#68
I am really surprised how well it works with this reverse proxy and the good thing is that all http requests from any application will be redirected to https.
One problem is that links and other embedded things are linked to https or the browser tries to fetch them over https.
So nginx needs to take care of that and, when configured correctly, will filter the data of all supported MIME types to replace the https string.
So I guess this method has limits (for example, the test from ssllabs.com redirects to port 8443), but microb also has limits. I will post my server section, which works well for me. If you are facing a problem, you could tweak the sub filter types and the sub filter to get different results.

example: sub_filter_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;



Tested with:

http://www.howsmyssl.com
http://wikipedia.org
http://fancyssl.hboeck.de
and some more ...
howsmyssl reports probably ok with no vulnerability.

Here are the steps to give microb or other apps a new tls encryption feature.

Requirements: openssl1.1.0h
nginx 1.16.1 Depends: libc6 (>= 2.5.0-1), libgcc1 (>= 1:4.4.0), libpcre3 (>= 4.5), libssl1.1 (>= 1.1.0h), zlib1g (>= 1:1.2.1)


1. Install the nginx deb from post 44. Check for libpcre3 with dpkg --list | grep libpcre

2. Set up a reverse proxy server in /etc/nginx/nginx.conf,
which listens on port 80 and makes http requests to https (with tls 1.2 support and new ciphers)

Code:
server {
    listen       80;
    server_name  localhost;

    location / {
        resolver 127.0.0.1;
        #proxy_pass https://$host:443;
        proxy_pass https://$host$request_uri;
        #proxy_set_header Host $http_host;
        proxy_set_header Accept-Encoding "";
        proxy_redirect https:// http://;
        sub_filter_once off;
        sub_filter_types *;
        sub_filter "https://" "http://";
        #sub_filter "https://$host" "http://$host";
    }
}
4. In the connection settings, change the http proxy to 127.0.0.1 port 80. See the screenshot.

5. Start nginx as root (located in /opt/nginx/).

Code:
sudo gainroot
cd /opt/nginx
./nginx
To stop nginx you could use "./nginx -s quit".
Another way could be to add an init.d script; as a starting point you could use this.

With this configuration https requests will not be processed by the proxy (only http). This means that microb would initiate the connection with tls v1.0 without sub processing by nginx, which could make it faster. To prevent this behavior you could add another proxy, an HTTPS proxy in the N900 settings with 127.0.0.1:443, and add a server to nginx.conf which listens on that port and makes a redirect to http, which will then be handled by the other proxy on port 80.

Code:
server {
    listen 443;
    return 301 http://$host$request_uri;
}
Last edited by Halftux; 2020-04-02 at 19:27.
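A hardened variant of the two server blocks in the post, added here as an example and not part of Halftux's post: it binds both listeners to loopback and makes nginx verify the upstream certificate, which it does not do by default. The CA bundle path is an assumption; point it at a PEM bundle that exists on the device.

```nginx
server {
    # Loopback only: a bare "listen 80;" accepts connections on every
    # interface, so other hosts on the network could use the proxy too.
    listen       127.0.0.1:80;
    server_name  localhost;

    location / {
        resolver 127.0.0.1;
        proxy_pass https://$host$request_uri;

        # Upstream certificate checking is off unless enabled explicitly.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        3;
        # Assumed path to a PEM CA bundle; adjust for the device.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Send SNI and match the certificate against the requested host.
        proxy_ssl_server_name         on;
        proxy_ssl_name                $host;

        # Do not fall back to TLS 1.0/1.1 towards the upstream.
        proxy_ssl_protocols           TLSv1.2;

        # Unchanged from the post: rewrite redirects and body links to http.
        proxy_set_header Accept-Encoding "";
        proxy_redirect https:// http://;
        sub_filter_once off;
        sub_filter_types *;
        sub_filter "https://" "http://";
    }
}

server {
    # Same loopback binding for the redirect listener.
    listen 127.0.0.1:443;
    return 301 http://$host$request_uri;
}
```

With verification on, a site whose certificate fails validation produces a 502 from nginx instead of being fetched silently. Run `./nginx -t` from /opt/nginx after editing to check the syntax before restarting.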