I'm installing OKD v3.11 cluster with ansible.
Cluster configuration:
4 master-infra-etcd nodes
4 computing nodes
1 external load balancer
Load balancer configuration is described here:
https://github.com/redhat-cop/openshift-playbooks/blob/master/playbooks/installation/load_balancing.adoc#custom-certificate-ssl-termination-production
I'm using nginx as my external load balancer.
Inventory (truncated):
openshift_master_cluster_hostname: okd-internal.example.com
openshift_master_cluster_public_hostname: okd.example.com
openshift_master_default_subdomain: okd.example.com
Here is my NGINX configuration:
user nginx;
error_log /var/log/nginx/error.log warn;
load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
pid /var/run/nginx.pid;
worker_processes "4";
events {
worker_connections 1024;
multi_accept off;
}
stream {
upstream okd_masters {
server okdmaster01.lab.example.com:8443;
server okdmaster02.lab.example.com:8443;
server okdmaster03.lab.example.com:8443;
server okdmaster04.lab.example.com:8443;
}
server {
listen 8443;
proxy_pass okd_masters;
}
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 64;
client_max_body_size 20M;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 120;
keepalive_requests 10;
server_tokens on;
upstream okd_masters {
server okdmaster01.lab.example.com:8443;
server okdmaster02.lab.example.com:8443;
server okdmaster03.lab.example.com:8443;
server okdmaster04.lab.example.com:8443;
}
server {
listen 443 ssl;
server_name okd.example.com *.okd.example.com;
ssl_certificate /etc/nginx/ssl/all.okd.example.com.crt;
ssl_certificate_key /etc/nginx/ssl/all.okd.example.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
keepalive_timeout 600;
keepalive_requests 10;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
location / {
proxy_pass https://okd_masters;
}
}
}
The problem is when I'm trying to access route (app.okd.example.com) I'm getting redirected to okd.example.com instead
Related
I am trying to create a facebook messenger bot. every thing work woth heroku. then i transfer it to my own server. then i got the error "curl errno =35" i tried it with ngrok work fine on the server but not work with my server.
using debian with nginx x and letsencrypt.
the url is preetombot.bddevwork.net
my setting
server {
listen 80;
server_name preetombot.bddevwork.net www.preetombot.bddevwork.net;
#root /usr/share/nginx/www/preetombot.bddevwork.net;
#return 301 https://$server_name$request_uri;
}
server {
listen 443 default_server ssl http2;
server_name preetombot.bddevwork.net
www.preetombot.bddevwork.net;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/letsencrypt/live/preetombot.bddevwork.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/preetombot.bddevwork.net/privkey.pem;
ssl_trusted_certificate /test/ca-certs.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM$
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /test/dhparam.pem;
root /usr/share/nginx/www/preetombot.bddevwork.net;
index index.php index.html index.htm;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://localhost:5000$request_uri;
proxy_redirect off;
proxy_http_version 1.1;
}
location ~ /.well-known{
allow all;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
include fastcgi_params;
}
}
I have multiple secure ports listening within a single server, in this case for FB bot I'm using port 8083.
upstream botd {
server application_1:8083 max_fails=3 fail_timeout=30s;
keepalive 64;
}
server {
listen 443 default_server;
listen [::]:443 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
rewrite_log on;
ssl on;
server_name _;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log debug;
ssl_certificate /etc/ssl/techie8.io/api.techie8.io.bundle;
ssl_certificate_key /etc/ssl/techie8.io/api.techie8.io.key;
# Botd skill.
location /botd {
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://botd;
break;
}
}
# Techie8 API.
location / {
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
#Timeout after 8 hours
proxy_read_timeout 43200000;
proxy_connect_timeout 43200000;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://application;
break;
}
}
}
In Flask App:
#app.route('/botd', methods=['GET'])
def handle_verification():
"""Handle Token verification."""
print "Handling Verification."
if request.args.get('hub.verify_token') == VERIFY_TOKEN:
print "Verification successful!"
return request.args.get('hub.challenge')
else:
print "Verification failed!"
