Thread Stunnel Configuration Correct For EWB Web Server?
Mon, Oct 19 2015 11:15 AM

Raul

Team Elevate

On 10/18/2015 10:25 PM, Frederick Chin wrote:
> EWB Server:-
> Port 80

You also need to listen on 127.0.0.1 - this part is VERY important.
So it should be
EWB Web Server : 127.0.0.1
Port : 80

> localhost/<app.html> => OK
> https://localhost/<app.html> => OK

Testing localhost is not really relevant - if I have physical session
access to the server itself I can just access file system files and
don't have to bother with the web server.


> EWB Server:-
> Port 8081

Again listen on 127.0.0.1 !!!


> localhost/<app.html> => Connection Refused

Of course - nothing is listening.

In this case you would need to test localhost:8081/<app.html>

> It looks like the second non-standard port setting is more secure.

What you should really be testing are

http://<dynamic dns>/<app.html>
http://<dynamic dns>:8081/<app.html>
and
https://<dynamic dns>/<app.html>

Only the last one should work.

Note that there is no difference in security here - one can do
everything over an https link anyway, so using SSL does not in any way
secure the web server.

What you are trying to secure is the communication between the browser
and the web server.


> When I attempt to use a smartphone to connect as follows:-
> https://<dynamic dns>/<app.html>
> I get a connection failed. A local ping of the dynamic DNS results in a valid public IP address. I'll need to research this further.
> In both https prefixes in the URL, Chrome complains the connection is not private and the https in the URL is crossed out in red. Should I worry about this?

What is the actual error - click on the crossed out padlock (or use the
advanced link in the chrome error).

I guess you used the certificate that came with stunnel? You cannot do
that and are likely seeing invalid identity and unknown certificate
authority.

Once you know what your final dns name is (and it cannot change in the
future or you invalidate the certificate) you need to obtain a proper
certificate.

You could make a self-signed cert which would work OK on PC browsers but
is a PITA on mobile devices (especially Apple ones as they do not by
default allow connection to untrusted certs).

If you do not own the domain (your <dynamic dns> for example) then you
will not be able to obtain a certificate yourself and have to rely on
them to do it for you - some support it and some do not.

For example :
http://www.dyndns.com/support/kb/sslcert.html


In general you're better off registering your own domain name.

There are a few options for certificates:

StartSSL provides free ones:
https://www.startssl.com/

For a little bit of money ($20/year) you can get a Comodo cert and their
process is easier than StartSSL:
http://www.ksoftware.net/ssl_certs.html

Raul
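The layout Raul lays out above (TLS terminated by stunnel on the public port, the EWB web server reachable only on 127.0.0.1) is easy to get subtly wrong, so here is an added Python audit that is not part of the thread or of stunnel itself: it parses the `accept`/`connect` directives of an stunnel.conf (real stunnel keys; the config text itself is constructed) against a constructed listener table of the kind `netstat -an` shows, and reports any way the backend could be reached without going through stunnel.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed stunnel.conf for the layout discussed in the thread: stunnel
# terminates TLS on the public port and forwards to the EWB web server,
# which itself must listen only on the loopback address.
STUNNEL_CONF = """
cert = stunnel.pem

[ewb]
accept = 443
connect = 127.0.0.1:8081
"""

# Constructed listener tables in "addr:port" form, as netstat -an or
# ss -ltn would show them. In the bad one the EWB server is bound to all
# interfaces, so port 8081 is reachable from outside without stunnel.
LISTENERS_GOOD = ["0.0.0.0:443", "127.0.0.1:8081"]
LISTENERS_BAD = ["0.0.0.0:443", "0.0.0.0:8081"]


def parse_services(conf: str) -> Dict[str, Tuple[str, str]]:
    """Return {service: (accept, connect)} from stunnel's INI-style config."""
    cp = configparser.ConfigParser()
    cp.read_string("[global]\n" + conf)  # global options have no header
    return {s: (cp[s]["accept"], cp[s]["connect"])
            for s in cp.sections() if s != "global"}


def audit(conf: str, listeners: List[str]) -> List[str]:
    """List ways the backend could be reached without going through stunnel."""
    problems, public_ports, backend_ports = [], set(), set()
    for name, (accept, connect) in parse_services(conf).items():
        public_ports.add(accept.rsplit(":", 1)[-1])
        # stunnel treats a bare port in connect= as localhost
        host, port = connect.rsplit(":", 1) if ":" in connect else ("127.0.0.1", connect)
        backend_ports.add(port)
        if host not in ("127.0.0.1", "localhost"):
            problems.append(f"{name}: connect target {connect} is not loopback")
        if f"0.0.0.0:{port}" in listeners:
            problems.append(f"{name}: backend port {port} is bound to all interfaces")
        elif f"127.0.0.1:{port}" not in listeners:
            problems.append(f"{name}: nothing is listening on {connect}")
    for entry in listeners:  # anything else public is a plaintext side door
        addr, port = entry.rsplit(":", 1)
        if addr == "0.0.0.0" and port not in public_ports | backend_ports:
            problems.append(f"port {port} is exposed on all interfaces without stunnel")
    return problems
```

Run `audit(STUNNEL_CONF, LISTENERS_BAD)` to see the exact misconfiguration the thread warns about; an empty result for the good table means only stunnel's port is public.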
Mon, Oct 19 2015 12:02 PM

Frederick Chin

Raul,

/*
You also need to listen on 127.0.0.1 - this part is VERY important.
So it should be
EWB Web Server : 127.0.0.1
Port : 80

...

Again listen on 127.0.0.1 !!!
*/

Yes, the EWB server is set to listen to 127.0.0.1.

/*
In this case you would need to test localhost:8081/<app.html>
*/

Works fine.

/*
What you should really be testing are

http://<dynamic dns>/<app.html>
http://<dynamic dns>:8081/<app.html>
and
https://<dynamic dns>/<app.html>

Only the last one should work.
*/

I tried all above and I still get a timeout error for the first one and "Connection Refused" for the second and third ones. Is it a firewall problem?

/*
What is the actual error - click on the crossed out padlock (or use the
advanced link in the chrome error).
*/

The identity of this web site has not been verified. Server's certificate is not trusted.

/*
I guess you used the certificate that came with stunnel? You cannot do
that and are likely seeing invalid identity and unknown certificate
authority.
*/

Yes. Newbie problem. :)

/*
Once you know what your final dns name is (and it cannot change in the
future or you invalidate the certificate) you need to obtain a proper
certificate.

You could make a self-signed cert which would work OK on PC browsers but
is a PITA on mobile devices (especially Apple ones as they do not by
default allow connection to untrusted certs).

If you do not own the domain (your <dynamic dns> for example) then you
will not be able to obtain a certificate yourself and have to rely on
them to do it for you - some support it and some do not.

For example :
http://www.dyndns.com/support/kb/sslcert.html


In general you're better off registering your own domain name.

There are a few options for certificates:

StartSSL provides free ones:
https://www.startssl.com/

For a little bit of money ($20/year) you can get a Comodo cert and their
process is easier than StartSSL:
http://www.ksoftware.net/ssl_certs.html
*/

Thanks for your help. All the above will put me on the right path.

Frederick
Mon, Oct 19 2015 12:37 PM

Raul

Team Elevate

On 10/19/2015 12:02 PM, Frederick Chin wrote:
> Yes, the EWB server is set to listen to 127.0.0.1.

Great - that's the part that makes it inaccessible from the internet (so
only thru stunnel can you access the web server from the internet).


> http://<dynamic dns>/<app.html>
> http://<dynamic dns>:8081/<app.html>
> and
> https://<dynamic dns>/<app.html>
>
> Only the last one should work.
> */
>
> I tried all above and I still get a timeout error for the first one and "Connection Refused" for the second and third ones. Is it a firewall problem?

Assuming your EWB web server is still set up on 8081, the 1st one would fail.

The 2nd one should fail also (from the internet, but work locally using
localhost).

The 3rd one is the only one that should work from the internet.

Firewall is definitely a possibility - I'd start by checking stunnel
logs and see if you're seeing any connection coming in at all.
If not, then it never made it to stunnel, so the local firewall would be my
next step, and assuming you're behind a router or such, make sure your
port forwarding (and firewall on the router) are also properly configured
and allow traffic thru.


> Thanks for your help. All the above will put me on the right path.

Yes, there are a lot of moving pieces with this but once you get the first one
going I can tell you the next one will be real easy if you do it again.

Raul