Page 1 sur 1
Erreur accès console WAPT
Publié : 11 juin 2026 - 16:22
par celine18
Bonjour,
Suite à la mise à jour du serveur Wapt, la connexion à la console ne fonctionne plus.
Nous avons le message suivant :
"Erreur lors du login : Http client error: THttpClientSocket.OpenBind: Is a server available on this address:port? {remoteip=]{#6 Fatal Error]"
Nous utilisons l'authentification AD pour nous connecter à la console.
Notre serveur WAPT est installé sur un Debian 13 avec WAPT 2.6.1.17765
La console est installé sur un Windows 10.
Merci d'avance pour votre aide,
Cordialement
Céline
Re: Erreur accès console WAPT
Publié : 11 juin 2026 - 17:40
par dcardon
Bonjour Céline,
vous aviez upgradé depuis quelle version de Wapt, quelle version de Debian?
Lorsque vous avez upgradé, vous avez aussi mis à jour les paquets Debian j'imagine? Est ce que nginx a été mis à jour?
Est ce que nginx tourne bien sur le serveur? Est ce que le paquet spnego est bien dans la même version que le serveur nginx (nginx est très tatillon par rapport à ça).
Et est ce que le service waptserver a lui même bien upgradé?
Cordialement,
Denis
Re: Erreur accès console WAPT
Publié : 12 juin 2026 - 08:51
par celine18
Bonjour,
J'ai effectué un upgrade de Debian 12 à Debian 13.
Et oui nginx a été mis à jour aussi. Il est en version 1.26.3.
Le paquet libnginx-mod-http-auth-spnego est en version 1.1.3.
J'ai mis à jour WAPT à la version 2.6.1.17813.
Sur la page web de mon serveur, je vois bien tout à jour.
Cordialement
Céline
Re: Erreur accès console WAPT
Publié : 12 juin 2026 - 09:30
par dcardon
Bonjour Céline,
qu'est ce que vous avez avec un
Le paquet spnego est bien celui de Debian (avant en Debian 12 et en dessous Tranquil IT recompilait et fournissait le module spnego, depuis la deb13 c'est inclus par défaut dans les dépôts Debian) ?
Cordialement,
Denis
Re: Erreur accès console WAPT
Publié : 12 juin 2026 - 10:18
par celine18
Denis,
Merci pour votre retour.
Voici le retour de la commande nginx -T
Code : Tout sélectionner
2026/06/12 10:09:59 [warn] 56020#56020: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/opt/wapt/waptse rver/ssl/cert.pem"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 32768;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 4096;
}
http {
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
access_log /var/log/nginx/access.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-spnego.conf:
load_module modules/ngx_http_auth_spnego_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xslt+xml xsl xslt;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/ogg ogv;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-matroska mkv;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/wapt.conf:
limit_req_zone $proxy_add_x_forwarded_for zone=wsgi:20m rate=100r/s;
limit_req_zone $proxy_add_x_forwarded_for zone=login:20m rate=2r/s;
limit_req_zone $proxy_add_x_forwarded_for zone=websockets:20m rate=300r/s;
log_format combined_ssl '$remote_addr $ssl_client_s_dn $ssl_client_verify $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name serveurwapt.domain.local;
server_name X.X.X.X;
access_log "/var/log/nginx/access.log" combined_ssl;
ssl_certificate "/opt/wapt/waptserver/ssl/cert.pem";
ssl_certificate_key "/opt/wapt/waptserver/ssl/key.pem";
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam "/etc/ssl/certs/dhparam.pem";
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache none;
ssl_session_tickets off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_client_certificate "/opt/wapt/conf/ca-wapt.crt";
ssl_crl "/opt/wapt/conf/ca-check-clients.crl";
ssl_verify_client optional;
gzip_min_length 1000;
gzip_buffers 4 8k;
gzip_http_version 1.0;
gzip_disable "msie6";
gzip_types text/plain text/css application/json;
gzip_vary on;
index index.html;
server_tokens off;
client_max_body_size 12288m;
client_body_timeout 1800;