return 'Error, wrong validation token'
#app.route('/botd', methods=['POST'])
def handle_messages():
print "Handling Incoming Messages\n"
payload = request.get_data()
print payload
for sender, message in messaging_events(payload):
print "Incoming Message from %s: %s" % (sender, message)
print ("Access Token: %s" % ACCESS_TOKEN)
send_message(ACCESS_TOKEN, sender, message)
return "ok"
In Facebook WebHook Callback URL I have my host configured:
https://api.mycompany.io/botd
I am playing around with the 4.13 version of artifactory using the pro-registry docker image
I created a virtual docker repo and a local docker repo as suggested in the doc and changed the nginx conf as follows
log into the running container
sudo docker exec -i -t containerID# /bin/bash
vi /etc/nginx/conf.d/default.conf
ssl_certificate /etc/nginx/ssl/demo.pem;
ssl_certificate_key /etc/nginx/ssl/demo.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
server {
listen 80;
listen 443 ssl;
client_max_body_size 2048M;
location / {
proxy_set_header Host $host;
proxy_pass http://localhost:8081/artifactory/;
proxy_read_timeout 90;
}
access_log /var/log/nginx/access.log upstreamlog;
location /basic_status {
stub_status on;
allow all;
}
}
## Sub domain config for docker repository
server {
listen 443 ssl;
listen 80 ;
server_name my-docker-virtual.art.local art.local;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
access_log /var/log/nginx/docker-access.log;
error_log /var/log/nginx/docker-error.log;
rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/my-docker-virtual/$1/$2;
client_max_body_size 0;
chunked_transfer_encoding on;
location /artifactory/ {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
proxy_pass http://artifactory_lb/artifactory/
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
This works great I can do the following
docker login my-docker-virtual.art.local
user
pass
email
docker push my-docker-virtual.art.local/busybox
docker pull busybox
However when I change the nginx o the following
ssl_certificate /etc/nginx/ssl/demo.pem;
ssl_certificate_key /etc/nginx/ssl/demo.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
server {
listen 80;
listen 443 ssl;
client_max_body_size 2048M;
location / {
proxy_set_header Host $host;
proxy_pass http://localhost:8081/artifactory/;
proxy_read_timeout 90;
}
access_log /var/log/nginx/access.log upstreamlog;
location /basic_status {
stub_status on;
allow all;
}
}
## Sub domain config for docker repository
server {
listen 443 ssl;
listen 80 ;
server_name my-docker-virtual.art.local art.local;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
access_log /var/log/nginx/docker-access.log;
error_log /var/log/nginx/docker-error.log;
rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/wrong-docker-virtual/$1/$2;
client_max_body_size 0;
chunked_transfer_encoding on;
location /artifactory/ {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
proxy_pass http://localhost:8081/artifactory/
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
after this I reload the config
Everything still works which it should not, the redirect should fail. Shouldnt it?
Note that I am using the self signed cert that comes with the docker image
So I had to do a service nginx restart in order to see these changes reflected
This is my Nginx config:
upstream app_server {
# Bindings to the Gunicorn server
server 127.0.0.1:8002 fail_timeout=0;
}
server {
listen 80;
server_name "~^www\.(.*)$";
return 301 https://$host$request_uri;
}
server {
access_log path_to_nginx-access.log;
error_log path_to_nginx-error.log;
listen 443 ssl;
server_name _;
ssl_certificate path_to_nginx.crt;
ssl_certificate_key path_to_nginx.key;
client_max_body_size 4G;
keepalive_timeout 5;
root path_to_root;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://app_server;
break;
}
}
error_page 500 502 503 504 /500.html;
location = /500.html {
root path_to_templates;
}
}
My goal is to have all this addresses redirecting to https://domain.com
http://domain.com
https://domain.com
http://www.domain.com
https://www.domain.com
What should I change?
Keep in mind that I need to handle multiple domains with the same Nginx server (vide server_name).
Thanks!
I have the domain englishname.ca than I want to redirect to englishname.com. I did some configuration and it works with HTTP but not with https. But I go to http://englishname.ca, I'm redirected to http://englishname.com but when I go to https://englishname.ca, I'm not redirected.
