We're using a 'Web Console' in an AlmaLinux OS (like RHEL) on port 9090, but getting a timeout error. Do we need to allow that port via the firewall?

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer?
Yes

Please share your search results url:
The search results are about unrelated things.

When you tested your domain, what were the results?
My domain is working other than this problem.

Describe the issue you are having:
We’re using a ‘Web Console’ (an SSH-like access that works in the browser) in an AlmaLinux OS (RHEL) on port 9090, but getting a timeout error. Do we need to allow that port via the firewall? If so, how?

What error message or number are you receiving?
Timeout error

What steps have you taken to resolve the issue?

  1. Tried adjusting permissions
  2. Tried adjusting settings in nginx

Was the site working with SSL prior to adding it to Cloudflare?
Yes, still is.

What are the steps to reproduce the error:

  1. Go to https://humortimes.com:9090 in Chrome browser

Have you tried from another browser and/or incognito mode?
Yes.

Please attach a screenshot of the error:
I don’t see how to attach a screenshot, but the full error message is:

This site can’t be reached

humortimes.com took too long to respond.
Try:

Instead of adding the port to the URL, you need to use an Origin Rule (and probably a subdomain) to reach that port.

Cloudflare does not listen on 9090, see Network ports · Cloudflare Fundamentals docs .


Thanks for the reply. I did look at that article you linked to before, but it only says you can “Change your subdomain to be gray-clouded, via your Cloudflare DNS app, to bypass the Cloudflare network and connect directly to your origin.” That seems to be saying the whole domain would bypass Cloudflare, so I wouldn’t be getting any of the advantages of using Cloudflare, which seems very counter-productive. Is there no way to bypass CF for just that port alone?

Can I create a DNS CNAME record with that port which is grey-clouded? Would that then apply only to that port?

I tried creating an Origin Rule, but that requires that you enter one thing and it gets changed to another. So, I tried one that says if “https://humortimes.com:9080” is requested, direct it to “https://humortimes.com:9090”. Is that the idea? Anyway, it’s not working, I get the same timeout error.

It seems like there ought to be a way to allow the use of that port.

There is, via Origin Rules.

No. You create a new subdomain, say example.humortimes.com, and then an Origin Rule with Hostname equals example.humortimes.com then override port.

You could also grey-cloud the new subdomain to bypass Cloudflare entirely if you prefer that.


Do I need to create a CNAME for the subdomain too? I currently have a subdomain with a CNAME set up, not sure if it’s required for it though.

Also, why do you think it’s working now with the IP, e.g. http://198.144.251.50:9090 (not the real one), but not with SSL, https://198.144.251.50:9090?

Perhaps it needs to be set up in nginx? For example, added to the same server block with “listen xxx.xxx.xxx.xx:443”, or in a separate server block?

The subdomain needs to point to your server’s IP address. Whether you do that directly via an A record or indirectly via a CNAME record that points to another hostname on your server does not matter.

I don’t know your Nginx configuration, but you’ll need to configure different ports for http and https. But honestly, for SSH-like stuff, I’d just skip the HTTP configuration and only use HTTPS.
Also, if you use a different subdomain, there isn’t really a reason to use a different port at all, you can just use 443 for HTTPS.


With cockpit (info here), which is the ‘Web Console’ I was referring to, they say you can login to the console through the domain name (or ip) paired with the 9090 port. Or, you can set up a subdomain, then configure it to work with the cockpit console. So, I’m trying the subdomain method, and have it set up as the instructions indicate. I also set up a proxied CNAME for the subdomain on Cloudflare. However, when I use that url, it ends up at my other subdomain, not connecting with cockpit. I tried grey-clouding it, but it warns against exposing the domain.

So, I’m not sure how to do it with Cloudflare. Any ideas?

Can you share your actual nginx config for cockpit (using the preformatted text option, ctrl+e)? That sounds like the error is to be found there.

Here it is:

server {
    listen         80;
    listen         443 ssl;
    server_name    cockpit.humortimes.com;

    # SSL
    ssl_certificate_key /etc/ssl/private/www.humortimes.com.key;
    ssl_certificate /etc/ssl/certs/www.humortimes.com.pem;
    ssl_trusted_certificate /etc/ssl/certs/geochain.pem;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}

Also, I found this on Nginx.org, which seems relevant:

A more sophisticated example in which a value of the “Connection” header field in a request to the proxied server depends on the presence of the “Upgrade” field in the client request header:

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        ...

        location /chat/ {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

They’re separating out the proxy_set_header Connection "upgrade"; line with a variable used in the “map” section, but I really don’t know what it means, or if it is relevant to my situation.
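The nginx.org `map` is relevant here, and it also answers the earlier question about what the subdomain setup should look like on the origin. The following is an added example and not configuration from the thread, from Cloudflare, or from the Cockpit project. It assumes the hostname cockpit.humortimes.com, the certificate paths already used in the posted config, and a separately maintained file /etc/nginx/cloudflare-allow.conf containing `allow <cidr>;` lines for Cloudflare's published IP ranges (https://www.cloudflare.com/ips/); all three are assumptions for illustration. The `map` must sit in the `http` context (nginx.conf or a file under conf.d), and `$connection_upgrade` then evaluates to `upgrade` only when the browser actually sent an `Upgrade` header (Cockpit's WebSocket), and to `close` for ordinary page requests, instead of forcing `Connection: upgrade` onto every request as the posted config does.

```nginx
# Added example: Cockpit reached through Cloudflare on the subdomain's
# standard port 443, with nginx on the origin proxying to Cockpit on
# loopback.  Hostname, certificate paths and the Cloudflare allow-list
# file are assumptions for illustration.

# Only send "Connection: upgrade" when the client is opening a WebSocket.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client sent "Upgrade: websocket": pass it through
    ''      close;     # normal request: plain HTTP/1.1 to Cockpit
}

# Never serve the console over plain HTTP; bounce to HTTPS instead.
server {
    listen      80;
    server_name cockpit.humortimes.com;
    return 301 https://$host$request_uri;
}

server {
    listen      443 ssl;
    server_name cockpit.humortimes.com;

    ssl_certificate     /etc/ssl/certs/www.humortimes.com.pem;
    ssl_certificate_key /etc/ssl/private/www.humortimes.com.key;

    # Accept only connections that came through Cloudflare, so the
    # orange-clouded subdomain cannot be bypassed by hitting the origin IP.
    # (Assumed file: one "allow <cidr>;" line per Cloudflare range.)
    include /etc/nginx/cloudflare-allow.conf;
    deny all;

    location / {
        proxy_pass https://127.0.0.1:9090;   # Cockpit stays bound to loopback
        proxy_set_header Host $host;
        # Overwritten on every request, so a client cannot spoof it; Cockpit
        # reads it when ProtocolHeader = X-Forwarded-Proto is configured.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # WebSocket support for the Cockpit session channel
        proxy_http_version 1.1;
        proxy_buffering    off;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;

        # Let Cockpit's ETag headers reach the browser unchanged
        gzip off;
    }
}
```

Two things go with this on the Cockpit side. In /etc/cockpit/cockpit.conf, under `[WebService]`, set `Origins = https://cockpit.humortimes.com wss://cockpit.humortimes.com` so Cockpit accepts the WebSocket from the proxied hostname, and `ProtocolHeader = X-Forwarded-Proto` so it treats the proxied session as TLS; Cockpit's manual notes the latter is only safe when the proxy always overwrites that header, which the `proxy_set_header` line above does. After adding the server blocks, run `nginx -t` and reload; if the `listen 443 ssl` block for cockpit.humortimes.com is not actually loaded, nginx answers the name from its default server, which matches the symptom of landing on another subdomain. With this in place, the Cloudflare CNAME for the subdomain can stay proxied and no Origin Rule or non-standard port is needed, since Cloudflare reaches the origin on 443 and nginx handles the hop to 9090 locally.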

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.