iOS app doesn't recognize SecuritySpy behind nginx
  • jms703
    The new iOS app won't connect to my instance of SecuritySpy. It comes back with an error that reads: "The server that responded is not SecuritySpy."

    I have installed nginx in front of SecuritySpy for the purpose of being able to control the TLS settings and to avoid running anything that depends on OpenSSL (using LibreSSL).

    This configuration works fine with the SpyGlass iOS app and with the webUI in iOS browsers.

    Can the iOS app be modified to connect even though it detects something else at the host name supplied?
  • BenBen
    This is an unusual configuration that we haven't tested. Is there an option in nginx to pass through all of the HTTP headers from SecuritySpy to the client? As long as the headers are transmitted intact, and you are using version 4.0.8 of SecuritySpy, there is no reason why this shouldn't work. If you are using 4.0.8 and still getting this error, it must be because nginx is modifying the HTTP headers on the way through for some reason.
  • jms703
    Yes, I know this is unusual. As you can see from my nginx configuration, I'm terminating TLS at nginx and then connecting to SecuritySpy (https on port 8001).

    server {
    listen 8001 ssl;
    server_name my.fqdn.net;
    location / {
    proxy_pass https://192.168.1.10:8001;
    proxy_buffering off;
    proxy_read_timeout 180;
    proxy_connect_timeout 90;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 8001;
    proxy_set_header Host $host;
    }
    }
  • jms703
    I'm running 4.0.8 on MacOS 10.11.6.
  • BenBen
    Try adding the following line to your configuration:

    proxy_pass_header Server;

    Does that do it?
  • jms703
    No, that doesn't fix it.

    One way I was able to get it to work was to both disable SSL in the nginx config and listen on 8000 instead. The iOS app seems to like this, but not having SSL is deal breaker.

    server {
    #listen 8001 ssl;
    listen 8000 ;
    server_name my.fqdn.net;
    location / {
    proxy_pass https://192.168.1.10:8001;
    proxy_buffering off;
    proxy_read_timeout 180;
    proxy_connect_timeout 90;
    proxy_redirect off;
    proxy_pass_header Server;
    proxy_pass_request_headers on;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 8001;
    proxy_set_header Host $host;
    }
    }

    I'll keep tinkering around to see what I can figure out. If that doesn't work, I'll have to expose the SecuritySpy system directly to the internet, something I've been trying to avoid.
  • BenBen
    After adding the proxy_pass_header, what was the error reported by the iOS app? Was it different from before?

    Are you sure the SSL certificate that you are using is valid?

    If the Server header is passed through from SecuritySpy, and the certificate is valid, then the iOS app should recognise the server as a valid SecuritySpy server.
  • jms703
    Error is the same.

    SSL certificate is valid.

    This works fine in Chrome, Firefox, and the Spyglass iOS app.

    (one more thing, the fact that i cant save a profile, even a non working profile, in the SecuritySpy iOS app makes it harder to troubleshoot since I have to reenter everything (hostname, port, username, password) every single time. would be nice to let you configure and save a profile regardless of success.)
  • martinorob
    Same errore here.

    This is my log;

    2016/12/15 14:00:11 [info] 7683#7683: *171981 client sent plain HTTP request to HTTPS port while reading client request headers, client: (ip of my client), server: test.myserver.com, request: "GET /++systemInfo HTTP/1.1", host: "test.myserver.com:443"

    imho i think that the iOS app make a request not via https but via http on https port (443).

    The error indicates that the iOS app tried to connect to http://example.com:443
    i.e., it's sending a HTTP request instead of HTTPS.
    What nginx is https://example.com:443 so it can pass username e password to the SS server in https and not in http!


    Please Ben, fix this! :)
  • jms703
    I got around this by not specifying a port or username/password. Just put in the host name and it connects, prompts for credentials, and you're good to go.
  • martinorob
    Hi @jms703
    can you write here your nginx config?
  • martinorob
    even without authentication the application respond "The server that responded is not SecuritySpy".

    Than is an ssl error.
    @jms703 do you confirm that you solve without an ssl connection?

    Thanks
  • martinorob
    @Ben Any news? My iOS app is unusable due to this problem. :(
  • jms703
    @martinorob

    Here is my nginx config:


    worker_processes 1;
    worker_rlimit_nofile 1024;
    events {
    worker_connections 800;
    }


    http {
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    index index.html ;
    underscores_in_headers on ;

    ssl_certificate /etc/ssl/server.crt ;
    ssl_certificate_key /etc/ssl/private/server.key ;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    server {
    listen 80;
    server_name www.domain.com;
    root /var/www/htdocs;
    location /.well-known/acme-challenge {
    alias /var/www/letsencrypt;
    default_type text/plain;
    }
    location / {
    deny all;
    return 404;
    }
    }

    server {
    listen 443 ssl;
    server_name www.domain.com;
    root /var/www/htdocs;
    }

    server {
    listen 8001 ssl;
    server_name securityspy.domain.com;
    location / {
    proxy_buffering off;
    proxy_read_timeout 180;
    proxy_connect_timeout 90;
    proxy_redirect off;
    proxy_pass_header Server;
    proxy_pass_request_headers on;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 8001;
    proxy_pass https://10.1.3.20:8001;
    }
    }
    }

    The relevant part is the clause at the bottom. I listen on 8001 on the internet. SSL is enabled. The cert is a Let's Encrypt cert, so no warnings or issues with invalid certs.

    Also, I did not solve by disabling SSL. I solved by not specifying SSL in the iOS app. As you can see from my config, you cannot connect without SSL.
  • martinorob
    Thanks @jms703.

    Your config is different from mine only on the listen port.
    Your is 8001, mine is 443.

    Changing my port it works.

    So the problema is that the iOS app have trouble with 443 port.


    I hope in future iOS app release!

  • martinorob
    *even because with Spyglass works perfectly on port 443.
  • martinorob
    Solved!

    i have created a script that modify the server tag of my nginx server and than reload it.


    cat fixsecspy.sh

    line_old='server_tag "nginx";'
    line_new='server_tag "BBVS/4.0";'
    string=$(cat /etc/nginx/nginx.conf | grep server_tag)
    if [[ $string == *nginx* ]]; then
    echo "broken"
    sed -i "s%$line_old%$line_new%g" /etc/nginx/nginx.conf
    nginx -t && nginx -s reload
    else
    echo "ok"
    fi


    and run if every minute.


    Now your securitypsy app on iOS (and android) works if secspy sever is behind nginx!
    Hope I help someone!

    M.
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories