Expose Globaleaks


#1

Hi, I tried to install GlobaLeaks and using localhost everything works correctly. On 127.0.0.1:8082 I can access the admin interface and user interface.
If I try to access from the outside instead with name.domainname.it or name.domainname.it:8082 the page remains in loading.
If in “Administration interface - Network settings” – “HTTPS Settings” tab I click on “Verify” I get “Warning! The platform does not seem to be reachable with the configured host name”

Where am I wrong?

Thanks in advance


#2

You can access GlobaLeaks directly on the port 80 with normal http://name.domainname.it in order to make the setup.

The port 80 must be reachable from the internet, in order to have the LetsEncrypt Certification Authority Bot talk to GlobaLeaks to enroll the digital certificate automatically.

Can you access from the internet your globaleaks platform under http://name.domainname.it without any problem?

Fabio


#3

Hello Fabio, thanks for the reply.
If I try to access http://name.domainname.it or https://name.domainname.it I get this page


#4

Does the platform load correctly and visualize the web interface?
If not, there may be:
a. some kind of firewall or inspection proxy to be disabled
b. some bug, please check logs on the server /var/globaleaks/log and report here the error you get

Let me know


#5

The interface from localhost is fully functional; it freezes as in the image only from the outside.

Here log
https://drive.google.com/open?id=1a43i2Sb4qKkVHh0sJiw1ENN4Nen3KOx6

thanks


#6

May I suggest to reboot the server?
Because the logs report a lot of Bind Port permission denied, because of the port being occupied.

Is it possible that there’s a GlobaLeaks zombie process, preventing a clean startup?

Are there any other server processes on that server?


#7

The server is a test machine where only GlobaLeaks is installed.

I tried to reboot the server and globaleaks was no longer accessible even from localhost.

I checked with the command ps -A | grep globaleaks and there were no instances running.

I gave the permissions to the folders that in the previous launch told me that I had no permissions.

sudo chown pyramid /var/run/globaleaks/
sudo chown pyramid /dev/shm/
sudo chown pyramid /dev/shm/globaleaks/
sudo chown pyramid /var/globaleaks/

and I launched the globaleaks command and I got “Serving the client from directory: /usr/share/globaleaks/client/”

globaleaks is back available on localhost, while nothing has changed from the outside.

These rows have been added to the log

2017-12-05 13:39:23+0100 [-] Log opened.
2017-12-05 13:39:23+0100 [-] twistd 16.0.0 (/usr/bin/python 2.7.12) starting up.
2017-12-05 13:39:23+0100 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2017-12-05 13:39:23+0100 [-] [E] Could not reserve socket for 13 (error: Permission denied)
2017-12-05 13:39:23+0100 [-] [E] Could not reserve socket for 13 (error: Permission denied)
2017-12-05 13:39:23+0100 [-] [E] Found an already initialized database version: 38
2017-12-05 13:39:23+0100 [-] [E] Performing data update
2017-12-05 13:39:23+0100 [-] Site starting on 8082
2017-12-05 13:39:23+0100 [-] Starting factory <twisted.web.server.Site instance at 0x7fcb4e111b90>
2017-12-05 13:39:23+0100 [-] Site starting on 8083
2017-12-05 13:39:23+0100 [-] [I] Starting process monitor
2017-12-05 13:39:23+0100 [-] [E] No ports to bind to! Spawning processes will not work!
2017-12-05 13:39:23+0100 [-] [I] Not launching workers
2017-12-05 13:39:23+0100 [-] GlobaLeaks is now running and accessible at the following urls:
2017-12-05 13:39:23+0100 [-] - [LOCAL HTTP] --> http://127.0.0.1:8082
2017-12-05 13:39:23+0100 [-] - [LOCAL HTTP] --> http://127.0.0.1:8083
2017-12-05 13:39:23+0100 [-] - [REMOTE HTTP] --> http://globaleaks.sitename.it
2017-12-05 13:39:24+0100 [-] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x7fcb51c43cf8>
2017-12-05 13:39:24+0100 [-] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x7fcb51c1e368>
2017-12-05 13:39:24+0100 [-] [E] Failed to initialize Tor connection; error: Unable to access /var/run/tor/control; manual permission recheck needed
2017-12-05 13:39:25+0100 [-] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x7fcb51c43cf8>
2017-12-05 13:39:25+0100 [-] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x7fcb51c1e368>
2017-12-05 13:39:34+0100 [-] 200 GET / 383683B 8ms
2017-12-05 13:39:34+0100 [-] 200 GET /js/scripts.js 2670800B 60ms
2017-12-05 13:39:35+0100 [-] 200 GET /l10n/en 58386B 6ms
2017-12-05 13:39:35+0100 [-] 200 GET /public 28071B 228ms
2017-12-05 13:39:35+0100 [-] 200 GET /l10n/it 63204B 7ms
2017-12-05 13:39:35+0100 [-] 200 GET /public 28071B 0ms


#8

Is this machine an Ubuntu 16.04 server installed following the standard procedure?

As it’s quite strange that it gives all of those permission denied errors


#9

Hi, the server is Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64)

for the installation I followed the steps that I found here

https://globaleaks.readthedocs.io/en/latest/InstallationGuide.html

(I have not found another tutorial).

If you have another tutorial, I can also start with a new server.


#10

Then it shall work, it’s a local configuration problem.

Do you have any webserver (like apache or nginx) in front of the installed platform, operating as a reverse proxy?


#11

No, I simply installed apache and allowed inbound traffic on ports 80 and 443


#12

Please uninstall apache, as they may just be conflicting on their own ports, and try again.


#13

I uninstalled and reinstalled apache but nothing changes


#14

Just uninstall apache, it’s not compatible with GlobaLeaks, which requires port 80 to be available for its embedded webserver.

Let me know


#15

Hi, I start with a new server.

I install as root

root@testx:~# ./install-globaleaks.sh
Checking preliminary packaging GlobaLeaks requirements

  • apt-key requirement met
  • apt-get requirement met
    Detected OS: Ubuntu - xenial
    Running: “apt-get update -y”… SUCCESS
  • curl requirement met
  • netstat requirement met
    Running: “is_tcp_sock_free_check 0.0.0.0:80”… SUCCESS
    Running: “is_tcp_sock_free_check 0.0.0.0:443”… SUCCESS
    Running: “is_tcp_sock_free_check 127.0.0.1:8082”… SUCCESS
    Running: “is_tcp_sock_free_check 127.0.0.1:8083”… SUCCESS
  • required TCP sockets open
    Adding GlobaLeaks PGP key to trusted APT keys
    Running: “apt-key add /tmp/tmp.tPRtkGOrRZ/globaleaks_key”… SUCCESS
    Running: “rm /tmp/tmp.tPRtkGOrRZ/globaleaks_key”… SUCCESS
    Installing software-properties-common
    Running: “apt-get install software-properties-common -y”… SUCCESS
    Adding Tor PGP key to trusted APT
    Running: “apt-key add /tmp/tmp.tPRtkGOrRZ/torproject_key”… SUCCESS
    Running: “rm /tmp/tmp.tPRtkGOrRZ/torproject_key”… SUCCESS
    grep: /etc/apt/sources.list.d/*: No such file or directory
    Adding Tor repository
    Running: “add-apt-repository ‘deb http://deb.torproject.org/torproject.org xenial main’”… SUCCESS
    Running: “apt-get update -y”… SUCCESS
    Running: “apt-get install globaleaks -y”… SUCCESS
    Ouch! The installation is complete but GlobaLeaks failed to start.
    For Professional Support requests please visit: https://www.globaleaks.org/contact/
    Please report encountered issues to the Community Forum at https://forum.globaleaks.org

start as root

root@testx:~# globaleaks
Starting GlobaLeaks…
Invalid user: cannot run as root

I create new user and give root privileges

adduser matteo
usermod -aG sudo matteo

start globaleaks

matteo@testx:~$ globaleaks
Starting GlobaLeaks…
Serving the client from directory: /usr/share/globaleaks/client/
Error in creating directory: /var/globaleaks/db (Permission denied)
Traceback (most recent call last):
  File "/usr/bin/globaleaks", line 144, in <module>
    Settings.create_directories()
  File "/usr/lib/python2.7/dist-packages/globaleaks/settings.py", line 354, in create_directories
    self.create_directory(dirpath)
  File "/usr/lib/python2.7/dist-packages/globaleaks/settings.py", line 332, in create_directory
    raise excep
OSError: [Errno 13] Permission denied: '/var/globaleaks/db'

in the other tests I did I gave permission to the folders, now I wait for advice.

Thank you.


#16

Can you collect the logs “just after” the attempt to start the software after the installation (after “Ouch! The installation is complete but GlobaLeaks failed to start.”) message?

The commands to retrieve the logs are:

cat /var/globaleaks/log/globaleaks.log
journalctl | grep -i globaleaks

Then activate DEBUG logging that way:
echo "LOGLEVEL=DEBUG" >> /etc/default/globaleaks

Then try to start again GlobaLeaks (always with init script, will not work from a normal user, unless you are developing or using advanced command lines):
bash -x /etc/init.d/globaleaks start >/tmp/startup.log 2>&1

Now extract again those log files:
cat /var/globaleaks/log/globaleaks.log
cat /tmp/startup.log
journalctl | grep -i globaleaks

I think that with that set of debug logs, we should come up with what’s going on, as the released software version seems to be working fine on multiple installations and we received feedback of successful installations, but something on your side is not working, so it must be fixed!


#17

Hi, I start with a new server.

root@testX2:/var/globaleaks# cat /var/globaleaks/log/globaleaks.log
cat: /var/globaleaks/log/globaleaks.log: No such file or directory

root@testX2:/var/globaleaks# journalctl | grep -i globaleaks
Dec 06 10:09:14 testX2 groupadd[10604]: group added to /etc/group: name=globaleaks, GID=118
Dec 06 10:09:14 testX2 groupadd[10604]: group added to /etc/gshadow: name=globaleaks
Dec 06 10:09:14 testX2 groupadd[10604]: new group: name=globaleaks, GID=118
Dec 06 10:09:14 testX2 useradd[10608]: new user: name=globaleaks, UID=112, GID=118, home=/var/globaleaks, shell=/bin/false
Dec 06 10:09:14 testX2 chage[10613]: changed password expiry for globaleaks
Dec 06 10:09:15 testX2 systemd[1]: Starting LSB: Start the GlobaLeaks server…
Dec 06 10:09:15 testX2 globaleaks[10714]: * Starting GlobaLeaks daemon globaleaks
Dec 06 10:09:15 testX2 audit[10740]: AVC apparmor=“DENIED” operation=“change_onexec” info=“label not found” error=-2 profile=“unconfined” name=“usr.bin.globaleaks” pid=10740 comm="aa-exec"
Dec 06 10:09:15 testX2 globaleaks[10714]: aa-exec: ERROR: profile ‘usr.bin.globaleaks’ does not exist
Dec 06 10:09:15 testX2 globaleaks[10714]: …fail!
Dec 06 10:09:15 testX2 kernel: audit: type=1400 audit(1512551355.976:3): apparmor=“DENIED” operation=“change_onexec” info=“label not found” error=-2 profile=“unconfined” name=“usr.bin.globaleaks” pid=10740 comm="aa-exec"
Dec 06 10:09:15 testX2 systemd[1]: Started LSB: Start the GlobaLeaks server…

root@testX2:/var/globaleaks# bash -x /etc/init.d/globaleaks start 2>&1 >/tmp/startup.log

+ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+++ readlink -nf /etc/init.d/globaleaks
++ basename /etc/init.d/globaleaks
+ NAME=globaleaks
+ SCRIPTNAME=/etc/init.d/globaleaks
+ WAITFORDAEMON=60
+ test -e /usr/share/globaleaks/default
+ . /usr/share/globaleaks/default
++ LOGLEVEL=CRITICAL
++ USERNAME=globaleaks
++ GROUP=globaleaks
++ APPARMOR_SANDBOXING=1
++ API_PREFIX=
++ LISTENING_IP=0.0.0.0
++ WORKING_DIR=/var/globaleaks/
++ RAM_DISK=/dev/shm/globaleaks/
+ [[ ! -d /var/globaleaks/db ]]
+ NETWORK_SANDBOXING=0
+ test -e /etc/default/globaleaks
+ . /etc/default/globaleaks
+ . /lib/init/vars.sh
++ TMPTIME=0
++ SULOGIN=no
++ DELAYLOGIN=no
++ UTC=yes
++ VERBOSE=no
++ FSCKFIX=no
++ '[' -f /etc/default/rcS ']'
++ . /etc/default/rcS
++ unset EDITMOTD
++ unset RAMRUN
++ unset RAMLOCK
++ '[' -r /proc/cmdline ']'
+++ cat /proc/cmdline
++ for ARG in '$(cat /proc/cmdline)'
++ case $ARG in
++ for ARG in '$(cat /proc/cmdline)'
++ case $ARG in
++ for ARG in '$(cat /proc/cmdline)'
++ case $ARG in
++ for ARG in '$(cat /proc/cmdline)'
++ case $ARG in
++ for ARG in '$(cat /proc/cmdline)'
++ case $ARG in
++ '[' '' ']'
+ . /lib/lsb/init-functions
+++ run-parts --lsbsysinit --list /lib/lsb/init-functions.d
++ for hook in '$(run-parts --lsbsysinit --list /lib/lsb/init-functions.d 2>/dev/null)'
++ '[' -r /lib/lsb/init-functions.d/01-upstart-lsb ']'
++ . /lib/lsb/init-functions.d/01-upstart-lsb
+++ unset UPSTART_SESSION
+++ _RC_SCRIPT=/etc/init.d/globaleaks
+++ '[' -r /etc/init//etc/init.d/globaleaks.conf ']'
+++ _UPSTART_JOB=globaleaks
+++ '[' -r /etc/init/globaleaks.conf ']'
++ for hook in '$(run-parts --lsbsysinit --list /lib/lsb/init-functions.d 2>/dev/null)'
++ '[' -r /lib/lsb/init-functions.d/20-left-info-blocks ']'
++ . /lib/lsb/init-functions.d/20-left-info-blocks
++ for hook in '$(run-parts --lsbsysinit --list /lib/lsb/init-functions.d 2>/dev/null)'
++ '[' -r /lib/lsb/init-functions.d/40-systemd ']'
++ . /lib/lsb/init-functions.d/40-systemd
+++ _use_systemctl=0
+++ '[' -d /run/systemd/system ']'
+++ prog=globaleaks
+++ service=globaleaks.service
++++ systemctl -p LoadState show globaleaks.service
+++ state=LoadState=loaded
+++ '[' LoadState=loaded = LoadState=masked ']'
+++ '[' 1441 -ne 1 ']'
+++ '[' -z '' ']'
+++ '[' -z '' ']'
+++ case $(readlink -f "$0") in
++++ readlink -f /etc/init.d/globaleaks
+++ _use_systemctl=1
++++ systemctl -p CanReload show globaleaks.service
+++ '[' CanReload=no = CanReload=no ']'
+++ '[' start = reload ']'
+++ '[' 1 = 1 ']'
+++ set +e
+++ set +u
+++ '[' xstart = xstart -o xstart = xstop -o xstart = xrestart -o xstart = xreload -o xstart = xforce-reload -o xstart = xstatus ']'
+++ systemctl_redirect /etc/init.d/globaleaks start
+++ local s
+++ local rc
+++ local prog=globaleaks
+++ local command=start
+++ case "$command" in
+++ s='Starting globaleaks (via systemctl)'
+++ service=globaleaks.service
++++ systemctl is-system-running
+++ OUT=running
+++ '[' start = status ']'
+++ log_daemon_msg 'Starting globaleaks (via systemctl)' globaleaks.service
+++ '[' -z 'Starting globaleaks (via systemctl)' ']'
+++ log_daemon_msg_pre 'Starting globaleaks (via systemctl)' globaleaks.service
+++ log_use_fancy_output
+++ TPUT=/usr/bin/tput
+++ EXPR=/usr/bin/expr
+++ '[' -t 1 ']'
+++ FANCYTTY=0
+++ case "$FANCYTTY" in
+++ false
+++ '[' -z globaleaks.service ']'
+++ echo -n 'Starting globaleaks (via systemctl): globaleaks.service'
+++ log_daemon_msg_post 'Starting globaleaks (via systemctl)' globaleaks.service
+++ :
+++ /bin/systemctl --no-pager start globaleaks.service
+++ rc=0
+++ '[' start = status ']'
+++ log_end_msg 0
+++ '[' -z 0 ']'
+++ local retval
+++ retval=0
+++ log_end_msg_pre 0
+++ log_use_fancy_output
+++ TPUT=/usr/bin/tput
+++ EXPR=/usr/bin/expr
+++ '[' -t 1 ']'
+++ FANCYTTY=0
+++ case "$FANCYTTY" in
+++ false
+++ log_use_fancy_output
+++ TPUT=/usr/bin/tput
+++ EXPR=/usr/bin/expr
+++ '[' -t 1 ']'
+++ FANCYTTY=0
+++ case "$FANCYTTY" in
+++ false
+++ RED=
+++ YELLOW=
+++ NORMAL=
+++ '[' 0 -eq 0 ']'
+++ echo .
+++ log_end_msg_post 0
+++ :
+++ return 0
+++ return 0
+++ exit 0

root@testX2:/var/globaleaks# cat /var/globaleaks/log/globaleaks.log
cat: /var/globaleaks/log/globaleaks.log: No such file or directory

root@testX2:/var/globaleaks# cat /tmp/startup.log
Starting globaleaks (via systemctl): globaleaks.service.

root@testX2:/var/globaleaks# journalctl | grep -i globaleaks
Dec 06 10:09:14 testX2 groupadd[10604]: group added to /etc/group: name=globaleaks, GID=118
Dec 06 10:09:14 testX2 groupadd[10604]: group added to /etc/gshadow: name=globaleaks
Dec 06 10:09:14 testX2 groupadd[10604]: new group: name=globaleaks, GID=118
Dec 06 10:09:14 testX2 useradd[10608]: new user: name=globaleaks, UID=112, GID=118, home=/var/globaleaks, shell=/bin/false
Dec 06 10:09:14 testX2 chage[10613]: changed password expiry for globaleaks
Dec 06 10:09:15 testX2 systemd[1]: Starting LSB: Start the GlobaLeaks server…
Dec 06 10:09:15 testX2 globaleaks[10714]: * Starting GlobaLeaks daemon globaleaks
Dec 06 10:09:15 testX2 audit[10740]: AVC apparmor=“DENIED” operation=“change_onexec” info=“label not found” error=-2 profile=“unconfined” name=“usr.bin.globaleaks” pid=10740 comm="aa-exec"
Dec 06 10:09:15 testX2 globaleaks[10714]: aa-exec: ERROR: profile ‘usr.bin.globaleaks’ does not exist
Dec 06 10:09:15 testX2 globaleaks[10714]: …fail!
Dec 06 10:09:15 testX2 kernel: audit: type=1400 audit(1512551355.976:3): apparmor=“DENIED” operation=“change_onexec” info=“label not found” error=-2 profile=“unconfined” name=“usr.bin.globaleaks” pid=10740 comm="aa-exec"
Dec 06 10:09:15 testX2 systemd[1]: Started LSB: Start the GlobaLeaks server…
Dec 06 10:12:33 testX2 systemd[1]: Started LSB: Start the GlobaLeaks server…

bye


#18

Opened a bug on our ticketing system https://github.com/globaleaks/GlobaLeaks/issues/2131

It seems there’s a bug in AppArmor, to be properly debugged on our side.

To let you move on for testing purposes, just disable it by doing:
echo "APPARMOR_SANDBOXING=0" >> /etc/default/globaleaks

Then starting it:
/etc/init.d/globaleaks start

And it should start with no apparmor error on /var/globaleaks/log/globaleaks.log right?


#19

root@testX4:~# echo “APPARMOR_SANDBOXING=0” >> /etc/default/globaleaks
root@testX4:~# /etc/init.d/globaleaks start
/etc/default/globaleaks: line 6: “APPARMOR_SANDBOXING=0”: command not found
[ ok ] Starting globaleaks (via systemctl): globaleaks.service.

root@testX4:~# cat /var/globaleaks/log/globaleaks.log
cat: /var/globaleaks/log/globaleaks.log: No such file or directory


#20

very strange, what’s the content of /etc/default/globaleaks now?

cat /etc/default/globaleaks
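
Added example, not part of the thread and not GlobaLeaks project code: the `command not found` message in post #19 is what a shell prints when a sourced defaults file contains a line wrapped in typographic quotes (“ ”), which the shell treats as ordinary characters, so the setting silently keeps its default. The function names and the temporary sample file are assumptions constructed for the illustration; the default `APPARMOR_SANDBOXING=1` is taken from the trace in post #17.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, the sample file is constructed.
# UTF-8 byte sequences for the typographic quotes U+201C, U+201D, U+2018, U+2019.
LDQ=$(printf '\342\200\234'); RDQ=$(printf '\342\200\235')
LSQ=$(printf '\342\200\230'); RSQ=$(printf '\342\200\231')

# List "lineno:text" for every line of file $1 that contains a typographic quote.
find_smart_quotes() {
    LC_ALL=C grep -n -F -e "$LDQ" -e "$RDQ" -e "$LSQ" -e "$RSQ" "$1"
}

# Print the APPARMOR_SANDBOXING value a shell ends up with after sourcing $1,
# starting from the packaged default of 1 shown in the trace in post #17.
# Sourcing executes the file, so point this only at a root-owned defaults file.
effective_sandboxing() {
    (
        set +e                      # a bad line must not abort the check
        APPARMOR_SANDBOXING=1
        . "$1" 2>/dev/null
        printf '%s\n' "$APPARMOR_SANDBOXING"
    )
}

# Write a copy of $1 to stdout with the typographic quotes removed. They are
# removed rather than straightened: "NAME=0" in straight quotes is still parsed
# as a command name, not as an assignment.
strip_smart_quotes() {
    LC_ALL=C sed -e "s/$LDQ//g" -e "s/$RDQ//g" -e "s/$LSQ//g" -e "s/$RSQ//g" "$1"
}

# Constructed sample reproducing the offending line from post #19.
demo() {
    f=$(mktemp) || return 1
    printf 'LOGLEVEL=DEBUG\n%sAPPARMOR_SANDBOXING=0%s\n' "$LDQ" "$RDQ" > "$f"
    echo "suspect lines:"; find_smart_quotes "$f"
    echo "effective before: $(effective_sandboxing "$f")"
    strip_smart_quotes "$f" > "$f.fixed"
    echo "effective after:  $(effective_sandboxing "$f.fixed")"
    rm -f "$f" "$f.fixed"
}
demo
```

Review the output of `strip_smart_quotes` against the original before replacing the file, since a value that legitimately needs quoting would have to be re-quoted with straight quotes.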