Caddy - Setting HTTPS on local domain - https

I would like to add HTTPS to my local domain; however, we can't do this on localhost.
My website works fine when I run it with this Caddyfile:
localhost:2020 {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
But I would like to name this website or at least enable HTTPS on it. According to Caddy, you can't do this on localhost, but what if I have a domain name?
I have tried using my own local address with this Caddyfile
192.168.100.26 {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
All works fine but I still don't have HTTPS...
And when I try to add a random domain name for example
www.mycaddytest.com {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
I got the following error
Activating privacy features...2016/08/18 11:53:26 [www.mycaddytest.com] failed to get certificate: acme: Error 400 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up A for www.mycaddytest.com
Error Detail:
Validation for www.mycaddytest.com:80
Resolved to:
Used:
I know this error is due to a non-existent domain name, but is there a way to deal with it?
Just getting HTTPS on localhost or an IP address will be enough.

Since Caddy 0.9 we can use the tls self_signed attribute.
Use this Caddyfile
localhost:2020 {
bind {$ADDRESS}
proxy / 192.168.100.82:9000
tls self_signed
}
And try https://localhost:2020

For Caddy version 2.4.5, the accepted answer did not work for me. What worked is shown below:
localhost:443 {
reverse_proxy 127.0.0.1:8080
tls internal
}

I know that answer is already accepted. But I had the same problem with Caddy v0.10.14 and this is the solution that helped me (but with a real SSL certificate instead of self_signed):
Firstly, the certificate & key pair must be in these directories: /etc/pki/tls/certs/ for the certificate and /etc/pki/tls/private/ for the key. So go to one of these directories with the cd command.
Then, create your own self-signed certificate for HTTP/2.0 testing with a single command. Just execute this on your command line to generate an SSL certificate + key pair:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout cert.key -out cert.crt
After that, move files to correct directories (see the first point)
Next, use this Caddyfile and try https://localhost:2020:
localhost:2020 {
bind {$ADDRESS}
root /var/www
gzip
tls your.address@example.com
tls /etc/pki/tls/certs/cert.crt /etc/pki/tls/private/cert.key
}

Also, if you are running Caddy in a Docker container, you may need to import and trust the root certificate.
docker ps
docker cp container_id:/config/caddy/pki/authorities/local/root.crt ~/Desktop
Then the Caddyfile, for Laravel Sail for example, could look something like this:
yourlocaldomain.dev {
tls internal
reverse_proxy laravel.test
}
More may be here: https://gilbitron.me/blog/enabling-https-ssl-for-laravel-sail-using-caddy/

Related

Ubuntu 18 Firefox: add trust to an existing certificate

I'm using Ubuntu 18 desktop and I have added the certificates I need for Firefox 73.0 to:
/usr/share/ca-certificates/mozilla
and also added it to:
/etc/ca-certificates.conf
at the end of the file, like:
mozilla/caname.crt
And ran:
update-ca-certificates
Now I can see the certificates are in the Firefox certificate list through the browser, but they do not have any trust box marked, so it doesn't work.
Is there a way from the CLI to force the trust flag on these certificates, maybe with certutil?
I know there are a lot of ways to add certificates to Firefox using CLI commands, but none have worked for me; now I was able to add the certificates using the commands above, but I need to add the trust.
Found this solution to add certificates to Firefox on Ubuntu:
https://github.com/mozilla/policy-templates/#proxy
You simply need to add this file to:
/usr/lib/firefox/distribution/
touch policies.json
In policies.json add:
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": [
        "somecert1.crt",
        "/usr/local/share/ca-certificates/somecert1.crt"
      ]
    }
  }
}
The Install part is first the name of the cert and then the path.
And restart Firefox. If something doesn't work, try resetting Firefox, as if you have set something before it can get stuck.
This method works well without certutil.

