Thread: using nginx with vbrichclient websocket server for SSL

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    486

    hello,

    I am sorry to ask such a question since it has been answered vaguely, but after doing some research I cannot figure it out.

    I need to use vbrichclient websocket functionality but adding ssl. I am extremely green at this so detailed help would be appreciated.

    From what I understand now, I can use nginx web server running on PC as proxy to make my connection to the vbrichclient secure. But I have no clue how to do that.

    thanks in advance

  2. #2
    Frenzied Member
    Join Date
    Aug 2020
    Posts
    1,447

    jpbro has provided a magic tool for Nginx with RC5/RC6:

    VB6 FastCGI Web App Server Framework

  3. #3

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    486

    Quote Originally Posted by SearchingDataOnly View Post
    jpbro has provided a magic tool for Nginx with RC5/RC6:

    VB6 FastCGI Web App Server Framework

    Again, I am totally green at this.

    Can someone at least show a flow chart of what needs to happen? I am completely in the dark here.

    If nginx is a server, what does FastCGI do?

    Is there a SIMPLE way to just configure nginx to be an ssl proxy to the vbrichclient websocket?

  4. #4
    PowerPoster
    Join Date
    Aug 2010
    Location
    Canada
    Posts
    2,452

    I assume you are using the RC6 CWebServer class as the listener for your VB6 app, is this correct?

    If so, you can set it up to listen on the localhost at a non-standard port (e.g. 127.0.0.1:22223):

    Code:
    Private mo_MyWebServer As RC6.CWebServer
    
    Private Sub Class_Initialize()
       Set mo_MyWebServer = New_C.WebServer.Listen(App.Path & "\htdocs\", "127.0.0.1", "22223")
    End Sub

    Then configure Nginx to act as a reverse proxy to your RC6 web server as follows. Note, I haven't had a chance to test out the config below, so there may be errors. This config assumes you are using a Let's Encrypt certificate on Linux, so make sure you are, otherwise change the ssl_certificate and ssl_certificate_key paths to point to your certificate location.

    Code:
    upstream backendrc6 {
            # This should point to your RC6 app IP & port
            # (fail_timeout is a parameter of the upstream "server" directive, not of server_name)
            server 127.0.0.1:22223 fail_timeout=0;
    }

    server {
            server_name myserver.mydomain.com;

            # Redirect HTTP to HTTPS
            listen 80;
            listen [::]:80;

            return 301 https://myserver.mydomain.com$request_uri;
    }

    server {
            # Listen on HTTPS Port 443 with a valid certificate for encrypted communications
            # We will pass all requests to our backend RC6 app over HTTP at 127.0.0.1:22223
            # Responding back through Nginx/HTTPS to the requester

            server_name myserver.mydomain.com;

            listen 443 ssl;
            listen [::]:443 ssl;

            ssl_certificate /etc/letsencrypt/live/myserver.mydomain.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/myserver.mydomain.com/privkey.pem;
            # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 and 1.3 only
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_prefer_server_ciphers on;
            ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
            ssl_dhparam /etc/ssl/certs/dhparam.pem;

            location / {
                    # Redirect all requests to your RC6 app
                    proxy_pass http://backendrc6;
                    proxy_set_header        Host $host:$server_port;
                    proxy_set_header        X-Real-IP $remote_addr;
                    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header        X-Forwarded-Proto $scheme;
                    proxy_redirect http:// https://;
            }
    }

    Make sure to change mysubdomain.mydomain.com to whatever your web-facing website address is.

    Let me know if you have any questions or encounter any problems when trying the above.
    Last edited by jpbro; Jun 16th, 2021 at 03:55 PM.

  5. #5
    PowerPoster
    Join Date
    Aug 2010
    Location
    Canada
    Posts
    2,452

    The basic flow chart is:

    Visitor's Browser <--> Internet <--> Your Nginx Web Server <--> Your RC6 CWebServer Listener <--> Your App Logic

  6. #6

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    486

    Thank you!!! This is super helpful!

  7. #7
    PowerPoster
    Join Date
    Aug 2010
    Location
    Canada
    Posts
    2,452

    Happy to help

    I should mention one thing in case it wasn't clear - the communications between Nginx and your RC6 app are not encrypted (only the traffic to/from Nginx to the browser is encrypted). This means you should run Nginx on the same machine/VM or at least the same LAN as your RC6 app. Even though you could theoretically put them on different machines across the Internet, this would no longer be safe from eavesdropping unless you use a VPN or SSH tunnel between the two separated systems.

  8. #8

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    486

    Quote Originally Posted by jpbro View Post
    Happy to help

    I should mention one thing in case it wasn't clear - the communications between Nginx and your RC6 app are not encrypted (only the traffic to/from Nginx to the browser is encrypted). This means you should run Nginx on the same machine/VM or at least the same LAN as your RC6 app. Even though you could theoretically put them on different machines across the Internet, this would no longer be safe from eavesdropping unless you use a VPN or SSH tunnel between the two separated systems.

    So I do have a question. This will be used on a Windows PC as server, so there is no domain name. Can I just use the public IP address? Any hints on how to make this work?

    I truly appreciate your help!

  9. #9
    PowerPoster
    Join Date
    Aug 2010
    Location
    Canada
    Posts
    2,452

    You can use a public IP address provided it is a static IP address, but you will have to generate a self-signed certificate for it as AFAIK all SSL certificate providers require you to have a domain name.

    Self-signed certificates won't be trusted by browsers by default, so anyone that visits your site will be greeted by one of those scary "get me out of here/back to safety" pages with a warning that the page is untrusted.

    If the site is just for you or internal use by your company/group, then you can add your self-signed cert to the trusted certificates list on your computer and it will be fine (everything will be encrypted and you will know you can trust the certificate). If your site is for public use, then it will be difficult to expect visitors to trust your self-signed certificate and visit an IP address, so you would be well served to purchase a domain name.

    If you want to create a self-signed certificate, I would search for "generate self-signed certificate windows" to find tutorials.

  10. #10

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    486

    Quote Originally Posted by jpbro View Post
    You can use a public IP address provided it is a static IP address, but you will have to generate a self-signed certificate for it as AFAIK all SSL certificate providers require you to have a domain name.

    Self-signed certificates won't be trusted by browsers by default, so anyone that visits your site will be greeted by one of those scary "get me out of here/back to safety" pages with a warning that the page is untrusted.

    If the site is just for you or internal use by your company/group, then you can add your self-signed cert to the trusted certificates list on your computer and it will be fine (everything will be encrypted and you will know you can trust the certificate). If your site is for public use, then it will be difficult to expect visitors to trust your self-signed certificate and visit an IP address, so you would be well served to purchase a domain name.

    If you want to create a self-signed certificate, I would search for "generate self-signed certificate windows" to find tutorials.

    Again... SUPER helpful information... it is for internal use so this solution is perfect.

    Thank you!

  11. #11
    PowerPoster
    Join Date
    Aug 2010
    Location
    Canada
    Posts
    2,452

    One other note about these lines in the Nginx config:

    Code:
            listen 80; 
            listen [::]:80;
    		
            listen 443 ssl;
            listen [::]:443 ssl;

    Since no IP is specified, Nginx will listen on all available IP addresses (including IPv6 addresses). You'll probably just want to listen on the server's static IPv4 address, so you can change the "listen" directives to the following (where 1.2.3.4 is your static IP address):

    Code:
          listen 1.2.3.4:80;
    
          listen 1.2.3.4:443 ssl;
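
The thread's goal is TLS in front of a WebSocket listener, and nginx only passes a WebSocket handshake upstream when the Upgrade and Connection headers are forwarded explicitly. The following is an added example, not code posted by anyone in the thread; it assumes the 1.2.3.4 static IP and the 127.0.0.1:22223 RC6 listener used above, and the certificate paths are placeholders.

```nginx
# Added example: goes inside the http { } block of nginx.conf.
# Assumed values: 1.2.3.4 (static IP), 127.0.0.1:22223 (RC6 listener),
# certificate paths (placeholders).

# Send "Connection: upgrade" upstream only when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream backendrc6 {
    server 127.0.0.1:22223;   # loopback only: this hop is unencrypted
}

server {
    listen 1.2.3.4:80;
    # Literal address, so the redirect target never depends on the request's Host header
    return 301 https://1.2.3.4$request_uri;
}

server {
    listen 1.2.3.4:443 ssl;

    # Self-signed certificate; its subjectAltName must contain IP:1.2.3.4
    ssl_certificate     /path/to/selfsigned.crt;   # placeholder
    ssl_certificate_key /path/to/selfsigned.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://backendrc6;

        # WebSocket handshake: HTTP/1.1 plus the hop-by-hop Upgrade/Connection
        # headers, which nginx does not forward by default.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Idle proxied connections are closed after proxy_read_timeout (default 60s)
        proxy_read_timeout 1h;
    }
}
```

Clients then connect with wss://1.2.3.4/, and `nginx -t` checks the file for syntax errors before a reload.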
