• NGINX with Synchronet

    From Clifra@1:103/705 to All on Tue Jun 25 13:56:13 2019
    ok, I am having a few issues with getting this to work.
    I am using echicken's webv4 but that is not related I am sure.

    I have NGINX proxying https:443 to http://localhost:8081. I have set the [WEB] section of sbbs.ini to use Port=8081.

    [Web] Web (HTTP) Server
    AutoStart=true
    Interface=
    Port=8081
    TLSInterface=
    TLSPort=444

    When I browse to the web site it redirects fine but I cannot log in. I enter username and password and it just refreshes the page back to the main page and I am not logged in.

    Here is my NGINX configuration:
    /etc/nginx/confd/sbbs.conf
    server {

        server_name daysofoldbbs.wilhartsolutions.com;

        location / {
            proxy_pass http://localhost:8081/;
        }

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/daysofoldbbs.wilhartsolutions.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/daysofoldbbs.wilhartsolutions.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    }
    server {
        if ($host = daysofoldbbs.wilhartsolutions.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;

        server_name daysofoldbbs.wilhartsolutions.com;
        return 404; # managed by Certbot
    }


    2nd problem:
    I just cannot figure out how to get the fTelnet to work through NGINX. I've read a post by eChicken from his board but I am not getting how to direct traffic through NGINX for this.

    Appreciate the help.


    Clifra Jones
    Sysop, Days of Old BBS
    Hostname: daysofoldbbs.wilhartsolutions.com
    Protocols: Telnet, SSH (2222), HTTP

    ---
    þ Synchronet þ Days of Old BBS Telnet/SSH(2222)/Web daysofoldbbs.wilhartsolutions.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From mark lewis@1:3634/12.73 to Clifra on Tue Jun 25 16:32:02 2019

    On 2019 Jun 25 13:56:12, you wrote to All:

    I have NGINX proxying https:443 to http://localhost:8081. I have set the

    i think your problem is here... you cannot do TLS on your http 8081 port...

    [WEB] section of sbbs.ini to use Port=8081.

    [Web] Web (HTTP) Server
    AutoStart=true
    Interface=
    Port=8081
    TLSInterface=
    TLSPort=444

    you should have your server proxying https:443 to the TLSPort 444... not to the http port 8081...

    what you want is http://yourserver -> https://yourserver which is going to be 80->443 on the outside but 8081->444 on the inside...

    are you running NGINX on your BBS machine? is that why you are having to use non-standard ports on the BBS side of the fence??

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Don't buy furs... It takes 14 trees to make protest signs.
    ---
    * Origin: (1:3634/12.73)
  • From echicken@1:103/705 to Clifra on Tue Jun 25 18:12:11 2019
    Re: NGINX with Synchronet
    By: Clifra to All on Tue Jun 25 2019 13:56:13

    When I browse to the web site it redirects fine but I cannot log in. I enter username and password and it just refreshes the page back to the main page and I am not logged in.

    Here is my NGINX configuration:

    Here's the relevant part of mine, for what it's worth:

    location / {
        proxy_pass http://localhost:8080;
        proxy_read_timeout 90;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    Works for me.

    I just cannot figure out how to get the fTelnet to work through NGINX. I've read a post by eChicken from his board but I am not getting how to direct traffic through NGINX for this.

    It's pretty much the same as the above, but in its own server block and with different ports:

    server {
        listen 1124 ssl;
        server_name your.server.name;
        ... various ssl things ...
        location / {
            proxy_pass http://localhost:1123;
            ... the same proxy_* options as above
        }
    }

    In the above case, I have port 1124 open to the outside, and that's what fTelnet connects to. Meanwhile my websocket server is listening on port 1123 (which does not need to be open externally). Nginx forwards stuff from 1124 to 1123.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to mark lewis on Tue Jun 25 18:15:24 2019
    Re: NGINX with Synchronet
    By: mark lewis to Clifra on Tue Jun 25 2019 16:32:02

    you should have your server proxying https:443 to the TLSPort 444... not to the http port 8081...

    Not necessarily. OP is probably redirecting 80 -> 443 within nginx, and then reverse proxying 443 to 8081 so that nginx handles all of the HTTPS (and it's in the clear between nginx and the BBS).

    are you running NGINX on your BBS machine? is that why you are having to use non-standard ports on the BBS side of the fence??

    I assumed so and it's not an unusual practice.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From mark lewis@1:3634/12.73 to echicken on Tue Jun 25 19:42:52 2019

    On 2019 Jun 25 18:15:24, you wrote to me:

    you should have your server proxying https:443 to the TLSPort 444... not to the http port 8081...

    Not necessarily. OP is probably redirecting 80 -> 443 within nginx,

    ok... so we're clear and then bounced to encrypted...

    and then reverse proxying 443 to 8081

    but now we're sending encrypted to 8081 that cannot read it?? that doesn't seem right...

    so that nginx handles all of the HTTPS (and it's in the clear between nginx and the BBS).

    ewwwww, what??!? :shudder:

    are you running NGINX on your BBS machine? is that why you are having to use non-standard ports on the BBS side of the fence??

    I assumed so and it's not an unusual practice.

    i know... i used to do the same thing with apache... it just complicates things somewhat...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... If you're a zombie you don't want to overschedule.
    ---
    * Origin: (1:3634/12.73)
  • From echicken@1:103/705 to mark lewis on Tue Jun 25 21:31:32 2019
    Re: NGINX with Synchronet
    By: mark lewis to echicken on Tue Jun 25 2019 19:42:52

    but now we're sending encrypted to 8081 that cannot read it?? that doesn't seem right...

    I'd have to go back and look at OP's config, but it looked like they were using proxy_pass to an http:// URL, so nginx is decrypting and passing to 8081 in the clear.

    ewwwww, what??!? :shudder:

    Supposing it's some hobbyist's BBS setup and the SSL reverse proxy is on the same machine as the destination server, not such a big deal. This isn't something you'd do in another environment, but who cares.

    i know... i used to do the same thing with apache... it just complicates things somewhat...

    Not really, just a matter of punching in the right port numbers here and there.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Clifra@1:103/705 to echicken on Wed Jun 26 13:04:38 2019
    Re: NGINX with Synchronet
    By: Clifra to All on Tue Jun 25 2019 13:56:13

    Here's the relevant part of mine, for what it's worth:

    location / {
        proxy_pass http://localhost:8080;
        proxy_read_timeout 90;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    Works for me.

    It's pretty much the same as the above, but in its own server block and with different ports:

    server {
        listen 1124 ssl;
        server_name your.server.name;
        ... various ssl things ...
        location / {
            proxy_pass http://localhost:1123;
            ... the same proxy_* options as above
        }
    }

    In the above case, I have port 1124 open to the outside, and that's what fTelnet connects to. Meanwhile my websocket server is listening on port 1123 (which does not need to be open externally). Nginx forwards stuff from 1124 to 1123.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com



    Ok, using your example this fixed the logon problem so that is working fine now.
    I still am having no luck with fTelnet.

    In the [web] section of modopts.ini I have this set.
    websocket_telnet_port = 1123
    websocket_rlogin_port = 1514

    I kept 1123 as that is set on my firewall

    in services.ini I have this set.
    [WS]
    Port=1124
    Options=NO_HOST_LOOKUP
    Command=websocketservice.js


    So 1123 should be forwarded to 1124 based on this:
    server {
        listen 1123 ssl;
        ...ssl and proxy settings...
        location / {
            proxy_pass http://localhost:1124/;
        }
    }


    Clifra Jones
    Sysop, Days of Old BBS
    Hostname: daysofoldbbs.wilhartsolutions.com
    Protocols: Telnet, SSH (2222), HTTP

    ---
    þ Synchronet þ Days of Old BBS Telnet/SSH(2222)/Web daysofoldbbs.wilhartsolutions.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to Clifra on Wed Jun 26 15:07:13 2019
    Re: NGINX with Synchronet
    By: Clifra to echicken on Wed Jun 26 2019 13:04:38

    In the [web] section of modopts.ini I have this set.
    websocket_telnet_port = 1123
    websocket_rlogin_port = 1514

    I don't think these keys are valid anymore. You can delete them.

    in services.ini I have this set.
    [WS]
    Port=1124
    Options=NO_HOST_LOOKUP
    Command=websocketservice.js


    So 1123 should be forwarded to 1124 based on this:
    server {
        listen 1123 ssl;
        ...ssl and proxy settings...
        location / {
            proxy_pass http://localhost:1124/;
        }
    }

    Try adding this to the [web] section of modopts.ini:

    wssp = 1123

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
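    Added example, not code from this thread, from Synchronet or from nginx: a small Python checker that ties together the two pieces of advice above, echicken's proxy_* options for the `location /` block and the fTelnet port chain (nginx `listen <port> ssl` -> `proxy_pass` to the services.ini `[WS]` `Port`, with modopts.ini `[web]` `wssp` naming the external port). The nginx config, services.ini and modopts.ini inputs are constructed to mirror the thread (host name `bbs.example.test` is a placeholder); the reading of `wssp` as "the secure WebSocket port fTelnet connects to" is an assumption taken from echicken's suggestion, and the parser is a deliberately minimal one for reviewing small configs like these, not a full nginx grammar.

```python
"""Consistency checks for a Synchronet web server and WebSocket service behind nginx (added example)."""
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample input, modelled on the blocks quoted in this thread.
NGINX_CONF = """
server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name bbs.example.test;   # placeholder host name
    location / {
        proxy_pass http://localhost:8081/;
        proxy_read_timeout 90;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
server {
    listen 1123 ssl;
    server_name bbs.example.test;
    location / {
        proxy_pass http://localhost:1124/;   # proxy_* options left out on purpose
    }
}
"""
SERVICES_INI = "[WS]\nPort=1124\nOptions=NO_HOST_LOOKUP\nCommand=websocketservice.js\n"
MODOPTS_OK = "[web]\nwssp = 1123\n"
MODOPTS_MISSING = "[web]\n"          # state before the wssp key is added

REQUIRED_HEADERS = {"Upgrade", "Connection", "Host",
                    "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto"}


def parse_nginx(text):
    """Minimal nginx config parser: a list of (name, args, children), where
    children is None for simple directives and a nested list for blocks."""
    text = re.sub(r"#[^\n]*", "", text)                      # drop comments
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("'\""))
                pos += 1
            opener, pos = tokens[pos], pos + 1
            children = block() if opener == "{" else None
            if opener == "{":
                pos += 1                                     # consume the closing brace
            items.append((words[0], words[1:], children))
        return items

    return block()


def listen_port(arg):
    """'443', '[::]:443' and '0.0.0.0:443' all yield 443."""
    return int(arg.rsplit(":", 1)[-1])


def servers(conf):
    """Yield ([(port, is_ssl)], [location children]) for every server block."""
    for name, _, children in conf:
        if name == "server":
            listens = [(listen_port(a[0]), "ssl" in a) for n, a, _ in children if n == "listen"]
            yield listens, [c for n, _, c in children if n == "location"]


def lint_location(children):
    """Problems in one proxied location: the proxy_* set from echicken's block, so the
    BBS sees the real Host and client address and WebSocket upgrades pass through."""
    headers = {a[0] for n, a, _ in children if n == "proxy_set_header"}
    problems = [f"missing proxy_set_header {h}" for h in sorted(REQUIRED_HEADERS - headers)]
    if [a[0] for n, a, _ in children if n == "proxy_http_version"] != ["1.1"]:
        problems.append("proxy_http_version 1.1 is required for the Upgrade handshake")
    return problems


def lint_proxies(conf):
    """Map each server's first listen port to the problems of its proxied locations."""
    report = {}
    for listens, locs in servers(conf):
        for loc in locs:
            if any(n == "proxy_pass" for n, _, _ in loc):
                report.setdefault(listens[0][0], []).extend(lint_location(loc))
    return report


def check_ws_chain(conf, services_ini, modopts_ini):
    """fTelnet chain: the nginx ssl server that proxies to services.ini [WS] Port must
    listen on the port named by modopts.ini [web] wssp (assumption: wssp is the external
    secure WebSocket port, as in echicken's reply)."""
    svc, mod = configparser.ConfigParser(), configparser.ConfigParser()
    svc.read_string(services_ini)
    mod.read_string(modopts_ini)
    ws_port = svc.getint("WS", "Port")
    wssp = mod.getint("web", "wssp", fallback=None)
    for listens, locs in servers(conf):
        targets = {urlsplit(a[0]).port for loc in locs for n, a, _ in loc if n == "proxy_pass"}
        if ws_port not in targets:
            continue
        problems = []
        for port, ssl in listens:
            if not ssl:
                problems.append(f"listen {port} is not ssl; a page served over https needs wss")
            if port == ws_port:
                problems.append(f"nginx and websocketservice.js would both bind {port}")
            if wssp != port:
                problems.append(f"modopts.ini [web] wssp={wssp}, but nginx listens on {port}")
        return problems
    return [f"no nginx server block proxies to services.ini [WS] Port={ws_port}"]


if __name__ == "__main__":
    conf = parse_nginx(NGINX_CONF)
    for port, problems in lint_proxies(conf).items():
        print(f"listen {port}:", problems or "ok")
    print("fTelnet chain:", check_ws_chain(conf, SERVICES_INI, MODOPTS_MISSING) or "ok")
```

    Run as-is it reports the 1123 server block as missing the proxy_* options and, with the `wssp` key absent, the mismatch between modopts.ini and the nginx listen port; point `NGINX_CONF`, `SERVICES_INI` and `MODOPTS_OK` at the real files to check a live setup.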
  • From Va7aqd@1:103/705 to mark lewis on Wed Jun 26 13:22:20 2019
    Re: NGINX with Synchronet
    By: mark lewis to Clifra on Tue Jun 25 2019 04:32 pm

    i think your problem is here... you cannot do TLS on your http 8081 port...

    His configs don't look like he's trying to do that. He's doing SSL offloading at NGINX, so SSL to Nginx, plain text internally.

    you should have your server proxying https:443 to the TLSPort 444... not to the http port 8081...
    what you want is http://yourserver -> https://yourserver which is going to be 80->443 on the outside but 8081->444 on the inside...

    As per above... I don't think that's what he's trying to do. Hopefully there's not a later post here that totally contradicts my guess. ;-)

    ---
    þ Synchronet þ VA7AQD's Tavern - bbs.isurf.ca
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Va7aqd@1:103/705 to echicken on Wed Jun 26 13:29:02 2019
    Re: NGINX with Synchronet
    By: echicken to mark lewis on Tue Jun 25 2019 09:31 pm

    ewwwww, what??!? :shudder:

    Supposing it's some hobbyist's BBS setup and the SSL reverse proxy is on the same machine as the destination server, not such a big deal. This isn't something you'd do in another environment, but who cares.

    It's done all the time in web hosting - many load balancing devices have hardware dedicated to providing offloaded SSL/TLS. Hell, I think things like Cloudflare will do it for you as well, but then you're likely transiting plaintext data, which then gets back in to *shudder* territory.

    ---
    þ Synchronet þ VA7AQD's Tavern - bbs.isurf.ca
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to Va7aqd on Wed Jun 26 18:18:54 2019
    Re: NGINX with Synchronet
    By: Va7aqd to echicken on Wed Jun 26 2019 13:29:02

    It's done all the time in web hosting - many load balancing devices have hardware dedicated to providing offloaded SSL/TLS. Hell, I think things like Cloudflare will do it for you as well, but then you're likely transiting plaintext data, which then gets back in to *shudder* territory.

    If this were some edge server communicating in the clear with other stuff behind it over a network, it'd be closer to *shudder* territory, but even then it kind of depends on the whole setup. Doesn't really seem like the case here.

    I'm not sure what the current state of bring-your-own-cert is for the Synchronet webserver, or if Let's Encrypt is your only other option apart from self-signed. Maybe methods like this aren't needed now. I just set it up this way some years ago because it was quick and easy.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Digital Man@1:103/705 to echicken on Wed Jun 26 15:48:54 2019
    Re: NGINX with Synchronet
    By: echicken to Va7aqd on Wed Jun 26 2019 06:18 pm

    I'm not sure what the current state of bring-your-own-cert is for the Synchronet webserver, or if Let's Encrypt is your only other option apart from self-signed. Maybe methods like this aren't needed now. I just set it up this way some years ago because it was quick and easy.

    I don't think "bring your own cert." is currently an option. Deuce would know best. {tm}

    digital man

    This Is Spinal Tap quote #5:
    Nigel Tufnel: Authorities said... best leave it... unsolved.
    Norco, CA WX: 76.1°F, 56.0% humidity, 10 mph NNE wind, 0.00 inches rain/24hrs --- SBBSecho 3.07-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From mark lewis@1:3634/12.73 to Va7aqd on Wed Jun 26 19:32:52 2019

    On 2019 Jun 26 13:22:20, you wrote to me:

    i think your problem is here... you cannot do TLS on your http 8081 port...

    His configs don't look like he's trying to do that. He's doing SSL offloading at NGINX, so SSL to Nginx, plain text internally.

    apparently you and echicken were correct... i've never heard of such and certainly never thought to attempt it... if you have a secure session from end to end, this breaks it right in half... if you have a bad actor hiding in your network they can easily read this unencrypted traffic if they have a foothold in the machine... yeah, i don't think i'll be doing this any time soon... too MitM for my tastes even though it prevents scanning and blocking of unwanted/undesired traffic :/

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... The fact that no one understands you doesn't mean you're an artist.
    ---
    * Origin: (1:3634/12.73)
  • From Va7aqd@1:103/705 to mark lewis on Wed Jun 26 22:33:09 2019
    Re: NGINX with Synchronet
    By: mark lewis to Va7aqd on Wed Jun 26 2019 07:32 pm

    apparently you and echicken were correct... i've never heard of such and certainly never thought to attempt it... if you have a secure session from end to end, this breaks it right in half... if you have a bad actor hiding in your network they can easily read this unencrypted traffic if they have a foothold in the machine... yeah, i don't think i'll be doing this any time soon... too MitM for my tastes even though it prevents scanning and blocking of unwanted/undesired traffic :/

    It's not that big a deal if the traffic is within a self-contained environment. If you have a bad actor in the self-contained environment, then all bets are off anyway.

    ---
    þ Synchronet þ VA7AQD's Tavern - bbs.isurf.ca
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
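    Added example, not code from this thread or from Synchronet: the practical check behind the exchange above. TLS offloading at nginx is only "self-contained" if the plaintext backends (the 8081 web port and the 1124 WebSocket service in this thread) are bound to loopback rather than to every interface; the quoted sbbs.ini has `Interface=` empty, which (assumption) binds all interfaces. This Python script parses `ss -ltn` style output and flags any backend port listening on a wildcard or non-loopback address. The `ss` output below is constructed, not captured from any real host, and `BACKEND_PORTS` is the set a sysop fills in from their own nginx `proxy_pass` targets.

```python
"""Flag plaintext BBS backend ports that are reachable from the network instead of only from
nginx on the same host (added example)."""
import ipaddress
import sys

# Constructed sample of `ss -ltn` output; the last two columns vary between ss versions.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       511     [::]:443             [::]:*
LISTEN  0       511     0.0.0.0:1123         0.0.0.0:*
LISTEN  0       128     0.0.0.0:8081         0.0.0.0:*
LISTEN  0       128     127.0.0.1:1124       0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
"""

# Ports nginx forwards to in the clear; taken from the proxy_pass targets in this thread.
BACKEND_PORTS = {8081, 1124}


def parse_listeners(ss_text):
    """Return [(address, port)] for the LISTEN rows of `ss -ltn` output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)     # '[::]:443' -> '[::]', '443'
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback_only(addr):
    """True only for 127.0.0.0/8 and ::1; '*' and '' are wildcards in some ss versions."""
    if addr in ("*", ""):
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_backends(listeners, backend_ports):
    """Backend ports bound to a non-loopback address, i.e. reachable in the clear from the
    network rather than only from the reverse proxy on the same machine."""
    return sorted({(addr, port) for addr, port in listeners
                   if port in backend_ports and not is_loopback_only(addr)})


if __name__ == "__main__":
    # Pipe real output in: `ss -ltn | python3 check_bind.py`; otherwise the sample runs.
    text = SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    findings = exposed_backends(parse_listeners(text), BACKEND_PORTS)
    for addr, port in findings:
        print(f"WARNING: plaintext backend port {port} is bound to {addr}, not loopback")
    if not findings:
        print("ok: all backend ports are loopback-only")
```

    On the sample it warns about 8081 (bound to 0.0.0.0) and accepts 1124 (bound to 127.0.0.1). The fix on the Synchronet side is to bind the web server to the loopback address (assumption: via the `Interface=` key in the `[Web]` section) and to keep the backend ports out of the firewall's allow list, so that only the ssl ports nginx listens on are reachable.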
  • From CYBERLORD@1:124/5017 to Clifra on Mon Jul 1 21:47:58 2019
    By any chance does one have snippets of the errors.log and access.log from nginx?

    --- Mystic BBS v1.11 (Linux)
    * Origin: XM Core (1:124/5017)