I have NGINX proxying https:443 to http://localhost:8081. I have set the
[WEB] section of sbbs.ini to use Port=8081.
[Web] Web (HTTP) Server
AutoStart=true
Interface=
Port=8081
TLSInterface=
TLSPort=444
When I browse to the web site it redirects fine but I cannot log in. I enter username and password and it just refreshes the page back to the main page and I am not logged in.
Here is my NGINX configuration:
I just cannot figure out how to get the fTelnet to work through NGINX. I've read a post by eChicken from his board but I am not getting how to direct traffic through NGINX for this.
you should have your server proxying https:443 to the TLSPort 444... not to the http port 8081...
are you running NGINX on your BBS machine? is that why you are having to use non-standard ports on the BBS side of the fence??
you should have your server proxying https:443 to the TLSPort 444... not to the http port 8081...
Not necessarily. OP is probably redirecting 80 -> 443 within nginx,
and then reverse proxying 443 to 8081
so that nginx handles all of the HTTPS (and it's in the clear between nginx and the BBS).
are you running NGINX on your BBS machine? is that why you are having
to use non-standard ports on the BBS side of the fence??
I assumed so and it's not an unusual practice.
but now we're sending encrypted to 8081 that cannot read it?? that doesn't seem right...
ewwwww, what??!? :shudder:
i know... i used to do the same thing with apache... it just complicates things somewhat...
Re: NGINX with Synchronet
By: Clifra to All on Tue Jun 25 2019 13:56:13
Here's the relevant part of mine, for what it's worth:
location / {
    # plain HTTP to the Synchronet web server; TLS is terminated by nginx
    proxy_pass http://localhost:8080;
    proxy_read_timeout 90;
    # HTTP/1.1 plus the Upgrade/Connection headers are needed for WebSocket pass-through
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    # tell the backend who the real client is and that the outside leg was HTTPS
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
Works for me.
It's pretty much the same as the above, but in its own server block and with different ports:
server {
listen 1124 ssl;
server_name your.server.name;
... various ssl things ...
location / {
proxy_pass http://localhost:1123;
... the same proxy_* options as above
}
}
In the above case, I have port 1124 open to the outside, and that's what fTelnet connects to. Meanwhile my websocket server is listening on port 1123 (which does not need to be open externally). Nginx forwards stuff from 1124 to 1123.
---
echicken
electronic chicken bbs - bbs.electronicchicken.com
■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
In the [web] section of modopts.ini I have this set.
websocket_telnet_port = 1123
websocket_rlogin_port = 1514
in services.ini I have this set.
[WS]
Port=1124
Options=NO_HOST_LOOKUP
Command=websocketservice.js
So 1123 should be forwarded to 1124 based on this:
server {
    listen 1123 ssl;
    ...ssl and proxy settings...
    location / {
        proxy_pass http://localhost:1124/;
    }
}
i think your problem is here... you cannot do TLS on your http 8081 port...
you should have your server proxying https:443 to the TLSPort 444... not to the http port 8081...
what you want is http://yourserver -> https://yourserver which is going to be 80->443 on the outside but 8081->444 on the inside...
ewwwww, what??!? :shudder:
Supposing it's some hobbyist's BBS setup and the SSL reverse proxy is on the same machine as the destination server, not such a big deal. This isn't something you'd do in another environment, but who cares.
It's done all the time in web hosting - many load balancing devices have hardware dedicated to providing offloaded SSL/TLS. Hell, I think things like Cloudflare will do it for you as well, but then you're likely transiting plaintext data, which then gets back into *shudder* territory.
I'm not sure what the current state of bring-your-own-cert is for the Synchronet webserver, or if Let's Encrypt is your only other option apart from self-signed. Maybe methods like this aren't needed now. I just set it up this way some years ago because it was quick and easy.
i think your problem is here... you cannot do TLS on your http 8081 port...
His configs don't look like he's trying to do that. He's doing SSL offloading at NGINX, so SSL to Nginx, plain text internally.
apparently you and echicken were correct... i've never heard of such and certainly never thought to attempt it... if you have a secure session from end to end, this breaks it right in half... if you have a bad actor hiding in your network they can easily read this unencrypted traffic if they have a foothold in the machine... yeah, i don't think i'll be doing this any time soon... too MitM for my tastes even though it prevents scanning and blocking of unwanted/undesired traffic :/
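Editor's note, not part of the thread: the layout echicken describes (80 redirected to 443, 443 offloaded to the Synchronet HTTP port, a separate TLS listener for the fTelnet WebSocket) and the plaintext-on-the-inside concern raised in the last reply are both illustrated by the following added nginx configuration. It is example code, not from the original posters or the Synchronet project. The hostname bbs.example.com, the certificate paths and the 8081/1123/1124 port choices are assumptions; binding the backends to 127.0.0.1 is the mitigation for the "bad actor in your network" case, since the unencrypted hop then never leaves the host.

```nginx
# Added example; hostname, certificate paths and ports are assumptions.

# Send "upgrade" only when the client actually asked for a WebSocket,
# otherwise close the hop-by-hop Connection header normally.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# 80 -> 443: nothing is served in the clear on the outside.
server {
    listen 80;
    server_name bbs.example.com;
    return 301 https://$host$request_uri;
}

# TLS terminates here; the Synchronet web server on 8081 sees plain HTTP.
# The proxy target is 127.0.0.1, not the machine's public address, so the
# plaintext leg is confined to the loopback interface.
server {
    listen 443 ssl;
    server_name bbs.example.com;
    ssl_certificate     /etc/letsencrypt/live/bbs.example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/bbs.example.com/privkey.pem;    # assumed path

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_http_version 1.1;
        proxy_read_timeout 90;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# fTelnet's WebSocket: 1124 is the only port opened in the firewall; the
# websocketservice.js listener on 1123 stays on loopback.
server {
    listen 1124 ssl;
    server_name bbs.example.com;
    ssl_certificate     /etc/letsencrypt/live/bbs.example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/bbs.example.com/privkey.pem;    # assumed path

    location / {
        proxy_pass http://127.0.0.1:1123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # nginx's default read timeout is 60s; an idle terminal session would be
        # dropped without this.
        proxy_read_timeout 3600;
    }
}
```

On the BBS side the matching change is to set Interface=127.0.0.1 in the [Web] section of sbbs.ini (the key is already present, empty, in the OP's snippet) and, for the WebSocket service, an Interface=127.0.0.1 line in the [WS] section of services.ini (per-service Interface support is assumed for the Synchronet version in use). With both listeners bound to loopback, an attacker who can sniff the LAN sees only the TLS sessions to nginx; reading the plaintext requires a foothold on the BBS host itself, which is the residual risk the last reply describes.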