Topic: [solved] LNBits won't start due to python error (Read 277 times)

Ok, ignore... I was stupid!

I'll call this thread solved.
Thanks @DaveF, @vv181 and @HCF

I guess you mean dest_port and src_dport. Either way, you can refer to the documentation below to see the details.

https://openwrt.org/docs/guide-user/firewall/firewall_configuration?s=destination&s=port#options4:

For the full documentation of what the firewall means, you can see: Redirect and Port forwarding for IPv4 (DNAT)

Oh, yes, I got it.

I  will double check that my router config is forwarding the traffic to port 5001 and not 5000 by accident.

One more question. This one is not exactly related to the configuration itself but I'll ask it anyway.

You guys know what is the meaning of the following 2 lines in the configuration of my router? What means each one?

and


What means, for instance, if I use 2 different ports there?

Do note what @DaveF said:
Regarding that, What *I think* he explains is he taking the context of the correct firewall rule config. and it is furtherly explained well by HCP.

---

Anyway, sometimes I have a hard time to wording and explaining a technical term, so I hope you bear with me  

Yes, I understood it from @DaveF's post. It makes sense now when someone tells it like in plain text like @DaveF did. Technically, I still struggled to undderstand things the way @vv181 explained. But the 2 replies together, made it more clear, I think.

The thing is that there is little explanation on how to set things up if you don't want to use 3rd party applications like Caddy, because apparently, Caddy does part of this job for you automatically!

There isn't... it just perhaps wasn't explained very well.... and possibly the <---> isn't the best way to show things either.

Essentially you have "inbound" traffic flow that goes:
Internet ---> nginx (port 5001) ---> Hypercorn (Port 5000) ---> LNBits

Then the outbound flow that goes:
LNBits ---> Hypercorn ---> nginx ---> Internet


nginx is essentially receiving the inbound packets passing them to Hypercorn to do whatever it needs to do with them (pass to LNBits, dump, return webpage etc)... Hypercorn then passes it's response back to nginx, which then passes them back to wherever they need to be going on "The internet"™.

In theory there should never be any direct communication between nginx & LNBits.

Nginx should only talk to Hypercorn and LNBits should only talk to Hypercorn
Internet <--> nginx <--> Hypercorn <--> LNBits
5001 <--> 5001<-->5000 <--> 5000 <--> whatever / however hypercorn talks to LNBits

However, if you have your firewall set to pass traffic from the internet to Hypercorn (port 5000) this entire process falls apart. Since now I can see hypercorn in the world.

-Dave

After reading @DaveF post, I'm not sure I understand this. @DaveF says that internet is passing traffic to Nginx (encrypted) and then Nginx passes it to Hypercorn (unencrypted) and then, Hypercorn passes it back to Nginx again and finally Nginx passes it back to whatever application is listening on that port.

You say my router firewall is bypassing Nginx. I'm not sure I understand. Sorry.


@DaveF

From your post. Yes, the first part, I am aware. I mean, in a home network, all devices have their (what I call) internal IPs in some range like 192.168.1.1 up to 192.168.1.something. And each application in each device can listen in a port from (usually) >1024 up to 65534, since below 1024 there are default listening ports for pre-defined services such has ssh (21), ftp (22), http (80), https (443), etc, etc...

But regarding the traffic flow in this case, I was not expecting that Hypercorn passes back to Nginx unencrypted data. I thought it would be Internet -> Nginx -> Hypercorn -> LNBits instead of Internet -> Nginx -> Hypercorn -> Nginx -> LNBits.

Why there is this additional data forwarding from Hypercorn to Nginx.

Mildly OT, but basic networking simplified:

Every device on your network has an IP address. Lets use 192.168.1.100

On every address there 65,536 ports.

A program can use many ports i.e. a webserver by default listens on 80 (http) and 443 (https)
BUT only 1 program can use a port at a time. So once your webserver is using 80 nothing else can. Otherwise when another computer tries to talk to that computer on that port there would be no way of knowing which program it would be talking to.

So on 192.168.1.100 you could have a webserver listening on 80 & 443 a mail server on 25 & 587 & 110 & 143 and a FTP server on 20 & 21

As for hypercorn it's a web server. So it is giving on web pages on whatever port you tell it to. In this case 5000. nginx is also a webserver. With the configuration you have it is listening on 5001 which you have encrypted and then passing everything blindly back to hypercorn on port 5000 which is unencrypted. Hypercorn then gives the info to nginx which then passes it back out to whoever connected to it on port 5001.

This keeps hypercorn isolated from the rest of the internet. There are many how to guides on how to secure / harden nginx to only allow it to pass the traffic you want passed back to hypercorn (or wherever)

A bit more detail. You can stop reading if you don't care.
Tweaking nginx config can allow you to run several different webservers for different things and it will pass it pack as you tell it to in the config.
So if you can have:
my.website.com = A public IP address
my.otherwebsite.com = the same public IP address
and
this.otherwebsite.com = the same ip address again

You then in your firewall pass that public IP address back to the nginx server 192.168.1.100 80

And nginx will respond to them all on 192.168.1.100 port 80
but pass:
my.website.com to 192.168.1.100 port 5000
my.otherwebsite.com 192.168.1.100 port 5000
this.otherwebsite.com another site someplace else on the internet

Probably more in depth then you needed but now you know.
As for why nginx as the public side and not hypercorn. It's just because it's a much more developed product that does a lot more.

