Wayk Den for external access not working at all

I have been running around in circles for hours trying to get Wayk Den working externally from the server.

I'm able to log into Wayk Den using the http://localhost:4000 URL and that all seems to be working well.
However, accessing Wayk Den with the External URL does nothing. Seems like 443 is just flat out refused from the server.

I only want a basic Wayk Den network configuration as described here, if that's all that's needed. However, at this stage I'm willing to try anything now.
Figure 1: Wayk Den Layer 4 deployment
https://github.com/Devolutions/WaykDen-ps/blob/master/docs/images/wayk_den_l4_deployment.png


I have done the following as prerequisites on the Server (twice now):

  1. Installed fresh Windows Server 2019 Standard VM
  2. Configured Static IP address, Subnet, Gateway, and DNS servers for Ethernet NIC (pretty standard for a server)
  3. Disabled IP v6 Protocol (standard for our environment)
  4. Joined to our domain (standard for our environment)
  5. Configured an A Record den.xyz.com on our DNS server to point to the static IP address of the server.

The A Record is resolvable on the server and my workstation pointing to the Wayk Den server as expected.

Installed Wayk Den using these exact instructions (copy and pasted commands): https://github.com/Devolutions/WaykDen-ps/#windows-server-2019
1) Installed all the required packages:

Install-PackageProvider -Name NuGet -Force
Install-Module -Name PowerShellGet -Force
Install-WindowsFeature -Name Containers -Restart
Install-Module -Name DockerMsftProvider -Force
Install-Package -Name docker -ProviderName DockerMsftProvider -Force


2) Started docker service:

Get-Service | Where-Object { $_.Name -Like 'docker' }
Start-Service -Name docker


3) Configured Wayk Den:

New-WaykDenConfig -Realm xyz.com -ExternalUrl https://den.xyz.com -ListenerUrl http://localhost:4000


4) Imported my Wildcard certificate:

Import-WaykDenCertificate -CertificateFile C:\Cert\wild.zyx.com.pfx -Password 123456


5) Started Wayk Den (Verbose output attached to post. I've removed all sensitive information):

Start-WaykDen -Verbose


6) Great, I can access Wayk Den locally on the server using the following http://localhost:4000 directly on the server over RDP.
Set up a new default administrator and can now see the dashboard. Fantastic.


7) Time to see if I can access it externally from my own workstation: https://den.xyz.com ...
Nothing. "Unable to connect" in Firefox.

8) Tried directly on the server over RDP...
Nothing. "Unable to connect" in Firefox.


9) Running the curl command shows the following. I've noticed the den_router_uri and lucid_uri don't contain my external URL domain name, only the localhost?
The example in the documentation does?

PS C:\> curl http://localhost:4000/.well-known/configuration


StatusCode        : 200
StatusDescription : OK
Content           : {"den_router_uri":"http://localhost:4000/cow","lucid_uri":"http://localhost:4000/lucid","picky_uri":"http://localhost:4000/picky","realm":"xyz.com","wayk_client_id":"11111111Yb
                    QSS1T9pkCk...
RawContent        : HTTP/1.1 200 OK
                    Access-Control-Allow-Origin: *
                    Content-Length: 234
                    Content-Type: application/json
                    Date: Wed, 14 Oct 2020 05:14:45 GMT
                    Server: Saphir

                    {"den_router_uri":"http://localhost:4000/co...
Forms             : {}
Headers           : {[Access-Control-Allow-Origin, *], [Content-Length, 234], [Content-Type, application/json], [Date, Wed, 14 Oct 2020 05:14:45 GMT]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 234



I've also noticed that there are now 2 x Hyper-V NICs installed on the server after setting up Wayk Den.
I normally leave these alone with other virtual environments. Do I need to do anything with these? (attached is the full NIC config ipconfig.exe /all).
Attached is the den-server log too I created using the following commands: docker logs den-server > c:\den-server.txt

Apart from doing a Jet Relay which I'm not ready to try yet, what else am I missing? I've really run out of ideas.

den-server.txt

IPConfig-All.txt

Start-WaykDen-Verbose.txt

All Comments (3)

Hi,

If I understand correctly, this virtual machine is exposed directly to the internet, with no reverse proxy like IIS, traefik, nginx or haproxy in front of it. You did most of the configuration correctly, the only step that might be missing is modifying your ListenerUrl to match the ExternalUrl in terms of protocol and port:

Set-WaykDenConfig -ListenerUrl 'https://localhost:443' -ExternalUrl 'https://den.xyz.com'


Wayk Den either listens on HTTP or HTTPS, but not both at the same time. Call 'Restart-WaykDen' and it should be working now. Confirm that it works by loading 'https://den.xyz.com/.well-known/configuration' and it should return the external URLs.

Best regards,

Marc-André Moreau
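
The confirmation step from the reply above, written out as a PowerShell check. This is an added example, not part of the original thread and not Devolutions code: the function name Test-DenExternalUrl is hypothetical, the field names are the ones visible in the /.well-known/configuration output in the question, and it assumes the advertised URIs should carry the external host name.

```powershell
# Added example. Test-DenExternalUrl is a hypothetical helper name; the three
# *_uri fields are those shown in the configuration output earlier in the thread.
function Test-DenExternalUrl {
    param(
        [Parameter(Mandatory)] [string] $ExternalUrl   # e.g. 'https://den.xyz.com'
    )

    $expected = [System.Uri] $ExternalUrl
    $result = [ordered]@{
        ExternalUrl = $ExternalUrl
        PortOpen    = $false
        Mismatches  = @()
    }

    # 1. Is anything accepting TCP connections on the external host and port?
    #    With ListenerUrl http://localhost:4000 nothing listens on 443, so the
    #    browser's "Unable to connect" shows up here as PortOpen = False.
    $tcp = Test-NetConnection -ComputerName $expected.Host -Port $expected.Port `
        -WarningAction SilentlyContinue
    $result.PortOpen = $tcp.TcpTestSucceeded
    if (-not $result.PortOpen) { return [pscustomobject] $result }

    # 2. Fetch the configuration through the external URL, not through localhost.
    $base   = $expected.GetLeftPart('Authority')
    $config = Invoke-RestMethod -Uri "$base/.well-known/configuration" -UseBasicParsing

    # 3. Each advertised service URI should name the external host. A value such
    #    as http://localhost:4000/cow means clients are still being sent to the
    #    internal listener.
    foreach ($name in 'den_router_uri', 'lucid_uri', 'picky_uri') {
        $advertised = [System.Uri] $config.$name
        if ($advertised.Host -ne $expected.Host) {
            $result.Mismatches += "$name = $($config.$name)"
        }
    }

    return [pscustomobject] $result
}

# Run after Set-WaykDenConfig and Restart-WaykDen.
Test-DenExternalUrl -ExternalUrl 'https://den.xyz.com'
```

PortOpen = True with an empty Mismatches list corresponds to the working state described in the reply.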

Hi Marc-André,

That worked, thank you!
On my workstation: I have also noticed, however, I have to specify https:// in front of the address of den.xyz.com as Firefox isn't able to automatically detect HTTPS and I think it just times out trying to use HTTP.

At the moment this is all internal on our network.
In a traditional sense of web apps and keeping it simple, the next step was to set up a NAT rule on our firewall and port forward 443 from our public IP to the internal IP of the Den server.
Unless this isn't ideal and we should be using a reverse proxy?

I have seen mention of IIS, traefik, nginx or haproxy for a reverse proxy a few times?
Is there any official Wayk Den documentation for implementing this? Or do I need to implement my own type of generic reverse proxy of some sort? And do I need a second server just for this or can I use the same Wayk Den server?

Thank you again!

Hello crawfordo,

You will need to use https as Wayk Den only listens on one protocol.

You can use the same server for both Wayk Den and the reverse proxy. The instructions for IIS are provided on GitHub: https://github.com/Devolutions/WaykDen-ps/blob/master/docs/iis-deployment.adoc , or if you are using Server Core 2019 you can refer to https://kb.devolutions.net/wayk_configuring_waykden_servercore2019_iis_https.html

Best regards,

Richard Boisvert