
HTTPS on an R6220 Router

cearlp
Tutor

HTTPS on an R6220 Router

Does the R6220 router have a configuration parameter that controls HTTPS traffic?

I have SSL certification installed on Linux OS but HTTPS traffic is filtered on port 443.

The DNS information resolves to the IP address ( assigned by Comcast ) of my router.

Can filtering be controlled by the router or is this a function controlled by Comcast?

 

 

Model: R6220|AC1200 Smart WiFi Router with External Antennas
Message 1 of 10
antinode
Guru

Re: HTTPS on an R6220 Router

> Does the R6220 router have a configuration parameter that controls
> HTTPS traffic?

 

   I don't know what that means.  Are you referring to something related
to port forwarding, or what?

 

> I have SSL certification installed on Linux OS but HTTPS traffic is
> filtered on port 443.

 

   Are you running some web server or other on your (unspecified) "Linux
OS" system?  Can you access it from a system on your LAN using the
server system's LAN IP address?  Can you access it from a system on your
LAN using the router's WAN/Internet IP address?

 

   What, exactly, does "HTTPS traffic is filtered on port 443" mean to
you?  As usual, showing actual actions (commands) with their actual
results (error messages, LED indicators, ...) can be more helpful than
vague descriptions or interpretations.


> The DNS information resolves to the IP address ( assigned by Comcast )
> of my router.

 

   _Which_ "The DNS information"?  What is "the IP address ( assigned by
Comcast ) of my router"?  ("a.b" out of "a.b.c.d" would be enough.)

 

> Can filtering be controlled by the router or is this a function
> controlled by Comcast?

 

   That might depend on what "filtering" means to you.  Does HTTP suffer
from the same problem (whatever it is) on port 80?  Have you asked
Comcast?  Do your Comcast terms of service allow you to run a server?

Message 2 of 10
cearlp
Tutor

Re: HTTPS on an R6220 Router

Sorry if my question was too vague. I have been running a server on my Comcast account for over a year with no problem.

I forward HTTP traffic on port 80 to a server on my LAN; everything works as expected. I am trying to use HTTPS as the Transport Protocol and have installed SSL on my server. The problem is if I try to connect to my server with https://domain-name the connection is never made, the browser just sits there waiting. The only thing I can find out is that port 443 (used for HTTPS) seems to be blocked as if by a firewall.

On the Linux OS (Ubuntu 18.04) the port has been allowed and no firewall is running. So, I was wondering if there is some configuration on the R6220 that might be preventing HTTPS traffic from being passed on.

Is this any clearer?

Message 3 of 10
antinode
Guru

Re: HTTPS on an R6220 Router

> [...] I am trying to use HTTPS as the Transport Protocol and have
> installed SSL on my server. [...]

 

   SSL is a protocol (perhaps an object library), not a web server.

 

      https://en.wikipedia.org/wiki/Transport_Layer_Security

 

> [...] The problem is if I try to connect to my server with
> https://domain-name the connection is never made, the browser just sits
> there waiting. [...]

 

   I'd expect the web browser to time out after a while.

 

   Most likely, your (unspecified) web server supports HTTPS, but it's
optional, and you have not configured it.  I doubt that you needed to
install (manually) any SSL kit to make that work.


> Are you running some web server or other on your (unspecified) "Linux
> OS" system?  Can you access it from a system on your LAN using the
> server system's LAN IP address?  Can you access it from a system on your
> LAN using the router's WAN/Internet IP address?

 

   Not many answers to any of that.

 

   I suggest that you find the documentation on your (unspecified) web
server, and find out how to enable HTTPS support in it.

 

> Is this any clearer?

 

   Yup, but you're pointed in the wrong direction.  If both client and
server are on your own LAN (and you're not using a wireless "guest
network"), then the router wouldn't block any traffic using any port.


   For access from the outside world, you'll probably want a
port-forwarding rule for port 443 (like the one for port 80?), but that
won't help if your (unspecified) web server is not listening at port
443.  And that's almost certainly a problem in the web server
configuration.  (Unless you're running some ultra-simple web server
which doesn't support HTTPS, which seems unlikely.  But I (still) don't
know anything about your (unspecified) web server.)

Message 4 of 10
cearlp
Tutor

Re: HTTPS on an R6220 Router

As I stated, the OS is Ubuntu 18.04. It has SSL (the Secure Sockets Layer) installed and activated which is needed for HTTPS, not HTTP.

I have a registered Domain name and if I use it as a URL in any browser it goes out of my LAN, gets resolved to the Comcast WAN IP address of my router, which then forwards the data to my server on the LAN. Everything works except when I put the https:// in front of the URL.

Testing with Qualys SSL Lab's SSL Server test indicates that port 443 is blocked probably by a firewall.

I have no firewall running on the server.

Message 5 of 10
antinode
Guru

Re: HTTPS on an R6220 Router

> As I stated, the OS is Ubuntu 18.04. [...]

 

   Doesn't matter.  Please pay attention.  Please answer the questions.

 

   Which web server are you using?

 

> [...] It has SSL (the Secure Sockets Layer) installed and activated
> which is needed for HTTPS, not HTTP.

 

   I doubt that it matters, but what, exactly, does "activated" mean to
you?

 

   Any optional software which is needed by your (unspecified) web
server should be installed automatically by the Ubuntu package manager
which installed your (unspecified) web server.  Therefore:

 

> [...] I doubt that you needed to install (manually) any SSL kit to
> make that work.

 

   Still true.


> I have a registered Domain name and if I use it as a URL in any
> browser it goes out of my LAN , gets resolved to the Comcast WAN IP
> address of my router, which then forwards the data to my server on the
> LAN.

 

   I doubt that the router sends anything "out of my LAN".  When the
router sees its own WAN/Internet address as the destination, it should
know enough to handle the traffic itself.

 

   But none of that matters if your web server is not listening at port
443.

 

   I'll try one more time.

 

>    Are you running some web server or other on your (unspecified) "Linux
> OS" system?  Can you access it from a system on your LAN using the
> server system's LAN IP address?  Can you access it from a system on your
> LAN using the router's WAN/Internet IP address?


> [...] Everything works except when I put the https:// in front of the
> URL.

 

   Which "Everything" works?  What, exactly, works?  Which "the URL"?

 

>    I suggest that you find the documentation on your (unspecified) web
> server, and find out how to enable HTTPS support in it.

 

   Still my advice.

 

> Testing with Qualys SSL Lab's SSL Server test indicates that port 443
> is blocked probably by a firewall.
> I have no firewall running on the server.

 

   What kind of "Testing", exactly?  "Testing" or "indicates" is not a
useful problem description.  It does not say what you did.  It does not
say what happened when you did it.  As usual, showing actual actions
(commands) with their actual results (error messages, LED indicators,
...) can be more helpful than vague descriptions or interpretations.


   But, again, I doubt that any of that "Testing" matters.  If you want
a test, then try this:

 

      netstat -an | grep 'LISTEN ' | grep -e '\.80 ' -e '\.443 '

 

   At least one of us does not understand the problem.  (I suspect that
it's you.)  It appears to me that you do not have an SSL problem; you
have a web server configuration problem.  Forget about SSL, and
concentrate on your (unspecified) web server and its configuration.

 

   If you'd reveal which web server you're using, then I could do your
Web search for you, and find one or more documents which explain how to
configure HTTPS in it.  Terms like, say:

 

      ubuntu  apache  https

 

might be good, but I still don't know which web server you're using, so
"Apache" might be wrong.

Message 6 of 10
cearlp
Tutor

Re: HTTPS on an R6220 Router


@antinode wrote:

> As I stated, the OS is Ubuntu 18.04. [...]

 

   Doesn't matter.  Please pay attention.  Please answer the questions.

 

   Which web server are you using?

DOESN'T REALLY MATTER WHICH WEBSERVER IS USED, THEY ALL HAVE TO BE CONFIGURED TO USE  SSL CODE IF THE WEBSERVER IS TO SEND DATA ENCRYPTED INSTEAD OF JUST PLAIN TEXT.

 

> [...] It has SSL (the Secure Sockets Layer) installed and activated
> which is needed for HTTPS, not HTTP.

 

   I doubt that it matters, but what, exactly, does "activated" mean to you?

SSL HAS TO BE ACTIVATED BY CONFIGURING IT ON THE LINUX OS.

THIS REQUIRES A CERTIFICATE ISSUED FROM CERTIFICATION AUTHORITY,

A PUBLIC AND PRIVATE KEY GENERATED AND ACTIVATED VIA THE WEBSERVER CONFIGURATION.

 

 

   Any optional software which is needed by your (unspecified) web
server should be installed automatically by the Ubuntu package manager
which installed your (unspecified) web server.  Therefore:

 

> [...] I doubt that you needed to install (manually) any SSL kit to
> make that work.

ALTHOUGH IT IS INCLUDED IN THE OS, IT STILL NEEDS TO BE ENABLED (ACTIVATED) TO BE USED BY THE WEBSERVER.

 

   Still true.


> I have a registered Domain name and if I use it as a URL in any
> browser it goes out of my LAN , gets resolved to the Comcast WAN IP
> address of my router, which then forwards the data to my server on the
> LAN.

 

   I doubt that the router sends anything "out of my LAN".  When the
router sees its own WAN/Internet address as the destination, it should
know enough to handle the traffic itself.

IF THE ROUTER ACCESSES A DNS SOMEWHERE ON THE INTERNET TO RESOLVE THE DOMAIN NAME I CONSIDER THIS SENDING SOMETHING OUT OF MY LAN.

 

   But none of that matters if your web server is not listening at port
443.

THE WEBSERVER IS LISTENING AT PORT 443.

BUT IN THE NETGEAR CONFIGURATION I ONLY SEE THE OPTIONS TO FORWARD PORT 20 FOR FTP AND PORT 80 FOR HTTP.

I WAS THINKING THAT I WOULD NEED TO BE ABLE TO CONFIGURE FORWARDING PORT 443 TO THE LAN IP ADDRESS OF THE DEVICE RUNNING THE WEBSERVER.

 

   I'll try one more time.

 

>    Are you running some web server or other on your (unspecified) "Linux
> OS" system?  Can you access it from a system on your LAN using the
> server system's LAN IP address?  Can you access it from a system on your
> LAN using the router's WAN/Internet IP address?

WHY DO YOU KEEP SAYING (unspecified) "Linux OS", IT IS UBUNTU 18.04.

AND YES, I CAN USE ANY BROWSER, TYPE IN THE LAN IP ADDRESS AND ACCESS THAT DEVICE FROM ANYWHERE ON THE LAN, BUT TYPING IN THE WAN IP ADDRESS NEVER REACHES IT.


> [...] Everything works except when I put the https:// in front of the
> URL.

 

   Which "Everything" works?  What, exactly, works?  Which "the URL"?

IF I TYPE THE DOMAIN NAME BY ITSELF IN ANY BROWSER, EITHER ON OR OUTSIDE OF THE LAN, I CONNECT TO THE WEBSERVER.

IF I TYPE HTTPS://DOMAIN NAME I GET NOTHING.

 

>    I suggest that you find the documentation on your (unspecified) web
> server, and find out how to enable HTTPS support in it.

AS I STATED, I DID THAT AND ENCOUNTERED THE PROBLEM THAT PORT 443 LOOKED LIKE IT WAS BLOCKED.

 

 

 

   Still my advice.

 

> Testing with Qualys SSL Lab's SSL Server test indicates that port 443
> is blocked probably by a firewall.
> I have no firewall running on the server.

 

   What kind of "Testing", exactly?  "Testing" or "indicates" is not a
useful problem description.  It does not say what you did.  It does not
say what happened when you did it.  As usual, showing actual actions
(commands) with their actual results (error messages, LED indicators,
...) can be more helpful than vague descriptions or interpretations.

 

www.ssllabs.com HAS A TEST PROGRAM THAT YOU CAN ACCESS AND GIVE IT A DOMAIN NAME.

IT CLAIMS TO PERFORM A DEEP ANALYSIS OF THE CONFIGURATION OF ANY SSL WEB SERVER ON THE PUBLIC INTERNET.

I RAN IT AND IT INDICATED IT APPEARS THAT PORT 443 WAS BLOCKED, PERHAPS BY A FIREWALL.

I HAVE NO FIREWALL RUNNING ON THE LINUX OS.


   But, again, I doubt that any of that "Testing" matters.  If you want
a test, then try this:

 

      netstat -an | grep 'LISTEN ' | grep -e '\.80 ' -e '\.443 '

THE -e '\.80' -e '\.443' GIVES ME NOTHING, BUT THE grep 'LISTEN' GIVES ME

SEVERAL tcp     0   0 127.0.0.1:3306    0.0.0.0:*  LISTEN        LINES AND THEN

                tcp6   0   0 :::443                   :::*           LISTEN

                tcp6   0   0 :::80                     ::: *          LISTEN 

                tcp6   0   0 :::21                     :::*           LISTEN       AND A FEW MORE WITH OTHER PORTS LISTED.

 

   At least one of us does not understand the problem.  (I suspect that
it's you.)  It appears to me that you do not have an SSL problem; you
have a web server configuration problem.  Forget about SSL, and
concentrate on your (unspecified) web server and its configuration.

 

   If you'd reveal which web server you're using, then I could do your
Web search for you, and find one or more documents which explain how to
configure HTTPS in it.  Terms like, say:

 

      ubuntu  apache  https

YOU NAILED IT ---- UBUNTU 18.04 WITH APACHE2 NOT NGINX AS THE WEBSERVER.

EITHER ONE IS A 'STANDARD' WEBSERVER APPLICATION FOR UBUNTU AND ARE VERY SIMILAR IN CONFIGURATION.

 

might be good, but I still don't know which web server you're using, so
"Apache" might be wrong.


 

Message 7 of 10
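The listening-socket check from the two posts above, as an added example that is not part of the original thread. Linux `netstat -an` prints the local address as `address:port` (as in the `:::443` lines quoted above), while BSD-style `netstat` prints `address.port`, so this version accepts either separator. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on a live system:
#   netstat -an | listening_ports 80 443
# Prints, one per line, each wanted port that has a socket in LISTEN state.

listening_ports() {
    awk -v wanted="$*" '
        BEGIN {
            # Build a lookup of the ports named on the command line.
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        # Column 6 is the TCP state on both Linux and BSD netstat output.
        $6 == "LISTEN" {
            port = $4                   # column 4 is the local address
            sub(/^.*[:.]/, "", port)    # keep what follows the last ":" or "."
            if (port in want) found[port] = 1
        }
        END {
            # Report in the order the ports were asked for.
            for (i = 1; i <= n; i++) if (w[i] in found) print w[i]
        }
    '
}

# Constructed sample in Linux format, modelled on the lines quoted in the post.
sample_linux() {
cat <<'EOF'
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::21                   :::*                    LISTEN
EOF
}

# Constructed sample in BSD format (dot before the port); 8443 must not count as 443.
sample_bsd() {
cat <<'EOF'
tcp4       0      0  *.80                   *.*                    LISTEN
tcp46      0      0  *.8443                 *.*                    LISTEN
EOF
}

sample_linux | listening_ports 80 443
```

A port that shows up here but still times out from the Internet points at the path in front of the server (router port forwarding or ISP filtering) rather than at the web server.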
antinode
Guru

Re: HTTPS on an R6220 Router

> IF THE ROUTER ACCESSES A DNS SOMEWHERE ON THE INTERNET TO RESOLVE THE
> DOMAIN NAME I CONSIDER THIS SENDING SOMETHING OUT OF MY LAN.

 

   Nothing to do with HTTPS, however.

 

> [...] BUT IN THE NETGEAR CONFIGURATION I ONLY SEE THE OPTIONS TO
> FORWARD PORT 20 FOR FTP AND PORT 80 FOR HTTP.
>
> I WAS THINKING THAT I WOULD NEED TO BE ABLE TO CONFIGURE FORWARDING PORT
> 443 TO THE LAN IP ADDRESS OF THE DEVICE RUNNING THE WEBSERVER.

 

   At last.  The actual problem.

 

   Where "IN THE NETGEAR CONFIGURATION" are you looking?  Try ADVANCED >
Advanced Setup > Port Forwarding / Port Triggering : Add Custom Service?

 

> [...] TYPING IN THE WAN IP ADDRESS NEVER REACHES IT.

 

   Assuming that "TYPING IN THE WAN IP ADDRESS" means specifying a URL
like "https://<WAN_IP_address>", a port-forwarding rule for port 443
should solve that problem.  If that service (HTTPS, 443) is not in the
list of predefined services, then you need to define it.  As it says in
the R6220 User Manual under "Set Up Port Forwarding to a Local Server":

 

      If the service that you want to add is not in the list, create
      a custom service. See Add a Custom Port Forwarding Service on page
      140.

 

   Visit http://netgear.com/support , put in your model number, and look
for Documentation.  Get the User Manual.  Read.

Message 8 of 10
cearlp
Tutor

Re: HTTPS on an R6220 Router

Thank you antinode for all your time and comments.

I think you finally understand what I was trying to say to begin with...that I can configure a new service (https) in the NetGear configuration when it does not give that option in the drop-down list of services to forward.

Message 9 of 10
antinode
Guru

Re: HTTPS on an R6220 Router

> [...] I think you finally understand [...]

 

   Look back at "Message 2":

 

> Are you running some web server or other on your (unspecified) "Linux
> OS" system? Can you access it from a system on your LAN using the
> server system's LAN IP address? Can you access it from a system on your
> LAN using the router's WAN/Internet IP address?

 

   Answers like, say, "Yes, Apache", "Yes", and "No" might have saved us
all much time and effort.

Message 10 of 10