Erreur accès console WAPT

Share here your tips or issues concerning WAPT Console or WAPT Agent / Venez ici partager vos problèmes et astuces concernants la console et l'agent WAPT
Règles du forum
Règles du forum communautaire
* English support on www.reddit.com/r/wapt
* Le support communautaire en français se fait sur ce forum
* Merci de préfixer le titre du topic par [RESOLU] s'il est résolu.
* Merci de ne pas modifier un topic qui est taggé [RESOLU]. Ouvrez un nouveau topic en référençant l'ancien
* Préciser version de WAPT installée, version complète ET numéro de build (2.2.1.11957 / 2.2.2.12337 / etc.) AINSI QUE l'édition Enterprise / Discovery
* Les versions 1.8.2 et antérieures ne sont plus maintenues. Les seules questions acceptées vis à vis de la version 1.8.2 sont liés à la mise à jour vers une version supportée (2.1, 2.2, etc.)
* Préciser OS du serveur (Linux / Windows) et version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019)
* Préciser OS de la machine d'administration/création des paquets et de la machine avec l'agent qui pose problème le cas échéant (Windows 7 / 10 / 11 / Debian 11 / etc.)
* Eviter de poser plusieurs questions lors de l'ouverture de topic, sinon il risque d'être ignorer. Si plusieurs sujet, ouvrir plusieurs topic, et de préférence les uns après les autres et pas tous en même temps (ie ne pas spammer le forum).
* Inclure directement les morceaux de code, les captures d'écran et autres images directement dans le post. Les liens vers les pastebin, les bitly et autres sites tierces seront systématiquement supprimés.
* Comme tout forum communautaire, le support est fait bénévolement par les membres. Si vous avez besoin d'un support commercial, vous pouvez contacter le service commercial Tranquil IT au 02.40.97.57.55
Répondre
celine18
Messages : 25
Inscription : 03 oct. 2018 - 15:14

11 juin 2026 - 16:22

Bonjour,

Suite à la mise à jour du serveur Wapt, la connexion à la console ne fonctionne plus.

Nous avons le message suivant :
"Erreur lors du login : Http client error: THttpClientSocket.OpenBind: Is a server available on this address:port? {remoteip=]{#6 Fatal Error]"

Nous utilisons l'authentification AD pour nous connecter à la console.
Notre serveur WAPT est installé sur un Debian 13 avec WAPT 2.6.1.17765
La console est installé sur un Windows 10.

Merci d'avance pour votre aide,
Cordialement
Céline
Haut
Avatar de l’utilisateur
dcardon
Expert WAPT
Messages : 1947
Inscription : 18 juin 2014 - 09:58
Localisation : Saint Sébastien sur Loire
Contact :
Contacter dcardon

11 juin 2026 - 17:40

Bonjour Céline,

vous aviez upgradé depuis quelle version de Wapt, quelle version de Debian?

Lorsque vous avez upgradé, vous avez aussi mis à jour les paquets Debian j'imagine? Est ce que nginx a été mis à jour?

Est ce que nginx tourne bien sur le serveur? Est ce que le paquet spnego est bien dans la même version que le serveur nginx (nginx est très tatillon par rapport à ça).

Et est ce que le service waptserver a lui même bien upgradé?

Cordialement,

Denis
Denis Cardon - Tranquil IT
Communiquez autour de vous sur WAPT! Envoyez nous vos url de blog et d'articles dans la catégorie votre avis du forum, nous les mettrons en avant sur le site WAPT
Haut
celine18
Messages : 25
Inscription : 03 oct. 2018 - 15:14

12 juin 2026 - 08:51

Bonjour,

J'ai effectué un upgrade de Debian 12 à Debian 13.
Et oui nginx a été mis à jour aussi. Il est en version 1.26.3.
Le paquet libnginx-mod-http-auth-spnego est en version 1.1.3.

J'ai mis à jour WAPT à la version 2.6.1.17813.
Sur la page web de mon serveur, je vois bien tout à jour.

Cordialement
Céline
Haut
Avatar de l’utilisateur
dcardon
Expert WAPT
Messages : 1947
Inscription : 18 juin 2014 - 09:58
Localisation : Saint Sébastien sur Loire
Contact :
Contacter dcardon

12 juin 2026 - 09:30

Bonjour Céline,

qu'est ce que vous avez avec un

Code : Tout sélectionner

nginx -T
Le paquet spnego est bien celui de Debian (avant en Debian 12 et en dessous Tranquil IT recompilait et fournissait le module spnego, depuis la deb13 c'est inclus par défaut dans les dépôts Debian) ?

