@vgarciabnz? Maybe you can help better? I believe there is a problem with the configuration on the server, but the GitHub link makes me wonder.
Hi @Bayzed,
The Capture app relies on the default Android trust manager, which does not accept self-signed certificates, so I think that is what causes the connection issue in the Capture app. You can check LetsEncrypt to get certificates for free.
About the redirection of port 8080: the service listening on that port is Tomcat, so it has to be active and can't be redirected. You could redirect it to another one, but you would need to set up a different port for dhis anyway. If you want to force the connections to use HTTPS, you could do that in Tomcat, but I think it is simpler to just hide port 8080 behind a firewall or change the Tomcat configuration to reject external connections.
Hope it helps
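A quick way to confirm that the "reject external connections" advice above has actually taken effect is to look at what the host is listening on. The script below is an added example, not code from this thread or from DHIS2: it parses the output of `ss -ltn` (Linux) and reports which of the given ports have a listener bound to something other than loopback. The two `ss` outputs embedded in it are constructed samples showing Tomcat bound to every interface (`*:8080`) and then bound only to `127.0.0.1`, which is what `address="127.0.0.1"` (or `localhost`) on the Tomcat Connector gives you.

```python
"""
Report which TCP ports are reachable from outside the host.

Parses `ss -ltn` output (Linux) and flags listeners on the requested ports
that are bound to any address other than loopback. Added example for the
"hide port 8080 behind nginx / firewall" advice; not part of DHIS2.
"""
from __future__ import annotations

import subprocess
import sys

# Bindings that only accept connections from the host itself.
LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]", "::1", "localhost"}

# Constructed sample: Tomcat bound to all interfaces (the exposed case).
SS_BEFORE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    *:8080              *:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      511    [::]:443            [::]:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""

# Constructed sample: after setting address="127.0.0.1" on the Connector.
SS_AFTER = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      511    [::]:443            [::]:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return [(local_address, port), ...] for every LISTEN line of `ss -ltn`."""
    listeners: list[tuple[str, int]] = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Column 4 is "Local Address:Port"; skip the header and blank lines.
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def exposed_ports(ss_output: str, ports: set[int]) -> list[int]:
    """Return the sorted subset of `ports` that has a non-loopback listener.

    Wildcards ("*", "0.0.0.0", "[::]") and specific interface addresses both
    count as exposed; only loopback bindings are considered safe.
    """
    exposed = {
        port
        for addr, port in parse_listeners(ss_output)
        if port in ports and addr not in LOOPBACK_ADDRESSES
    }
    return sorted(exposed)


if __name__ == "__main__":
    # Usage: python check_listeners.py [PORT ...]   (defaults to 8080)
    wanted = {int(p) for p in sys.argv[1:]} or {8080}
    output = subprocess.run(
        ["ss", "-ltn"], capture_output=True, text=True, check=True
    ).stdout
    bad = exposed_ports(output, wanted)
    if bad:
        print(f"EXPOSED on non-loopback address: {bad}")
        sys.exit(1)
    print(f"OK: ports {sorted(wanted)} are loopback-only or not listening")
```

Run it on the DHIS2 host after restarting Tomcat; a non-zero exit means the plain-HTTP port is still reachable from the network and needs either the Connector `address` attribute or a firewall rule.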
Dear Jaime,
Wonderful cooperation, wishing you good luck.
Let me try…
Thanks…
Hi @vgarciabnz,
Thanks for coming in.
- Well I will try with LetsEncrypt.
- I changed the port, it's OK. I want to learn how to do the Tomcat configuration, please show me the way, so that I can reject external connections.
Dear @jaime.bosque and @vgarciabnz,
I have tried with LetsEncrypt but it is still showing the same error on Android (in the browser it is OK). Maybe I need to create a folder inside my Java, something called like TrustStore, put the certificate files there, and configure my server accordingly.
But I don't know how!!
Looking for suggestions…
Do you see the information on the browser about a valid certificate when you access the URL? Like this:
Also, sorry about the self-signed certificate. I didn't know we didn't support self-signed certificates.
Yeah Jaime, it shows me verified by LetsEncrypt
Thanking you again
That seems to be right. Could you share the server url with us by private message? And also it would be great to have some test credentials to try it.
@jaime.bosque and @vgarciabnz please find your message, I have sent you the url and credentials.
I have tried updating v 2.28 to v 2.33 but the problem still persists.
Please share your observation.
Regards…
Hello @Bayzed,
I have been checking your server and it seems not to be a problem with Android, but with any HTTP request not coming from a browser. And to be honest I am not sure where that is coming from. May I ask you to regenerate the certificates and let us know once it is done?
Thanks.
Dear @jaime.bosque,
Thanks for your support, I will regenerate the certificate and let you know. Will come to you soon.
Best wishes…
Dear @jaime.bosque,
Hope you are doing well. I have regenerated the certificate but the same issue still persists.
Appreciating your involvement.
Hello @Bayzed
I just tried to connect to the instance via the browser and there is a problem with your certificate. You have not properly generated the certificate:
I occasionally run the server and changed the address to ehddhis2.dhis2instance.com. See the attached.
Thanks again…
There is a problem with your set up not related to Android at all… this is what I get:
I assume your nginx configuration is not right.
Dear @jaime.bosque and @vgarciabnz,
I really appreciate your support & contribution for this journey.
I added .pem files as chain and key in my nginx configuration, it works for me.
Best wishes for you all.
With Regards…
Bayzed
Wonderful. Good to hear!
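The fix Bayzed arrived at (serving the intermediate chain alongside the leaf certificate) is the usual reason a site looks fine in a browser but fails from an Android app or any other non-browser client: browsers typically have the Let's Encrypt intermediate cached or fetch it themselves, whereas Android's default trust manager only builds a path from what the server actually sends. The script below is an added example, not code from this thread or from DHIS2. It parses the `Certificate chain` section that `openssl s_client -connect HOST:443 -servername HOST` prints and checks that each certificate is issued by the next one and that the chain ends at a known trust anchor. The host name `dhis.example.org`, the two embedded `s_client` outputs and the `TRUSTED_ROOTS` set are constructed for the example; substitute the anchors your clients actually trust.

```python
"""
Check that a TLS server sends a complete certificate chain.

Parses the "Certificate chain" block printed by
    openssl s_client -connect HOST:443 -servername HOST
and verifies (a) every certificate's issuer is the subject of the next
certificate the server sent and (b) the last issuer is a trust anchor the
client already has. Added example; not DHIS2 code.
"""
from __future__ import annotations

import re
import subprocess
import sys

# Constructed: the root a client is assumed to ship with. Real clients trust
# many more; this is only what the example needs.
TRUSTED_ROOTS = {"C = US, O = Internet Security Research Group, CN = ISRG Root X1"}

# Constructed sample: only the leaf is served. Browsers may still succeed
# (cached/fetched intermediate); Android and other strict clients fail.
CHAIN_LEAF_ONLY = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dhis.example.org
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
"""

# Constructed sample: leaf plus intermediate, i.e. fullchain.pem in nginx.
CHAIN_COMPLETE = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dhis.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
"""

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")  # " 0 s:CN = ..."
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")           # "   i:C = US, ..."


def parse_chain(s_client_output: str) -> list[tuple[str, str]]:
    """Return [(subject, issuer), ...] from depth 0 (leaf) upward."""
    chain: list[tuple[str, str]] = []
    subject = None
    in_chain = False
    for line in s_client_output.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.startswith("---"):       # end of the chain block
            break
        m = SUBJECT_LINE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
        # "a:" / "v:" lines from newer OpenSSL fall through and are ignored.
    return chain


def check_chain(chain: list[tuple[str, str]],
                trusted_roots: set[str] = TRUSTED_ROOTS) -> tuple[bool, str]:
    """Return (ok, reason) for a chain produced by parse_chain()."""
    if not chain:
        return False, "no certificate chain found in s_client output"
    for depth in range(len(chain) - 1):
        issuer = chain[depth][1]
        next_subject = chain[depth + 1][0]
        if issuer != next_subject:
            return False, (f"depth {depth} is issued by '{issuer}' but the next "
                           f"certificate sent is '{next_subject}'")
    last_issuer = chain[-1][1]
    if last_issuer in trusted_roots:
        return True, f"chain reaches trust anchor '{last_issuer}'"
    return False, (f"chain stops at issuer '{last_issuer}', which is not a trust "
                   "anchor: the server must also send the intermediate certificate(s)")


if __name__ == "__main__":
    # Usage: python check_chain.py dhis.example.org
    host = sys.argv[1]
    out = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:443", "-servername", host],
        input="", capture_output=True, text=True,
    ).stdout
    ok, reason = check_chain(parse_chain(out))
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

With Let's Encrypt this means pointing nginx's `ssl_certificate` at `fullchain.pem` rather than `cert.pem`; the check fails on the leaf-only sample and passes once the R3 intermediate is included.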
Hello @jaime.bosque @Bayzed, I hope this text finds you well. I'm having some challenges securing my DHIS2 instance. I have followed the steps in the DHIS2 manual and also the recommendations posted on this thread. Kindly check out my server.xml file and advise accordingly
-->
<!-- DHIS2 is reached through nginx on 443, so the HTTP connector is bound to
     localhost only and told that the client-facing scheme/port are https/443.
     The original file put scheme="https" proxyPort="443" on a second,
     port-less <Connector/>; those attributes belong on the 8080 connector
     itself, otherwise DHIS2 keeps generating http://...:8080 URLs. -->
<Connector port="8080" address="localhost" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           relaxedQueryChars="[]"
           scheme="https"
           proxyPort="443" />
<!-- A "Connector" using the shared thread pool-->
Kindly check out the NGINX.conf file
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    gzip on; # Enables compression, incl Web API content-types
    gzip_types
        "application/json;charset=utf-8" application/json
        "application/javascript;charset=utf-8" application/javascript text/javascript
        "application/xml;charset=utf-8" application/xml text/xml
        "text/css;charset=utf-8" text/css
        "text/plain;charset=utf-8" text/plain;

    # HTTP server - redirect every request to HTTPS.
    server {
        listen 80;
        # The original "rewrite ^ https://$request_uri? permanent;" omits the
        # host name and produces "https:///...". Redirect with $host instead.
        return 301 https://$host$request_uri;
    }

    # HTTPS server
    server {
        listen 443 ssl;
        client_max_body_size 10M;

        # "ssl on;" is deprecated; the "ssl" parameter on "listen" already
        # enables TLS for this server block.
        #
        # server.crt must contain the leaf certificate followed by the
        # intermediate(s) (Let's Encrypt: fullchain.pem). A leaf-only file
        # works in most browsers but fails in Android and other clients that
        # do not fetch missing intermediates themselves.
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 10m;

        # The original "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" and
        # "ssl_ciphers RC4:HIGH:!aNULL:!MD5;" enable deprecated TLS versions
        # and the broken RC4 cipher; modern clients refuse RC4 outright.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
        ssl_prefer_server_ciphers on;

        # Proxy pass to servlet container
        location / {
            proxy_pass http://localhost:8080/;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_buffer_size 128k;
            proxy_buffers 8 128k;
            proxy_busy_buffers_size 256k;
            proxy_cookie_path ~*^/(.*) "/$1; SameSite=Lax";
        }
    }
}

# The mail block below is the commented-out stock example shipped with nginx;
# every line must stay commented or nginx will refuse to start.
#mail {
#    # See sample authentication script at:
#    # Using a PHP Script on an Apache Server as the IMAP Auth Backend | NGINX
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}