the FQDN for the URL?
I have deployed a node.js app to Elastic Beanstalk. When I try to access the page via HTTP, everything works fine. When I try to access via HTTPS, I get a refused to connect error. I have followed the instructions on
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-nodejs.html
I created a .ebextensions folder and my https-instance-single.config looks like:
    Resources:
      sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
          IpProtocol: tcp
          ToPort: 443
          FromPort: 443
          CidrIp: 0.0.0.0/0
I have uploaded and deployed the new zip file with these included and still the same thing. I can access via HTTP but not via HTTPS.
Any help would be greatly appreciated.
I would suggest you use LetsEncrypt for an Elastic Beanstalk single instance. According to your current configuration, it only opens port 443 to serve HTTPS, but you are not pointing to a certificate. This is the tutorial for LetsEncrypt SSL on Elastic Beanstalk:
https://www.tutcodex.com/ssl-on-single-instance-elastic-beanstalk-tutorial/
I have the guest's HTTPS port set to 443 on its Apache 2 installation.
In Vagrantfile
I have vm.forwarded_port set to forward from 443 to 8443
I have vm.hostname set to actualdomain.org
I've also installed the vagrant plugin install vagrant-hostsupdater so that actualdomain.org is written to my hosts file, so it pulls up the developer environment and not the actual site when it is requested.
I ran vagrant connect...
I ran vagrant share --https 443 --domain actualdomain.org but it reports the following:
==> default: Detecting network information for machine...
default: Local machine address: 192.168.xx.10
default: Local HTTPS port: 443
==> default: Checking authentication and authorization...
==> default: Creating Vagrant Share session...
There was an error returned by the Vagrant Cloud server. The
error message is shown below:
Domain cannot be used with this account
But if I run vagrant share without the --domain parameter, I end up with the following in my logs when I try to contact the site remotely:
Hostname XXXXX-YYY-ZZZZ provided via SNI and hostname XXXXX-YYY-ZZZZ.vagrantshare.com provided via HTTP are different
And in the browser I am returned an HTTP 400 Bad Request.
Is there any easy way around this? It seems to me that this didn't happen the last time I used vagrant, and it seems as though there was something added to TLS that causes it to balk about the SNI error since then.
I even tried adding a server alias that was the same as the XXXXX-YYY-ZZZ.vagrantshare.com, and it is still giving me an issue; does that mean that I have to rebuild the certificate every time the hashicorp URL changes if I want to show it off to somebody via their browser?
My base case is that my Meteor App runs perfectly on Opsworks.
I do a Meteor build, tweak the files and all is good (without HTTPS/SSL). I am not using METEORUP. I just upload my tweaked build file and deploy on opsworks.
Also, I am using the out of the box Opsworks HAPROXY loadbalancer.
I then install the SSL certificates for my app and set Meteor to listen on PORT=443 as per screenshot:
In the browser, I see:
503 Service Unavailable
No server is available to handle this request.
In the log files I see:
Mar 8 03:22:51 nodejs-app1 monit[2216]: 'node_web_app_buzzy' start: /bin/bash
Mar 8 03:23:51 nodejs-app1 monit[2216]: 'node_web_app_buzzy' failed, cannot open a connection to INET[127.0.0.1:443/] via TCPSSL
Any ideas welcome
Your HAProxy configuration is expecting meteor/node to respond with SSL.
It should instead terminate SSL and talk to node/meteor in plain HTTP. This is because meteor doesn't do SSL; it expects a server in front to handle it.
Solution:
Update the frontend https-in section to terminate ssl and redirect to the http backend:
    defaults
        #... add this line to enable the `X-Forwarded-For` header
        option forwardfor
        # ...

    # .... update this section ...
    frontend https-in
        # HTTP mode is required here: reqadd and the Host-header ACL below
        # only work on parsed HTTP requests, not on a raw TCP stream
        mode http
        # this bit causes HAProxy to talk TLS rather than just forward the connection
        bind :443 ssl crt /path/to/your/certificate
        reqadd X-Forwarded-Proto:\ https
        # now direct it to your plain HTTP application
        acl nodejs_application_buzzy_domain_buzzy hdr_end(host) -i buzzy
        use_backend nodejs_app_servers if nodejs_application_buzzy_domain_buzzy
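
How a plain-HTTP backend can consume the `X-Forwarded-Proto` header set by the frontend above without trusting a client-supplied copy, as an added example that is not part of the original answer. It assumes HAProxy reaches the app from 127.0.0.1; the function names, host name and client address are hypothetical.

```python
import ipaddress


def effective_scheme(peer_ip, headers, trusted_proxies):
    """Scheme the client used, as far as the backend can safely tell.

    headers is a list of (name, value) pairs in the order received.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        # Connection did not come through the proxy: the header is
        # client-controlled, and the socket itself is plain HTTP.
        return "http"
    tokens = []
    for name, value in headers:
        if name.lower() == "x-forwarded-proto":
            # Duplicate headers may arrive comma-joined; split them back out.
            tokens += [t.strip().lower() for t in value.split(",") if t.strip()]
    # reqadd appends its header after anything the client sent, so the
    # proxy's own value is the last one.
    if tokens and tokens[-1] in ("http", "https"):
        return tokens[-1]
    return "http"


def redirect_target(peer_ip, headers, host, path,
                    trusted_proxies=("127.0.0.1/32",)):
    """Return an https:// URL to redirect to, or None if already secure."""
    if effective_scheme(peer_ip, headers, trusted_proxies) == "https":
        return None
    return f"https://{host}{path}"
```

The last-value rule only holds if every HAProxy frontend sets the header; a plain-HTTP frontend that forwards a client-supplied `X-Forwarded-Proto` unchanged leaves the last value under client control.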