large_client_header_buffers 4 16k;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
proxy_request_buffering off;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/html;
}
# sub instances
include "/opt/wapt/conf/wapt.d/*.conf";
location /static/ {
alias "/opt/wapt/waptserver/static/";
}
location /ssl/ {
alias "/var/www/ssl/";
}
# not protected URL
location ~ ^/(robots.txt|wapt/waptsetup.*\.exe|wapt/ping|wapt/waptagent/.*|wapt/waptagent\.exe|wapt/waptdeploy\.exe|wa pt/conf\.d/.*\.json)$ {
add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Pragma "no-cache";
root "/var/www";
}
location ~ ^/api/v3/(wads_register_host|set_host_wads_status|baseipxe|get_host_ipxe|get_wads_exe.*|get_wads_config)$ {
proxy_http_version 1.1;
proxy_request_buffering off;
include "/opt/wapt/conf/forward_ssl_auth.conf";
rewrite /(.*) /$1 break;
proxy_pass http://127.0.0.1:8080;
}
# not protected URL
location /wads/ {
sendfile on;
sendfile_max_chunk 1m;
tcp_nopush on;
alias "/var/www/wads/";
}
# homepage
location = / {
include "/opt/wapt/conf/forward_ssl_auth.conf";
proxy_pass http://127.0.0.1:8080;
}
# SSL protected URL or cacheable
location /waptwua/ {
add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Pragma "no-cache";
sendfile on;
sendfile_max_chunk 1m;
tcp_nopush on;
include "/opt/wapt/conf/forward_ssl_auth.conf";
include "/opt/wapt/conf/require_ssl_auth.conf";
alias "/var/www/waptwua/";
}
# SSL protected URL but never cached
location ~ ^/(wapt/Packages)$ {
add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Pragma "no-cache";
sendfile on;
sendfile_max_chunk 1m;
tcp_nopush on;
include "/opt/wapt/conf/forward_ssl_auth.conf";
include "/opt/wapt/conf/require_ssl_auth.conf";
root "/var/www";
}
# SSL protected URL or cacheable
location ~ ^/(wapt/.*)$ {
add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Pragma "no-cache";
sendfile on;
sendfile_max_chunk 1m;
tcp_nopush on;
include "/opt/wapt/conf/forward_ssl_auth.conf";
include "/opt/wapt/conf/require_ssl_auth.conf";
root "/var/www";
}
# SSL protected URL but Never cached
location ~ ^/(licences\.json|sync\.json)$ {
add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Pragma "no-cache";
sendfile on;
sendfile_max_chunk 1m;
tcp_nopush on;
include "/opt/wapt/conf/forward_ssl_auth.conf";
include "/opt/wapt/conf/require_ssl_auth.conf";
root "/var/www";
}
# SSL protected only when wads is not enabled
location /rules.json {
add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Pragma "no-cache";
include "/opt/wapt/conf/forward_ssl_auth.conf";
root "/var/www";
}
# we don't want to expose our list of computers in case someone scan this folder.
location /wapt-host/Packages {
return 403;
}
# SSL protected and non cacheable
location ~ ^/(wapt-host/.*)$ {
log_not_found off;
add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Pragma "no-cache";
include "/opt/wapt/conf/forward_ssl_auth.conf";
include "/opt/wapt/conf/require_ssl_auth.conf";
root "/var/www";
}
location ~ ^/.*_kerberos$ {
return 404 "Kerberos is disabled";
}
# we need socketio for these actions.
# they are enabled only locally on the loopback
location ~ ^/api/v3/(update_hosts_sid_table|hosts_sid)$ {
proxy_http_version 1.1;
proxy_request_buffering off;
include "/opt/wapt/conf/forward_ssl_auth.conf";
rewrite /(.*) /$1 break;
proxy_pass http://127.0.0.1:8080;
allow 127.0.0.1;
deny all;
}
# we need socketio for these actions
location ~ ^/api/v3/(trigger_host_action|reset_hosts_sid|host_tasks_status|trigger_cancel_task|hosts_delete|launch_syn c_on_remotes_repos|broadcast_sync_on_remotes_repo)$ {
proxy_http_version 1.1;
proxy_request_buffering off;
limit_req zone=wsgi burst=20 delay=10;
include "/opt/wapt/conf/forward_ssl_auth.conf";
include "/opt/wapt/conf/require_ssl_auth.conf";
rewrite /(.*) /$1 break;
proxy_pass http://127.0.0.1:8080;
}
# old API
location /get_websocket_auth_token {
return 404;