This is my conf :
server {
server_name 162.243.216.109 staging.frenchname.com staging.englishname.ca staging.singularenglishname.com;
add_header X-Frame-Options "SAMEORIGIN";
rewrite ^/(.*)$ $scheme://staging.englishname.com/$1 permanent;
}
server {
listen 80 default deferred;
server_name www.englishname.com staging.englishname.com;
root /home/deployer/apps/site/current/public;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #unicorn;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://unicorn;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
server {
listen 443 default ssl;
server_name www.englishname.com staging.englishname.com;
root /home/deployer/apps/site/current/public;
ssl on;
ssl_certificate /etc/ssl/certs/www.englishname.crt;
ssl_certificate_key /etc/ssl/private/www.englishname.key;
ssl_session_timeout 5m;
ssl_protocols sslv3 tlsv1 tlsv1.1 tlsv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #unicorn;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_pass http://unicorn;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
What can I do?
I found the answer, I simply added those lines :
server {
listen 443;
server_name 162.243.216.109 staging.lescollectionneursassocies.com staging.associatedartcollectors.ca staging.associatedartcollector.com;
add_header X-Frame-Options "SAMEORIGIN";
rewrite ^/(.*)$ $scheme://staging.associatedartcollectors.com/$1 permanent;
}
It's the same lines than the beggin but with listen 443.
I have an NGINX server which binds to port 443, provides authentication, and reverse-proxies all SSL requests to a bunch of back-end servers. Another server listens on port 80, but it momentarily does simply leads to a placeholder page. How do I get NGINX to redirect all external requests to the SSL-protected sites, while redirecting all intranet requests to the same sites without SSL? Here is the relevant part of my nginx.conf:
server {
listen 80;
server_name intranet;
allow 10.10.0.0/16;
#charset koi8-r;
access_log logs/host.access.log main;
#######################################
#
# locations on LOCALHOST
#
#######################################
location / {
allow all;
root /data/www;
index index.html index.htm;
}
##############
# HTTPS server
##############
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /srv/ssl/ExternalSite.com.combined.crt;
ssl_certificate_key /srv/ssl/ExternalSite.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#######################################
#
# Reverse proxy blocks
#
#######################################
#General ExternalSite web site
location / {
auth_basic "Please enter userid and password to enter the ExternalSite web site";
auth_basic_user_file /var/www/www.ExternalSite.com/.htpasswd;
proxy_buffers 16 4k;
proxy_buffer_size 2k;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_pass http://10.10.10.16:2080;
}
#nagios server
location /nagios {
auth_basic "Please enter userid and password to enter the ExternalSite nagios web site";
auth_basic_user_file /var/www/www.ExternalSite.com/.htpasswd;
proxy_set_header Authorization $http_authorization;
proxy_buffers 16 4k;
proxy_buffer_size 2k;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_pass http://10.10.10.18/nagios;
}
# # munin server
location /munin {
auth_basic "Please enter userid and password to enter the ExternalSite munin web site";
auth_basic_user_file /var/www/www.ExternalSite.com/.htpasswd;
proxy_set_header Authorization $http_authorization;
proxy_buffers 16 4k;
proxy_buffer_size 2k;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_pass http://10.10.10.18/munin;
}
#######################################
#
# End of Reverse proxy blocks
#
#######################################
}
To split Intranet and external requests, create another server section and modify the listen instruction to include corresponding interface.
I.e., if your Intranet interface is 10.10.10.1 and public IP is 54.200.200.200, for Intranet you would do:
listen 10.10.10.1:80
And for external requests:
listen 54.200.200.200:80
Then to redirect to ssl, use the nginx return statement to the same server but with https.
Update: sample Nginx configuration schema (as per comments):
#######################################
#
# Intranet server
#
#######################################
server {
listen 10.10.10.1:80 default_server;
server_name intranet;
allow 10.10.0.0/16;
deny all;
# server configuration with all locations, proxy_passes, etc.
}
#######################################
#
# Internet server, redirecting to ssl
#
#######################################
server {
listen 80;
server_name www.yourdomain.com;
location / {
return https://www.yourdomain.com$request_uri;
}
}
##############
# HTTPS server
##############
server {
listen 443 ssl;
server_name www.yourdomain.com;
# server configuration with all locations, proxy_passes, etc.
}