I have a microservice architecture (implemented in Spring Boot) deployed in Google Kubernetes Engine. For this microservice architecture I have setup the following:
domain: comanddev.tk (free domain from Freenom)
a certificate for this domain
the following Ingress config:
The problem is that when I invoke an URL that I know it should be working https://comanddev.tk/customer-service/actuator/health, the response I get is ERR_TIMEDOUT. I checked Ingress Controller and I don't receive any request in the ingress although URL forwarding is set.
Update: I tried to set a "glue record" like in the following picture and the response I get is that the certificate is not valid (i have certificate for comanddev.tk not dev.comanddev.tk) and I get 401 after agreeing to access unsecure url.
I've digged a bit into this.
As I mentioned when you $ curl -IL http://comanddev.tk/customer-service/actuator/health you will received nginx ingress response.
As domain intercepts the request and redirect to the destination server I am not sure if there is point to use TLS.
I would suggest you to use nameserver instead of URL Forwarding, just use IP of your Ingress. In this option you would redirect request to your Ingress. When you are using Port Forwarding you are using Freenom redirection and I am not sure how its handled on their side.
Related
I have a ALB set up behind a cloudfront distro. I have a rule to redirect an HTTP request to URL A to URL B which is not on AWS infrastructure.
When I query the ALB directly for URL A, the load balancer properly redirects to URL B. When I query a cloudfront endpoint for URL A, I get a 403 error back. Per the troubleshoot 403s aws doc, it seems the issue is that I don't have an alternate CNAME configured for URL B. However, since it's not on my SAN certificate that's associated with my CloudFront distro, I can't add it to the list of alternate CNAMES. is there a workaround to allow requests to URL A to properly travel through my cloudfront distro and get redirected? It doesn't make sense to me that I can't do this for an HTTP request.
verified that the ALB can be queried directly and redirect works
tried to add an alternate cname for http domain
removed wacl on alb to make sure that wasn't blocking it
I cannot for the life of me get the AWS API Gateway HTTP Proxy to work, i.e. redirect http://<my-domain>.com to https://<my-domain>.com. Here is how I set it up:
Using the Test functionality on the ANY method inside the resource works. But if I simply do curl http://<my-domain>.com or run http://<my-domain>.com in Chrome, it fails to connect; https://<my-website>.com works just fine. I'm driving myself crazy trying to figure out what I'm missing here; it seems like it should just redirect http://<my-domain>.com to https://<my-domain>.com, but it doesn't (even on different devices).
So, it turns out that API Gateway's HTTP Proxy allows HTTPS traffic to go to an HTTP endpoint, but not the reverse. In fact, API Gateway won't even establish a connection on port 80; from the FAQ:
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS
endpoints only. Amazon API Gateway does not support unencrypted (HTTP)
endpoints.
API Gateway doesn't support unencrypted HTTP traffic. Here are the possible options you can do to secure your website:
If you have access to the server that hosts the website, install an SSL certificate to the webserver.
If the website is hosted on EC2, you can set up a load balancer and let it do the SSL termination.
I'm pretty new to kubernetes, I hope to explain myself in a good way, and if anyone has any resources/suggestions to read for my problem it would be really much appreciated.
Let's get straight to the point.
The web app I'm trying to expose accepts only https connection on the service. So basically I would like to ask the ingress to communicate with my service through https
Following some tutorial I tried to expose a simple web app(that accept http connection) through https, craeting a certificate and a secret and adding the following line to the ingress.yml:
tls:
- secretName: testexample.com
hosts:
- testexample.com
and executing a curl -k https://testexample.com or through browser I can see my webpage.
The troubles pops out when my webapp accept only https connection, and the webapp we are moving to kubernetes does.
I always receive "404 default backend" message.
I tried to look for some resources/tutorial/previous questions,
Secure communication between Ingress Controller (Traefik) and backend service on Kubernetes
Securing connections from ingress to services in Kubernetes with TLS
but I didnt figure out how to get out of the problem.
Any suggestions as mentioned before would be much appreciated.
Error source can are probably your Ingress rule. It's their not pointing to the correct service & port or it is not in the same namespace as the service.
I want to remove Host header at ingress controller before sending the request to backend service. Will appreciate your insight.
My backend service is NOT expecting any Host header.
Thank you !
Google Cloud Platform is working on richer routing and transforms with HTTP(s) Load Balancer, used by Kubernetes Engine Ingress. No ETA is available.
In the meantime, you can use a proxy service in front of the application. See this answer on how to remove a header with nginx.
I found an issue in a new KONG installation (v0.11.2).
When an upstream api return HTTP 301, the KONG will pass this to consumer side instead of following the redirect in the internal process. screenshot
Please advise how to let KONG follow the 301 redirect (as an expected reverse proxy behavior)?
I found a workaround instead of having to deploy a separate web server, if you register DNS through GoDaddy, you can enable their "Domain Forward & Mask" features. What I was trying to enable is a redirect from root domain to www.domain and enforce https.
https://www.godaddy.com/help/manually-forward-or-mask-your-domain-or-subdomain-422
Since DNS was pointed from GoDaddy nameservers, they update the A record pointing to their own configurable proxy, and I was able to enter the redirect URL. Perhaps other domain registrars offer this feature, and it can avoid "hacky" configuration of Kong.
Attempts with Kong
I enabled the request transform plugin for an API and tried overriding the header host and forwarded values to no avail
I tried variations on the downstream url as well
If you want to redirect only for specific upstream APIs, you can use the pre-function plugin.
name: my-redirect
kind: KongPlugin
namespace: my-namespace
global: "false"
plugin: pre-function
config:
access:
- |
if ngx.var.uri == "/product/1" then
local forwarded_host = "new-domain.com"
ngx.header["Location"] = "https://" .. forwarded_host .. ngx.var.request_uri
return kong.response.exit(301)
end
This will redirect traffic from let's say old-domain.com/product/1 to new-domain.com/product/1