Code : Tout sélectionner

apt info libnginx-mod-http-auth-spnego | grep "Maintainer:"
Cordialement,

Denis
Denis Cardon - Tranquil IT
Communiquez autour de vous sur WAPT! Envoyez nous vos url de blog et d'articles dans la catégorie votre avis du forum, nous les mettrons en avant sur le site WAPT
Haut
celine18
Messages : 25
Inscription : 03 oct. 2018 - 15:14

12 juin 2026 - 10:18

Denis,

Merci pour votre retour.

Voici le retour de la commande nginx -T

Code : Tout sélectionner

2026/06/12 10:09:59 [warn] 56020#56020: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/opt/wapt/waptse                                                                                                                   rver/ssl/cert.pem"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 32768;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 4096;
}
http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    access_log /var/log/nginx/access.log;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-spnego.conf:
load_module modules/ngx_http_auth_spnego_module.so;

# configuration file /etc/nginx/mime.types:
types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xslt+xml                             xsl xslt;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/ogg                                        ogv;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-matroska                                 mkv;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/sites-enabled/wapt.conf:



limit_req_zone  $proxy_add_x_forwarded_for zone=wsgi:20m rate=100r/s;
limit_req_zone  $proxy_add_x_forwarded_for zone=login:20m rate=2r/s;
limit_req_zone  $proxy_add_x_forwarded_for zone=websockets:20m rate=300r/s;







log_format combined_ssl '$remote_addr $ssl_client_s_dn $ssl_client_verify $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

server {

    listen                      80;

    listen                      [::]:80;


    listen                      443 ssl;

    listen                      [::]:443 ssl;




    server_name                 serveurwapt.domain.local;

    server_name                 X.X.X.X;




    access_log "/var/log/nginx/access.log" combined_ssl;


    ssl_certificate             "/opt/wapt/waptserver/ssl/cert.pem";
    ssl_certificate_key         "/opt/wapt/waptserver/ssl/key.pem";
    ssl_protocols               TLSv1.2 TLSv1.3;

    ssl_dhparam                 "/etc/ssl/certs/dhparam.pem";


    ssl_prefer_server_ciphers   on;
    ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_session_cache           none;
    ssl_session_tickets         off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;


    ssl_client_certificate "/opt/wapt/conf/ca-wapt.crt";

    ssl_crl "/opt/wapt/conf/ca-check-clients.crl";

    ssl_verify_client optional;


    gzip_min_length     1000;
    gzip_buffers        4 8k;
    gzip_http_version   1.0;
    gzip_disable        "msie6";
    gzip_types          text/plain text/css application/json;
    gzip_vary           on;

    index index.html;

        server_tokens off;

    client_max_body_size 12288m;
    client_body_timeout 1800;

    large_client_header_buffers 4 16k;
    proxy_headers_hash_max_size 1024;
    proxy_headers_hash_bucket_size 128;

    proxy_request_buffering off;

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root         /var/www/html;
    }

    # sub instances
    include "/opt/wapt/conf/wapt.d/*.conf";

    location /static/ {
            alias "/opt/wapt/waptserver/static/";
    }


    location /ssl/ {
            alias "/var/www/ssl/";
    }


    # not protected URL
    location ~ ^/(robots.txt|wapt/waptsetup.*\.exe|wapt/ping|wapt/waptagent/.*|wapt/waptagent\.exe|wapt/waptdeploy\.exe|wa                                                                                                                   pt/conf\.d/.*\.json)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        root "/var/www";
    }

    location ~ ^/api/v3/(wads_register_host|set_host_wads_status|baseipxe|get_host_ipxe|get_wads_exe.*|get_wads_config)$ {

            proxy_http_version 1.1;
            proxy_request_buffering off;

            include "/opt/wapt/conf/forward_ssl_auth.conf";

            rewrite /(.*) /$1 break;

            proxy_pass http://127.0.0.1:8080;



    }


    # not protected URL
    location /wads/ {

       sendfile           on;
       sendfile_max_chunk 1m;
       tcp_nopush on;
       alias "/var/www/wads/";

    }


    # homepage
    location = / {
       include "/opt/wapt/conf/forward_ssl_auth.conf";
       proxy_pass http://127.0.0.1:8080;
    }




    # SSL protected URL or cacheable
    location /waptwua/ {

        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";



        sendfile           on;
        sendfile_max_chunk 1m;
        tcp_nopush on;
        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";

        alias "/var/www/waptwua/";


    }

    # SSL protected URL but never cached
    location ~ ^/(wapt/Packages)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        sendfile           on;
        sendfile_max_chunk 1m;
        tcp_nopush on;

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";

        root "/var/www";
    }

    # SSL protected URL or cacheable
    location ~ ^/(wapt/.*)$ {

        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";

        sendfile           on;
        sendfile_max_chunk 1m;
        tcp_nopush on;

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        root "/var/www";
    }

    # SSL protected URL but Never cached
    location ~ ^/(licences\.json|sync\.json)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";

        sendfile           on;
        sendfile_max_chunk 1m;
        tcp_nopush on;

