nordic-institute/X-Road-development

X-ROAD refusing connections when trying to access a REST endpoint

Closed this issue · 1 comments

This is my first time using X-ROAD, so this may just be a config error.
I'm trying to set up an X-ROAD security server to form part of a larger network which I don't manage. I have gone through the installation steps that appear in the installation guide, registered a REST endpoint and gave a registered client permission to access it. The setup is thus:

  • Security server connected to the X-ROAD with a valid anchor file and application certificates.
  • Private server in the security server's local network serving an API endpoint on port 60000 with GET and POST methods.
  • I'm also using a Wireguard VPN to manage these servers, although this shouldn't matter.

When I try to query this test API internally and through the VPN, I get the responses from the private server. The problem starts when I try to query through X-ROAD, which just returns "connection refused".
I've already troubleshot the firewall on both the security and private servers.
(Output of sudo ufw status verbose)

Security server:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
2222                       ALLOW IN    Anywhere
4000                       ALLOW IN    Anywhere
5577                       ALLOW IN    Anywhere
4001                       ALLOW IN    Anywhere
5500                       ALLOW IN    Anywhere
8000                       ALLOW IN    Anywhere
51825/udp                  ALLOW IN    Anywhere
Anywhere on wg0            ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
80/udp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
2222 (v6)                  ALLOW IN    Anywhere (v6)
4000 (v6)                  ALLOW IN    Anywhere (v6)
5577 (v6)                  ALLOW IN    Anywhere (v6)
4001 (v6)                  ALLOW IN    Anywhere (v6)
5500 (v6)                  ALLOW IN    Anywhere (v6)
8000 (v6)                  ALLOW IN    Anywhere (v6)
51825/udp (v6)             ALLOW IN    Anywhere (v6)
Anywhere (v6) on wg0       ALLOW IN    Anywhere (v6)
Anywhere (v6) on eno1      ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
80/udp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

Private Server:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
3000/tcp                   ALLOW IN    Anywhere
3306                       ALLOW IN    172.16.11.82
3306                       ALLOW IN    Anywhere
3000                       ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
3306                       ALLOW IN    0.0.0.0
22/tcp                     ALLOW IN    170.210.83.114
51821/udp                  ALLOW IN    Anywhere
Anywhere on wg0            ALLOW IN    Anywhere
51822/udp                  ALLOW IN    Anywhere
60000/tcp                  ALLOW IN    Anywhere
60000/udp                  ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
3000/tcp (v6)              ALLOW IN    Anywhere (v6)
3306 (v6)                  ALLOW IN    Anywhere (v6)
3000 (v6)                  ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
51821/udp (v6)             ALLOW IN    Anywhere (v6)
Anywhere (v6) on wg0       ALLOW IN    Anywhere (v6)
51822/udp (v6)             ALLOW IN    Anywhere (v6)
60000/tcp (v6)             ALLOW IN    Anywhere (v6)
60000/udp (v6)             ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

(Output of sudo netstat -nlpt)
Security Server:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      7554/cupsd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      593/systemd-resolve
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      826/postgres
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      773/sshd: /usr/sbin
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      21498/sshd: dptsvr@
tcp        0      0 0.0.0.0:7070            0.0.0.0:*               LISTEN      745/anydesk
tcp6       0      0 127.0.0.1:2552          :::*                    LISTEN      1124/java
tcp6       0      0 :::5500                 :::*                    LISTEN      1127/java
tcp6       0      0 127.0.0.1:443           :::*                    LISTEN      1127/java
tcp6       0      0 127.0.0.1:45455         :::*                    LISTEN      1125/java
tcp6       0      0 :::5577                 :::*                    LISTEN      1127/java
tcp6       0      0 127.0.0.1:80            :::*                    LISTEN      1127/java
tcp6       0      0 127.0.0.1:2081          :::*                    LISTEN      1125/java
tcp6       0      0 127.0.0.1:2080          :::*                    LISTEN      1125/java
tcp6       0      0 127.0.0.1:39713         :::*                    LISTEN      1126/java
tcp6       0      0 :::4000                 :::*                    LISTEN      1126/java
tcp6       0      0 ::1:6010                :::*                    LISTEN      21498/sshd: dptsvr@
tcp6       0      0 127.0.0.1:5567          :::*                    LISTEN      1127/java
tcp6       0      0 127.0.0.1:5566          :::*                    LISTEN      1127/java
tcp6       0      0 127.0.0.1:5559          :::*                    LISTEN      1128/java
tcp6       0      0 127.0.0.1:5558          :::*                    LISTEN      1128/java
tcp6       0      0 :::22                   :::*                    LISTEN      773/sshd: /usr/sbin
tcp6       0      0 ::1:631                 :::*                    LISTEN      7554/cupsd
tcp6       0      0 127.0.0.1:5675          :::*                    LISTEN      1123/java

Private Server:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7071            0.0.0.0:*               LISTEN      867/anydesk
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      1673/docker-proxy
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN      18762/target/debug/
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      12407/cupsd
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      17544/sshd: eureadm
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      699/systemd-resolve
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1120/mysqld
tcp        0      0 0.0.0.0:33060           0.0.0.0:*               LISTEN      1120/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      903/sshd: /usr/sbin
tcp6       0      0 :::3000                 :::*                    LISTEN      1682/docker-proxy
tcp6       0      0 ::1:6010                :::*                    LISTEN      17544/sshd: eureadm
tcp6       0      0 ::1:631                 :::*                    LISTEN      12407/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      903/sshd: /usr/sbin
tcp6       0      0 :::80                   :::*                    LISTEN      962/apache2

When using the iptables log on port 443, for example, I get a log entry for the connection, but the firewall doesn't register it, and the xroad/proxy.log file doesn't update either.

How can I troubleshoot this?
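An added troubleshooting helper (not from this issue or from the X-Road project) that cross-checks one TCP port against netstat -nlpt and ufw status output in the formats quoted above, separating "nothing listening", "bound to loopback only" and "no ufw allow rule". The sample lines are constructed, and the helper assumes 127.0.0.1 and ::1 mean loopback and 0.0.0.0 and :: mean all interfaces.

```python
"""Cross-check a service port against netstat -nlpt and ufw status output."""
import re

# Constructed sample lines modelled on the formats quoted in the issue (not the real hosts).
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN      18762/target/debug/
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1120/mysqld
tcp6       0      0 127.0.0.1:443           :::*                    LISTEN      1127/java
tcp6       0      0 :::5500                 :::*                    LISTEN      1127/java
"""
UFW_SAMPLE = """\
To                         Action      From
--                         ------      ----
443/tcp                    ALLOW IN    Anywhere
60000/tcp                  ALLOW IN    Anywhere
5500                       ALLOW IN    Anywhere
5500 (v6)                  ALLOW IN    Anywhere (v6)
"""

LOOPBACK = {"127.0.0.1", "::1"}  # assumption: only these count as loopback binds


def parse_netstat(text):
    """Return {port: set(bound addresses)} for sockets in LISTEN state."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[5] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")  # handles ':::5500' and '127.0.0.1:443'
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def parse_ufw(text):
    """Return the set of TCP-reachable ports that have an ALLOW IN rule."""
    allowed = set()
    for line in text.splitlines():
        m = re.match(r"(\d+)(?:/(tcp|udp))?(?: \(v6\))?\s+ALLOW IN", line)
        if m and m.group(2) != "udp":  # a udp-only rule does not open the TCP port
            allowed.add(int(m.group(1)))
    return allowed


def diagnose(port, netstat_text, ufw_text):
    """Classify why TCP connections to `port` from another host may fail."""
    addrs = parse_netstat(netstat_text).get(port, set())
    if not addrs:
        return "not-listening"
    if addrs <= LOOPBACK:
        return "loopback-only"  # remote peers get 'connection refused'
    if port not in parse_ufw(ufw_text):
        return "blocked-by-ufw"  # default deny incoming with no allow rule
    return "reachable"
```

A "connection refused" from a remote host, as opposed to a timeout, usually means the peer answered but nothing was listening on the address it was contacted at, which is why the bind address matters as much as the firewall rule.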

This is a duplicate: nordic-institute/X-Road#1624