iOS app doesn't recognize SecuritySpy behind nginx
The new iOS app won't connect to my instance of SecuritySpy. It comes back with an error that reads: "The server that responded is not SecuritySpy."
I have installed nginx in front of SecuritySpy for the purpose of being able to control the TLS settings and to avoid running anything that depends on OpenSSL (using LibreSSL).
This configuration works fine with the SpyGlass iOS app and with the webUI in iOS browsers.
Can the iOS app be modified to connect even though it detects something else at the host name supplied?
Comments
server {
    listen 8001 ssl;
    server_name my.fqdn.net;
    location / {
        proxy_pass https://192.168.1.10:8001;
        proxy_buffering off;
        proxy_read_timeout 180;
        proxy_connect_timeout 90;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 8001;
        proxy_set_header Host $host;
    }
}
proxy_pass_header Server;
Does that do it?
One way I was able to get it to work was to both disable SSL in the nginx config and listen on 8000 instead. The iOS app seems to like this, but not having SSL is a deal breaker.
server {
    #listen 8001 ssl;
    listen 8000;
    server_name my.fqdn.net;
    location / {
        proxy_pass https://192.168.1.10:8001;
        proxy_buffering off;
        proxy_read_timeout 180;
        proxy_connect_timeout 90;
        proxy_redirect off;
        proxy_pass_header Server;
        proxy_pass_request_headers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 8001;
        proxy_set_header Host $host;
    }
}
I'll keep tinkering around to see what I can figure out. If that doesn't work, I'll have to expose the SecuritySpy system directly to the internet, something I've been trying to avoid.
Are you sure the SSL certificate that you are using is valid?
If the Server header is passed through from SecuritySpy, and the certificate is valid, then the iOS app should recognise the server as a valid SecuritySpy server.
SSL certificate is valid.
This works fine in Chrome, Firefox, and the Spyglass iOS app.
(One more thing: the fact that I can't save a profile, even a non-working profile, in the SecuritySpy iOS app makes it harder to troubleshoot, since I have to re-enter everything (hostname, port, username, password) every single time. It would be nice to let you configure and save a profile regardless of success.)
This is my log:
2016/12/15 14:00:11 [info] 7683#7683: *171981 client sent plain HTTP request to HTTPS port while reading client request headers, client: (ip of my client), server: test.myserver.com, request: "GET /++systemInfo HTTP/1.1", host: "test.myserver.com:443"
IMHO, I think the iOS app makes the request not via HTTPS but via HTTP on the HTTPS port (443).
The error indicates that the iOS app tried to connect to http://example.com:443
i.e., it's sending a HTTP request instead of HTTPS.
But nginx is at https://example.com:443, so it can pass the username and password to the SS server over HTTPS and not over HTTP!
Please Ben, fix this!
Can you write your nginx config here?
Then it is an SSL error.
@jms703 can you confirm that you solved it without an SSL connection?
Thanks
Here is my nginx config:
worker_processes 1;
worker_rlimit_nofile 1024;
events {
    worker_connections 800;
}
http {
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    index index.html;
    underscores_in_headers on;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    server {
        listen 80;
        server_name www.domain.com;
        root /var/www/htdocs;
        location /.well-known/acme-challenge {
            alias /var/www/letsencrypt;
            default_type text/plain;
        }
        location / {
            deny all;
            return 404;
        }
    }
    server {
        listen 443 ssl;
        server_name www.domain.com;
        root /var/www/htdocs;
    }
    server {
        listen 8001 ssl;
        server_name securityspy.domain.com;
        location / {
            proxy_buffering off;
            proxy_read_timeout 180;
            proxy_connect_timeout 90;
            proxy_redirect off;
            proxy_pass_header Server;
            proxy_pass_request_headers on;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 8001;
            proxy_pass https://10.1.3.20:8001;
        }
    }
}
The relevant part is the clause at the bottom. I listen on 8001 on the internet. SSL is enabled. The cert is a Let's Encrypt cert, so no warnings or issues with invalid certs.
Also, I did not solve it by disabling SSL. I solved it by not specifying SSL in the iOS app. As you can see from my config, you cannot connect without SSL.
Your config is different from mine only in the listen port.
Yours is 8001, mine is 443.
After changing my port, it works.
So the problem is that the iOS app has trouble with port 443.
I hope for a fix in a future iOS app release!
I have created a script that modifies the server tag of my nginx server and then reloads it.
cat fixsecspy.sh
#!/bin/bash
# Rewrite nginx's server_tag so the proxy identifies itself as SecuritySpy,
# then test the config and reload nginx. Meant to be run from cron.
line_old='server_tag "nginx";'
line_new='server_tag "BBVS/4.0";'
string=$(grep server_tag /etc/nginx/nginx.conf)
if [[ $string == *nginx* ]]; then
    echo "broken"
    sed -i "s%$line_old%$line_new%g" /etc/nginx/nginx.conf
    nginx -t && nginx -s reload
else
    echo "ok"
fi
and I run it every minute.
Now your SecuritySpy app on iOS (and Android) works if the SecuritySpy server is behind nginx!
Hope I helped someone!
M.
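Ben's explanation above (the app accepts the server when the Server header comes through from SecuritySpy and the certificate validates) and M.'s server_tag workaround both come down to what the client sees on the wire. The probe below is an added example, not code from this thread or from SecuritySpy: it sends one GET to /++systemInfo, the path the nginx log line above shows the app requesting, verifies the certificate with Python's default TLS context (chain and hostname, as a browser does), and classifies the reply. The BBVS/ prefix is taken from the server_tag value in the script above; that the app matches on that prefix is an assumption, as are the function names and category strings. The 400 page text is the one nginx returns for a cleartext request on an ssl listener.

```python
"""Probe what a SecuritySpy client would see through a reverse proxy.

Added example (not from the thread or from SecuritySpy). It reproduces
the two checks the thread attributes to the iOS app: certificate
validation and inspection of the Server header on /++systemInfo.
"""
import socket
import ssl
import sys
from typing import Optional, Tuple

# Assumption: SecuritySpy identifies itself with a Server header starting
# with this value (the workaround script sets server_tag "BBVS/4.0").
SECURITYSPY_SERVER_PREFIX = "BBVS/"


def parse_status_and_server(raw: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Return (status_code, Server header value) from a raw HTTP response.

    Both are None when the bytes are not an HTTP response at all (for
    example a TLS record where cleartext was expected).
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, None
    server = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
            break
    return int(parts[1]), server


def classify(raw: bytes) -> str:
    """Map a raw response onto the failure modes discussed in the thread."""
    status, server = parse_status_and_server(raw)
    if status is None:
        return "not-http"
    # nginx answers a cleartext request on an ssl listener with this 400 page;
    # the access log shows "client sent plain HTTP request to HTTPS port".
    if status == 400 and b"plain HTTP request was sent to HTTPS port" in raw:
        return "plain-http-to-tls-port"
    if server is None:
        return "no-server-header"
    if server.startswith(SECURITYSPY_SERVER_PREFIX):
        return "securityspy"
    if server.lower().startswith("nginx"):
        # nginx substituted its own header: proxy_pass_header Server is missing
        return "proxy-masked"
    return "other:" + server


def _read_all(conn) -> bytes:
    chunks = []
    while True:
        data = conn.recv(65536)
        if not data:
            break
        chunks.append(data)
    return b"".join(chunks)


def probe(host: str, port: int, use_tls: bool = True, path: str = "/++systemInfo") -> str:
    """Send one GET to host:port and classify the reply.

    With use_tls the default context verifies the chain and hostname, so a
    certificate the app would reject shows up as tls-cert-invalid here.
    """
    request = (
        f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            if use_tls:
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    tls.sendall(request)
                    raw = _read_all(tls)
            else:
                sock.sendall(request)
                raw = _read_all(sock)
    except ssl.SSLCertVerificationError as exc:
        return f"tls-cert-invalid: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return f"connect-error: {exc}"
    return classify(raw)


if __name__ == "__main__":
    # usage: secspy_probe.py HOST PORT [plain]   (file name is assumed)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(probe(target_host, target_port, use_tls="plain" not in sys.argv[3:]))
```

Run it as `python3 secspy_probe.py securityspy.domain.com 8001`. A result of proxy-masked means nginx replaced the upstream header and proxy_pass_header Server (or an equivalent server_tag rewrite) is missing; tls-cert-invalid is the other reason the app would refuse a server whose header is fine. Passing plain as the third argument sends cleartext to the port and should reproduce the plain-http-to-tls-port case from the log line above.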