Log TLS version and cipher name on upstream connection from a proxy (nginx or apache2)
I have set up a proxy server which aims to encrypt, with HTTPS, the outgoing traffic from our application that it receives in plain HTTP. There were 3 main reasons:
- We want to offload the main application and its server from this workload,
- The main application server OS doesn't support TLS 1.3,
- We want to log the TLS version and ciphers used in the transaction.
I've tried both apache2 and nginx. It works just fine with both for the first two tasks (offloading and providing TLS 1.3). But I'm not able to log TLS information about the upstream transaction. Does anyone know how to log this? It is mainly the TLS version and cipher that are of interest.
Here's my Apache config:
<VirtualHost *:80>
    # %{...}x variables are filled by mod_ssl for the client-facing connection;
    # on this plain-HTTP vhost they are empty. SSL_SERVER_VERSION is not a
    # mod_ssl variable name (the client-side names are SSL_PROTOCOL and
    # SSL_CIPHER), and mod_ssl exposes no equivalent for the proxied upstream.
    LogFormat "%t %>s %b \"%{X-Redirect-Url}i\" \"%{SSL_SERVER_VERSION}x\"" appproxy
    CustomLog "logs/app_access_log" appproxy
    ErrorLog "logs/app_error_log"
    SSLProxyEngine On
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on
    SSLProxyMachineCertificateFile application_client_cert.pem
    SSLProxyMachineCertificateChainFile truststore.pem
    RewriteEngine On
    # [P] hands the rewritten URL to mod_proxy; the target is taken from the
    # client-supplied X-Redirect-Url header, so that header needs to be
    # restricted to the intended upstream hosts.
    RewriteRule ^(.*)$ %{HTTP:X-Redirect-Url} [NC,P]
    # ProxyPass does not expand $1 (only ProxyPassMatch supports
    # backreferences) and is redundant next to the [P] rule above.
    ProxyPass / "https://$1"
</VirtualHost>
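Neither mod_ssl nor nginx exposes the negotiated protocol and cipher of the proxied (upstream) connection as a log variable, so the practical way to get that information is to observe it directly. The script below is an added example, not code from the question or from Apache/nginx: it completes a TLS handshake with the upstream, records the negotiated version and cipher in a log line shaped like the question's LogFormat, and flags anything below an assumed policy (TLS 1.2 minimum, AEAD ciphers only). The host name and the policy thresholds are assumptions.

```python
"""Probe an upstream HTTPS endpoint and record the negotiated TLS version and
cipher, standing in for the upstream-side log fields that mod_ssl / nginx do
not provide. Added example; host names and policy values are assumptions."""
import socket
import ssl
from datetime import datetime, timezone

# Assumed policy for this proxy: TLS 1.2 or newer, AEAD cipher suites only.
MIN_VERSION = "TLSv1.2"
# Ordering used to compare the strings returned by SSLSocket.version().
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def probe_upstream_tls(host, port=443, timeout=5.0, cafile=None):
    """Complete a TLS handshake with host:port and return the negotiated
    parameters. Certificate and hostname verification stay enabled, matching
    SSLProxyCheckPeerCN / SSLProxyCheckPeerExpire in the question's config."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _cipher_proto, cipher_bits = tls.cipher()
            return {
                "host": host,
                "port": port,
                "version": tls.version(),
                "cipher": cipher_name,
                "bits": cipher_bits,
            }


def version_rank(version):
    """Position of a protocol name in VERSION_ORDER; unknown names rank lowest."""
    try:
        return VERSION_ORDER.index(version)
    except ValueError:
        return -1


def evaluate(result, min_version=MIN_VERSION):
    """Return (ok, reason): ok is False when the negotiated version is below
    the policy minimum or the cipher is not an AEAD suite (GCM / CHACHA20)."""
    if version_rank(result["version"]) < version_rank(min_version):
        return False, "protocol %s is below %s" % (result["version"], min_version)
    if "GCM" not in result["cipher"] and "CHACHA20" not in result["cipher"]:
        return False, "cipher %s is not an AEAD suite" % result["cipher"]
    return True, "ok"


def format_log_line(result, when=None):
    """Render one line in the spirit of the question's LogFormat: timestamp,
    upstream, negotiated version and cipher, and the policy verdict."""
    when = when or datetime.now(timezone.utc)
    ok, reason = evaluate(result)
    return '%s upstream=%s:%d tls=%s cipher=%s bits=%d verdict=%s "%s"' % (
        when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        result["host"], result["port"], result["version"],
        result["cipher"], result["bits"],
        "PASS" if ok else "FAIL", reason,
    )


if __name__ == "__main__":
    import sys
    # Assumed upstream; pass the real application host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "upstream.example"
    print(format_log_line(probe_upstream_tls(target)))
```

Run it from the proxy host (optionally on a cron schedule, or once per deploy) and ship its output alongside the Apache access log; because the probe uses the same trust settings as the proxy, a FAIL verdict means the proxy itself is negotiating a weaker session than intended.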