16 Dec 2022 01:26 AM - last edited on 19 Jun 2023 12:15 PM by Karolina_Linda
Hi,
We're installing Dynatrace Managed on customer premises but the Nginx service couldn't listen to port 443.
From the log, it seems forbidden. We could try to elevate Nginx user privileges but the concern here is the unknown implication (because it's in the internal steps of dynatrace-managed.sh script).
Right now also Nginx binds to port 8022 and in the Nginx.conf also nowhere to be found the port 443 configurations. Checked with "check" and "status" commands of dynatrace-managed.sh, all services are ok.
We have also pam_faillock(sudo_account):unknown option:unlock error during the installation. Not sure if this is related.
Please advise.
Solved! Go to Solution.
16 Dec 2022 08:56 AM
Hi @Ardhi ,
You're struggling to set it up because the "443" port is a "privileged port" in Linux operating systems (pam-related issues)
The TCP/IP port numbers below 1024 are unique because normal users can't run servers on them. This is a security feature in that if you connect to a service on one of these ports, you can be reasonably sure that you have the real thing and not a fake that some hacker has put up for you.
(source: https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html)
That's why by default, in Dynatrace Managed installation, Nginx listens on port :8022, and we have iptables (nftables) rules that redirect the traffic from :443 to :8022. We don't recommend changing that configuration.
If that's needed, then:
setcap 'cap_net_bind_service=+ep' /path/to/dynatrace-managed
And then anytime dynatrace-managed
is executed thereafter, it will have the CAP_NET_BIND_SERVICE
capability. setcap
Is in the Debian package libcap2-bin
.
Now for the caveats - You'll need at least a 2.6.24 kernel
Resources:
setcap
.Note: RHEL first added this in v6. Not sure when Ubuntu has added this.
19 Dec 2022 03:35 AM - edited 19 Dec 2022 06:19 AM
Hi @Radoslaw_Szulgo ,
Thank you for the answer,
I put the setcap command and reinstalled but still not listening to 443 ...
Just wondering, if is this the case (not listening to 443) when the server is blocked for outbound connection to Dynatrace? I just realized cannot connect to mcsvc.dynatrace.com from the server.
EDIT: can connect to outgoing mcsvc.dynatrace.com, so this is not an issue
19 Dec 2022 07:27 AM
@Ardhi The NGINX does not listen on the 443/tcp for the reasons above, but there is iptables redirect for that purpose:
# ss -alt '( sport = 443 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
# ss -alpt '( sport = :8022 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:8022 0.0.0.0:* users:(("nginx",pid=1510320,fd=7),("nginx",pid=1510319,fd=7),("nginx",pid=1510318,fd=7),("nginx",pid=1510317,fd=7),("nginx",pid=1510316,fd=7))
# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere ADDRTYPE match dst-type LOCAL tcp dpt:https redir ports 8022
19 Dec 2022 07:58 AM - edited 19 Dec 2022 08:24 AM
sorry can you elaborate? are you implying we don't have to listen to port 443?
here's attached
my ports
Because I cannot open https://<ip address> / port 443 of the server in the browser
EDIT: now I can access after stopping nftables (checking from CIS list), not sure if this is related
19 Dec 2022 08:34 AM
@Ardhi yes, in your case it seems perfectly fine.
First you should check if you can connect locally to the cluster on the node:
# curl -v https://localhost -k
If this works, then most likely there is a firewall or something else between your browser and the cluster node preventing connections.