Dovecot pigeonhole sieve proxy with ldap

For an upcoming IMAP migration, I need to proxy my users.
I plan to use Nginx for proxying IMAP and POPS traffic and directing them according to an LDAP attribute (mailHost).
But Nginx can't proxy SIEVE.
Dovecot Pigeonhole seems to be able to proxy the SIEVE protocol.
I am trying to configure it to avoid LDAP authentication because there's already authentication on the IMAP stores.
That doesn't work for now.
Here's my conf, following these docs:
Password DB extra fields
Dovecot proxies
/etc/dovecot/dovecot.conf:
protocols = sieve
!include conf.d/*.conf
/etc/dovecot/conf.d/90-sieve.conf
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
/etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
!include auth-ldap.conf.ext
/etc/dovecot/conf.d/auth-ldap.conf
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
/etc/dovecot/dovecot-ldap.conf.ext
hosts = xxx.xxx.xxx.xxx
ldap_version = 3
base = ou=myOU, dc=domain, dc=example
pass_attrs = \
=user=%{ldap:user}, \
=password=, \
=proxy=y, \
=host=%{ldap:mailHost}
And here's the error in the log when I try to modify a sieve script using Horde Webmail:
dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, session=
I surely missed a setting somewhere.
For now, I haven't found yet.
Any help will be greatly appreciated
Thanks
OK, I've found the problem
To proxy password to IMAP backends:
/etc/dovecot/dovecot-ldap.conf.ext:
hosts = xxx.xxx.xxx.xxx
ldap_version = 3
base = ou=myOU, dc=domain, dc=example
pass_attrs = \
=user=%{ldap:user}, \
=password=, \
=proxy=y, \
=nopassword=y, \
=host=%{ldap:mailHost}, \
=port=2000
The doc says:
If you don’t want proxy itself to do authentication, you can configure it to succeed with any given password. You can do this by returning an empty password and nopassword field.
And port 2000 is needed because the IMAP backend still in production is running an old version of timsieved (cyrus sieve implementation)
Then, the backends are waiting for PLAIN authentication.
That's disabled by default in Dovecot, so activate it with:
/etc/dovecot/conf.d/10-auth.conf:
disable_plaintext_auth = no
auth_mechanisms = plain login
!include auth-ldap.conf.ext
This degrades the security, so I will limit access to port 2000 to the dovecot pigeon-hole proxy.

Enable HTTPS in Lighttpd

I would like to enable HTTPS in Lighttpd. I have a "key" file (created using openssl), along with the certificate and intermediate certificates generated by the SSL provider, but I'm not sure how these files are used in Lighttpd. It seems like the config file is expecting a file in "pem" format.
For completeness, I will also include the step for generating the keystore and CSR file.
CSR Generation
On the terminal, type (and enter your details).
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
HTTPS Configuration
1) You need to merge your keystore with the certificate returned by the issuer. This can be done in a text editor but I'd recommend doing it on the command line.
cat myserver.key domain_com.crt > domain.pem
2) To enable HTTPS in Lighttpd, open lighttpd.conf and enter the following
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "[path to domain.pem]"
ssl.ca-file = "[path to CA bundle containing root and intermediate certs]"
}
3) Make sure the server has the relevant permissions to read the certificate files.
4) Restart the Lighttpd service.

