novnc / noVNC

VNC client web application
https://novnc.com

SSL Termination + Nginx question #753

Closed bobberb closed 7 years ago

bobberb commented 7 years ago

Dear all,

Maybe I misunderstand how SSL termination is supposed to work, but I assume I should be able to:

remote browser (https) --> nginx (termination by proxy_pass command) --> websockify --> novnc

However whenever I successfully reach the novnc.html and try to connect I get the error

10.252.252.253: SSL connection but '/home/bobberb/noVNC/self.pem' not found

Well, of course I didn't set a .pem, I expect my nginx instance to strip the TLS!

CendioOssman commented 7 years ago

That sounds like nginx is misconfigured. What does your configuration look like?

bobberb commented 7 years ago

server {
        listen 443 http2 ssl;
        server_name staging.site.org;
        ssl_protocols TLSv1.2;
        ssl_dhparam /etc/letsencrypt/live//dhparam.pem;
        ssl_certificate /etc/letsencrypt/live//fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live//privkey.pem;
        location /websockify {
          proxy_http_version 1.1;
          proxy_pass http://10.252.252.253:6080/;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          # VNC connection timeout
          proxy_read_timeout 61s;
          # Disable cache
          proxy_buffering off;
        }
        location /vncws/ {
          proxy_pass http://10.252.252.253:6080/;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }
}

My apologies for the delay in reply and thanks for your time.

CendioOssman commented 7 years ago

Looks correct AFAICT. You sure you haven't configured your noVNC settings to bypass the proxy? What have you specified as the websocket server in the GUI?

bobberb commented 7 years ago

I cannot reach the vnc.html GUI on HTTPS so I have not configured anything, it crashes to

noVNC encountered an error.

I try to access vnc_auto.html and the cli spits out

Warning: could not find self.pem
Using local websockify at /home/user/noVNC/utils/websockify/run
Starting webserver and WebSockets proxy on port 6080
WARNING: no 'numpy' module, HyBi protocol will be slower
WebSocket server settings:
  - Listen on :6080
  - Flash security policy server
  - Web server. Web root: /home/user/noVNC
  - No SSL/TLS support (no cert file)
  - proxying from :6080 to localhost:5900

Navigate to this URL:

    http://d5:6080/vnc.html?host=d5&port=6080

Press Ctrl-C to exit

ARCHER - - [23/Jan/2017 14:15:18] 10.252.252.254: Plain non-SSL (ws://) WebSocket connection
ARCHER - - [23/Jan/2017 14:15:19] 10.252.252.254: Version hybi-13, base64: 'False'
ARCHER - - [23/Jan/2017 14:15:21] connecting to: localhost:5900
ARCHER - - [23/Jan/2017 14:15:24] code 400, message Bad request syntax ('\x88\x8f\xb2\x96\xe9,\xb1~\xbdM\xc0\xf1\x8cX\x92\xf5\x85C\xc1\xf3\x8d')
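
Added example, not part of the original thread and not websockify or noVNC code: both errors in this thread come down to which protocol's bytes reached which parser, so this Python sketch classifies the first bytes a plain TCP listener receives and decodes the bytes quoted in the "Bad request syntax" line above as a WebSocket frame. The names classify, parse_ws_frame and the TLS_SAMPLE bytes are made up for the illustration; LOGGED is copied from the log line.

```python
# Bytes quoted in the "Bad request syntax" log line above (copied from the page).
LOGGED = b"\x88\x8f\xb2\x96\xe9,\xb1~\xbdM\xc0\xf1\x8cX\x92\xf5\x85C\xc1\xf3\x8d"
# Constructed sample, not from the page: start of a TLS handshake record.
TLS_SAMPLE = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"

OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}


def classify(first: bytes) -> str:
    """Heuristic guess at what a client sent first to a plain TCP listener."""
    if len(first) >= 2 and first[0] == 0x16 and first[1] == 0x03:
        return "tls-handshake"      # TLS record: content type 22, version 3.x
    if first.split(b" ", 1)[0] in (b"GET", b"HEAD", b"POST", b"OPTIONS"):
        return "http-request"
    if len(first) >= 2 and not (first[0] & 0x70) and (first[0] & 0x0F) in OPCODES:
        return "websocket-frame"    # RFC 6455: RSV bits clear, known opcode
    return "unknown"


def parse_ws_frame(data: bytes) -> dict:
    """Decode one RFC 6455 frame; raises ValueError if it is truncated."""
    if len(data) < 2:
        raise ValueError("truncated header")
    opcode, masked = data[0] & 0x0F, bool(data[1] & 0x80)
    length, pos = data[1] & 0x7F, 2
    if length >= 126:               # extended 16-bit or 64-bit length field
        width = 2 if length == 126 else 8
        if len(data) < pos + width:
            raise ValueError("truncated length")
        length, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
    end = pos + (4 if masked else 0) + length
    if len(data) < end:
        raise ValueError("truncated frame")
    body = data[end - length:end]
    if masked:                      # client-to-server frames are XOR-masked
        key = data[pos:pos + 4]
        body = bytes(b ^ key[i % 4] for i, b in enumerate(body))
    out = {"fin": bool(data[0] & 0x80), "opcode": OPCODES.get(opcode, "reserved"),
           "masked": masked, "payload": body}
    if opcode == 0x8 and len(body) >= 2:    # close: 2-byte status, UTF-8 reason
        out["code"] = int.from_bytes(body[:2], "big")
        out["reason"] = body[2:].decode("utf-8", "replace")
    return out


if __name__ == "__main__":
    print(classify(TLS_SAMPLE), classify(LOGGED))
    print(parse_ws_frame(LOGGED))
```

Decoded, the logged bytes are a masked close frame with status 1000 and reason "Target closed", that is, WebSocket frame data that was handed to the HTTP request parser.
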

CendioOssman commented 7 years ago

That seems to be a different error.

Could you enable debug in the noVNC settings and include the browser console output from a failed connection attempt?

samhed commented 7 years ago

Closing due to no response