Boringproxy installation help

I’m attempting to install BoringProxy on a small (BuyVM - 2core/2gb/20gb) KVM VPS.

rpm --eval '%{_arch}'
x86_64

I’ve tried it with the latest Ubuntu and the latest Rocky Linux. On both, I’ve installed from the executable as well as compiled it myself on the VPS in Go. In all cases, the result is the same.

On initial startup, Boringproxy gives the following errors:

./boringproxy-linux-x86_64 server
2023/12/10 08:21:53 Starting up
2023/12/10 08:21:53 failed reading boringproxy_db.json

No admin domain set. Select an option below:
Enter ‘1’ to input manually
Enter ‘2’ to configure through TakingNames.io
1

Enter admin domain:
*****.net
Your sites will be served over HTTPS automatically using an automated CA.
By continuing, you agree to the CA’s terms of service.
Please enter your email address to signify agreement and to be notified
in case of issues. You can leave it blank, but we don’t recommend it.
Email address: @.com
2023/12/10 22:00:42 Ready
2023-12-10T22:00:55Z 104.164.173.139 GET ****************.net /
2023-12-10T22:00:56Z 154.28.229.73 GET ****************.net /
2023-12-10T22:01:01Z 65.154.226.168 GET ****************.net /
2023-12-10T22:01:03Z 161.35.27.144 GET **********.net /
2023/12/10 22:01:03 http: TLS handshake error from 161.35.27.144:56208: no certificate available for '
.
.
.
2023/12/10 22:01:03 http: TLS handshake error from 161.35.27.144:56818: no certificate available for '
.
..
2023/12/10 22:01:04 http: TLS handshake error from 161.35.27.144:57204: no certificate available for '
.
..
2023/12/10 22:01:04 http: TLS handshake error from 161.35.27.144:57800: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])
2023/12/10 22:01:04 http: TLS handshake error from 161.35.27.144:58168: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])

I am not blocked by LetsEncrypt:

curl https://acme-v02.api.letsencrypt.org/directory
{
“gp7vMsgiTGc”: “Adding random entries to the directory - API Announcements - Let's Encrypt Community Support”,
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
letsencrypt.org
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf”,
“website”: “https://letsencrypt.org
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“renewalInfo”: “https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/”,
“revokeCert”: “https://acme-v02.api.letsencrypt.org/acme/revoke-cert
}

Wildcard domain is correctly set (The one “*.” is real):

.net IN A ... Edit | Delete
www.
.net IN A ... Edit | Delete
.***************.net IN A ... Edit | Delete

What is happening here and how do I fix it?

Hi @Kataflok. Generally errors like this are caused by a firewall or something blocking access to port 80/443. Please make 100% sure that those ports are open all the way from the internet to boringproxy and that boringproxy is running on those ports.


Yes, eventually found it.

This line fixed everything:

sudo setsebool -P httpd_can_network_connect 1

Thanks!


Firstly, thanks again for your help!

So I am so close to this all working, but one final glitch remains:

The server is up and running: (I wrote this to help others - hopefully it details any errors that may be causing this)

https://www.reddit.com/r/selfhosted/comments/18jq8i5/the_boringproxy_guide_i_wish_someone_had_written/

I’ve installed this in Unraid:

https://github.com/kennyquast/Boringproxy-client_docker

It connects to the VPS, and the client name (Unraid-docker) appears in the server as a potential client name to add to a tunnel.

A tunnel has been set up with the below settings to test with an installed application (StackEdit.)

Domain: stackedit.*******.xyz
Server Tunnel Port:43141
Client: Unraid-docker
Target: 127.0.0.1:9000
TLS Termination: client
Allow External TCP: false
Owner: admin

StackEdit is definitely on port 9000:

stackedit started up-to-date bridge 172.17.0.4:8000/TCP192.168.1.160:9000

However, I am unable to open the tunnel.

The server side shows this:

cd /home/boringproxy; /usr/local/bin/boringproxy/boringproxy-linux-x86_64 server -admin-domain .xyz
2024/01/11 04:29:23 Starting up
2024/01/11 04:29:23 Successfully acquired certificate for admin domain (
.xyz)
2024/01/11 04:29:23 Ready
2024-01-11T04:29:47Z ..*. POST **.xyz /api/clients/
2024-01-11T04:29:47Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:29:49Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:29:51Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:29:53Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:29:55Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:29:57Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:29:59Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:30:01Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:30:03Z ..
.
GET **.xyz /api/tunnels
2024/01/11 04:30:04 http: TLS handshake error from 3.90.20.206:58588: no certificate available for [VPS IP ADDRESS]
2024-01-11T04:30:05Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:30:07Z ..
.
GET **.xyz /api/tunnels
2024-01-11T04:30:09Z ..
.
GET *******.xyz /api/tunnels

(Note ..*. definitely is my home IP ADDRESS)

The UNRAID/Docker client shows this:

2024/01/11 04:33:00 SyncTunnels
2024/01/11 04:33:00 New tunnel stackedit..xyz
2024/01/11 04:33:00 BoreTunnel stackedit.
.xyz
2024/01/11 04:33:01 BoreTunnel error: Failed to dial: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

I’m so close I can taste it – what have I missed here?

Thanks!
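An added example, not part of any post in this thread and not boringproxy code: a small triage script for the three error shapes quoted above. It separates lines that usually need action (no certificate held for a hostname, SSH public key rejected) from internet scanner noise (connections by bare IP, unsupported ALPN lists). The sample log, the category names and the advice strings are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the log formats quoted in this thread;
# names and addresses are documentation placeholders, not values from the posts.
SAMPLE_LOG = """\
2023/12/10 22:01:03 http: TLS handshake error from 192.0.2.10:56208: no certificate available for 'admin.example.net'
2023/12/10 22:01:04 http: TLS handshake error from 192.0.2.10:57800: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 h2c])
2024/01/11 04:30:04 http: TLS handshake error from 198.51.100.7:58588: no certificate available for '203.0.113.5'
2024/01/11 04:33:01 BoreTunnel error: Failed to dial: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
"""

TLS_ERR = re.compile(r"TLS handshake error from (?P<peer>\S+?):\d+: (?P<msg>.*)$")
NO_CERT = re.compile(r"no certificate available for '?(?P<name>[^'\s]*)'?")
ACTION = {
    "no_cert_for_hostname": "act: if this is your domain, check DNS and inbound 80/443",
    "no_cert_for_ip": "noise: client connected by IP address, not a managed domain",
    "alpn_probe": "noise: ALPN list the server does not speak, typical of scanners",
    "ssh_key_rejected": "act: the SSH server refused the client's public key",
    "tls_other": "review manually",
}

def classify(line):
    # Returns (category, subject), or None for lines that are not triaged errors.
    if "ssh: unable to authenticate" in line:
        return ("ssh_key_rejected", "tunnel client")
    m = TLS_ERR.search(line)
    if not m:
        return None
    peer, msg = m.group("peer"), m.group("msg")
    if "unsupported application protocols" in msg:
        return ("alpn_probe", peer)
    c = NO_CERT.search(msg)
    if not c:
        return ("tls_other", peer)
    try:
        ipaddress.ip_address(c.group("name"))  # name is an IP: no SNI hostname was sent
        return ("no_cert_for_ip", peer)
    except ValueError:
        return ("no_cert_for_hostname", c.group("name"))

def triage(log_text):
    hits = (classify(line) for line in log_text.splitlines())
    return Counter(h for h in hits if h)

for (cat, subject), n in triage(SAMPLE_LOG).items():
    print(f"{n:3d}  {cat:22s} {subject:20s} {ACTION[cat]}")
```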