}
# these actions are not protected by SSL client side certificate, as we perhaps don't have one at this stage.
# in case uwsgi is enabled, we wat this to still be handled by eventlet waptserver as these endpoints are not cpu inte nsive but often called
# don't use uwsgi for this
location ~ ^/(ping)$ {
proxy_http_version 1.1;
proxy_request_buffering off;
limit_req zone=wsgi burst=200 delay=100;
include "/opt/wapt/conf/forward_ssl_auth.conf";
rewrite /(.*) /$1 break;
proxy_pass http://127.0.0.1:8080;
}
# Not protected by SSL client side certificate, as we perhaps don't have one at this stage.
# use uwsgi for this if enabled
location ~ ^/(api/v3/get_temp_client_cert|login|api/v3/login|login_kerberos|api/v3/login_kerberos|api/v3/logout|api/v3 /get_hash_json_content|api/v3/waptagent_version|add_host|api/v3/add_host|add_host_kerberos|api/v3/add_host_kerberos|api/v3 /get_waptagent_exe/.*/waptagent.exe)$ {
proxy_http_version 1.1;
proxy_request_buffering off;
limit_req zone=login burst=20 delay=10;
include "/opt/wapt/conf/forward_ssl_auth.conf";
rewrite /(.*) /$1 break;
proxy_pass http://127.0.0.1:8080;
}
# Big upload endpoints
# use uwsgi for this if enabled
location ~ ^/api/v3/(upload_deploy_files|upload_packages|upload_file){
proxy_http_version 1.1;
proxy_request_buffering off;
limit_req zone=wsgi burst=200 delay=100;
include "/opt/wapt/conf/forward_ssl_auth.conf";
include "/opt/wapt/conf/require_ssl_auth.conf";
client_max_body_size 107520m;
client_body_timeout 1800;
proxy_pass http://127.0.0.1:8080;
}
# use uwsgi for this if enabled
location / {
proxy_http_version 1.1;
proxy_request_buffering off;
limit_req zone=wsgi burst=200 delay=100;
include "/opt/wapt/conf/forward_ssl_auth.conf";
include "/opt/wapt/conf/require_ssl_auth.conf";
proxy_pass http://127.0.0.1:8080;
}
location /socket.io {
proxy_http_version 1.1;
proxy_request_buffering off;
limit_req zone=websockets burst=300 delay=100;
include "/opt/wapt/conf/forward_ssl_auth.conf";
include "/opt/wapt/conf/require_ssl_auth.conf";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass http://127.0.0.1:8080/socket.io;
}
}
# configuration file /opt/wapt/conf/forward_ssl_auth.conf:
# default forwarded headers
# to inform agent about its external ip
# works only if there is no other reverse proxy or no nginx in stream mode
# in front of wapt server
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
# in case ssl auth is not enabled, this set haders to empty strings
# this is important since we trust these headers
proxy_set_header X-Ssl-Authenticated $ssl_client_verify;
proxy_set_header X-Ssl-Client-Dn $ssl_client_s_dn;
proxy_set_header X-Ssl-Client-Sha1 $ssl_client_fingerprint;
# configuration file /opt/wapt/conf/require_ssl_auth.conf:
# require ssl auth and format auth information to proxied server
if ($ssl_client_s_dn = "") {
add_header 'Content-Type' 'text/ascii';
return 401 "Requires ssl auth";
}
if ($ssl_client_verify = SUCCESS) {
set $auth_ok 1;
add_header X-Remote-IP $remote_addr;
}
if ($auth_ok != 1) {
add_header 'Content-Type' 'text/ascii';
return 403 "Bad client authentication"; # $ssl_client_verify
}
Code : Tout sélectionner
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Cordialement
Céline