https:// or http://

andy48 · Jun 19, 2024

I've been trying to set up Web Server access (using STunnel) and have nearly got there. My issue is that I can only get in using http:/80.193.abc.d:8xxx/login.htm and I feel I should be using https.

Where do I start looking!!? There are so many settings in both BI and my ASUS router that my head hurts.

andy48 · Jun 21, 2024

Does anyone have a link to a definitive tutorial for setting up secure Web Server access to BI using UI3, please?

TonyR · Jun 21, 2024

andy48 said:
Does anyone have a link to a definitive tutorial for setting up secure Web Server access to BI using UI3, please?

Below is a YT video that is 5 years old so I'm not sure how much it will help. BTW, in my search for info on stunnel to point you to it seems many veteran members point out that a VPN such as OpenVPN hosted on an Asus or Netgear router (server) is easier and quicker to configure (not the kind of VPN you pay for). Then you run the related VPN client on your away-from-home phone, PC, etc. A how-to link for that is below the YT stunnel video.

OpenVPN on a Asus router

Sept 2021 Turned off comments because of ads July 2021 Bought a new Asus router, an RT-AX86U. Loaded it right away with Merlin firmware, s...

randyshomeprojects.blogspot.com

andy48 · Jun 21, 2024

Many thanks. I'll give it a go.

andy48 · Jun 24, 2024

TonyR said:
a VPN such as OpenVPN hosted on an Asus or Netgear router (server) is easier and quicker to configure

Thanks, I've finally got it running using OpenVPN. I must have got in a tangle with my router settings. I did a factory reset and started again and got it set up very quickly with no issues.

TheWaterbug · Jul 11, 2024

I'm trying to get BI working through stunnel on one of my machines, and I'm almost there, but not quite. I followed the steps from the 5-year-old video TonyR linked above, and found that one missing step is fiddling with the Windows firewall. For some odd reason it enabled stunnel inbound for Public networks only, and not for Private or Domain. Once I checked those boxes for the four auto-generated inbound rules, I stopped getting startup errors from stunnel and started getting entries in the stunnel log when I direct Edge on the BI server to itself at

https://my-domain.dyndns.org:8080/ui3.htm

:

Code:

2024.07.11 16:54:15 LOG5[main]: stunnel 5.72 on x64-pc-mingw32-gnu platform
2024.07.11 16:54:15 LOG5[main]: Compiled/running with OpenSSL 3.2.1 30 Jan 2024
2024.07.11 16:54:16 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2024.07.11 16:54:16 LOG5[main]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf
2024.07.11 16:54:16 LOG5[main]: UTF-8 byte order mark detected
2024.07.11 16:54:16 LOG5[main]: FIPS mode disabled
2024.07.11 16:54:16 LOG5[main]: Configuration successful
2024.07.11 16:55:03 LOG5[0]: Service [blueiris] accepted connection from 192.168.1.1:1360
2024.07.11 16:55:03 LOG5[1]: Service [blueiris] accepted connection from 192.168.1.1:61399
2024.07.11 16:55:03 LOG3[1]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 16:55:03 LOG5[1]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:03 LOG3[0]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 16:55:03 LOG5[0]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:03 LOG5[2]: Service [blueiris] accepted connection from 192.168.1.1:9174
2024.07.11 16:55:05 LOG3[2]: s_connect: connect 127.0.0.1:81: Connection refused (WSAECONNREFUSED) (10061)
2024.07.11 16:55:05 LOG3[2]: No more addresses to connect
2024.07.11 16:55:05 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:06 LOG5[3]: Service [blueiris] accepted connection from 192.168.1.1:19541
2024.07.11 16:55:06 LOG3[3]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 16:55:06 LOG5[3]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:06 LOG5[4]: Service [blueiris] accepted connection from 192.168.1.1:31976
2024.07.11 16:55:06 LOG3[4]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 16:55:06 LOG5[4]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:06 LOG5[5]: Service [blueiris] accepted connection from 192.168.1.1:48903
2024.07.11 16:55:08 LOG3[5]: s_connect: connect 127.0.0.1:81: Connection refused (WSAECONNREFUSED) (10061)
2024.07.11 16:55:08 LOG3[5]: No more addresses to connect
2024.07.11 16:55:08 LOG5[5]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:13 LOG5[6]: Service [blueiris] accepted connection from 192.168.1.1:26875
2024.07.11 16:55:13 LOG3[6]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 16:55:13 LOG5[6]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:13 LOG5[7]: Service [blueiris] accepted connection from 192.168.1.1:7249
2024.07.11 16:55:13 LOG3[7]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 16:55:13 LOG5[7]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:13 LOG5[8]: Service [blueiris] accepted connection from 192.168.1.1:29332
2024.07.11 16:55:15 LOG3[8]: s_connect: connect 127.0.0.1:81: Connection refused (WSAECONNREFUSED) (10061)
2024.07.11 16:55:15 LOG3[8]: No more addresses to connect
2024.07.11 16:55:15 LOG5[8]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:46 LOG5[9]: Service [blueiris] accepted connection from 192.168.1.1:18470
2024.07.11 16:55:46 LOG5[10]: Service [blueiris] accepted connection from 192.168.1.1:24436
2024.07.11 16:55:46 LOG3[9]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 16:55:46 LOG5[9]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:46 LOG3[10]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 16:55:46 LOG5[10]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 16:55:46 LOG5[11]: Service [blueiris] accepted connection from 192.168.1.1:57629
2024.07.11 16:55:48 LOG3[11]: s_connect: connect 127.0.0.1:81: Connection refused (WSAECONNREFUSED) (10061)
2024.07.11 16:55:48 LOG3[11]: No more addresses to connect
2024.07.11 16:55:48 LOG5[11]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

