Nginx SSL HTTPS não funciona externamente mesmo firewall é aberto

1

O HTTP está funcionando bem no servidor e no cliente. HTTPs só funciona no servidor. O que eu poderia fazer para fazer os HTTPs funcionarem externamente?

Do servidor

OpenSSL : OpenSSL 1.0.2g  1 Mar 2016
Nginx   : nginx/1.10.3
OS      : Ubuntu 14.04.5 LTS
NodeJS  : v6.10.2

Eu tenho um servidor expresso nodejs em execução em 127.0.0.1:5000 ligado em 127.0.0.1 em meu servidor.

Eu configurei um proxy reverso para este servidor expresso nodejs. Aqui está o meu arquivo de configuração do nginx:

upstream nodejs {
    server 127.0.0.1:5000 fail_timeout=10s;
}

server {
    listen 80;
    listen 443 ssl;
    server_name domain.foo;

    ssl_certificate /etc/letsencrypt/live/domain.foo/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.foo/privkey.pem;

    location /.well-known {
       root /var/www/ssl-proof/default/;
    }

    location / {
        proxy_pass http://nodejs;
        proxy_read_timeout  90;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

Vamos criptografar está funcionando bem Eu fiz openssl s_client -connect domain.foo:443 do servidor e estou recebendo o certificado sem problemas. curl -k -vvv https://domain.foo também está funcionando bem.

Aqui está um ufw status no meu servidor

443/tcp                    ALLOW       Anywhere
22                         ALLOW       Anywhere
1194                       ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
Nginx HTTPS                ALLOW       Anywhere
5000                       ALLOW       Anywhere
443/tcp (v6)               ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
1194 (v6)                  ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Nginx HTTPS (v6)           ALLOW       Anywhere (v6)

Do cliente

Aqui está um nmap do cliente para o servidor

rDNS record for X.X.X.X: domain.foo
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
5000/tcp closed upnp

Nmap done: 1 IP address (1 host up) scanned in 5.75 seconds

Quando tento executar openssl s_client -connect domain.foo:443 -debug -msg . Isso é o que eu recebo:

CONNECTED(00000003)
write to 0x19a5fc0 [0x19a6040] (315 bytes => 315 (0x13B))
0000 - 16 03 01 01 36 01 00 01-32 03 03 52 50 26 f0 79   ....6...2..RP&.y
0010 - 67 6c 18 e4 dc 90 e4 47-f0 66 62 9a 3b 66 84 8b   gl.....G.fb.;f..
0020 - 81 7e 6f ad cd 61 39 f8-de e4 e1 00 00 b4 c0 30   .~o..a9........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1   .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a   .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f   .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0   .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43   .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c   .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-c0 11 c0 07 c0 0c c0 02   .<./...A........
00c0 - 00 05 00 04 c0 12 c0 08-00 16 00 13 00 10 00 0d   ................
00d0 - c0 0d c0 03 00 0a 00 15-00 12 00 0f 00 0c 00 09   ................
00e0 - 00 ff 01 00 00 55 00 0b-00 04 03 00 01 02 00 0a   .....U..........
00f0 - 00 1c 00 1a 00 17 00 19-00 1c 00 1b 00 18 00 1a   ................
0100 - 00 16 00 0e 00 0d 00 0b-00 0c 00 09 00 0a 00 23   ...............#
0110 - 00 00 00 0d 00 20 00 1e-06 01 06 02 06 03 05 01   ..... ..........
0120 - 05 02 05 03 04 01 04 02-04 03 03 01 03 02 03 03   ................
0130 - 02 01 02 02 02 03 00 0f-00 01 01                  ...........
>>> TLS 1.2  [length 0005]
    16 03 01 01 36
>>> TLS 1.2 Handshake [length 0136], ClientHello
    01 00 01 32 03 03 52 50 26 f0 79 67 6c 18 e4 dc
    90 e4 47 f0 66 62 9a 3b 66 84 8b 81 7e 6f ad cd
    61 39 f8 de e4 e1 00 00 b4 c0 30 c0 2c c0 28 c0
    24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00
    6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00
    87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0
    05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0
    23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00
    40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00
    99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0
    2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00
    96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 c0
    12 c0 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00
    0a 00 15 00 12 00 0f 00 0c 00 09 00 ff 01 00 00
    55 00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00
    17 00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00
    0d 00 0b 00 0c 00 09 00 0a 00 23 00 00 00 0d 00
    20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04
    01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02
    03 00 0f 00 01 01
read from 0x19a5fc0 [0x19ab5a0] (7 bytes => 0 (0x0))
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1493896114
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Aqui está o tcpdump -vvv port 443 no servidor da chamada anterior

tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
07:14:35.760888 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    domain.foo.htps > li470-25.client.foo.51928: Flags [S.], cksum 0x07a5 (correct), seq 3770024728, ack 3716645599, win 14480, options [mss 1460,sackOK,TS val 1825234083 ecr 129546331,nop,wscale 7], length 0
07:14:35.813457 IP (tos 0x0, ttl 52, id 14982, offset 0, flags [DF], proto TCP (6), length 52)
    li470-25.client.foo.51928 > domain.foo.htps: Flags [.], cksum 0x6e0d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 129546346 ecr 1825234083], length 0
07:14:35.813698 IP (tos 0x0, ttl 52, id 14983, offset 0, flags [DF], proto TCP (6), length 367)
    li470-25.client.foo.51928 > domain.foo.htps: Flags [P.], cksum 0x22c2 (correct), seq 1:316, ack 1, win 229, options [nop,nop,TS val 129546346 ecr 1825234083], length 315
07:14:35.813717 IP (tos 0x0, ttl 64, id 57281, offset 0, flags [DF], proto TCP (6), length 52)
    domain.foo.htps > li470-25.client.foo.51928: Flags [.], cksum 0x6d08 (correct), seq 1, ack 316, win 122, options [nop,nop,TS val 1825234136 ecr 129546346], length 0
07:14:35.814087 IP (tos 0x0, ttl 64, id 57282, offset 0, flags [DF], proto TCP (6), length 52)
    domain.foo.htps > li470-25.client.foo.51928: Flags [F.], cksum 0x6d07 (correct), seq 1, ack 316, win 122, options [nop,nop,TS val 1825234136 ecr 129546346], length 0
07:14:35.866972 IP (tos 0x0, ttl 52, id 14984, offset 0, flags [DF], proto TCP (6), length 52)
    li470-25.client.foo.51928 > domain.foo.htps: Flags [F.], cksum 0x6c8b (correct), seq 316, ack 2, win 229, options [nop,nop,TS val 129546362 ecr 1825234136], length 0
07:14:35.867009 IP (tos 0x0, ttl 64, id 57283, offset 0, flags [DF], proto TCP (6), length 52)
    domain.foo.htps > li470-25.client.foo.51928: Flags [.], cksum 0x6cc1 (correct), seq 2, ack 317, win 122, options [nop,nop,TS val 1825234189 ecr 129546362], length 0

Quando tento executar curl -k -vvv https://domain.foo , é o que recebo:

* About to connect() to domain.foo port 443 (#0)
*   Trying X.X.X.X.. connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to domain.foo:443 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to domain.foo:443 

Quando acesso o https//domain.foo no navegador, acabei de receber um ERR_CONNECTION_CLOSED do chrome.

O que eu posso fazer para que os HTTPs funcionem externamente?

    
por bman 03.05.2017 / 19:13

0 respostas