Bower calls blocked by corporate proxy

I'm trying to use Bower for a web app, but find myself hitting some sort of proxy issues:
D:\>bower search jquery
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 1.2s
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 2.5s
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 6.8s
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 15.1s
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 20.3s
bower ECONNRESET Request to https://bower.herokuapp.com/packages/search/jquery failed: tunneling socket could not be established, cause=Parse Error
Relevant points:
I can browse to https://bower.herokuapp.com/packages/search/jquery and it returns a full json response.
I can use git to clone, both using the git:// protocol and http(s).
I can use NPM directly without these issues
I've tried using Fiddler to determine what's being blocked, but it doesn't detect any calls from the Bower command. I can see calls from NPM commands in Fiddler.
I've searched the Bower issues list, seen similar issues, but they either have no solution or it doesn't seem quite the same as mine.
Any ideas?
Thanks @user3259967
This did the job.
I would like to add that if you are behind a proxy that needs to be authenticated, you can add the username/password to your .bowerrc file.
{
"directory": "library",
"registry": "http://bower.herokuapp.com",
"proxy":"http://<USERNAME>:<PASSWORD>@<PROXY_IP>:<PROXY_PORT>/",
"https-proxy":"http://<USERNAME>:<PASSWORD>@<PROXY_IP>:<PROXY_PORT>/"
}
NOTICE the use of http:// in https-proxy
The solution for me is this .bowerrc config:
{
"directory": "vendor",
"registry": "http://bower.herokuapp.com",
"proxy": "http://<user>:<pwd>@proxy.host.br:8080",
"https-proxy": "http://<user>:<pwd>@proxy.host.br:8080",
"strict-ssl": false
}
Using the http protocol in https-proxy plus a registry entry with the http protocol.
Remember to change the 8080 port number to whatever your proxy server port is.
Are you behind a proxy?
Have you set up environment variables HTTP_PROXY and HTTPS_PROXY?
SET HTTP_PROXY=http://yourproxyserver:yourproxyport
SET HTTPS_PROXY=http://yourproxyserver:yourproxyport
Try changing the registry value in your .bowerrc:
{
"registry": "http://bower.herokuapp.com"
}
I did not have a .bowerrc file to configure my Bower settings. I found the settings living in a file called defaults.js, found under "C:\...\bower\node_modules\bower-config\lib\util\defaults.js".
I hope this helps others:
var defaults = {
'cwd': process.cwd(),
'directory': 'bower_components',
'registry': 'http://bower.herokuapp.com',
'shorthand-resolver': 'git://github.com/{{owner}}/{{package}}.git',
'tmp': paths.tmp,
'proxy': '<<http://user:pass@proxy:port>>', // change proxy here or at the top
'https-proxy': '<<http://user:pass@proxy:port>>', // change proxy here or at the top
'timeout': 30000,
'ca': { search: [] },
'strict-ssl': false,
'user-agent': userAgent,
'color': true,
'interactive': null,
'storage': {
packages: path.join(paths.cache, 'packages'),
links: path.join(paths.data, 'links'),
completion: path.join(paths.data, 'completion'),
registry: path.join(paths.cache, 'registry'),
empty: path.join(paths.data, 'empty') // Empty dir, used in GIT_TEMPLATE_DIR among others
}
};
module.exports = defaults;
You can try what @thebignet suggested on the same issue on GitHub.
Set proxy, https-proxy and strict-ssl configuration into .bowerrc File :
{
"proxy" : "http://<host>:<port>",
"https-proxy" : "http://<host>:<port>",
"strict-ssl" : false
}
But you must run this command from the terminal:
git config --global url."https://".insteadOf git://
"strict-ssl": false
in .bowerrc did it for me.
For Win 7.
What worked for me are the steps below, as suggested at this link (read @nanowizard's answer).
In the .bowerrc file, remove any http_proxy / https_proxy settings that you might have done earlier. This is important.
So the final content of this file should look like:
{
"directory": "app/bower_components"
}
Set environment variables on your PC, http_proxy and https_proxy, to your corporate firewall proxy. In case your corporate proxy requires authentication and your password contains special characters, convert it to hex form as suggested by this link, as in my case escaping characters with '\' did not help. Also I had to restart my system.
Note:
http_proxy and https_proxy should contain the same proxy address as shown below
http_proxy = http://<user>:<password>@<your company proxy>:<port>
https_proxy= http://<user>:<password>@<your company proxy>:<port> -> Note no 's' in http://...
I am behind corporate firewall and I have to specify domain name too.
None of these answers worked for me. Here is what I did -
Downloaded CNTLM from http://cntlm.sourceforge.net/
Obviously installed it.
Open up cntlm.ini and change the following:
Domain your_domain_name
Username your_domain_username
Password your_domain_password
PassLM 1AD35398BE6565DDB5C4EF70C0593492 (uncomment this)
PassNT 77B9081511704EE852F94227CF48A793 (uncomment this too)
Proxy http://localhost:8888
Go to services.msc and start the CNTLM Authentication service.
Download Fiddler 4/2 (whatever they call it).
Install this too. This will run in http://localhost:8888
Now whatever program you're running, forward (proxy) it to http://localhost:3128 (that's what CNTLM is running on).
In this case specify http.proxy and https.proxy as http://localhost:8888
This will work for other client programs. Just specify proxy as http://localhost:8888
It worked for me to change the .bowerrc file:
{
"directory": "client/lib",
"registry": "http://bower.herokuapp.com",
"proxy":"http://192.168.1.205:3228",
"https-proxy":"http://192.168.1.205:3228"
}
where client/lib is the installation directory where you want to install,
and http://192.168.1.205:3228 is your proxy IP with port. The corporate proxy can be different according to the organization.
In addition to setting the below proxy in .bowerrc:
{
"directory": "app/bower_components",
"proxy":"http://<user>:<password>@proxy.company.com:<proxy-port>",
"https-proxy":"http://<user>:<password>@proxy.company.com:<proxy-port>",
"http-proxy":"http://<user>:<password>@proxy.company.com:<proxy-port>",
"strict-ssl": false,
"registry": "http://bower.herokuapp.com"
}
I am required to run the following commands to fix the issue:
npm cache clean
bower cache clean
bower install
The registry used in the other answers is now deprecated. Please update it!
{
"proxy":"http://<user>:<password>@proxy.company.com:<proxy-port>",
"https-proxy":"http://<user>:<password>@proxy.company.com:<proxy-port>",
"registry": "https://registry.bower.io"
}
{
"directory": "library",
"registry": "http://bower.herokuapp.com",
"proxy":"http://<USERNAME>:<PASSWORD>@<PROXY_IP>:<PROXY_PORT>/",
"https-proxy":"http://<USERNAME>:<PASSWORD>@<PROXY_IP>:<PROXY_PORT>/"
}
This code worked for me. I am using Win 7 and Chrome and also Git Bash. Here a few things need to be clarified. It took me a huge amount of time to find the actual data regarding the user name, password, proxy IP and port. I will describe it step by step so that every learner can easily grasp the message:
Create a file in Notepad named .bowerrc in the login folder; you can go there by typing at Start > Run > %UserProfile% and pressing OK.
Type the above code in the .bowerrc file with the following changes:
Replace <USERNAME> with your internet connection user ID or login ID.
Replace <PASSWORD> with your internet connection password or login password.
Replace <PROXY_IP> and <PROXY_PORT> with the working proxy IP address and its port number.
Note: There should be no angle brackets.
The proxy IP should be different from your own IP.
Before using any proxy IP and port you should check that it is working by changing your proxy IP and port.
You can go through this link to know the details of proxy settings at description here
From these proxy settings you will get the proxy IP and port.
Recheck all the input so that all are correct, then save and close the file.
Open Git Bash, change directory to the project folder, type the command and hit enter; in my case, the Git Bash command:
a@a-PC MINGW32 /d/conFusion
$ bower install
It worked like magic.
In case it helps someone, I had a 'bower blocked by group policy' error.
The solution was to make an exception in CryptoPrevent, an application installed on our company computers to prevent crypto lockers.
For info, in your .bowerrc file you can add a no-proxy attribute. I don't know since when it is supported, but it works on Bower 1.7.4 and it solves the issue of Bower behind a corporate proxy with an internal repository.
.bowerrc :
{
"directory": "bower_components",
"proxy": "http://yourProxy:yourPort",
"https-proxy":"http://yourProxy:yourPort",
"no-proxy":"myserver.mydomain.com"
}
Regards
Please make sure there are no special characters in your proxy password. Convert it to hex. It works for me.