192.168.1.1 is my router, where I have WAN port 8080 forwarded to my BI machine's 192.168.1.3:8080, and it appears that stunnel is forwarding traffic to BI.

But the browser isn't getting anything back:

Is this a TLS error? chrome:flags: TLS doesn't show the same options as in the setup video.

edit: posted too soon. I should add that I think I have BI set up correctly:

and plain ol' http works fine on port 81, either from inside the LAN at

http://192.168.1.3:81/ui3.htm

or from outside at

http://my-domain.dyndns.org:81/ui3.htm

.

TheWaterbug · Jul 11, 2024

More:

If I point Edge to:

https://192.168.1.3:8080/ui3.htm

then I get a warning about certificates (which I also got when using the WAN address, but forgot to screenshot):

and then clicked Advanced, and then Proceed, and I get the same "didn't send any data" error in Edge. Logs show:

Code:

2024.07.11 17:03:28 LOG5[18]: Service [blueiris] accepted connection from 192.168.1.3:64705
2024.07.11 17:03:28 LOG5[19]: Service [blueiris] accepted connection from 192.168.1.3:64706
2024.07.11 17:03:28 LOG3[18]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:28 LOG5[18]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:28 LOG3[19]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:28 LOG5[19]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:36 LOG5[20]: Service [blueiris] accepted connection from 192.168.1.3:64715
2024.07.11 17:03:36 LOG3[20]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:36 LOG5[20]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:36 LOG5[21]: Service [blueiris] accepted connection from 192.168.1.3:64716
2024.07.11 17:03:36 LOG5[22]: Service [blueiris] accepted connection from 192.168.1.3:64717
2024.07.11 17:03:36 LOG3[22]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:36 LOG5[22]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:36 LOG3[21]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:36 LOG5[21]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:36 LOG5[23]: Service [blueiris] accepted connection from 192.168.1.3:64718
2024.07.11 17:03:38 LOG3[23]: s_connect: connect 127.0.0.1:81: Connection refused (WSAECONNREFUSED) (10061)
2024.07.11 17:03:38 LOG3[23]: No more addresses to connect
2024.07.11 17:03:38 LOG5[23]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:39 LOG5[24]: Service [blueiris] accepted connection from 192.168.1.3:64721
2024.07.11 17:03:39 LOG3[24]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:39 LOG5[24]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:39 LOG5[25]: Service [blueiris] accepted connection from 192.168.1.3:64722
2024.07.11 17:03:39 LOG5[26]: Service [blueiris] accepted connection from 192.168.1.3:64723
2024.07.11 17:03:39 LOG3[25]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:39 LOG5[25]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:39 LOG3[26]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:39 LOG5[26]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:39 LOG5[27]: Service [blueiris] accepted connection from 192.168.1.3:64724
2024.07.11 17:03:41 LOG3[27]: s_connect: connect 127.0.0.1:81: Connection refused (WSAECONNREFUSED) (10061)
2024.07.11 17:03:41 LOG3[27]: No more addresses to connect
2024.07.11 17:03:41 LOG5[27]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:46 LOG5[28]: Service [blueiris] accepted connection from 192.168.1.3:64727
2024.07.11 17:03:46 LOG5[29]: Service [blueiris] accepted connection from 192.168.1.3:64728
2024.07.11 17:03:46 LOG3[28]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:46 LOG5[28]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:46 LOG3[29]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:46 LOG5[29]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:46 LOG5[30]: Service [blueiris] accepted connection from 192.168.1.3:64729
2024.07.11 17:03:46 LOG3[30]: SSL_accept: ssl/record/rec_layer_s3.c:865: error:0A000416:SSL routines::ssl/tls alert certificate unknown
2024.07.11 17:03:46 LOG5[30]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.07.11 17:03:46 LOG5[31]: Service [blueiris] accepted connection from 192.168.1.3:64730
2024.07.11 17:03:48 LOG3[31]: s_connect: connect 127.0.0.1:81: Connection refused (WSAECONNREFUSED) (10061)
2024.07.11 17:03:48 LOG3[31]: No more addresses to connect
2024.07.11 17:03:48 LOG5[31]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

TheWaterbug · Jul 11, 2024

More:

I had set the TLS flag options in Edge, not Chrome.

