AMP: HTTPS / SSL Reverse proxy doesn't stick on CentOS 8 after a reboot

  • Last Post 04 September 2020
  • Topic Is Solved
HardToPort posted this 03 September 2020

OS Name/Version:

[amp@arashis-server ADS01]$ cat /etc/centos-release
CentOS Linux release 8.2.2004 (Core) 

Product Name/Version:

[amp@arashis-server ADS01]$ ampinstmgr --version
[Info] AMP Instance Manager v2.0.6 built 22/08/2020 23:12
[Info] Release spec: Release - built by CUBECODERS/buildbot on CCL-DEV

Problem Description:

Hello all, I followed the "Advanced Install" section at https://cubecoders.com/AMPInstall for CentOS, set up a Minecraft Server instance, and then realized that I also needed to set up HTTPS for security reasons.

I then followed "Reverse Proxy via NGINX" at https://github.com/CubeCoders/AMP/wiki/Setting-up-secure-HTTP-with-AMP, and everything seemed to work fine (could access AMP from localhost, over LAN, and over remote https address)... until I rebooted. After I rebooted, I only got the stub recovery page for AMP, and that was after I manually started the NGINX service for CentOS. I can still access AMP from my LAN, just not from the remote URL.

I am using my own headless server on my local network. (I can log in with SFTP/SCP and SSH as root, and can access it from LAN). When I reboot the machine, I hit the restart button in Cockpit. https://cockpit-project.org/running

Steps to reproduce:

  1. Follow "Advanced Install" section for CentOS
  2. Set up instances BEFORE setting up HTTPS
  3. Open ports in firewalld: firewall-cmd --permanent --zone=public --add-port=80/tcp and so on.
  4. Run ampinstmgr setupnginx serverurl.com 8080 (of course I substituted my own URL)

Actions taken to resolve so far:

  • ampinstmgr stopall, edit AMPconfig.conf for both ADS and Minecraft instance
  • deleting NGINX config from /etc/nginx/conf.d (I don't remember specifically if I did all the steps below.)
    • ampinstmgr stopall
    • re-running ampinstmgr setupnginx serverurl.com 8080
    • ampinstmgr startall
  • setting NGINX to run on boot with systemd (systemctl enable nginx)

Configs:

Firewall:

[amp@arashis-server ~]$ firewall-cmd --list-ports
1337/tcp 19132/udp 8804/tcp 8080/tcp 80/tcp 443/tcp 2224/tcp 2223/tcp 1337/udp
  • Ports:
    • 8080 for troubleshooting
    • 80 and 443 for web access
    • 1337 and 19132 for Minecraft server
    • 8804 for Minecraft server plugin
    • 2223, 2224 for SFTP on AMP instances

ADS01:

################################
# Webserver
################################
# Webserver.Port - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.Port=8080
# Webserver.IPBinding - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.IPBinding=0.0.0.0
Webserver.SessionTimeout=5
Webserver.NoUI=False
Webserver.FilterEndpoints=False
Webserver.AllowedEndpointIPs=["127.0.0.1"]
Webserver.CertificatePath=
Webserver.CertificateSerial=
Webserver.CertificateDomain=
Webserver.CertificatePassword=
Webserver.EnableWebSockets=True
Webserver.EnablePluginWSStreams=False
Webserver.EnableFetchPostEndpoints=True
Webserver.APIRateLimit=1000
Webserver.UsingReverseProxy=True
Webserver.ReverseProxyHost=127.0.0.1

################################
# Login
################################
Login.UseAuthServer=False
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=
Login.LDAPAllowAuthOnAnyDomain=False
Login.LDAPAuthDomain=

Minecraft Server:

################################
# Webserver
################################
# Webserver.Port - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.Port=8081
# Webserver.IPBinding - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.IPBinding=127.0.0.1
Webserver.SessionTimeout=5
Webserver.NoUI=False
Webserver.FilterEndpoints=False
Webserver.AllowedEndpointIPs=["127.0.0.1"]
Webserver.CertificatePath=
Webserver.CertificateSerial=
Webserver.CertificateDomain=
Webserver.CertificatePassword=
Webserver.EnableWebSockets=True
Webserver.EnablePluginWSStreams=False
Webserver.EnableFetchPostEndpoints=True
Webserver.APIRateLimit=1000
Webserver.UsingReverseProxy=False
Webserver.ReverseProxyHost=127.0.0.1

################################
# Login
################################
Login.UseAuthServer=True
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=http://127.0.0.1:8080/
Login.LDAPAllowAuthOnAnyDomain=False
Login.LDAPAuthDomain=

HardToPort posted this 04 September 2020

Oh. My. Gosh. That fixed it! I just had to install setroubleshoot-server, which includes the needed policycoreutils-python-utils package, and then run semanage permissive -a httpd_t as root.

(I needed to install setroubleshoot-server because I installed a Minimal Install of CentOS, and I didn't select any SELinux packages.)

After all that, the page came up immediately! I hope other CentOS users find this post useful.

Mike posted this 04 September 2020

You might need to adjust your SELinux configuration to allow Nginx to talk to local services as CentOS has SELinux enabled out-of-the-box. See the following documentation: https://www.nginx.com/blog/using-nginx-plus-with-selinux/
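
An added example, not part of the original posts or of AMP's tooling: assuming the block was an SELinux `name_connect` denial for nginx (domain `httpd_t`) proxying to AMP on 127.0.0.1:8080, this script summarises such denials and prints a narrower change to review than a permissive `httpd_t` domain. The thread shows no audit records, so the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AVC denials where nginx (domain httpd_t) was refused
# an outbound TCP connection, such as the proxy_pass to AMP on 127.0.0.1:8080.

# Constructed sample records in audit.log format (not from the thread's host).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1599177600.101:210): avc:  denied  { name_connect } for  pid=1402 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1599177660.404:215): avc:  denied  { name_connect } for  pid=1402 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1599264000.777:302): avc:  denied  { name_connect } for  pid=1530 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599264001.120:303): avc:  denied  { read } for  pid=990 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

# Reads raw audit records on stdin; prints "port port_type mode count".
# mode is "blocked" (enforcing) or "logged-only" (permissive=1, which is what
# a permissive httpd_t domain still records while letting the access through).
nginx_connect_denials() {
    awk '
        /type=AVC/ && /denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
            port = ""; ttype = ""; mode = "blocked"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dest=/) port = substr($i, 6)
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
                if ($i == "permissive=1") mode = "logged-only"
            }
            if (port != "") n[port " " ttype " " mode]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# Given that summary on stdin, print the narrower change to review: one boolean
# for outbound connections, then removal of the permissive httpd_t domain.
# Nothing is executed here; the commands are only printed.
suggest_fix() {
    summary=$(cat)
    [ -n "$summary" ] || { echo "no httpd_t name_connect denials"; return 0; }
    echo "setsebool -P httpd_can_network_connect 1"
    echo "semanage permissive -d httpd_t"
}

# On a real host: ausearch -m AVC -ts boot --raw | nginx_connect_denials
sample_avc | nginx_connect_denials
sample_avc | nginx_connect_denials | suggest_fix
```

`httpd_can_network_connect` still lets `httpd_t` open TCP connections to any port, but unlike `semanage permissive -a httpd_t` it leaves the rest of the domain's policy enforced.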
