Proper setup for port forwarding through Nginx?

[EricAndrechek]

Hi there! Just wanted to say I am loving your tweak!!

If I were to want to run this tweak on an old iOS device with a terrible battery laying around at home, and wanted to access my texts on my computer remotely, is there a way for me to port forward this over the internet? I have tried setting up Nginx on my home server to just proxy_pass my iOS WebMessage server, but it doesn't seem to be working. Thanks!

[sgtaziz]

It should work. Here is an example for setting it up with an SSL certificate:

server {

    listen 8180; # This can be any port available on your home server. Does not have to be the WM port.
    server_name webmessage.domain.com; # If you need to use a domain, set it here. 

    # Here you define your SSL certificates. 
    # I highly recommend setting this up if you're going to open the connection over the web.
    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    # Some more settings to setup SSL
    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
      # Here you can set headers. Its usually good practice to allow the proxy to be as real as possible.
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # This is required to enable WebSockets to work
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      # This is where you will specify your WebMessage server.
      # If it doesn't work, you can try disabling SSL from WebMessage, and use nginx' SSL config.
      # If you disable SSL, make sure to change https to http.
      proxy_pass          https://192.168.1.10:8180;
      proxy_read_timeout  90;

      # This is not required, but can be helpful in some cases. Ensure http(s) matches your config above.
      proxy_redirect      https://192.168.1.10:8180 https://webmessage.domain.com;
    }
  }

I have not tested this, but feel free to try it out and let me know how it works. I'll keep this ticket open until we can get it figured out for you 👍

[sgtaziz]

@EricAndrechek Have you had the chance to test this? If it's all good, I'll go ahead and close this issue

[EricAndrechek]

Sorry for the late reply, I've been poking around at it and trying to get things working but without much success. Here is what I've got so far:

• The reason my initial Nginx config wasn't working was because I was binding to a port already in use :facepalm:
• Nginx fails to port forward if the iOS device has SSL enabled (so unfortunately this means the device is passing the password over local wifi in plaintext that is clearly visible through Wireshark)
• The biggest issue here: I cannot get the client to display/load/send any images or attachments (cached ones still display properly). In my Nginx logs I am seeing a 501 error:

  192.168.86.1 - - [06/Mar/2021:15:39:27 -0500] "GET /attachments?path=%2Fvar%2Fmobile%2FLibrary%2FSMS%2FAttachments%2F26%2F06%2F432B949F-A797-4C28-990E-926731361845%2FIMG_2066.JPG&type=image%2Fjpeg&auth=myPasswordForWebMessage&transcode=1 HTTP/1.1" 501 22 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) webmessage/0.6.0 Chrome/83.0.4103.122 Electron/9.4.0 Safari/537.36"

• Furthermore, the client is unable to send messages, but for some reason it can receive them.
• If I turn SSL off on the server, it does not change anything on the client side, nor in the transmission of data. (ie: somehow, when SSL is off on the server, the packets sending from the client to the server are still encrypted (or maybe just heavily obsfucated?). This means that if I turn off SSL on the client device, I can see the HTTP request to establish a TCP connection with the server over the public internet, including the password in plain text. If I turn SSL on the client on, it is instead a TLS connection HELLO message which is either encrypted or obsfucated? Regardless of whether I turn the Nginx server's SSL on or not, the two above observations hold true, which is strange, since I would expect SSL to have been dependent on the server's key. BTW this is all with the iOS device having SSL off. However, here's where things get interesting: regardless of whether or not server-side Ngninx SSL is on or not, the client device will only connect if it has SSL turned on.

So, to recap:

• SSL configuration in the server-side appears to have no bearing on the encryption of communication between the client and iOS server.
• The client is unable to connect to the server via Nginx if its SSL is off, although it will make requests with the password visible in an HTTP request (connection requests with a visible password over HTTP are to be expected if SSL is off client side, however these connection requests should be upgraded if the server has SSL turned on. Instead they are not and the connection fails).
• Regardless of the configuration setup, images/attachments are unable to sent and received from the client, and text messages (and tapbacks, etc) can only be received. The client fails to send ANY data to the server.
• This was all tested on 0.5.2 on the iOS tweak, and on both versions 0.5.2 and 0.6.0 on the client.

Let me know what other error messages or debug logs I can get to you!

[sgtaziz]

If you will be using SSL on your proxy, you really don't need SSL on the tweak itself. Though the authorization pass in the GET request can pose a security risk, which is something I overlooked.

For the root of the problem, I want to focus on the client device will only connect if it has SSL turned on. SSL on your tweak should be disabled if using a proxy is your goal, so I'm glad you got that down! As far as testing, I think it would be better to test through a browser (same IP/port into your browser, https/http respectively) If http does not work, then your SSL is on. This definitely has something to do with your nginx setup if that's the case, so would be ideal to check that.

For the 501 error, that is definitely an nginx-related issue again. Sounds like nginx isn't able to accept the blob data. Unfortunately it is currently difficult for me to setup a proxy to help test; however, I will try to update you as soon as I am able to give it a go!