allinurl / goaccess

GoAccess is a real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
https://goaccess.io
MIT License

real time logging problem - wss #2314

Open t3539 opened 2 years ago

t3539 commented 2 years ago

I can get goaccess working locally and now I'm trying to get it working on production server.

I'm trying to set up goaccess with live reporting over wss.

Firefox is giving error: Firefox can’t establish a connection to the server at wss://website.com:7890/.

and command line / server says:

==Using TLS/SSL==
 [PARSING /var/log/apache2/access.log] {76} @ {0/s}
WebSocket server ready to accept new client connections
Accepted: 12 123.45.67.89
SSL: SSL_accept -> SSL_ERROR_WANT_READ
SSL: incomplete, data available for reading
SSL: SSL_accept -> failed fatal error code: 1
SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
SSL: SSL_read -> SSL_ERROR_ZERO_RETURN
SSL: TLS/SSL connection has been closed
SSL: SSL_write -> SSL_ERROR_ZERO_RETURN
SSL: TLS/SSL connection has been closed
SSL: SSL_write -> SSL_ERROR_ZERO_RETURN
SSL: TLS/SSL connection has been closed
SSL: SSL_shutdown -> failed fatal error code: 1
SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Active: 0

I'm trying to use a certificate from letsencrypt that works fine over https. I'm assuming it should be possible because I see examples of other people in here using it.

This is the command I'm working with:

goaccess --real-time-html -o /var/www/website.com/test_report.html --ssl-cert /home/basic/cert1.pem --ssl-key /home/basic/privkey1.pem --ws-url=wss://website.com:7890 /var/log/apache2/access.log

Lots of guides say I need to set --ssl-cert and --ssl-key without saying specifically what I need to set them to. I've also tried fullchain1. I've changed permissions to 777 in case. I've tried converting them to .key and .crt files. It's unclear to me what I need to change.

allinurl commented 2 years ago

Looks like a certificate issue. The certificate and private key should be the same as the one you use to serve your website via https. e.g.,

ssl-cert /etc/letsencrypt/live/goaccess/fullchain.pem
ssl-key /etc/letsencrypt/live/goaccess/privkey.pem

Also, you don't have to pass --ws-url unless your goaccess instance is running on a different server than the one serving your website. Also, please make sure you are accessing the website via https://yourwebsite.com/report.html

Let me know if that helps.

t3539 commented 2 years ago

Hi allinurl, thanks for your reply. I've tried a few more things, mostly I wasn't expecting them to make a difference. So far no luck.

cat /etc/apache2/sites-enabled/website.com-ssl.conf :

...
SSLCertificateFile /etc/letsencrypt/live/website.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem
...

Command run from home directory: goaccess --real-time-html -o /var/www/website.com/public/report.html --ssl-cert fullchain.pem --ssl-key privkey.pem /var/log/apache2/access.log

(/var/www/website.com/public/ is document root)

I've checked the port is open and accessible via port testers

I've removed every other file in document root, including .htaccess in case there was some weird redirect/sym link somehow messing things up (different server I know but I'm out of options...)

I've tried running Firefox in safe mode in case it was some odd setting I had enabled

Back to the certificate...

Tried fullchain.pem/privkey.pem without changing permission and with changing permissions to 777. Tried with files in default location and in working directory

SSL Labs doesn't report any problems with certificate, if that counts for anything...

My certificate is the result of: sudo certbot certonly --manual --preferred-challenges dns --key-type ecdsa --elliptic-curve secp384r1 --staple-ocsp --must-staple -d website.com -d www.website.com

Tried renewing with the RSA version, because, well, I'm out of options.

Maybe it's stapling? Although I'm reluctant to try renewing letsencrypt too many times in case I hit some rate limit/throttle thing

I assume it's not supposed to be run as root or anything...

I will keep thinking
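The three certificate questions raised in the thread so far (does the key belong to the certificate, is the file the full chain or only the leaf, and was the certificate issued with must-staple) can each be answered offline with OpenSSL. The following is an added example, not part of the original thread and not GoAccess code; the function names are hypothetical, it assumes OpenSSL 1.1.1 or later, and `make_sample` builds a constructed throwaway certificate so the checks can be tried without touching production keys.

```shell
#!/bin/sh
# Added diagnostic example (not from the GoAccess project). Needs OpenSSL 1.1.1+.

# Succeeds when KEY is the private key of the first (leaf) certificate in CERT.
# Comparing public keys works for both RSA and ECDSA keys.
key_matches_cert() {  # usage: key_matches_cert CERT.pem KEY.pem
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Prints how many certificates the PEM file holds:
# 1 for a leaf-only file (cert.pem), 2 or more for a chain (fullchain.pem).
chain_length() {  # usage: chain_length CERT.pem
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds when the leaf carries the TLS Feature extension (RFC 7633) with
# status_request, which is what certbot's --must-staple requests. Clients that
# honour it expect a stapled OCSP response during the handshake.
has_must_staple() {  # usage: has_must_staple CERT.pem
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'TLS Feature' | grep -q 'status_request'
}

# Constructed sample input: a self-signed P-384 certificate valid for one day.
# An optional third argument sets the TLS Feature extension value.
make_sample() {  # usage: make_sample DIR NAME [tlsfeature-value]
  dir=$1 name=$2 feature=${3:-}
  set -- -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.pem" \
    -subj "/CN=example.test" -days 1
  [ -n "$feature" ] && set -- "$@" -addext "tlsfeature=$feature"
  openssl req "$@" 2>/dev/null
}

# Usage against the files named in the Apache config quoted above:
#   key_matches_cert /etc/letsencrypt/live/website.com/fullchain.pem \
#                    /etc/letsencrypt/live/website.com/privkey.pem && echo "key matches"
#   chain_length     /etc/letsencrypt/live/website.com/fullchain.pem
#   has_must_staple  /etc/letsencrypt/live/website.com/fullchain.pem && echo "must-staple set"
```

Reading the key only needs read access for the user running goaccess, so these checks also show whether the files can be opened without loosening permissions to 777.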

allinurl commented 2 years ago

No need to run as root. BTW, does it work if you run goaccess without wss/https?

I'm not sure if it has something to do with the Let's Encrypt root cert of 2021, please take a look at this post and let me know if that helps.