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        root "/var/www";
    }

    # SSL protected only when wads is not enabled
    location /rules.json {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        root "/var/www";
    }


    # we don't want to expose our list of computers in case someone scan this folder.
    location /wapt-host/Packages {
        return 403;
    }

    # SSL protected and non cacheable
    location ~ ^/(wapt-host/.*)$ {
        log_not_found off;
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        root "/var/www";
    }


    location ~ ^/.*_kerberos$ {

        return 404 "Kerberos is disabled";

    }

    # we need socketio for these actions.
    # they are enabled only locally on the loopback
    location ~ ^/api/v3/(update_hosts_sid_table|hosts_sid)$ {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        include "/opt/wapt/conf/forward_ssl_auth.conf";

        rewrite /(.*) /$1 break;
        proxy_pass http://127.0.0.1:8080;
        allow 127.0.0.1;
        deny all;
    }

    # we need socketio for these actions
    location ~ ^/api/v3/(trigger_host_action|reset_hosts_sid|host_tasks_status|trigger_cancel_task|hosts_delete|launch_syn                                                                                                                   c_on_remotes_repos|broadcast_sync_on_remotes_repo)$ {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=wsgi burst=20 delay=10;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        rewrite /(.*) /$1 break;
        proxy_pass http://127.0.0.1:8080;
    }

    # old API
    location /get_websocket_auth_token {
        return 404;
    }

    # these actions are not protected by SSL client side certificate, as we perhaps don't have one at this stage.
    # in case uwsgi is enabled, we wat this to still be handled by eventlet waptserver as these endpoints are not cpu inte                                                                                                                   nsive but often called
    # don't use uwsgi for this
    location ~ ^/(ping)$ {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=wsgi burst=200 delay=100;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        rewrite /(.*) /$1 break;
        proxy_pass http://127.0.0.1:8080;
    }

    # Not protected by SSL client side certificate, as we perhaps don't have one at this stage.
    # use uwsgi for this if enabled
    location ~ ^/(api/v3/get_temp_client_cert|login|api/v3/login|login_kerberos|api/v3/login_kerberos|api/v3/logout|api/v3                                                                                                                   /get_hash_json_content|api/v3/waptagent_version|add_host|api/v3/add_host|add_host_kerberos|api/v3/add_host_kerberos|api/v3                                                                                                                   /get_waptagent_exe/.*/waptagent.exe)$ {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=login burst=20 delay=10;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        rewrite /(.*) /$1 break;

        proxy_pass http://127.0.0.1:8080;

    }

    # Big upload endpoints
    # use uwsgi for this if enabled
    location ~ ^/api/v3/(upload_deploy_files|upload_packages|upload_file){
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=wsgi burst=200 delay=100;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";

                client_max_body_size 107520m;
                client_body_timeout 1800;

        proxy_pass http://127.0.0.1:8080;

    }

    # use uwsgi for this if enabled
    location / {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=wsgi burst=200 delay=100;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";



        proxy_pass http://127.0.0.1:8080;

    }

    location /socket.io {
        proxy_http_version 1.1;
        proxy_request_buffering off;

        limit_req zone=websockets burst=300 delay=100;


        include "/opt/wapt/conf/forward_ssl_auth.conf";

        include "/opt/wapt/conf/require_ssl_auth.conf";


        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://127.0.0.1:8080/socket.io;
    }
}
# configuration file /opt/wapt/conf/forward_ssl_auth.conf:
# default forwarded headers

# to inform agent about its external ip
# works only if there is no other reverse proxy or no nginx in stream mode
# in front of wapt server

proxy_set_header Host $host;
proxy_set_header X-Real-IP  $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;

# in case ssl auth is not enabled, this set haders to empty strings
# this is important since we trust these headers
proxy_set_header X-Ssl-Authenticated $ssl_client_verify;
proxy_set_header X-Ssl-Client-Dn $ssl_client_s_dn;
proxy_set_header X-Ssl-Client-Sha1 $ssl_client_fingerprint;

# configuration file /opt/wapt/conf/require_ssl_auth.conf:
# require ssl auth and format auth information to proxied server

if ($ssl_client_s_dn = "") {
   add_header 'Content-Type' 'text/ascii';
   return 401 "Requires ssl auth";
}

if ($ssl_client_verify = SUCCESS) {
   set $auth_ok 1;
   add_header X-Remote-IP $remote_addr;
}

if ($auth_ok != 1) {
   add_header 'Content-Type' 'text/ascii';
   return 403 "Bad client authentication"; # $ssl_client_verify
}
Pour spnego, je ne sais pas mais voici le retour de la commande :

Code : Tout sélectionner

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Cordialement
Céline
Haut
Répondre

Revenir à « WAPT usage (Console, Agent) / Utilisation WAPT (Console, Agent) »


  • Pour aller plus loin avec WAPT