
Sysadmin Local Server Setup Help

Discussion in 'System Administration' started by Jimmy, Mar 25, 2018.

  1. Jimmy

    Getting hung up on an HSTS error when setting up my local testing server.

    Almost all my scripts work fine using an IP address in my local testing environment.

    One script won't work using an IP only.

    1. I created a vhost in CMM called jr135.dev w/ self-signed SSL.

    2. Modified the /etc/hosts file with:
    Code:
    10.0.0.135  jr135.dev
    3. I modified the vhost file:
    Code:
    server {
        listen  80;
        # listen []:80 ipv6only=off;
        server_name jr135.dev www.jr135.dev;
        return 301 https://jr135.dev$request_uri;
    
        # Error Logs via 80
        access_log /home/nginx/domains/jr135.dev/log/access_via80_135.log combined buffer=256k flush=5m;
        error_log /home/nginx/domains/jr135.dev/log/error_via80_135.log;
    }
    
    server {
        listen 443 ssl http2;
        # listen []:443 ssl http2 ipv6only=off;
        server_name  jr135.dev;
    
        # Will re-direct any SSL requests for www to non-www
        # https://centminmod.com/nginx_domain_dns_setup.html#httpsredirect
        if ($host = 'www.jr135.dev' ) {
            return 301 https://jr135.dev$request_uri;
        }
    
        ssl_dhparam /usr/local/nginx/conf/ssl/jr135.dev/dhparam.pem;
        ssl_certificate      /usr/local/nginx/conf/ssl/jr135.dev/jr135.dev.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/jr135.dev/jr135.dev.key;
        include /usr/local/nginx/conf/ssl_include.conf;
    
        # Cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
        # ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/blockchaintalk.org/origin.crt;
        # ssl_verify_client on;
    
        http2_max_field_size 16k;
        http2_max_header_size 32k;
    The problem I'm having is that every time I visit https://jr135.dev it gives me an error:
    Code:
    NET::ERR_CERT_AUTHORITY_INVALID
    Code:
    jr135.dev normally uses encryption to protect your information. When Google Chrome tried to connect to jr135.dev this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be jr135.dev, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
    
    You cannot visit jr135.dev right now because the website uses HSTS. 
    If anyone can shed some light on what is going wrong, let me know.
     
    Last edited: Mar 25, 2018
  2. Meirami

    There may be some old (HSTS) information left in the browser cache. Try it in incognito.
     
  3. Jimmy

    I tried with a few different browsers, still no luck.

    Good idea with the incognito window, I don't use that as much as I should - it's so darn easy to pop open one of those windows.
     
  4. eva2000

    HSTS forces HTTPS on the domain and, if you configure it, on all subdomains, and is cached in the web browser. If set incorrectly, you can effectively DOS (denial of service) your own server/site for the duration of the set max-age, i.e. 365 days, meaning visitors to your site won't be able to visit your site for up to 365 days unless they clear their browser HSTS cache. Only set HSTS if you know 100% for sure you will only ever use HTTPS for the domain and subdomains forever... and I mean forever, never going back to non-HTTPS.

    See SSL - How to clear HSTS browser cache | Centmin Mod Community :)
     
  5. Jimmy

    @eva2000 useful information! Though, I tried several browsers. Everything returns an error.

    I shouldn't have to modify the server hosts file on the server right? I modified the hosts file on my computer - the one that connects to the server.
     
  6. Jimmy

    If I enter https://10.0.0.135, works great. Too bad using the IP won't work in the script.

    Screenshot from 2018-03-24 18-17-11.png
     
  7. Jimmy

    Did a test.

    1. Created 2 vhost sites. One called jamroom1 and the other called jamroom2.dev

    2. Disabled the non-ssl conf file with -bak extension (jamroom1.conf-bak & jamroom2.dev.conf-bak)

    3. Changed my computer's hosts file to associate 10.0.0.135 w/ whatever domain from above I was testing. Did a network restart with each change.

    4. Added 10.0.0.135 to the :443 in both CMM stock vhost config files.

    Testing:

    A. jamroom1. Entered https://jamroom1 and everything worked great.
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #       listen   80;
    #       server_name jamroom1 www.jamroom1;
    #       return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 10.0.0.135:443 ssl http2;
      server_name jamroom1 www.jamroom1;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/jamroom1/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/jamroom1/jamroom1.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/jamroom1/jamroom1.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/jamroom1/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/jamroom1/jamroom1-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/jamroom1/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/jamroom1/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/jamroom1/autoprotect-jamroom1.conf;
      root /home/nginx/domains/jamroom1/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-jamroom1.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    Screenshot from 2018-03-24 19-01-18.png


    B. jamroom2.dev. Entered https://jamroom2.dev and got the HSTS error.

    I noticed on this one that if I enter https://10.0.0.135 the site works fine and shows me the jamroom2.dev CMM default page.

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #       listen   80;
    #       server_name jamroom2.dev www.jamroom2.dev;
    #       return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 10.0.0.135:443 ssl http2;
      server_name jamroom2.dev www.jamroom2.dev;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/jamroom2.dev/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/jamroom2.dev/jamroom2.dev.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/jamroom2.dev/jamroom2.dev.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/jamroom2.dev/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/jamroom2.dev/jamroom2.dev-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/jamroom2.dev/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/jamroom2.dev/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/jamroom2.dev/autoprotect-jamroom2.dev.conf;
      root /home/nginx/domains/jamroom2.dev/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-jamroom2.dev.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    Screenshot from 2018-03-24 19-04-08.png

    Tried the above on multiple browsers, which yielded the same results.

    Note: 10.0.0.135 vhost file was removed from the server. There was an IP site setup on .135 but I removed the entire account before testing.

    Why would CMM be fine for jamroom1 but not for jamroom2.dev?
     
    Last edited: Mar 25, 2018
  8. eva2000

    Have you previously used jamroom2.dev on an HTTPS / HSTS-enabled vhost? It could still be in the browser cache. Tried visiting from another computer/mobile/tablet device on the same local network to verify?

    Tried using jamroom2.com instead of .dev? The browser might see .dev as the domain, so if you had HSTS on .dev as the domain, any subdomain *.dev would be HSTS linked.
     
  9. Jimmy

    1. No.

    2. Same on different machines.

    3. .com works.

    So, it appears to be the .dev which is causing the issue.
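    A small model of the browser-side decision eva2000 describes above (policy lookup walking from the host up to its parent domains, includeSubDomains, max-age expiry) that reproduces what Jimmy found: Chrome ships the whole .dev TLD on its built-in HSTS preload list with includeSubDomains, so every *.dev host is HTTPS-only and a self-signed certificate cannot be clicked through, while jamroom1, jamroom2.com and the bare IP are unaffected. This is an added example, not code from the thread or from Centmin Mod; the preloaded entry and the header values fed to it are constructed inputs.

```python
import time
from typing import Callable, Dict, Optional, Tuple

def parse_sts_header(value: str, now: float) -> Optional[Tuple[bool, float]]:
    # RFC 6797: max-age is mandatory, names are case-insensitive; returns (includeSubDomains, expiry) or None.
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return include_sub, now + max_age

class HstsStore:
    # Minimal model of a browser's HSTS cache: preloaded entries plus observed headers (constructed data).
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._policies: Dict[str, Tuple[bool, float]] = {}

    def preload(self, host: str, include_subdomains: bool = True) -> None:
        # Built-in entries never expire; Chrome ships the whole .dev TLD this way.
        self._policies[host.lower()] = (include_subdomains, float("inf"))

    def observe(self, host: str, header: str) -> None:
        # Header seen on an HTTPS response; max-age=0 tells the browser to forget the host.
        policy = parse_sts_header(header, self._now())
        if policy is None:
            return
        if policy[1] <= self._now():
            self._policies.pop(host.lower(), None)
        else:
            self._policies[host.lower()] = policy

    def is_https_only(self, host: str) -> bool:
        # True if the browser would refuse plain HTTP or a bad certificate for this host.
        labels = host.lower().rstrip(".").split(".")
        if all(label.isdigit() for label in labels):
            return False  # IP literals never get HSTS, which is why https://10.0.0.135 loads
        for i in range(len(labels)):  # the host itself, then each parent domain up to the TLD
            policy = self._policies.get(".".join(labels[i:]))
            if policy and policy[1] > self._now() and (i == 0 or policy[0]):
                return True
        return False
```

    With `store = HstsStore(); store.preload("dev")`, `store.is_https_only("jamroom2.dev")` is True while `store.is_https_only("jamroom2.com")`, `store.is_https_only("jamroom1")` and `store.is_https_only("10.0.0.135")` are False, matching the three test cases in this thread.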
     
  10. eva2000

    Yeah just use valid domain extensions for dummy domains :)
     