Problem requesting a HTTPS with TCL

I'm trying to do the following request using TCL (OpenACS)
package require http
package require tls
http::register https 443 tls::socket
set url "https://encrypted.google.com"
set token [http::geturl $url -timeout 30000]
set status [http::status $token]
set answer [http::data $token]
http::cleanup $token
http::unregister https
The problem is that when I read the $status variable I get "eof" and the $answer variable is empty. I tried enabling TLS v1:
http::register https 443 [list tls::socket -tls1 1]
and it works only for the site https://www.galileo.edu, but not for https://encrypted.google.com.
The site I'm trying to connect to is https://graph.facebook.com/me/feed?access_token=...
but it doesn't work.
I used curl to retrieve the contents of the pages over HTTPS and it works, and I have installed OpenSSL, so I can't see the problem. Is there another way to do HTTPS connections with TCL?
I can't see if this is a coding problem (maybe I registered the https protocol wrong) or maybe it is a bad configuration of my server. Hope somebody helps!! Thanks!
Hmm, I can't reproduce that. Which patchlevel of Tcl are you using, and which version of the tls package?
I did this:
package require http
package require tls
# This is your code, cut-n-pasted with blank lines removed
http::register https 443 tls::socket
set url "https://encrypted.google.com"
set token [http::geturl $url -timeout 30000]
set status [http::status $token]
set answer [http::data $token]
http::cleanup $token
http::unregister https
puts $status
And it produces “ok” as output, with $status's contents looking likely too (but too long to paste here). This is with Tcl 8.5.2 (I know I need to upgrade), http 2.7 and tls 1.6.
