502 bad gateway (again) - This time Nginx "ssl" directive is deprecated


Jacky Ang

Sep 26, 2019, 9:50:06 PM
to Wazuh mailing list
Guys, 

I need your help to solve this puzzle. I followed the exact instructions to upgrade to Wazuh 3.10 from Wazuh 3.9 (I am a good boy). Every step was perfect, or so I thought. When I got to the final step and logged in to the server, I was able to log in with my user name and password. But... but... it shows "502 Bad Gateway". OMG!!!

I quickly checked the group and, following part and parcel here and there, I found nginx -t to test the nginx status. I got this error:

[root@wazuhmanager yum.repos.d]# nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/default.conf:10
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@wazuhmanager yum.repos.d]#

=======================================

I have checked the nginx.error.log:

2019/09/26 10:09:42 [error] 23485#23485: *22 no live upstreams while connecting to upstream, client: 10.81.234.6, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://localhost/favicon.ico", host: "192.168.0.100", referrer: "https://192.168.0.100/"
2019/09/26 18:28:10 [error] 31967#31967: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 10.81.234.6, server: , request: "GET / HTTP/1.1", upstream: "http://[::1]:5601/", host: "192.168.0.100"
2019/09/26 18:28:10 [error] 31967#31967: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 10.81.234.6, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:5601/", host: "192.168.0.100"
2019/09/26 18:28:10 [error] 31967#31967: *2 no live upstreams while connecting to upstream, client: 10.81.234.6, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://localhost/favicon.ico", host: "192.168.0.100"

========================================

I issued a command to check port 5601, but it returned an empty result:

[root@wazuhmanager nginx]# netstat -tuna | grep 5601
[root@wazuhmanager nginx]#


I guess this info is fairly sufficient to troubleshoot? Please help.

Thank You

Regards,
Jacky Ang

Jose Miguel Mallorquin

Sep 27, 2019, 3:49:57 AM
to Wazuh mailing list
Hi Jacky,

As you mention, you properly installed and configured the Nginx tool to enable SSL and authentication for Kibana.

We create the TLS certificates (.pem and .key) if we don't have valid ones:
# mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/kibana-access.key -out /etc/pki/tls/certs/kibana-access.pem


Then, the /etc/nginx/conf.d/default.conf file is set to the following configuration:
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 default_server;
    listen [::]:443;
    ssl on;
    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}

It is necessary to restart the nginx service.
# systemctl restart nginx

Then, we create new credentials for the Kibana web page by using htpasswd:
# yum install httpd-tools
# htpasswd -c /etc/nginx/conf.d/kibana.htpasswd wazuh


On the other hand, the /etc/kibana/kibana.yml file is edited to set the following line:
server.host: "localhost"

as NGINX performs the port forwarding from the default 5601 to the secure 443.

After restarting the kibana service, the access to the Kibana WUI will be https://<kibana_server_IP>:443 and the web browser will ask us for the new credentials.

If SELinux is enabled, the "502 bad gateway" error can occur. It will be necessary to allow NGINX to connect to the Kibana port:
semanage port -a -t http_port_t -p tcp 5601


As you properly tested, although there is a Warning message related to the deprecated ssl directive, the NGINX configuration is OK:
# nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/default.conf:10
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


Finally, after enabling and configuring everything, Kibana will not expose port 5601 but 80 and 443.

I hope this helps.

Best regards,
Jose M.
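
Added example, not part of the thread: a shell triage of the nginx error-log lines quoted in the first post, separating the 502 causes discussed here (Kibana not listening on 5601 versus nginx being denied the connection). The function names, the cause labels and the mapping of errno 13 to an SELinux-style denial are assumptions of this example; the last sample line is constructed.

```shell
#!/bin/sh
# Added example: classify the upstream failures behind an nginx 502.

# Map one nginx error-log line to a cause label.
classify_upstream_error() {
    case "$1" in
        *"(111: Connection refused) while connecting to upstream"*)
            echo "backend-not-listening" ;;  # nothing accepts on the proxy_pass target
        *"(13: Permission denied) while connecting to upstream"*)
            echo "connect-denied" ;;         # EACCES, e.g. SELinux blocking nginx (assumed mapping)
        *"no live upstreams while connecting to upstream"*)
            echo "no-live-upstreams" ;;      # every resolved peer has already failed
        *)
            echo "other" ;;
    esac
}

# Extract the upstream URL nginx tried, e.g. http://127.0.0.1:5601/
upstream_of() {
    printf '%s\n' "$1" | sed -n 's/.*upstream: "\([^"]*\)".*/\1/p'
}

# Read log lines on stdin; print "count cause upstream", most frequent first.
summarize_errors() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "$(classify_upstream_error "$line")" "$(upstream_of "$line")"
    done | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Sample input: the four lines quoted in the thread, plus one constructed
# "Permission denied" line (last) that is not from the thread.
sample_log() {
    cat <<'EOF'
2019/09/26 10:09:42 [error] 23485#23485: *22 no live upstreams while connecting to upstream, client: 10.81.234.6, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://localhost/favicon.ico", host: "192.168.0.100", referrer: "https://192.168.0.100/"
2019/09/26 18:28:10 [error] 31967#31967: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 10.81.234.6, server: , request: "GET / HTTP/1.1", upstream: "http://[::1]:5601/", host: "192.168.0.100"
2019/09/26 18:28:10 [error] 31967#31967: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 10.81.234.6, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:5601/", host: "192.168.0.100"
2019/09/26 18:28:10 [error] 31967#31967: *2 no live upstreams while connecting to upstream, client: 10.81.234.6, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://localhost/favicon.ico", host: "192.168.0.100"
2019/09/26 18:30:00 [crit] 31967#31967: *5 connect() to 127.0.0.1:5601 failed (13: Permission denied) while connecting to upstream, client: 10.81.234.6, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:5601/", host: "192.168.0.100"
EOF
}

sample_log | summarize_errors
```

A "backend-not-listening" result together with an empty netstat for 5601 points at the Kibana service itself; "connect-denied" is the case the semanage command in the reply addresses.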




Jacky Ang

Sep 29, 2019, 9:41:28 PM
to Wazuh mailing list
Hi Jose,

I got it right now. Thank you for the advice.

Regards,
Jacky Ang