But I also set them in Chrome, and then used Chrome, and got the same result and same log entries.

tech_junkie · Jul 11, 2024

TheWaterbug said:
I'm trying to get BI working through stunnel on one of my machines, and I'm almost there, but not quite. I followed the steps from the 5-year-old video TonyR linked above, and found that one missing step is fiddling with the Windows firewall. For some odd reason it enabled stunnel inbound for Public networks only, and not for Private or Domain. Once I checked those boxes for the four auto-generated inbound rules, I stopped getting startup errors from stunnel and started getting entries in the stunnel log when I direct Edge on the BI server to itself at

Just briefly looking at this, the certificate is invalid for public connections since "." is local host so its only going to be local or .local traffic allowed with the cert.
So I would try unplugging the computer's network connection, generate the Stunnel cert with the dyn dns web address, change certs, turn off the computer, plug in the network cable and turn on the server and see if its working now.
If Stunnel is not running a CA server, its going to give you a self signed warning.
If you want a public cert, you would have to purchase one either through me (Audiospecific | Website Hosting Services - Easy & Secure Hosting) or any other web hosting site that sells public TLS/SSL certificates

tech_junkie · Jul 11, 2024

Also, port 8080 should (ideally) only be exposed on the network (unless you are already running something on port 80 on the outside connection. Then I would have my name server set up as www.mywebsite.com on my port 80 server and security_cams.mywebsite.com point to 8080. For example)

tech_junkie · Jul 11, 2024

TheWaterbug said:
and plain ol' http works fine on port 81, either from inside the LAN at http://192.168.1.3:81/ui3.htm or from outside at
http://my-domain.dyndns.org:81/ui3.htm

I wouldn't advise http on things the user enters information. Nor expose it and would insert a redirect command in .htaccess so if someone went there by accident, they would be redirected to the https connection.

tech_junkie · Jul 11, 2024

TheWaterbug said:
https://my-domain.dyndns.org:8080/ui3.htm

Why are you using dyndns anyways?

TheWaterbug · Jul 12, 2024

tech_junkie said:
Just briefly looking at this, the certificate is invalid for public connections since "." is local host so its only going to be local or .local traffic allowed with the cert.
So I would try unplugging the computer's network connection, generate the Stunnel cert with the dyn dns web address, change certs, turn off the computer, plug in the network cable and turn on the server and see if its working now.
If Stunnel is not running a CA server, its going to give you a self signed warning.
If you want a public cert, you would have to purchase one either through me (Audiospecific | Website Hosting Services - Easy & Secure Hosting) or any other web hosting site that sells public TLS/SSL certificates

My pfsense box serves as its own certificate authority. Can I generate a certificate from that?

TheWaterbug · Jul 12, 2024

tech_junkie said:
Why are you using dyndns anyways?

This is my home, where I don't have a static IP, so my WAN IP is subject to change any time. I'd rather not use ngrok, for various reasons.

I currently have WAN port 81 forwarded to 192.168.1.3:81, where BI runs, but that's on a separate network segment that's firewall off from my important stuff. All of my "things" are in that segment, and I assume that it's Wild West in there.

tech_junkie · Jul 12, 2024

TheWaterbug said:
My pfsense box serves as its own certificate authority. Can I generate a certificate from that?

Unfortunately its a special type for VPN only and its still a type of self signed system, but at least you do have control over the revocations, but they already got into the system by then.
The difference is web browsers would have the CA address because its a known 'public trust server' so even if you set up a CA for certificate stapling (the two party check of the certificate before the browser goes to the https site to prevent man in the middle attacks) and expose it to the outside, you would additionally have to put the CA's web address in the client's web browser's CA authority list.

tech_junkie · Jul 12, 2024

TheWaterbug said:
This is my home, where I don't have a static IP, so my WAN IP is subject to change any time. I'd rather not use ngrok, for various reasons.

I currently have WAN port 81 forwarded to 192.168.1.3:81, where BI runs, but that's on a separate network segment that's firewall off from my important stuff. All of my "things" are in that segment, and I assume that it's Wild West in there.

I wouldn't do any 'virtual tunneling'

I'm just wondering if leasing an IP address, then splitting the WAN so your BI machine is on a static while your router and existing network stays DHCP WAN with its own IP would be more cost effective than paying no-ip for their services.
Plus that would eliminate any chances of anyone accessing your network since it would be on a different outside connection.

Search

Search

https:// or http://

andy48

n3wb

andy48

n3wb

TonyR

OpenVPN on a Asus router

andy48

n3wb

andy48

n3wb

TheWaterbug

Known around here

TheWaterbug

Known around here

TheWaterbug

Known around here

tech_junkie

Getting comfortable

tech_junkie

Getting comfortable

tech_junkie

Getting comfortable

tech_junkie

Getting comfortable

TheWaterbug

Known around here

TheWaterbug

Known around here

tech_junkie

Getting comfortable

tech_junkie

Getting comfortable