8.3.0 upgrade to 8.3.1 https locked out

Status
Not open for further replies.

realdreams

Dabbler
Joined
Aug 10, 2012
Messages
12
On 8.3.0 I set web interface to https with non-default port number only and manually removed port 80 rewrite in nginx.conf.
After upgrading to 8.3.1 I noticed nginx.conf didn't have SSL configured. nginx is not even listening on any port other than 80, but port 80 redirects me to https://freenas/account/login/?next=/
I got locked out....


Code:
/etc/local/nginx# more nginx.conf
#
#    FreeNAS nginx configuration file
#

user www www;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # reserve 1MB under the name 'proxied' to track uploads
    upload_progress proxied 1m;

    sendfile        on;
    #tcp_nopush     on;
    client_max_body_size 500m;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    #upload_store /var/tmp/firmware;
    client_body_temp_path /var/tmp/firmware;

    server {
        server_name  localhost;
        listen       0.0.0.0:80;
        #ssl_session_timeout  5m;
        #ssl_protocols  SSLv2 SSLv3 TLSv1;
        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;

        location / {
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9042;
            fastcgi_pass_header Authorization;
            fastcgi_intercept_errors off;
            fastcgi_read_timeout 10m;
            #fastcgi_temp_path /var/tmp/firmware;

            # track uploads in the 'proxied' zone
            # remember connections for 30s after they finished
            track_uploads proxied 30s;
        }

        location /progress {
            # report uploads tracked in the 'proxied' zone
            report_uploads proxied;
        }

        location /dojango {
            alias /usr/local/www/freenasUI/dojango;
        }

        location /static {
            alias /usr/local/www/freenasUI/freeadmin/static;
        }

        location /reporting/graphs {
            alias /var/db/graphs;
        }

        #FIXME: get version from freenasUI.settings
        location /dojango/dojo-media/release/1.8.3 {
            alias /usr/local/www/dojo;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        include plugins.conf;
    }
}



The config is so different from 8.3.0 and I have no clue how the redirect is achieved... So what can I do now? Thanks.

The console says the web interface is https://ip:80. This is kinda messed up...
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
654
I faced something similar when I was playing with FreeNAS in a virtual environment. I was trying to figure out where the heck the problem was for an hour, and in the end clearing the browser cache/cookies "fixed" the improper page redirection ;)
 

realdreams

Dabbler
Joined
Aug 10, 2012
Messages
12
Thanks, I had that issue before. nginx rewrite uses an HTTP 301 permanent redirect, which is cached by the browser forever...
This one is different: nginx wasn't even listening on the https port.
I deleted nginx.conf (backed it up before I deleted it).
service ix-nginx start threw the error "unable to load private key". It expects "----- Begin Private Key -----" instead of "----- Begin RSA Private Key -----"; everything between the headers was the same.
I removed RSA from both headers, and now ix-nginx can be started and nginx.conf is populated with the SSL configuration.

I imported the wrong cert just before upgrading from 8.3.0 to the 8.3.1 release. Supposedly 8.3.1 can take both headers and can fall back to http if https fails, but it wasn't working for me...
 
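The "unable to load private key" error above came down to the PEM header label on the imported key. The label is only a name for what the base64 body encodes: "RSA PRIVATE KEY" is a PKCS#1 RSAPrivateKey, "PRIVATE KEY" is a PKCS#8 PrivateKeyInfo, and the two DER structures differ, so renaming the header does not convert one into the other. The checker below (an added example, not FreeNAS or forum code; the key bodies are constructed, structure-only stand-ins, not real keys) tells the two formats apart from the DER and flags a key whose label does not match its body before it is imported into the NAS.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----", base64 body, matching END line.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----",
    re.S,
)

def _der_len(buf, i):
    """Return (length, index of first content byte) for the DER length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_key_format(der):
    """Classify a DER private key by its structure: 'pkcs1' (RSAPrivateKey),
    'pkcs8' (PrivateKeyInfo), or None if it is neither."""
    if not der or der[0] != 0x30:          # outer SEQUENCE
        return None
    _, i = _der_len(der, 1)
    if i >= len(der) or der[i] != 0x02:    # INTEGER version comes first in both
        return None
    vlen, i = _der_len(der, i + 1)
    i += vlen
    if i >= len(der):
        return None
    # Second element: INTEGER modulus -> PKCS#1; SEQUENCE AlgorithmIdentifier -> PKCS#8
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(der[i])

def check_pem_key(pem):
    """Return (label, body_format, consistent) for the first PEM block in pem."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group("label")
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    fmt = der_key_format(der)
    expected = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}.get(label)
    return label, fmt, fmt is not None and fmt == expected

def _tlv(tag, content):
    """Minimal DER tag-length-value for contents shorter than 128 bytes (enough for the samples)."""
    return bytes([tag, len(content)]) + content

def make_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed, structure-only sample bodies (tiny placeholder integers, NOT usable keys).
PKCS1_DER = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x02, b"\x01\x00\x01") + _tlv(0x02, b"\x03"))
RSA_OID = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption OID
PKCS8_DER = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, RSA_OID + _tlv(0x05, b"")) + _tlv(0x04, PKCS1_DER))
MISLABELLED = make_pem("PRIVATE KEY", PKCS1_DER)   # header renamed, body still PKCS#1
```

A real conversion between the two formats is done with `openssl pkcs8 -topk8 -nocrypt -in key.pem -out key8.pem`, which re-encodes the body rather than just relabelling it.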

William Grzybowski

Wizard
iXsystems
Joined
May 27, 2011
Messages
1,754
If the configuration is what you pasted in the first post, I'm 100% sure this is an issue with your browser.
 

realdreams

Dabbler
Joined
Aug 10, 2012
Messages
12
I tested in IE10, Chrome 26 and Firefox 19 with the cache cleared... No luck, nginx was not even listening on 443.

What does this block do? It looks like some temp config during firmware upgrade.
Code:
location / {
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9042;
            fastcgi_pass_header Authorization;
            fastcgi_intercept_errors off;
            fastcgi_read_timeout 10m;
            #fastcgi_temp_path /var/tmp/firmware;

            # track uploads in the 'proxied' zone
            # remember connections for 30s after they finished
            track_uploads proxied 30s;
        }


After ix-nginx started, the new nginx.conf looks the same as it did in the 8.3.0 release.
 

realdreams

Dabbler
Joined
Aug 10, 2012
Messages
12
This is the working nginx.conf.
The old one didn't have SSL configured and didn't have the port 80 redirect (which I commented out). Can the redirect be permanently disabled? It's a security issue..
I don't quite get the web interface code; is it Python based? I have no idea how the old config redirected me to https://freenas/account/login/?next=/. It may be that I got only one 301 redirect, but it is permanently cached, causing redirect behavior on subsequent visits. Sometimes it redirected me to https (inaccessible) and sometimes it just didn't load at all (not even a redirect).

It would be nice to have nginx set Cache-Control along with the 301 redirect if it does send one.


Code:
# more /etc/local/nginx/nginx.conf
#
#    FreeNAS nginx configuration file
#

user www www;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # reserve 1MB under the name 'proxied' to track uploads
    upload_progress proxied 1m;

    sendfile        on;
    #tcp_nopush     on;
    client_max_body_size 500m;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    #upload_store /var/tmp/firmware;
    client_body_temp_path /var/tmp/firmware;

    server {
        server_name  localhost;
        listen       0.0.0.0:443 default_server ssl;

        ssl_certificate      /etc/ssl/freenas/nginx/nginx.crt;
        ssl_certificate_key  /etc/ssl/freenas/nginx/nginx.key;
        #ssl_session_timeout  5m;
        #ssl_protocols  SSLv2 SSLv3 TLSv1;
        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;

        location / {
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9042;
            fastcgi_pass_header Authorization;
            fastcgi_intercept_errors off;
            fastcgi_read_timeout 10m;
            #fastcgi_temp_path /var/tmp/firmware;

            # track uploads in the 'proxied' zone
            # remember connections for 30s after they finished
            track_uploads proxied 30s;
        }

        location /progress {
            # report uploads tracked in the 'proxied' zone
            report_uploads proxied;
        }

        location /dojango {
            alias /usr/local/www/freenasUI/dojango;
        }

        location /static {
            alias /usr/local/www/freenasUI/freeadmin/static;
        }

        location /reporting/graphs {
            alias /var/db/graphs;
        }

        #FIXME: get version from freenasUI.settings
        location /dojango/dojo-media/release/1.8.3 {
            alias /usr/local/www/dojo;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        include plugins.conf;
    }
   # server {
        #listen 0.0.0.0:80;
        #server_name localhost;
        #rewrite ^ https://$server_addr:443$request_uri? permanent;
   # }
}
 

William Grzybowski

Wizard
iXsystems
Joined
May 27, 2011
Messages
1,754
Security issue? Sorry, but you made me laugh.

Yes, the web interface is written in Python, using the WSGI interface.
 