WAPT console access error

Posted: 11 June 2026 - 16:22
by celine18
Hello,

since the WAPT server update, the console connection no longer works.

We get the following error message:
„Anmeldefehler: HTTP-Clientfehler: THttpClientSocket.OpenBind: Ist ein Server unter dieser Adresse:Port verfügbar? {remoteip=]{#6 Schwerwiegender Fehler]“.

We use Active Directory authentication for the console connection.
Our WAPT server is installed on Debian 13 with WAPT 2.6.1.17765.
The console runs on Windows 10.

Thank you in advance for your help.
Kind regards,
Céline

Subject: WAPT console access error

Posted: 11 June 2026 - 17:40
by dcardon
Hello Céline,

which version of WAPT and Debian did you upgrade from?

Did you also update the Debian packages during the upgrade? Was nginx updated?

Is nginx running correctly on the server? Is the spnego package the same version as the nginx server (nginx is very picky about that)?

And was the waptserver service itself updated correctly?

Best regards,

Denis

Subject: WAPT console access error

Posted: 12 June 2026 - 08:51
by celine18
Hello,

I upgraded from Debian 12 to Debian 13.
Yes, nginx was updated as well. It is now version 1.26.3.
The libnginx-mod-http-auth-spnego package is at version 1.1.3.

I updated WAPT to version 2.6.1.17813.
On my server's web page, everything is up to date.

Kind regards,
Céline

Subject: WAPT console access error

Posted: 12 June 2026 - 09:30
by dcardon
Hello Céline,

What problem do you get with a

Code:

nginx -T

Is the spnego package really the one from Debian (previously, on Debian 12 and earlier, Tranquil IT recompiled and provided the spnego module; since Debian 13 it is included by default in the Debian repositories)?

Code:

apt info libnginx-mod-http-auth-spnego | grep "Maintainer:"

Regards,

Denis

Subject: WAPT console access error

Posted: 12 June 2026 - 10:18
by celine18
Denis,

Thank you for your feedback.

Here is the output of the nginx -T command:

Code:

2026/06/12 10:09:59 [warn] 56020#56020: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/opt/wapt/waptserver/ssl/cert.pem"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 32768;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 4096;
}
http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    access_log /var/log/nginx/access.log;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-spnego.conf:
load_module modules/ngx_http_auth_spnego_module.so;

# configuration file /etc/nginx/mime.types:
types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xslt+xml                             xsl xslt;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/ogg                                        ogv;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-matroska                                 mkv;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/sites-enabled/wapt.conf:



limit_req_zone  $proxy_add_x_forwarded_for zone=wsgi:20m rate=100r/s;
limit_req_zone  $proxy_add_x_forwarded_for zone=login:20m rate=2r/s;
limit_req_zone  $proxy_add_x_forwarded_for zone=websockets:20m rate=300r/s;







log_format combined_ssl '$remote_addr $ssl_client_s_dn $ssl_client_verify $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

server {

    listen                      80;

    listen                      [::]:80;


    listen                      443 ssl;

    listen                      [::]:443 ssl;




    server_name                 serveurwapt.domain.local;

    server_name                 X.X.X.X;




    access_log "/var/log/nginx/access.log" combined_ssl;


    ssl_certificate             "/opt/wapt/waptserver/ssl/cert.pem";
    ssl_certificate_key         "/opt/wapt/waptserver/ssl/key.pem";
    ssl_protocols               TLSv1.2 TLSv1.3;

    ssl_dhparam                 "/etc/ssl/certs/dhparam.pem";


    ssl_prefer_server_ciphers   on;
    ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_session_cache           none;
    ssl_session_tickets         off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;


    ssl_client_certificate "/opt/wapt/conf/ca-wapt.crt";

    ssl_crl "/opt/wapt/conf/ca-check-clients.crl";

    ssl_verify_client optional;


    gzip_min_length     1000;
    gzip_buffers        4 8k;
    gzip_http_version   1.0;
    gzip_disable        "msie6";
    gzip_types          text/plain text/css application/json;
    gzip_vary           on;

    index index.html;

        server_tokens off;

    client_max_body_size 12288m;
    client_body_timeout 1800;

    large_client_header_buffers 4 16k;
    proxy_headers_hash_max_size 1024;
    proxy_headers_hash_bucket_size 128;

    proxy_request_buffering off;

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root         /var/www/html;
    }

    # sub instances
    include "/opt/wapt/conf/wapt.d/*.conf";

    location /static/ {
            alias "/opt/wapt/waptserver/static/";
    }


    location /ssl/ {
            alias "/var/www/ssl/";
    }


    # not protected URL
    location ~ ^/(robots.txt|wapt/waptsetup.*\.exe|wapt/ping|wapt/waptagent/.*|wapt/waptagent\.exe|wapt/waptdeploy\.exe|wapt/conf\.d/.*\.json)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        root "/var/www";
    }

    location ~ ^/api/v3/(wads_register_host|set_host_wads_status|baseipxe|get_host_ipxe|get_wads_exe.*|get_wads_config)$ {

            proxy_http_version 1.1;
            proxy_request_buffering off;

            include "/opt/wapt/conf/forward_ssl_auth.conf";

            rewrite /(.*) /$1 break;

            proxy_pass http://127.0.0.1:8080;



    }


    # not protected URL
    location /wads/ {

       sendfile           on;
       sendfile_max_chunk 1m;
       tcp_nopush on;
       alias "/var/www/wads/";

    }


    # homepage
    location = / {
       include "/opt/wapt/conf/forward_ssl_auth.conf";
       proxy_pass http://127.0.0.1:8080;
    }




    # SSL protected URL or cacheable
    location /waptwua/ {

        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";



        sendfile           on;
        sendfile_max_chunk 1m;
        tcp_nopush on;
        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";

        alias "/var/www/waptwua/";


    }

    # SSL protected URL but never cached
    location ~ ^/(wapt/Packages)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        sendfile           on;
        sendfile_max_chunk 1m;
        tcp_nopush on;

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";

        root "/var/www";
    }

    # SSL protected URL or cacheable
    location ~ ^/(wapt/.*)$ {

        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";

        sendfile           on;
        sendfile_max_chunk 1m;
        tcp_nopush on;

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        root "/var/www";
    }

    # SSL protected URL but Never cached
    location ~ ^/(licences\.json|sync\.json)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";

        sendfile           on;
        sendfile_max_chunk 1m;
        tcp_nopush on;

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        root "/var/www";
    }

    # SSL protected only when wads is not enabled
    location /rules.json {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        root "/var/www";
    }


    # we don't want to expose our list of computers in case someone scan this folder.
    location /wapt-host/Packages {
        return 403;
    }

    # SSL protected and non cacheable
    location ~ ^/(wapt-host/.*)$ {
        log_not_found off;
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        root "/var/www";
    }


    location ~ ^/.*_kerberos$ {

        return 404 "Kerberos is disabled";

    }

    # we need socketio for these actions.
    # they are enabled only locally on the loopback
    location ~ ^/api/v3/(update_hosts_sid_table|hosts_sid)$ {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        rewrite /(.*) /$1 break;
        proxy_pass http://127.0.0.1:8080;
        allow 127.0.0.1;
        deny all;
    }

    # we need socketio for these actions
    location ~ ^/api/v3/(trigger_host_action|reset_hosts_sid|host_tasks_status|trigger_cancel_task|hosts_delete|launch_sync_on_remotes_repos|broadcast_sync_on_remotes_repo)$ {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=wsgi burst=20 delay=10;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        rewrite /(.*) /$1 break;
        proxy_pass http://127.0.0.1:8080;
    }

    # old API
    location /get_websocket_auth_token {
        return 404;
    }

    # these actions are not protected by SSL client side certificate, as we perhaps don't have one at this stage.
    # in case uwsgi is enabled, we wat this to still be handled by eventlet waptserver as these endpoints are not cpu intensive but often called
    # don't use uwsgi for this
    location ~ ^/(ping)$ {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=wsgi burst=200 delay=100;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        rewrite /(.*) /$1 break;
        proxy_pass http://127.0.0.1:8080;
    }

    # Not protected by SSL client side certificate, as we perhaps don't have one at this stage.
    # use uwsgi for this if enabled
    location ~ ^/(api/v3/get_temp_client_cert|login|api/v3/login|login_kerberos|api/v3/login_kerberos|api/v3/logout|api/v3/get_hash_json_content|api/v3/waptagent_version|add_host|api/v3/add_host|add_host_kerberos|api/v3/add_host_kerberos|api/v3/get_waptagent_exe/.*/waptagent.exe)$ {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=login burst=20 delay=10;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        rewrite /(.*) /$1 break;

        proxy_pass http://127.0.0.1:8080;

    }

    # Big upload endpoints
    # use uwsgi for this if enabled
    location ~ ^/api/v3/(upload_deploy_files|upload_packages|upload_file){
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=wsgi burst=200 delay=100;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";

                client_max_body_size 107520m;
                client_body_timeout 1800;

        proxy_pass http://127.0.0.1:8080;

    }

    # use uwsgi for this if enabled
    location / {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=wsgi burst=200 delay=100;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";



        proxy_pass http://127.0.0.1:8080;

    }

    location /socket.io {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=websockets burst=300 delay=100;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://127.0.0.1:8080/socket.io;
    }
}
# configuration file /opt/wapt/conf/forward_ssl_auth.conf:
# default forwarded headers

# to inform agent about its external ip
# works only if there is no other reverse proxy or no nginx in stream mode
# in front of wapt server

proxy_set_header Host $host;
proxy_set_header X-Real-IP  $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;

# in case ssl auth is not enabled, this set haders to empty strings
# this is important since we trust these headers
proxy_set_header X-Ssl-Authenticated $ssl_client_verify;
proxy_set_header X-Ssl-Client-Dn $ssl_client_s_dn;
proxy_set_header X-Ssl-Client-Sha1 $ssl_client_fingerprint;

# configuration file /opt/wapt/conf/require_ssl_auth.conf:
# require ssl auth and format auth information to proxied server

if ($ssl_client_s_dn = "") {
   add_header 'Content-Type' 'text/ascii';
   return 401 "Requires ssl auth";
}

if ($ssl_client_verify = SUCCESS) {
   set $auth_ok 1;
   add_header X-Remote-IP $remote_addr;
}

if ($auth_ok != 1) {
   add_header 'Content-Type' 'text/ascii';
   return 403 "Bad client authentication"; # $ssl_client_verify
}

I'm not familiar with spnego, but here is the output of the command:

Code:

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>

Regards,
Celine
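
Added example, not part of the thread and not Tranquil IT's code: a small shell/awk helper that condenses a long `nginx -T` dump like the one above to the spnego and Kerberos points raised in this discussion. The function names and the shortened sample dump are constructed for illustration; it only looks at `location ~` regex locations without nested blocks (as in the dump above), which nginx tries in file order and stops at the first match, and it ignores exact (`=`) and `^~` prefix locations, which take precedence.

```shell
#!/bin/sh
# CONSTRUCTED sample: a shortened excerpt in the shape of the dump posted above.
sample_dump() {
cat <<'EOF'
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
include /etc/nginx/modules-enabled/*.conf;
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-spnego.conf:
load_module modules/ngx_http_auth_spnego_module.so;
# configuration file /etc/nginx/sites-enabled/wapt.conf:
server {
    location /wapt-host/Packages {
        return 403;
    }
    location ~ ^/.*_kerberos$ {
        return 404 "Kerberos is disabled";
    }
    location ~ ^/(login|api/v3/login|login_kerberos|api/v3/login_kerberos)$ {
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF
}

# Reads a dump on stdin. Reports whether the spnego module is loaded and how
# many auth_gss directives (the module's on/off switch) the configuration uses.
spnego_summary() {
    awk '
    /^[ \t]*load_module[ \t].*ngx_http_auth_spnego_module/ { loaded = 1 }
    /^[ \t]*auth_gss[ \t]/                                 { gss++ }
    END { printf "spnego_module_loaded=%d auth_gss_directives=%d\n", loaded, gss }'
}

# Reads a dump on stdin. Prints one line per regex location, in file order:
#   <pattern><TAB><action>   with action "return <code>" or "other".
regex_locations() {
    awk '
    /^[ \t]*location[ \t]+~[ \t]+/ {
        pat = $0
        sub(/^[ \t]*location[ \t]+~[ \t]+/, "", pat)   # drop "location ~ "
        sub(/[ \t]*[{][ \t]*$/, "", pat)               # drop trailing "{"
        action = "other"; inloc = 1; next
    }
    inloc && /^[ \t]*return[ \t]+[0-9]+/ {
        code = $0
        sub(/^[ \t]*return[ \t]+/, "", code)
        sub(/[^0-9].*$/, "", code)                     # keep the status code only
        action = "return " code
    }
    inloc && /^[ \t]*[}]/ { print pat "\t" action; inloc = 0 }'
}

# Reads a dump on stdin. Prints the action of the first regex location whose
# pattern matches the given URI path, which is the regex location nginx selects.
first_regex_match() {
    regex_locations | awk -F '\t' -v uri="$1" '
    uri ~ $1 { print $2; found = 1; exit }
    END      { if (!found) print "no regex location" }'
}

# On a server: nginx -T 2>/dev/null | first_regex_match /api/v3/login_kerberos
```

On the sample, `/api/v3/login_kerberos` resolves to the `return 404` location because that pattern appears earlier in the file than the login pattern, while `/api/v3/login` reaches the proxied location.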