AMP: HTTPS / SSL Reverse proxy doesn't stick on CentOS 8 after a reboot

  • Last Post 04 September 2020
  • Topic Is Solved
HardToPort posted this 03 September 2020

OS Name/Version:

[amp@arashis-server ADS01]$ cat /etc/centos-release
CentOS Linux release 8.2.2004 (Core) 

Product Name/Version:

[amp@arashis-server ADS01]$ ampinstmgr --version
[Info] AMP Instance Manager v2.0.6 built 22/08/2020 23:12
[Info] Release spec: Release - built by CUBECODERS/buildbot on CCL-DEV

Problem Description:

Hello all, I followed the "Advanced Install" section at https://cubecoders.com/AMPInstall for CentOS, set up a Minecraft Server instance, and then realized that I also needed to set up HTTPS for security reasons.

I then followed "Reverse Proxy via NGINX" at https://github.com/CubeCoders/AMP/wiki/Setting-up-secure-HTTP-with-AMP, and everything seemed to work fine (could access AMP from localhost, over LAN, and over remote https address)... until I rebooted. After I rebooted, I only got the stub recovery page for AMP, and that was after I manually started the NGINX service for CentOS. I can still access AMP from my LAN, just not from the remote URL.

I am using my own headless server on my local network. (I can log in with SFTP/SCP and SSH as root, and can access it from LAN). When I reboot the machine, I hit the restart button in Cockpit. https://cockpit-project.org/running

Steps to reproduce:

  1. Follow "Advanced Install" section for CentOS
  2. Set up instances BEFORE setting up HTTPS
  3. Open ports in firewalld: firewall-cmd --permanent --zone=public --add-port=80/tcp and so on.
  4. Run ampinstmgr setupnginx serverurl.com 8080 (of course I substituted my own URL)

Actions taken to resolve so far:

  • ampinstmgr stopall, edit AMPconfig.conf for both ADS and Minecraft instance
  • deleting NGINX config from /etc/nginx/conf.d (I don't remember specifically if I did all the steps below..)
    • ampinstmgr stopall
    • re-running ampinstmgr setupnginx serverurl.com 8080
    • ampinstmgr startall
  • setting NGINX to run on boot with systemd (systemctl enable nginx)

Configs:

Firewall:

[amp@arashis-server ~]$ firewall-cmd --list-ports
1337/tcp 19132/udp 8804/tcp 8080/tcp 80/tcp 443/tcp 2224/tcp 2223/tcp 1337/udp
  • Ports:
    • 8080 for troubleshooting
    • 80 and 443 for web access
    • 1337 and 19132 for Minecraft server
    • 8804 for Minecraft server plugin
    • 2223, 2224 for SFTP on AMP instances

ADS01:

################################
# Webserver
################################
# Webserver.Port - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.Port=8080
# Webserver.IPBinding - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.IPBinding=0.0.0.0
Webserver.SessionTimeout=5
Webserver.NoUI=False
Webserver.FilterEndpoints=False
Webserver.AllowedEndpointIPs=["127.0.0.1"]
Webserver.CertificatePath=
Webserver.CertificateSerial=
Webserver.CertificateDomain=
Webserver.CertificatePassword=
Webserver.EnableWebSockets=True
Webserver.EnablePluginWSStreams=False
Webserver.EnableFetchPostEndpoints=True
Webserver.APIRateLimit=1000
Webserver.UsingReverseProxy=True
Webserver.ReverseProxyHost=127.0.0.1

################################
# Login
################################
Login.UseAuthServer=False
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=
Login.LDAPAllowAuthOnAnyDomain=False
Login.LDAPAuthDomain=

Minecraft Server:

################################
# Webserver
################################
# Webserver.Port - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.Port=8081
# Webserver.IPBinding - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.IPBinding=127.0.0.1
Webserver.SessionTimeout=5
Webserver.NoUI=False
Webserver.FilterEndpoints=False
Webserver.AllowedEndpointIPs=["127.0.0.1"]
Webserver.CertificatePath=
Webserver.CertificateSerial=
Webserver.CertificateDomain=
Webserver.CertificatePassword=
Webserver.EnableWebSockets=True
Webserver.EnablePluginWSStreams=False
Webserver.EnableFetchPostEndpoints=True
Webserver.APIRateLimit=1000
Webserver.UsingReverseProxy=False
Webserver.ReverseProxyHost=127.0.0.1

################################
# Login
################################
Login.UseAuthServer=True
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=http://127.0.0.1:8080/
Login.LDAPAllowAuthOnAnyDomain=False
Login.LDAPAuthDomain=

Mike posted this 04 September 2020

You might need to adjust your SELinux configuration to allow Nginx to talk to local services as CentOS has SELinux enabled out-of-the-box. See the following documentation: https://www.nginx.com/blog/using-nginx-plus-with-selinux/

HardToPort posted this 04 September 2020

Oh. My. Gosh. That fixed it! I just had to install setroubleshoot-server, which includes the needed policycoreutils-python-utils package, and then run semanage permissive -a httpd_t as root.

(I needed to install setroubleshoot-server because I installed a Minimal Install of CentOS, and I didn't select any SELinux packages..)

After all that, the page came up immediately! I hope other CentOS users find this post useful.
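
An added example, not part of the thread or of AMP's documentation: a shell check that reads SELinux audit records, confirms that nginx (domain httpd_t) was denied `name_connect` to the proxied AMP ports, and prints a narrower change than leaving all of httpd_t permissive. The audit lines are constructed samples, and the assumption is that the denials are outbound `name_connect` ones, which the `httpd_can_network_connect` boolean covers.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1599200001.101:411): avc:  denied  { name_connect } for  pid=1380 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1599200002.202:412): avc:  denied  { name_connect } for  pid=1380 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1599200003.303:413): avc:  denied  { read } for  pid=2001 comm="sshd" name="example" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599200004.404:414): avc:  denied  { name_connect } for  pid=1380 comm="nginx" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Read audit records on stdin; print the unique destination ports that a
# process in the httpd_t domain was denied an outbound connection to.
denied_proxy_ports() {
  grep 'avc: *denied' |
    grep '{ name_connect }' |
    grep 'scontext=[^ ]*:httpd_t:' |
    sed -n 's/.* dest=\([0-9][0-9]*\) .*/\1/p' |
    sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Read audit records on stdin; print the targeted remediation if the
# denials match the reverse-proxy pattern, otherwise return non-zero.
suggest_fix() {
  ports=$(denied_proxy_ports)
  if [ -z "$ports" ]; then
    echo "no httpd_t name_connect denials found"
    return 1
  fi
  echo "# httpd_t was denied name_connect to port(s): $ports"
  # Allow only outbound TCP connections from httpd_t, persistently.
  echo "setsebool -P httpd_can_network_connect 1"
  # Then put the domain back into enforcing mode.
  echo "semanage permissive -d httpd_t"
}

# Demo on the constructed records. On a real host, run as root:
#   suggest_fix < /var/log/audit/audit.log
sample_audit_log | suggest_fix
```

The printed commands are suggestions to review, not actions the script takes; after applying them, a reboot test confirms the proxy still reaches AMP with httpd_t enforcing.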
