Question: Additional port for SSL

Bas Kierkels

New Pleskian
Hi guys,

We are building an app that includes messaging. Messaging works with websockets. The websockets need a separate port: 5003.

The messaging part is working fine in non-SSL (http://ourdomain.com:5003). If we try SSL, then the connection is refused (https://ourdomain.com:5003).

We have been trying to add a virtual host that would bind to port 5003.

We cannot get that working: where can we create this additional virtual host?

We have tried several options, including adding:

<VirtualHost *:5003>
SSLEngine (and so on)
</VirtualHost>

to /var/www/vhosts/ourdomain.com/conf/vhost_ssl.conf and other files.

And of course:
- re-configuring the domain
- and restarting Apache and Nginx.

We seem to be missing where we can add this code.

Any help will be appreciated!

Thanks,
Bas
 
When I run a web-enabled daemon like, for example, "syncthing" on a Plesk server, I let it connect with plain http only on 127.0.0.1 on its default port.

I then use Nginx to proxy that connection for me.
This is as easy as adding an additional file in /etc/nginx/conf.d.

The configuration files are parsed alphabetically. For that reason it's best to name it zz090_service.conf.

Here's an example of an (edited) config, where:

your messenger is listening as a plain http-server on port 5003,
your IP is 20.30.40.50,
the hostname to connect to is https://messenger.ourdomain.com.

I don't know if you really want to listen with https on port 5003.
Isn't it nicer to let it listen on port 443 like all the other https sites?

You only need to restart nginx (/etc/init.d/nginx restart).
If you let the suffix of the file end with "disabled" instead of ".conf", the file will not be used.

The hostname is the key.
If you connect to your server with that hostname, you will get proxied to your daemon.

cat /etc/nginx/conf.d/zz090_messenger.conf
Code:
server {
    listen 20.30.40.50:443 ssl;
    server_name messenger.ourdomain.com;

    ssl_certificate             /root/.ssh/wildcard.ourdomain.com.pem;
    ssl_certificate_key         /root/.ssh/wildcard.ourdomain.com.key;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_session_timeout         10m;
    ssl_session_cache           shared:SSL:50m;

    # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); on a current
    # nginx/OpenSSL prefer "TLSv1.2 TLSv1.3" here.
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;
    ssl_ciphers                 ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS;

    ssl_dhparam /etc/dhparam/dhparam4096.pem;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains' always;

    client_max_body_size 128m;

    location / {
        proxy_pass http://127.0.0.1:5003;

        # WebSocket support: Upgrade and Connection are hop-by-hop headers and
        # are not forwarded by default, and nginx speaks HTTP/1.0 to the
        # backend unless told otherwise. Without these three lines the
        # backend never sees the upgrade request and the websocket handshake
        # fails even though plain http pages are proxied fine.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
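To confirm that the websocket handshake really gets through the TLS front end once such a config is in place, here is an added example (not from the thread, and not Plesk's or nginx's code) that performs the RFC 6455 opening handshake over TLS and checks the reply; it assumes the hostname and port 443 from the answer above, and check_handshake_response can also be run offline against a captured reply.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455, not a secret


def build_handshake(host, path="/"):
    """Raw HTTP/1.1 upgrade request for `path` plus the random client key it carries."""
    key = base64.b64encode(os.urandom(16)).decode()
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Upgrade: websocket\r\nConnection: Upgrade\r\n"
               f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    return request.encode(), key


def expected_accept(key):
    """Sec-WebSocket-Accept the server must return for `key` (RFC 6455 section 4.2.2)."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()


def check_handshake_response(raw, key):
    """Return (ok, reason). A 400/426 here usually means the proxy dropped the
    hop-by-hop Upgrade/Connection headers; a 502 means nginx cannot reach 127.0.0.1:5003."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "101":
        return False, f"no upgrade: {lines[0]}"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "missing Upgrade: websocket"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "missing Connection: Upgrade"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept does not match our key"
    return True, "websocket upgrade accepted"


def probe(host, port=443, path="/"):
    """Connect over TLS to the nginx front end and run the handshake end to end."""
    request, key = build_handshake(host, path)
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    with socket.create_connection((host, port), timeout=10) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(request)
            return check_handshake_response(tls.recv(4096), key)
```

Run it with probe("messenger.ourdomain.com") from a host that can reach the server; the second element of the result tells you whether the failure is the proxy (no upgrade) or the backend (502).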
 