FreeBSD 13.1 - weird jail (nginx) problem

K

kalleboy

Greetings.
I manually created a jail and installed nginx within it, made related settings, when I lynx http://10.10.10.3 both inside the jail (that's the IP of that jail) and externally from the host, nginx's default web sample page appears. So, that's fine.

However, when I type it with httpS, it says; Alert!: Unable to make secure connection to remote host. Making HTTPS connection to 10.10.10.3. Retrying connection without TLS. lynx: Can't access startfile https://10.10.10.3/"
And it's not about nginx's SSL configuration (they're all set correctly), not about PF limit (checked, verified), also;

both sockstat -4 and netstat -anf inet outputs;

www nginx 93839 9 tcp4 10.10.10.3:443 *:* -

so obviously nginx listens on 443 port. Any idea? I'm losing my mind here.

And browsing a random SSL website, like typing lynx https://www.google.com within the jail is no problem as well. It opens.

Can anybody point me to the error or to a possible workaround?

Code: 
[root@me:~]# cat /etc/jail.conf
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
allow.mount;
allow.mount.devfs;
mount.devfs; #mount devfs
allow.raw_sockets; #allow ping-pong
allow.sysvipc; #postgres
allow.reserved_ports; #The jail root may bind to ports lower than 1024.
devfs_ruleset="4"; #devfs ruleset for this jail
allow.set_hostname="0";
persist;


www2 {
host.hostname = "www2";
path = "/jails/demojail";
ip4.addr = 10.10.10.3;
exec.consolelog = "/var/log/jail_www2_console.log";
mount.fstab = /jails/demojail/fstab;
}


rc.conf:

jail_enable="YES"
jail_list=""
cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_lo1_alias1="inet 10.10.10.2 netmask 255.255.255.0"
ifconfig_lo1_alias2="inet 10.10.10.3 netmask 255.255.255.0"

[root@me:~]# ping 10.10.10.3
PING 10.10.10.3 (10.10.10.3): 56 data bytes
64 bytes from 10.10.10.3: icmp_seq=0 ttl=64 time=0.063 ms
64 bytes from 10.10.10.3: icmp_seq=1 ttl=64 time=0.110 ms


Thanks a lot.
 
(guessing, mostly on allow.set_hostname="0") nginx does listen, but does it have correct certificates? lynx does not seem to be the best tool to check here, try using the following command and check the certs:
Code: 
openssl s_client -connect 10.10.10.3:443
 
dsdqmhsx said:
(guessing, mostly on allow.set_hostname="0") nginx does listen, but does it have correct certificates? lynx does not seem to be the best tool to check here, try using the following command and check the certs:
Code: 
openssl s_client -connect 10.10.10.3:443
Click to expand...
Hello and thanks for your reply. I set allow.set_hostname to "1", didn't help. Nginx does has the correct certificates. Here's my Nginx config (within the jail):
Code: 
server {
listen 10.10.10.3:443 ssl http2 default_server;
server_name 10.10.10.3;

root /usr/local/www/web;

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /usr/local/etc/nginx/dhparam.pem;

ssl_session_cache    shared:SSL:1m;
ssl_session_timeout  5m;
ssl_ciphers  HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers  on;

}


Here's the output of the command within the jail itself:
Code: 
[root@www2:/]# openssl s_client -connect 10.10.10.3:443
CONNECTED(00000004)
34389172224:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1603:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Code: 
[root@www2:/]# ifconfig
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
        ether 96:00:01:41:c8:4e
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 10.10.10.3 netmask 0xffffff00
        groups: lo
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
 
Last edited by a moderator:
Additionally;

Code: 
[root@www2:/]# telnet 10.10.10.3 443
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
GET /
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx</center>
</body>
</html>
Connection closed by foreign host.

[root@www2:/]# netstat -anf inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.3.443         *.*                    LISTEN
tcp4       0      0 10.10.10.3.80          *.*                    LISTEN
tcp4       0      0 10.10.10.3.3306        *.*                    LISTEN

[root@www2:/]# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      92590 7  tcp4   10.10.10.3:80         *:*
www      nginx      92590 8  tcp4   10.10.10.3:443        *:*
www      nginx      92480 7  tcp4   10.10.10.3:80         *:*
www      nginx      92480 8  tcp4   10.10.10.3:443        *:*
root     nginx      92175 7  tcp4   10.10.10.3:80         *:*
root     nginx      92175 8  tcp4   10.10.10.3:443        *:*
mysql    mariadbd   6516  24 tcp4   10.10.10.3:3306       *:*
 
kalleboy said:
[root@www2:/]# openssl s_client -connect 10.10.10.3:443
CONNECTED(00000004)
34389172224:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1603:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
Click to expand...
This certainly does not look good, compare with e.g. a connect to www.freebsd.org:443:
Code: 
CONNECTED(00000004)
---
Certificate chain
 0 s:CN = www.freebsd.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
...

So my advice is double-checking the certs configuration. Other than that sorry, I don't know anything about nginx or its configuration, so I doubt I can be of any help here.
 
I thought that too, therefore I already set: 10.10.10.2 for the CN when it asked. (self-generated SSL cert).
 
You must log in or register to reply here.
Back
Top