Passbolt timing out (Oracle cloud, iptables)

ubuntu@passbolt2:/usr/share/nginx$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
ubuntu@passbolt2:/usr/share/nginx$
1 Like

If there is still no response from your client browser, try getting a response with the command line on the server again:

Okay, now we’re getting the passbolt page.:

ubuntu@passbolt2:/usr/share/nginx$ curl -L https://passbolt.mydomain.co.uk
<!doctype html>
<html class="passbolt no-js version launching no-passboltplugin" lang="en">
<head>
    <meta charset="utf-8"/>
    <title>Passbolt | Open source password manager for teams</title>
    <!--

        ____                  __          ____
       / __ \____  _____ ____/ /_  ____  / / /_
      / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
     / ____/ /_/ (__  )__  ) /_/ / /_/ / / /_
    /_/    \__,_/____/____/_.___/\____/_/\__/

    Open source password manager for teams
    Copyright (c) Passbolt SA (https://www.passbolt.com)


    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as
    published by the Free Software Foundation, either version 3 of the
    License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program. If not, see http://www.gnu.org/licenses/.


    -->
    <meta name="description" content="Open source password manager for teams">
    <meta name="keywords" content="Passbolt, password manager, online password manager, open source password manager">
    <meta name="robots" content="noindex, nofollow">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="shortcut icon" type="image/x-icon" href="https://passbolt.mydomain.co.uk/favicon.ico" />
    <link rel="icon" href="https://passbolt.mydomain.co.uk/favicon_32.png" sizes="32x32" />
    <link rel="icon" href="https://passbolt.mydomain.co.uk/favicon_57.png" sizes="57x57" />
    <link rel="icon" href="https://passbolt.mydomain.co.uk/favicon_76.png" sizes="76x76" />
    <link rel="icon" href="https://passbolt.mydomain.co.uk/favicon_96.png" sizes="96x96" />
    <link rel="icon" href="https://passbolt.mydomain.co.uk/favicon_128.png" sizes="128x128" />
    <link rel="icon" href="https://passbolt.mydomain.co.uk/favicon_192.png" sizes="192x192" />
    <link rel="icon" href="https://passbolt.mydomain.co.uk/favicon_228.png" sizes="228x228" />
    <base href="https://passbolt.mydomain.co.uk/">
        <script src="https://passbolt.mydomain.co.uk/js/app/stylesheet.js?v=3.7.1" id="stylesheet-manager" data-file="api_authentication.min.css" cache-version="3.7.1"></script></head>
<body>
<!-- main -->
<div id="container" class="page ">
</div>
<script src="https://passbolt.mydomain.co.uk/js/app/api-vendors.js?v=3.7.1" cache-version="3.7.1"></script><script src="https://passbolt.mydomain.co.uk/js/app/api-triage.js?v=3.7.1" cache-version="3.7.1"></script></body>
</html>
1 Like

@unboostedvtak So if you still cannot access via the browser, I would look at the firewall settings or something like a fail2ban service that might be running and blocking your client ip due to too many failures, etc.

You could check the /var/log/ufw for errors, if you have ufw enabled.

Sometimes I run tcptrack -i <interfacename> to see what activity is coming in. But if there is no activity on the server at all, it appears there is something else in the network that has changed.

I’ve tried accessing it through a different IP, phone, over browser, on mobile data, and getting Address Unreachable.
Never used tcptrack before, it seems pretty neat.

I ran a tcpdump as well during that, and that’s what I’m getting…

Other public organizations are clearly hitting your NGINX logs with searches, so is there a rule somewhere that blocks internal network ip access? Or does your client machine have a block on returned responses maybe?

I should have clarified, the previous, is coming from the IP I am accessing from.
Same when I used my phone’s browser, from the IP of the phone.

It does look like the traffic is hitting the server.

That is what it looks like when something is getting blocked, in my opinion. When the traffic is getting through it looks like:
image

My only established state there is my SSH connection to the server, any other attempts at connecting I get the “SYN_SENT”

I’ll be honest, I’m now a bit out of my element here…

Interestingly enough though, if I leave the page open, this pops up periodically:
image

Local IP over what looks like an APIPA address over 80 established?

Is there a management system handling this particular VM/server? Like cpanel or Virtualmin? Or, is this a plain-vanilla Ubuntu 22 install? It seems like there are overriding processes occurring.

