I found out that the gsad services are still running after "systemctl stop gsad", so you have to kill them by hand; otherwise you can change the configuration in "/etc/systemd/system/gsad.service".
To solve the problem and also be flexible with a modern and fast web service, I used the reverse proxy solution with nginx.
I did the following:
CERTBOT / LET’S ENCRYPT
apt install certbot -y
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns --email "email@domain.com" --agree-tos --no-eff-email --must-staple --redirect --hsts --uir --staple-ocsp --rsa-key-size 4096 --domain sub.domain.com
GSAD
→ kill all gsad processes
systemctl disable gsad
→ edit this file:
/etc/systemd/system/gsad.service
→ edit this line (add this there: --listen=127.0.0.1 --port=4000 --http-only)
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm --listen=127.0.0.1 --port=4000 --http-only
→ enable service and restart
systemctl daemon-reload
systemctl enable gsad
systemctl start gsad
→ check if the port is listening on localhost
netstat -tulpen | grep 4000
tcp 0 0 127.0.0.1:4000 0.0.0.0:* LISTEN 0 7446690 892953/gsad
NGINX
apt install nginx nginx-extras libnginx-mod-http-headers-more-filter -y
→ create dhparam
cd /etc/ssl/certs/
openssl dhparam -out dhparam.pem 4096
→ edit this file
/etc/nginx/nginx.conf
→ edit this line
ssl_protocols TLSv1.3;
server {
    server_name sub.domain.com;
    server_tokens off;
    more_set_headers "Server: webserver";
    listen 443 ssl http2;
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_trusted_certificate /etc/letsencrypt/live/sub.domain.com/chain.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Add security-related headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy "same-origin" always;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE_HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-FORWARDED-PROTOCOL $scheme;
        proxy_pass http://localhost:4000;
    }
}
→ nginx config test
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
→ manage nginx service
systemctl start nginx
systemctl restart nginx
systemctl status nginx
→ check if the ports are listening
netstat -tulpen | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 7490929 908916/nginx: maste
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 7490928 908916/nginx: maste
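The whole point of the setup above is that the plaintext gsad listener (--http-only) is reachable only on 127.0.0.1 while nginx owns 443. As an added example (not part of the original post), here is a small POSIX sh check that parses netstat -tulpen style output and fails if any gsad socket is bound to a non-loopback address; the two SAMPLE_* inputs are constructed, the second one deliberately wrong.

```shell
#!/bin/sh
# Added helper, not from the original post. Parses `netstat -tulpen` output
# (pass the text as the first argument, e.g. "$(netstat -tulpen)").

# Constructed sample: gsad correctly bound to loopback, nginx on 443.
SAMPLE_OK='tcp 0 0 127.0.0.1:4000 0.0.0.0:* LISTEN 0 7446690 892953/gsad
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 7490928 908916/nginx: master'

# Constructed sample: the --listen=127.0.0.1 flag was forgotten, so the
# unencrypted gsad port is reachable from the network.
SAMPLE_BAD='tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN 0 7446690 892953/gsad
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 7490928 908916/nginx: master'

# Returns 0 when every gsad LISTEN socket is on 127.0.0.1 or ::1,
# otherwise prints the exposed local addresses and returns 1.
gsad_loopback_only() {
    exposed=$(printf '%s\n' "$1" | awk '
        $6 == "LISTEN" && $0 ~ /\/gsad( |$)/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # strip ":port"
            if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]")
                print $4
        }')
    if [ -n "$exposed" ]; then
        printf 'gsad exposed on non-loopback address: %s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# Returns 0 when nginx has a LISTEN socket on port 443 (TLS front end present).
nginx_listens_443() {
    printf '%s\n' "$1" | awk '
        $6 == "LISTEN" && $4 ~ /:443$/ && $0 ~ /\/nginx/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration on the constructed samples.
gsad_loopback_only "$SAMPLE_OK" && nginx_listens_443 "$SAMPLE_OK" \
    && echo "SAMPLE_OK: gsad loopback-only, nginx on 443"
if ! gsad_loopback_only "$SAMPLE_BAD" 2>/dev/null; then
    echo "SAMPLE_BAD: gsad is exposed, fix --listen=127.0.0.1 in gsad.service"
fi
```

On a live host run it as `gsad_loopback_only "$(netstat -tulpen)"` after the daemon-reload/restart step; a non-zero exit means the --listen change in gsad.service did not take effect.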