Disable SSL/TLS? #51

Closed
ekollof opened this issue Feb 20, 2015 · 22 comments
Comments

@ekollof

ekollof commented Feb 20, 2015

Can SSL/TLS be disabled? Because my nginx already terminates SSL.

@skavanagh
Collaborator

In the jetty directory, edit the start.ini file.

change

--module=https

to

--module=http

and change jetty.port=8443

to whatever you need it to be and restart.


@ekollof
Author

ekollof commented Feb 20, 2015

Awesome, thanks!

@skavanagh
Collaborator

No problem. Glad it helped! 🤘

@yves-ledermann

@ekollof
Sorry to ask, but can you tell me how to configure nginx as a reverse proxy to KeyBox?
I have problems getting the websockets working...

@ba0f3

ba0f3 commented Feb 28, 2015

location / {
    proxy_pass https://localhost:8443/;
    proxy_read_timeout 1800s;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
}

The above snippet is my Nginx proxy config for Keybox; there is no need to disable SSL.

Note: the Nginx proxy timeout is 60s by default, and the websocket will be terminated after that. Increase the proxy_read_timeout parameter as you need.

@yves-ledermann

@rgv151
Thank you very much. It's working after I updated nginx to 1.6.2 (the Debian wheezy nginx v1.2 does not support ws) and applied your config snippet...

@ausip

ausip commented May 26, 2015

I am also having trouble getting Keybox to work from behind an Nginx reverse proxy. I can access it via the local LAN on the configured HTTP port of 8080, but when trying to access it externally via nginx, nginx is returning a 502 Bad Gateway error.

Any ideas?

@ausip

ausip commented May 28, 2015

I worked out my 502 Bad Gateway Error. It was pesky SELinux on the nginx box. Putting SELinux into permissive mode fixed the issue.

@skavanagh
Collaborator

@ausip - Thanks for posting the fix!

@ekollof
Author

ekollof commented Jul 10, 2015

Putting SELinux in permissive mode is not a fix.
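The 502 above is the classic symptom of SELinux denying the web server domain an outbound connection to the backend port; on RHEL-family systems nginx runs as `httpd_t`, so it hits the same rule as Apache. The targeted alternative to permissive mode is to read the AVC denial and flip only the boolean that covers it, keeping enforcing on. The following is an added example, not code from the project or from any commenter: it parses audit.log-style AVC lines and suggests the narrowest `setsebool` change. The log lines are constructed for the example, and the port-type-to-boolean mapping reflects the standard targeted policy as the author knows it; confirm on your box with `semanage boolean -l`.

```python
"""Turn a SELinux AVC denial into a targeted fix instead of setenforce 0.

Added example for this thread; not code from the project or any commenter.
Parses audit.log AVC lines and maps httpd_t name_connect denials to the
narrowest boolean that allows the proxy connection with enforcing still on.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in audit.log format (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1432650000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1432650001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=58000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1432650002.789:458): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1432650002.789:458): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Port types that httpd_can_network_relay permits httpd_t to connect to
# (assumption: standard targeted policy; verify with semanage boolean -l).
WEB_RELAY_PORT_TYPES = {"http_port_t", "http_cache_port_t"}


@dataclass
class Denial:
    perms: List[str]
    comm: str
    dest_port: Optional[int]
    source_type: str
    target_type: str
    tclass: str


def _type_of(context: str) -> str:
    """Extract the type field from user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit.log line; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    dest = fields.get("dest", "")
    return Denial(
        perms=m.group("perms").split(),
        comm=fields.get("comm", "?"),
        dest_port=int(dest) if dest.isdigit() else None,
        source_type=_type_of(fields.get("scontext", "")),
        target_type=_type_of(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
    )


def recommend(d: Denial) -> str:
    """Narrowest boolean for a web-server outbound connect denial; refuse otherwise."""
    if d.source_type == "httpd_t" and d.tclass == "tcp_socket" and "name_connect" in d.perms:
        if d.target_type in WEB_RELAY_PORT_TYPES:
            return "setsebool -P httpd_can_network_relay on"
        return "setsebool -P httpd_can_network_connect on"
    return (f"not a proxy network denial ({' '.join(d.perms)} on {d.tclass} {d.target_type}); "
            "do not change network booleans")


def recommendations(log_text: str) -> List[str]:
    """One recommendation per AVC record in the log text."""
    out = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        where = f"port {d.dest_port}" if d.dest_port is not None else "no port"
        out.append(f"{d.comm} -> {where} ({d.target_type}): {recommend(d)}")
    return out


if __name__ == "__main__":
    for rec in recommendations(SAMPLE_AUDIT_LOG):
        print(rec)
```

On a live box, feed it `ausearch -m avc -c nginx` output instead of the constructed sample, apply the single suggested boolean, and confirm with `getenforce` that the system is still Enforcing. The third sample line is there deliberately: a file-label denial is not a network problem, and the code refuses to suggest a network boolean for it.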

@skavanagh
Collaborator

@ekollof - Yeah good point!

@giopas

giopas commented Nov 20, 2015

Hi,

has anyone got KeyBox working with an Apache reverse proxy?

I currently have the following VirtualHost set, but I have a visual glitch on the terminal.

As Sean told me, it is very likely that this is caused by the reverse proxy blocking web sockets:

<VirtualHost *:80>
    ServerName sub.domain.com
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        Order allow,deny
        Allow from all
    </Location>
    ProxyPass / http://localhost:58000/
    ProxyPreserveHost On
    ProxyStatus On
</VirtualHost>

I have tried with the below, but maybe I would need some advice on how to use them as I cannot get rid of the problem:

ProxyPass "/" "ws://localhost:58000/"
ProxyPass "/" "wss://localhost:58000/"
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) ws://localhost:58000/$1 [P,L]

Thank you

@colandre
Contributor

I have a working configuration.
Below is the full VirtualHost configuration I have:
<VirtualHost *:443>
    ServerName example.com

    ## Logging
    ErrorLog "/var/log/httpd/example_error_ssl.log"
    ServerSignature Off
    CustomLog "/var/log/httpd/example_access_ssl.log" combined

    ## SSL directives
    SSLEngine on
    SSLProxyEngine On
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyVerify none
    SSLProxyCheckPeerExpire off

    SSLCertificateFile      "/etc/ssl/mycert.crt"
    SSLCertificateKeyFile   "/etc/ssl/mykey.key"
    SSLCACertificatePath    "/etc/pki/tls/certs"

    ## Proxy rules
    ProxyRequests off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/

    <LocationMatch "/admin/(terms.*)">
        ProxyPass wss://127.0.0.1:8443/admin/$1
        ProxyPassReverse wss://127.0.0.1:8443/admin/$1
    </LocationMatch>

    RequestHeader set X-Forwarded-Proto "https" env=HTTPS
</VirtualHost>

Jetty is running on port 8443 in https. I had a problem with httpd 2.4.6 (the latest httpd available when I tried on CentOS) in regard to an Apache bug with web sockets. I had to install httpd 2.4.10.
Apache Bug Ref

I hope this helps

@giopas

giopas commented Nov 20, 2015

Hi colandre,

thanks for your reply.

I have modified the VirtualHost section as follows (I don't use ssl on KeyBox):

<VirtualHost *:80>
    ServerName sub.domain.com
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <LocationMatch "/admin/(terms.*)">
        ProxyPass ws://127.0.0.1:58000/$1
        ProxyPassReverse ws://127.0.0.1:58000/$1
    </LocationMatch>
    ProxyPass / http://localhost:58000/
    ProxyPassReverse / http://localhost:58000/
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyStatus On
</VirtualHost>

However, I still have the same problem, but I am unsure that this is related to the bug you are mentioning, as I do not need an SSL pass-through...

Any other ideas or guidance on my set of directives?

Thanks!

@colandre
Contributor

One thing that I find wrong in your configuration is the ws:// URI in the location match. You wrote:

    <LocationMatch "/admin/(terms.*)">
        ProxyPass ws://127.0.0.1:58000/$1
        ProxyPassReverse ws://127.0.0.1:58000/$1
    </LocationMatch>

You are missing /admin. I think it should be:

    <LocationMatch "/admin/(terms.*)">
        ProxyPass ws://127.0.0.1:58000/admin/$1
        ProxyPassReverse ws://127.0.0.1:58000/admin/$1
    </LocationMatch>

What do you think?

@giopas

giopas commented Nov 23, 2015

Grazie colandre,

I did modify it, but it did not solve the problem.

I actually found another, much worse problem: as far as I understood [1], to use the mod_proxy_wstunnel extension of mod_proxy you need to run Apache > 2.4.5, but I am currently running Apache 2.2.31 on my QNAP.

I would therefore need to upgrade or patch Apache to use it [2].

Do you think this could indeed be the problem?

[1] http://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
[2] http://stackoverflow.com/questions/30443999/how-to-add-mod-proxy-wstunnel-to-apache2-2-2-on-raspberry-pi-backport-mod-proxy

@colandre
Contributor

I do not think that Apache 2.2.31 is the problem. I have found backports and patches of mod_proxy_wstunnel for Apache 2.2.20, but I really don't know if your version is working.

It would be good to upgrade at least to Apache version 2.4.10 or greater.

@giopas

giopas commented Nov 23, 2015

Sure, the problem is that this Apache version is running on a QNAP and I cannot patch it myself. I hope their support team can assist me on this. In any case, thank you for your support and advice!

@philippkayser

philippkayser commented Oct 15, 2018

Hi guys,

I'm using Apache as a reverse proxy and can't get it to work correctly.

SSL on the proxy is currently disabled. It will forward to the KeyBox web server and use its SSL certificate.

<VirtualHost *:443>
    ServerName ssh.domain.de
    ServerAlias ssh
    ServerAdmin root@localhost.local

    SSLProxyEngine On
    ProxyPass / https://192.168.100.6/
    ProxyPassReverse / https://192.168.100.6/
    <LocationMatch "/admin/(terms.*)">
        ProxyPass ws://192.168.100.6/admin/$1
        ProxyPassReverse ws://192.168.100.6/admin/$1
    </LocationMatch>

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyStatus On

    SSLEngine off

    SSLCertificateFile /etc/letsencrypt/live/ssh.domain.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ssh.domain.de/privkey.pem
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
</VirtualHost>

I've also tried this one:

<VirtualHost *:443>
    ServerName ssh.domain.de
    ServerAlias ssh
    ServerAdmin root@localhost.local

    SSLProxyEngine On
    ProxyPass / https://192.168.100.6/
    ProxyPassReverse / https://192.168.100.6/

    ProxyRequests off
    ProxyPreserveHost On

    <LocationMatch "/admin/(terms.*)">
        ProxyPass wss://192.168.100.6/admin/$1
        ProxyPassReverse wss://192.168.100.6/admin/$1
    </LocationMatch>

    RequestHeader set X-Forwarded-Proto "https" env=HTTPS

    SSLEngine off

    SSLCertificateFile /etc/letsencrypt/live/ssh.domain.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ssh.domain.de/privkey.pem
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
</VirtualHost>

@philippkayser

I've fixed it now. The second config from my last post was correct, but I had forgotten to enable the Apache proxy_wstunnel module with "a2enmod proxy_wstunnel".

Thanks!

@seyo-IV

seyo-IV commented Jan 4, 2019

Hi, is there a new method to do exactly that, I mean disabling SSL if nginx already handles it?
I tried to change the module to http, but I can't reach Bastillion afterwards.

@Nutties93

I am using nginx as a reverse proxy, but sometimes I'm getting a 502 gateway error to my Bastillion using the hostname. However, when I try to access Bastillion using the : I am able to access the Bastillion login page. Has anybody faced this issue before?