It’s a VM up in Oracle cloud. Vanilla Ubuntu as far as I can tell. Never used Virtualmin or CPanel before, but have used Webmin, if it’s a similar thing I don’t see what’s stopping me from getting that put onto there.

No, we would prefer plain vanilla. @AnatomicJC any ideas?

1 Like

Server is running IPtables. It was working fine before I changed SMTP details, I don’t see the relation between the issues we’re having now from changing SMTP credentials :joy::sob:

Only rules I’ve explicitly added, on top of what Oracle pre-loads is to allow 80 and 443 in, it should allow everything out of itself by default from my understanding.
With the rules added, it was working. It all went wrong changing credentials…

When I ran nginx -t explicitly on the config file, it was looking for that config in /usr/share/nginx but it wasn’t in there, do you think that may have anything to do with it maybe? Missing copy or symlink maybe?

Typically, nginx.conf will reference the location of the other config files. You could check that: /etc/nginx/nginx.conf

The nginx test command is going to by default check the entire configuration - I think when you specified a file, you inadvertantly pointed it to a non-existing config file in the /etc/nginx folder. I think the issue is resolved regarding passbolt. Something is blocking external requests.

Check other logs. syslog, etc.

Pretty much the only thing in syslog is

ubuntu@passbolt2:/var/log$ tail -f /var/log/syslog
Sep 13 16:05:01 passbolt2 CRON[32298]: (www-data) CMD ($PASSBOLT_BASE_DIR/bin/cron)
Sep 13 16:06:01 passbolt2 CRON[32315]: (www-data) CMD ($PASSBOLT_BASE_DIR/bin/cron)
Sep 13 16:07:01 passbolt2 CRON[32333]: (www-data) CMD ($PASSBOLT_BASE_DIR/bin/cron)
Sep 13 16:08:01 passbolt2 CRON[32350]: (www-data) CMD ($PASSBOLT_BASE_DIR/bin/cron)
Sep 13 16:09:01 passbolt2 systemd[1]: Starting Clean php session files...
Sep 13 16:09:01 passbolt2 systemd[1]: phpsessionclean.service: Deactivated successfully.
Sep 13 16:09:01 passbolt2 systemd[1]: Finished Clean php session files.
Sep 13 16:09:01 passbolt2 CRON[32441]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 13 16:09:01 passbolt2 CRON[32442]: (www-data) CMD ($PASSBOLT_BASE_DIR/bin/cron)
Sep 13 16:10:01 passbolt2 CRON[32484]: (www-data) CMD ($PASSBOLT_BASE_DIR/bin/cron)
Sep 13 16:11:01 passbolt2 CRON[32502]: (www-data) CMD ($PASSBOLT_BASE_DIR/bin/cron)
Sep 13 16:11:41 passbolt2 systemd[1]: Starting Cleanup of Temporary Directories...
Sep 13 16:11:41 passbolt2 systemd[1]: systemd-tmpfiles-clean.service: Deactivated successfully.
Sep 13 16:11:41 passbolt2 systemd[1]: Finished Cleanup of Temporary Directories.

I tried to access it again while running the tail command to see if it populated anything… Other than that in syslog looks like a cron job every minute or so.

Passbolt seems to be running according to curl now, which is good I guess.

I know you said you added rules to iptables, can we verify?

sudo iptables -L INPUT

image

No route to host” and ERR_CONNECTION_TIMED_OUT in the browser: each time I encountered this, it was a firewall issue. There is for sure a firewall rule who is blocking connection, a rule on the server, or somewhere else in your Oracle cloud network. :confused:

1 Like

This is what the output is:

ubuntu@passbolt2:~$ sudo iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     icmp --  anywhere             anywhere
ubuntu@passbolt2:~$

I can’t lie, I don’t see my 443 rule appearing on there…

Here’s a reference where they explain why they don’t use ufw. https://blogs.oracle.com/developers/post/enabling-network-traffic-to-ubuntu-images-in-oracle-cloud-infrastructure

Mentions iptables steps. I saw you saved the rules but maybe they don’t respect that netfilter command.

2 Likes

You two are ***ing legends.

Got it back up, thank you very much.

I’m guessing the netfilter save actually did nothing. – though, i have rebooted before, but hey, linux…

I’ve gone into the file for iptables, as suggested in the article you sent, manually entered it in, reloaded the iptables service, nothing, rebooted, it’s back up.

image

Odd that changing smtp details broke it in the first place, but I can confirm that is working with an app password too now.

Thank you!

2 Likes