NGINX redirect



  • Hi all,

    I'm having an issue that is giving me a hard time to pin down.

    We have a webserver on the DMZ network with NAT 1:1.
    Recently we noticed a WordPress website on this server was misbehaving; when pinning down the issue we verified this:

    Execution of the WordPress crons fails.
    We then proceeded to run it manually. So we used the curl/wget call method (the same one used when you disable the built-in WP Cron and put it on system crons) to test, and we found out the following:

    Using the direct call:

    $ curl -v https://www.domain.com/wordpress/wp-cron.php?doing_wp_cron=1
    *   Trying 1.2.3.4...
    * TCP_NODELAY set
    * Connected to www.domain.com (1.2.3.4) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html
    
    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
    

    and doing it without the https returns yet another interesting error:

    $ curl -v www.domain.com/wordpress/
    *   Trying 1.2.3.4...
    * TCP_NODELAY set
    * Connected to www.isscloud.io (1.2.3.4) port 80 (#0)
    > GET /charlie/ HTTP/1.1
    > Host: www.isscloud.io
    > User-Agent: curl/7.61.1
    > Accept: */*
    >
    < HTTP/1.1 301 Moved Permanently
    < Server: nginx
    < Date: Wed, 14 Oct 2020 13:34:33 GMT
    < Content-Type: text/html
    < Content-Length: 162
    < Connection: keep-alive
    < Location: https://www.domain.com/wordpress/
    < X-Frame-Options: SAMEORIGIN
    <
    <html>
    <head><title>301 Moved Permanently</title></head>
    <body>
    <center><h1>301 Moved Permanently</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    * Connection #0 to host www.domain.com left intact
    

    Now this last error is very disconcerting, for the sole reason that the web server is running Apache and DOES NOT even have nginx installed. The only thing on the path that has nginx is the pfSense.

    If I use an SSL analysis tool like https://www.ssllabs.com/ssltest/index.html I get the following:
    [Screenshot of the SSL Labs result, 2020-10-14]

    And we see no issues with the SSL cert.

    Does anyone have a clue where to look? Thank you.


  • LAYER 8 Global Moderator

    @maverickws said in NGINX redirect:

    Connected to www.domain.com (1.2.3.4) port 443 (#0)

    And what IP exactly is this 1.2.3.4? Is this your local server's IP, or the pfSense WAN IP?

    It's very hard to help users track down stuff when they obfuscate what IP they are talking to, without any mention of doing so, or of how to tell apart the differences in the IPs they present.

    Clearly you're not connecting to www.domain.com on 1.2.3.4 - so I take it what you're running into is a problem with NAT reflection, or lack of use of split domain to directly talk to your server while you're local.



  • Hi @johnpoz, thank you for your reply.

    I guess you're right. That was a public IP being obfuscated.

    Anyway, I had split DNS for the domain, but that wasn't enough. I had to add a "Host Override" to the DNS Resolver for the www; that fixed it.


  • LAYER 8 Global Moderator

    @maverickws said in NGINX redirect:

    Anyway, I had split DNS for the domain, but that wasn't enough. I had to add a "Host Override" to the DNS Resolver for the www; that fixed it.

    Not sure what you think you did with your split DNS, but unless you set up a full redirect so wildcards pointed to your local IP... Or you were using a domain override that pointed to something local that would resolve local IPs, and turned off rebind protection.

    Then yes you need a host override for any specific fqdn you might resolve.

    A simple test to see if your split DNS is working is to just resolve whatever FQDN you're wanting to go to - does it return what you want it to return? If not, your "split DNS" is not working ;)



  • @johnpoz said in NGINX redirect:

    Not sure what you think you did with your split DNS, but unless you set up a full redirect so wildcards pointed to your local IP... Or you were using a domain override that pointed to something local that would resolve local IPs, and turned off rebind protection.

    Ok... a little help here, what exactly do you mean by this?
    I have added a Host Override for domain "domain.com" with alias hosts www / mail etc. to the local IP.
    I have also added one "Domain Override" for domain.com with the local IP of the DNS server. I wonder if this was needed, or if this is for when I have a DNS server working with views?


  • LAYER 8 Global Moderator

    When you add a domain override to some internal NS that is going to return RFC 1918 space, you will need to either turn off rebind protection completely or set up whatever domain you overrode as a private domain. Or you're not going to get any responses, because of rebind protection.

    https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html

    As to your host override: it would need to be fully qualified. If you put in www.example.com, where www is the host and example.com is the domain, and then an alias for mail.example.com, then if you resolve ftp.example.com it wouldn't resolve to your override.

    You cannot do wildcards in the GUI; if you want a wildcard you need to do it in the options box on the Resolver GUI:

    server:
        local-zone: "example.com" redirect
        local-data: "example.com 86400 IN A 192.168.1.54"


    https://docs.netgate.com/pfsense/en/latest/services/dns/wildcards.html
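To make the three points above concrete, here is an added model (not code from the thread, from pfSense or from Unbound) of how the Resolver picks an answer: a `local-zone ... redirect` wildcard covers the zone and every name under it, a Host Override matches only the exact FQDN (and its aliases), and an RFC 1918 answer coming back through a Domain Override is discarded by rebind protection unless the domain is marked private. The names (`example.com`, `corp.example`), addresses and the `split_dns_ok` helper are constructed for the example; the latter is just the "resolve the FQDN and see what comes back" test described earlier.

```python
"""
Model of pfSense DNS Resolver (Unbound) answer selection.

Added example for this thread, not code from the thread, pfSense or Unbound.
It reproduces, on constructed data, the behaviour described in the post:
  * a wildcard 'local-zone ... redirect' answers for the zone and every
    name below it (Unbound allows no other local data beneath such a zone);
  * a host override only matches the exact FQDN (and its alias entries);
  * an RFC 1918 answer coming from a domain override (internal NS) is
    discarded by rebind protection unless that domain is marked private.
Names (example.com, corp.example) and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# private-address ranges that rebind protection strips from upstream answers
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class ResolverConfig:
    host_overrides: dict = field(default_factory=dict)    # fqdn -> ip (aliases are extra entries)
    redirect_zones: dict = field(default_factory=dict)    # zone -> ip  (local-zone ... redirect)
    domain_overrides: dict = field(default_factory=dict)  # zone -> {fqdn: ip} served by internal NS
    private_domains: set = field(default_factory=set)     # private-domain: entries
    rebind_protection: bool = True


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def _longest_match(name, zones):
    """Most specific zone containing name, or None."""
    hits = [z for z in zones if _in_zone(name, z)]
    return max(hits, key=len) if hits else None


def resolve(cfg, fqdn):
    """Return (source, ip); ip is None when no usable answer is produced."""
    name = fqdn.rstrip(".").lower()

    # 1. Wildcard redirect zone: one record answers the zone and everything under it.
    zone = _longest_match(name, cfg.redirect_zones)
    if zone:
        return ("redirect", cfg.redirect_zones[zone])

    # 2. Host override: exact FQDN only, so ftp.example.com does not match a
    #    www.example.com entry even when mail.example.com is an alias of it.
    if name in cfg.host_overrides:
        return ("host-override", cfg.host_overrides[name])

    # 3. Domain override: the query is forwarded to the internal NS for that zone,
    #    and the answer then passes through rebind protection.
    zone = _longest_match(name, cfg.domain_overrides)
    if zone:
        answer = cfg.domain_overrides[zone].get(name)
        if answer is None:
            return ("nxdomain", None)
        private_answer = any(ipaddress.ip_address(answer) in n for n in RFC1918)
        private_domain = _longest_match(name, cfg.private_domains) is not None
        if cfg.rebind_protection and private_answer and not private_domain:
            return ("dropped-by-rebind-protection", None)
        return ("domain-override", answer)

    # 4. Anything else goes to the public resolvers; for the poster's site that
    #    returns the public NAT address, which is why the client needed split DNS.
    return ("upstream", None)


def split_dns_ok(cfg, fqdn, expected_lan_ip):
    """The 'simple test': does the name resolve to the LAN address you expect?"""
    _, ip = resolve(cfg, fqdn)
    return ip == expected_lan_ip


# Constructed scenarios mirroring the thread.
LAN_WEB = "192.168.1.54"
HOST_ONLY = ResolverConfig(
    host_overrides={"www.example.com": LAN_WEB, "mail.example.com": LAN_WEB})
WILDCARD = ResolverConfig(redirect_zones={"example.com": LAN_WEB})
INTERNAL_NS = ResolverConfig(
    domain_overrides={"corp.example": {"intranet.corp.example": "10.0.0.5"}})
INTERNAL_NS_PRIVATE = ResolverConfig(
    domain_overrides={"corp.example": {"intranet.corp.example": "10.0.0.5"}},
    private_domains={"corp.example"})

if __name__ == "__main__":
    for label, cfg in (("host overrides", HOST_ONLY), ("wildcard", WILDCARD)):
        for n in ("www.example.com", "ftp.example.com"):
            print(f"{label:14} {n:18} -> {resolve(cfg, n)}")
    for label, cfg in (("domain override", INTERNAL_NS), ("+ private-domain", INTERNAL_NS_PRIVATE)):
        print(f"{label:16} intranet.corp.example -> {resolve(cfg, 'intranet.corp.example')}")
```

Running it shows `ftp.example.com` falling through to upstream with host overrides alone but being answered from the LAN address under the wildcard, and the Domain Override answer only surviving once `corp.example` is listed as a private domain. On a real box the equivalent check is to query the Resolver for the FQDN from a LAN client and compare the returned address with the server's LAN IP.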

