Re: [tryton] tryton-client SSL connection through nginx proxy-pass


Robin Baumgartner

Sep 17, 2012, 4:10:08 PM9/17/12
to try...@googlegroups.com
On 09/17/2012 09:02 PM, Mark Hayden wrote:
> What kind of magic is the client performing when it decides to use HTTPS
> or HTTP?

As far as I know, the client tries to use HTTPS and if that fails it
falls back to HTTP. The fingerprint (if any) is saved in the known_hosts
file and can cause some trouble when experimenting (see below).

> Why does the magic fail when the proxy-pass server is in the
> way?

Nginx is not the problem. We are using the same architecture you describe.

> How can I force the Tryton client to NOT attempt insecure connections?

As far as I know you can't.

> But has anyone seen this kind of problem? Is there a special
> trick to make proxy-pass work with SSL the way it does without it?

Just a guess: Have you tried removing the corresponding line in
~/.config/tryton/2.4/known_hosts? When the fingerprint there does not
match the server's, it looks like you cannot connect and no meaningful
error is reported.


Regards,
Robin Baumgartner


Dominique Chabord

Sep 18, 2012, 3:48:18 AM9/18/12
to try...@googlegroups.com


On 17/09/2012 21:02, Mark Hayden wrote:

> 3. I can connect from the client to the server THROUGH AN NGINX SERVER

Sorry, I don't have the answer, but, out of curiosity, what is the
benefit of using nginx in between ?

regards

--
Dominique Chabord - SISalp

Cédric Krier

Sep 18, 2012, 4:14:19 AM9/18/12
to try...@googlegroups.com
On 17/09/12 15:57 -0700, Mark Hayden wrote:
> But the fingerprint thing and the negotiation process the client does cause
> me to think about the self signed certificate. Does the Tryton client
> check the certificate when negotiating SSL (I would think it does by
> default, though some googling suggests at least in the past it did not)?
> Perhaps SSL fails because I need to import a ca.crt to my client and trust
> it for SSL to be successful and not fall back to plain http?

It does certificate validation if you give it a Certification Authority
file in the configuration file, see
http://doc.tryton.org/2.4/tryton/doc/usage.html#configuration-file

--
Cédric Krier

B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email/Jabber: cedric...@b2ck.com
Website: http://www.b2ck.com/
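The two client-side checks discussed in this thread so far, Robin's known_hosts fingerprint (trust on first use) and Cédric's CA-file validation, written out as an added Python example. This is not the Tryton client's code and was not posted by anyone in the thread; the "host:port fingerprint" line format for known_hosts, the SHA-256 fingerprint, the sample file contents and all function names are assumptions made for the example. It reproduces the failure Robin describes (a stale entry for a server whose certificate changed refuses the connection, and the fix is to drop that line), and unlike the 2.4 client as described above it never falls back to plain HTTP: a failed handshake is an error, not a downgrade.

```python
"""Client-side TLS checks for a Tryton-style RPC connection.

Added example, not code from the Tryton client or from this thread.
known_hosts format assumed here: one "host:port fingerprint" per line.
"""
import hashlib
import socket
import ssl


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_known_hosts(text):
    """Parse assumed 'host:port fingerprint' lines; blanks and '#' lines are skipped."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostport, fp = line.split()
        known[hostport] = fp.upper()
    return known


def dump_known_hosts(known):
    """Serialize back to the same assumed line format, sorted for stable diffs."""
    return "".join("%s %s\n" % (k, known[k]) for k in sorted(known))


def check_pin(host, port, der_cert, known):
    """Trust on first use: record an unknown host, accept a match, reject a mismatch.

    Returns (ok, reason). A mismatch is what a stale known_hosts entry
    produces after the server certificate changed.
    """
    key = "%s:%d" % (host, port)
    seen = fingerprint(der_cert)
    pinned = known.get(key)
    if pinned is None:
        known[key] = seen
        return True, "new host %s, fingerprint recorded" % key
    if pinned == seen:
        return True, "fingerprint for %s matches" % key
    return False, "fingerprint mismatch for %s: known %s, got %s" % (key, pinned, seen)


def make_context(cafile=None):
    """CA validation only happens when a CA file is given; otherwise the pin is all we have."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile)
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect(host, port, known, cafile=None, timeout=10):
    """Open a TLS socket to host:port. No plaintext fallback on failure."""
    ctx = make_context(cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError as exc:
        raw.close()
        raise ConnectionError("TLS handshake to %s:%d failed: %s" % (host, port, exc))
    der = tls.getpeercert(binary_form=True)
    ok, reason = check_pin(host, port, der, known)
    if not ok:
        tls.close()
        raise ConnectionError(reason)
    return tls
```

With a CA file the context verifies the chain and the host name; without one, only the pin in known_hosts stands between the client and an interposed certificate, which is why the first connection to a new server (where the pin is recorded) is the one to make over a trusted path.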

Cédric Krier

Sep 18, 2012, 4:18:46 AM9/18/12
to try...@googlegroups.com
On 18/09/12 09:48 +0200, Dominique Chabord wrote:
> On 17/09/2012 21:02, Mark Hayden wrote:
>
> > 3. I can connect from the client to the server THROUGH AN NGINX SERVER
>
> Sorry, I don't have the answer, but, out of curiosity, what is the
> benefit of using nginx in between ?

The only benefit I see is to make load balancing between different
tryton servers.
But to be efficient, it probably requires some tuning. I made some tests
with lighttpd as reverse proxy and I discovered it was too aggressive with
the "keep-alive" of the connection (it closes it after some seconds), which
makes the communication between the client and the server slower.

Robin Baumgartner

Sep 18, 2012, 4:54:30 AM9/18/12
to try...@googlegroups.com
----- Original Message -----
> From my investigation it is quite clear that with nginx in the middle
> (with encryption on--it works without) the client's connection never
> makes it to the Tryton server in any way--it stops at the NGINX
> server with a 400 error, though it isn't clear what is happening to
> make SSL fail.

Here is our configuration for nginx, maybe it helps:

server {
    listen 8000;
    server_name <SERVER_NAME>;

    # TLS is terminated here; the client talks HTTPS to nginx on port 8000
    ssl on;
    ssl_certificate <PATH_TO_CERT>;
    ssl_certificate_key <PATH_TO_KEY>;

    location / {
        # plain HTTP from nginx to the Tryton server on the private network
        proxy_pass http://<SERVER_IP>:8000;
    }
}

Mark Hayden (local)

Sep 18, 2012, 4:59:02 PM9/18/12
to try...@googlegroups.com

On Tue, 2012-09-18 at 09:48 +0200, Dominique Chabord wrote:

> Sorry, I don't have the answer, but, out of curiosity, what is the
> benefit of using nginx in between ?
>
> regards
>
> --
> Dominique Chabord - SISalp

Well there could be the potential for load balancing as a possibility, but the main reason is that eventually I will be having at least 3 VMs in openstack running independent installations of Tryton--one in each tenant, but my available public IP addresses are limited such that I do not have enough to spare one dedicated to each.

With NGINX or Apache or lighttpd or whatever in front, on a VM that has one public IP and access to each of the private VLANs, permits accessibility to all the Tryton installs through one IP address using proxy-pass to connect up with the right host in the private networks.

I may eventually migrate towards a VPN-based solution--especially if this situation does not work, but then I have to put not only the tryton client on remote machines but also openVPN client and config and instructions on how to connect the VPN before opening Tryton. This is do-able but may intimidate some of the users.

Albert Cervera i Areny

Sep 18, 2012, 8:04:17 PM9/18/12
to try...@googlegroups.com

On Tuesday, 18 September 2012 22:59:02, Mark Hayden (local) wrote:

> I may eventually migrate towards a VPN-based solution--especially if this
> situation does not work, but then I have to put not only the tryton client
> on remote machines but also openVPN client and config and instructions on
> how to connect the VPN before opening Tryton. This is do-able but may
> intimidate some of the users.

Using NAT could also be an option.
--
Albert Cervera i Areny
http://www.NaN-tic.com
Tel: +34 93 553 18 03
http://twitter.com/albertnan
http://www.nan-tic.com/blog

Dominique Chabord

Sep 18, 2012, 8:11:23 PM9/18/12
to try...@googlegroups.com


On 18/09/2012 22:59, Mark Hayden (local) wrote:
>
> On Tue, 2012-09-18 at 09:48 +0200, Dominique Chabord wrote:
>>
>> Sorry, I don't have the answer, but, out of curiosity, what is the
>> benefit of using nginx in between ?
>>
>> regards
>>
>> --
>> Dominique Chabord - SISalp
>>
>> --
>
> Well there could be the potential for load balancing as a possibility,
> but the main reason is that eventually I will be having at least 3 VMs
> in openstack running independent installations of Tryton--one in each
> tenant, but my available public IP addresses are limited such that I do
> not have enough to spare one dedicated to each.

Thank you for explaining.
I run hundreds of tryton and openerp servers behind a single IP on tens
of VMs.
I assign ports to every service, then I redirect to the right VM in
iptables. It is simpler and more efficient in my case.

>
> With NGINX or Apache or lighttpd or whatever in front, on a VM that has
> one public IP and access to each of the private VLANs, permits
> accessibility to all the Tryton installs thorugh one IP address using
> proxy-pass to connect up with the right host in the private networks.

Correct, I don't do it for tryton because it is not needed (required for
openerp only).
>
> I may eventually migrate towards a VPN-based solution--especially if
> this situation does not work, but then I have to put not only he tryton
> client on remote machines but also openVPN client and config and
> instructions on how to connect the VPN before opening Tryton. This is
> do-able but may intimidate some of the users.

This is safer indeed because the login page is not exposed to internet.
I support ssh tunnelling too, windows users need a shortcut with putty
embarked.

Best regards

Mark Hayden (local)

Sep 22, 2012, 8:22:48 PM9/22/12
to try...@googlegroups.com
Just thought I'd follow up, even though it's been a few days.  See below...


On Tue, 2012-09-18 at 10:54 +0200, Robin Baumgartner wrote:

> Here is our configuration for nginx, maybe it helps:

Thanks for the reply--it was actually very helpful!

> server {
>         listen   8000;
>         server_name  <SERVER_NAME>;
>
>         ssl  on;
>         ssl_certificate <PATH_TO_CERT>;
>         ssl_certificate_key <PATH_TO_KEY>;
>
>         location / {
>                 proxy_pass http://<SERVER_IP>:8000;
>         }
> }

Perhaps I just needed more sleep or a fresh look, because it never came to mind to do the most absolute minimal configuration like this!  I had a "template" site config to do reverse proxy that had many more settings concerning keep-alive, timeouts, injecting extra headers and so forth.  The template was modeled on the way it was done in countless examples shown on wikis and forums.

Though it worked in non-SSL it seems that those settings combined with SSL made Tryton not work (though I have not determined the root cause).  Perhaps once I have this install fully set up I shall contribute a "recipe" to build my setup as documentation to the Tryton site.  It has been noted that there are few who offer Tryton as a hosted service--perhaps if those of us do so (or aspire to) did a "Tryton Hosting Cookbook" it might spur some adoption of Tryton (if all goes well I might offer such a service in western Canada and US where I live)

Dominique Chabord

Sep 23, 2012, 5:16:21 AM9/23/12
to try...@googlegroups.com

Hello,
good that you solved your problem

On 23/09/2012 02:22, Mark Hayden (local) wrote:
> I shall contribute a
> "recipe" to build my setup as documentation to the Tryton site.

It will be useful, since I see you are not the only one who adds an http
server layer to the tryton server.

> It has
> been noted that there are few who offer Tryton as a hosted
> service--perhaps if those of us do so (or aspire to) did a "Tryton
> Hosting Cookbook" it might spur some adoption of Tryton

As you know, I don't use an http server in between but I need it for the
graphical management page of the services.
Regarding multi-tenant servers, I've published a script that does it,
and as far as NAT and SNAT are concerned, that's vanilla hosting which
depends on each server topology.



> (if all goes
> well I might offer such a service in western Canada and US where I live)

For sure it would be useful. I have some people experiencing bad
performance on my Europe based free hosting.

Regards