Anope IRC Services

Anope Support => 2.0.x/1.9.x Support => Topic started by: Keiro on December 05, 2015, 08:14:52 PM

Title: m_httpd and authbind
Post by: Keiro on December 05, 2015, 08:14:52 PM
Hi,

So... instead of doing the usual port forward shenanigan, I decided that I'd try getting authbind to work with m_httpd/web cpanel so that Services can be secured via https.

Alternatively, would it be possible to use nginx as a reverse proxy to pass along connections to Anope in place of m_httpd? Or... what? Because I'd like to enable use of port 443 but I'm still having trouble trying to get authbind to work with Anope.

Of course... having Anope run with root works just fine... (yes, it drops to a normal user as soon as it's done binding to port 443.)... but as there's also web servers running HTTPS, I wanted to know if it was possible at all to run that setup.

The ideal setup would be to run nginx, passing connections to 127.0.0.1 for m_httpd on whatever port you feel is appropriate...  set up with the relevant SSL certificate so you can have Services stay secure whilst nginx handles the grunt work.

Right now, I've got authbind installed, but that's not quite working as I'm hoping.
Title: Re: m_httpd and authbind
Post by: Adam on December 05, 2015, 08:17:14 PM
I recommend setting up mod_proxy/nginx/something to offload SSL and proxy everything; that's why the extforward_ configuration of m_httpd is there.
Title: Re: m_httpd and authbind
Post by: Keiro on December 05, 2015, 08:36:06 PM
Quote from: Adam
I recommend setting up mod_proxy/nginx/something to offload SSL and proxy everything; that's why the extforward_ configuration of m_httpd is there.

Hmm. So, as per your suggestion, I'm using nginx. However... I'm unable to get it working... I might be missing something but everything looks correct, here.

Code:
server {

    listen 443;
    server_name example.domain.com;

    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/services-irc.access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the “It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://localhost:2700;
      proxy_read_timeout  90;

      proxy_redirect      http://localhost:2700 https://domain.com;
    }
  }

and for Anope, it's:

Code:
module
{
        name = "m_httpd"

        httpd
        {
                /* Name of this service. */
                name = "httpd/main"

                /* IP to listen on. */
                ip = "127.0.0.1"

                /* Port to listen on. */
                port = 2700

                /* Time before connections to this server are timed out. */
                timeout = 30

                /* Listen using SSL. Requires an SSL module. */
                ssl = yes

                /* If you are using a reverse proxy that sends one of the
                 * extforward_headers set below, set this to its IP.
                 * This allows services to obtain the real IP of users by
                 * reading the forwarded-for HTTP header.
                 */
                extforward_ip = "45.63.69.155"

                /* The header to look for. These probably work as is. */
                extforward_header = "X-Forwarded-For Forwarded-For"
        }
}
Title: Re: m_httpd and authbind
Post by: Adam on December 06, 2015, 12:31:54 AM
If you proxy_pass to http://localhost:2700, you can't have ssl=yes in Anope. Also, extforward_ip would probably be 127.0.0.1 or ::1, because you are connecting to localhost.
Title: Re: m_httpd and authbind
Post by: Keiro on December 06, 2015, 04:41:34 AM
Quote from: Adam
If you proxy_pass to http://localhost:2700, you can't have ssl=yes in Anope. Also, extforward_ip would probably be 127.0.0.1 or ::1, because you are connecting to localhost.

Cue facepalming.

Also, so far... I'm unable to get it to work properly. I've updated modules.conf as per your comment re: ssl=yes for Anope. I'm still working on figuring out the perfect configuration.

My nginx config's now:

Code:
server {

    listen 443;
    server_name services.furryavalon.net;

    ssl_certificate           /etc/letsencrypt/live/services.furryavalon.net/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/services.furryavalon.net/privkey.pem;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/services-wolf.access.log;

location / {
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   Host      $http_host;
    proxy_pass         http://127.0.0.1:2700;
    proxy_read_timeout 90;
}
}

As for Anope, it's:

Code:
module
{
        name = "m_httpd"

        httpd
        {
                /* Name of this service. */
                name = "httpd/main"

                /* IP to listen on. */
                ip = "127.0.0.1"

                /* Port to listen on. */
                port = 2700

                /* Time before connections to this server are timed out. */
                timeout = 30

                /* Listen using SSL. Requires an SSL module. */
                ssl = no

                /* If you are using a reverse proxy that sends one of the
                 * extforward_headers set below, set this to its IP.
                 * This allows services to obtain the real IP of users by
                 * reading the forwarded-for HTTP header.
                 */
                extforward_ip = "45.63.69.155"
                #extforward_ip = "127.0.0.1"
                /* The header to look for. These probably work as is. */
                extforward_header = "X-Forwarded-For Forwarded-For"
                #extforward_header = "X-Real-IP"
        }
}

With this setup, it's not working as it continues to throw out an incorrect SSL certificate. I'm going to try it the other way, with X-Real-IP. Also, I've tried switching around a couple of the commented blocks with no real effect other than still coming up with incorrect SSL certificates.
Title: Re: m_httpd and authbind
Post by: Keiro on December 06, 2015, 09:37:59 PM
Fixed the issue!

Turns out it was this particular bit that was the issue.

Code:
server {

    listen 443;
    server_name services.furryavalon.net;

Adding the IP so that it shows as xxx.xx.xxx.xxx:443; correctly resolves the issue. I should've caught it earlier but at least it's resolved, now. Happy Keiro.
Title: Re: m_httpd and authbind
Post by: Keiro on December 07, 2015, 01:51:18 AM
I shouldn't have called it done so soon. :P

Adam, would you happen to know how I'd resolve the issue of nginx and Anope working together?

If I log into Anope via the web portal, I get this:

Code:
http://services.furryavalon.net/nickserv/info

Not Found

The requested URL /nickserv/info was not found on this server.

Also, not sure why it was in http. It shouldn't be.
Title: Re: m_httpd and authbind
Post by: Keiro on December 12, 2015, 02:12:58 AM
OK, so nginx's error logs indicate that for whatever reason, nginx is not redirecting to /nickserv and other such things after login. I'm still unable to get nginx to redirect to the webcpanel or m_httpd... or something because I have no idea what's going on in order to fix it.

Sample errors:

Code:
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:01:58:52 +0000] "GET /static/style.css HTTP/1.1" 200 1041 "https://services.furryavalon.net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:01:58:52 +0000] "GET /static/logo.png HTTP/1.1" 200 19247 "https://services.furryavalon.net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:01:58:52 +0000] "GET /static/cubes.png HTTP/1.1" 200 723 "https://services.furryavalon.net/static/style.css" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:01:58:56 +0000] "POST / HTTP/1.1" 302 0 "https://services.furryavalon.net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:02:06:36 +0000] "GET / HTTP/1.1" 200 840 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:02:06:36 +0000] "GET /style.css HTTP/1.1" 404 14 "https://services.furryavalon.net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:02:06:36 +0000] "GET /logo.png HTTP/1.1" 404 14 "https://services.furryavalon.net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:02:06:37 +0000] "GET /favicon.ico HTTP/1.1" 200 3774 "https://services.furryavalon.net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:02:06:44 +0000] "POST / HTTP/1.1" 302 0 "https://services.furryavalon.net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
2001:470:7c:37e:c9d4:737f:5f66:9787 - - [12/Dec/2015:02:09:23 +0000] "GET / HTTP/1.1" 200 844 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"

Those IPs are mine. I'm not concerned about people finding those IPs.
Title: Re: m_httpd and authbind
Post by: Keiro on December 12, 2015, 03:49:59 AM
Finally got a working config with nginx. Also, if you want SSL to be enforced the entire way through the process, then you must have ssl = on in your modules.conf for m_httpd.

I noticed that after logging in, I would be redirected to http:// and not https://, which required me to edit the config to enforce SSL all the way through.

This is what works for me:

Code:
server {
    listen 45.63.69.155:80;
    listen 45.63.69.155:443 ssl;
    #listen 127.0.0.1:80;
    server_name services.furryavalon.net www.services.furryavalon.net;
    ssl_certificate        /etc/letsencrypt/live/services.furryavalon.net/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/services.furryavalon.net/privkey.pem;

    location / {
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host      $http_host;
        proxy_pass         http://127.0.0.1:2700;
    }

    location /error/ {
        alias   /home/wolf/web/services.furryavalon.net/document_errors/;
    }

    location ~ /\.ht    {return 404;}
    location ~ /\.svn/  {return 404;}
    location ~ /\.git/  {return 404;}
    location ~ /\.hg/   {return 404;}
    location ~ /\.bzr/  {return 404;}
}
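An added checker, not part of this thread or of Anope, that reads an nginx server block and an Anope m_httpd block and reports the mismatches the posts above ran into: TLS enabled on only one side of the proxy hop, a listen on 443 without the ssl flag, an extforward_ip that is not the loopback address nginx actually connects from, and a trusted forwarded header that nginx never overwrites (such a header reaches Anope exactly as the client sent it). The two sample configs, the host services.example.net and the address 203.0.113.10 are constructed for the example.

```python
import re

# Constructed sample pair modelled on the configs posted in this thread (not a real deployment).
NGINX_CONF = """server {
    listen 203.0.113.10:443 ssl;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:2700;
    }
}"""
ANOPE_CONF = """module
{
        httpd
        {
                ip = "127.0.0.1"
                port = 2700
                ssl = yes
                extforward_ip = "203.0.113.10"
                extforward_header = "X-Forwarded-For Forwarded-For"
        }
}"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def check_proxy_pair(nginx_conf, anope_conf):
    """Return a list of mismatches between an nginx server block and an Anope m_httpd block."""
    problems = []
    # listen 443 without the ssl flag is the "wrong certificate" symptom seen in the thread
    for spec in re.findall(r"^\s*listen\s+([^;]+);", nginx_conf, re.M):
        words = spec.split()
        if (words[0] == "443" or words[0].endswith(":443")) and "ssl" not in words[1:]:
            problems.append(f"listen {words[0]} lacks 'ssl': nginx speaks plain HTTP on the TLS port")
    pp = re.search(r"proxy_pass\s+(https?)://([^:/;\s]+)(?::(\d+))?", nginx_conf)
    scheme, host = pp.group(1), pp.group(2)
    port = pp.group(3) or ("443" if scheme == "https" else "80")
    sent = set(re.findall(r"proxy_set_header\s+(\S+)", nginx_conf))  # headers nginx overwrites
    a = dict(re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]+?)"?\s*$', anope_conf, re.M))  # key = value lines
    if (scheme == "https") != (a.get("ssl") == "yes"):
        problems.append(f"proxy_pass uses {scheme} but Anope has ssl = {a.get('ssl')}")
    if port != a.get("port"):
        problems.append(f"proxy_pass port {port} does not match Anope port {a.get('port')}")
    if a.get("ip") in LOOPBACK and host not in LOOPBACK:
        problems.append(f"Anope listens on {a['ip']} but nginx connects to {host}")
    if host in LOOPBACK and a.get("extforward_ip") not in LOOPBACK:
        problems.append(f"extforward_ip {a.get('extforward_ip')} is not the loopback address nginx connects from")
    # a trusted header that nginx does not set arrives from the client unchanged, so it can be forged
    for hdr in a.get("extforward_header", "").split():
        if hdr not in sent:
            problems.append(f"Anope trusts {hdr} but nginx never sets it")
    return problems
```

Running it on the sample pair reports four mismatches; switching ssl to no, extforward_ip to 127.0.0.1 and extforward_header to X-Real-IP makes the pair consistent with that nginx block.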
Title: Re: m_httpd and authbind
Post by: Peter Pan on March 23, 2016, 04:13:22 PM
Hello
Can you tell me step by step how to configure webcpanel with the nginx webserver? I have enabled the webcpanel and m_httpd modules and configured them in modules.conf, but I don't know how to configure nginx to work with webcpanel. I have searched for documentation on this but found nothing. Can you help me? Sorry for my English, thank you!