-Dave

In simple terms the traffic *should* goes around like this:

Internet <> Router <> Nginx <> Hypercorn <> LNBits


The reason why it got problems was that:

1. You are using port 5000 as a virtual server(Listening port) while port 5000 are already being used by Hypercorn(LNBits). Just like what @DaveF mention above
As you've guessed. The reverse proxy directive is 5000 which it's the port brought up by Hypercorn(LNBits). So Nginx cant use port 5000, again.

2. Your initial router firewall configuration is bypassing Nginx, so, it directly connects into Hypercorn(LNBits)
The dest_port should be pointed into the Nginx listen port, so it will be able to acknowledge the SSL setting. Since initially, you are using the 5000 port, either you are accessing from a local network or from the domain, it would always communicate to the HTTP site of LNBits. Using the above scheme, the traffic flow is like: Internet <> Router <> Hypercorn <> LNBits.

To sum up, you are accessing LNBits, either from the domain or local^[Internet], then your router firewall rule is port forwarding :5001 into 192.168.151:5001(src port, dest_ip:dest_port)^[Router]. After that, the Nginx acknowledged what to do since the referred port are 5001, the one you set up, listen 5001 ssl...^[Nginx]. And then it passed to Hypercorn and lastly LNBits.

Ohhhh it is finally working, I guess!

Let me tell the setup I did... Jeezzz, when you don't know enough about networking, you get pretty messed up head aches!

So, nginx config file in /etc/nginx/conf.d/my.awesome.lnbits.site.ddns.net.conf is the following:



My LNBits .env files relevant line is:


My router firewall config rule for LNBits is:

I think this is all...


But now, I would love to understand what is behind the scenes and why I had this struggle with hypercorn (I have no idea what this software does)...
So, if anyone can tell me how the traffic goes around these settings and also taking into account this hypercorn thing, I would love to hear about it!
Because I can't use port 5000 and I'm not sure I understand why. I mean, I think I know why, but I don't understand it. I think I can't use port 5000 because I have it in nginx config file for the reverse proxy directive proxy_pass https://localhost:5000.

and I think @OP must change the destination port on the router config as below, right?

I believe it's because the site is still returning from the Hypercorn HTTP on port 5000, not from Nginx(5001).

Try to change the router config destination to 5001, then visit https://my.awesome.lnbits.site.ddns.net:50001. ^{*Edit: the domain port should be 5000 because the config source port is 5000}

Because nginx is now listening on 5001 not 5000


Try going to https://192.168.1.153:5001 (assuming that the IP of that machine has not changed) you should get an SSL error about the name not matching but you should be able to connect.

-Dave

Openssl doesn't care about file names. It only cares about its contents, so the names are irrelevant, I guess.
But the reason I changed the names, is because I've been using dummy names to keep some privacy such has server names, domains, folder structures, etc, but as I said, openssl doesn't care about file names, so the extension being .pem or .key or .crt is irrelevant!


Edited;

I just ran this check:


I guess this is not good either!

at some point you've also changed from using .crt/.key to using .pem...

Have you been experimenting with the way you were creating the ssl certs?

log files have nothing meaningful. Just the same errors I see with sudo journalctl -eu nginx.

And I tried my config file like this:

But I still can't connect to https://my.awesome.lnbits.site.ddns.net:5000.
I get the same error:

Comments below in red you have 2 web servers on the same port. That can't work. You can't have 2 services listen like that.
Change the listen port on nginx to 5001 or something else and restart it and try again.


You should also have some logging setup on nginx to see what else is going on:


-Dave

It is in my first post, but here it is:




Of course I used https:// before the IP address.
How would I make LNBits to listen for HTTPS traffic? Change listen 5000 ssl http2 default_server; to listen 443 ssl http2 default_server; ??




This is how I have my /etc/nginx/conf.d/my.awesome.lnbits.site.ddns.net.conf

However, I get this error when I try to access to https://my.awesome.lnbits.site.ddns.net:5000

I think your nginx.conf should be:

The Hypercorn didn't manage the SSL certs. So your Nginx passing a HTTPS request onto the Hypercorn. Try to change your Nginx conf as I suggested above, lets see if that works.

---

EDIT:
In addition, my suggestion above would probably work if you access it from my.awesome.lnbits.site.ddns.net. Since you set up the Nginx configuration only as a reverse proxy for that domain.

In another hand, the reason why it works on HTTP but not on HTTPS when you access it from the local network^{[192.168.1.153:5000]} is because the connection didn't managed by Nginx, it comes from Hypercorn. The Nginx has no configuration for a local connection, thus the error you get is because you are accessing an HTTP site(LNBits) using an HTTPS protocol, and the Hypercorn got no idea about any SSL certs, etc.

OSError: [Errno 98] Address already in use - This means you ran another service that is listening to the same port.


This means you are trying to connect to an HTTPS site using HTTP protocol (add "https://" at the beginning of the IP address).

Also you should try to get LNBits to listen for HTTPS traffic - you can't just add a certificate to a site and it magically understands HTTPS traffic.