I have setup an application in openshift and it is accessible through https://test-uat-ex.com which is a route for the application in openshift.
I have registered a domain called example.com and added https://test-uat-ex.com as a CNAME record to newly registered domain.
I am able to access the application using openshift route URL. But, when I access the newly created domain call example.com, I am getting
Service unavailable 503 error.
Related
I have a REST API on a Hetzner server which uses Varnish. I am trying to set up Cloudfront to use as the CDN for it. After reading around, I currently have the following setup:
Hetzner / Varnish
A main API route api.mydomain.com.
Config in Varnish for cdn-api.mydomain.com to also act as a route to the same API.
In the DNS for the domain in Hetzner, for cdn-api.mydomain.com I have
added the name servers for Route 53.
Route 53
Hosted zone called cdn-api.mydomain.com.
An A record with name prod.cdn-api.mydomain.com which points to my Cloudfront distribution.
An A record with name cdn-api.mydomain.com which points to the IP address of the server.
Cloudfront Distribution
Has the alternate domain name prod.cdn-api.mydomain.com.
Has the origin domain of cdn-api.mydomain.com
Protocol for origin is HTTP only
What I think should happen
Make a request to prod.cdn-api.mydomain.com.
Route 53 forwards to the Cloudfront distribution.
CloudFront looks to origin cdn-api.mydomain.com.
Origin cdn-api.mydomain.com looks to IP address of Hetzner.
Hetzner receives request, Varnish allows the domain through, sends back data to Cloudfront.
What actually happens
If I make a request straight to cdn-api.mydomain.com from Postman, it works if I turn off SSL.
If I turn on SSL, I get the error SSL Error: Hostname/IP does not match certificate's altnames, saying that cdn-api.mydomain.com is not on the certificates of the server.
If I make a request to prod.cdn-api.mydomain.com, I get the error Error: Exceeded maxRedirects. Probably stuck in a redirect loop. Which may be due to the same certs error.
Cloudflare
As a comparison, we have Cloudflare set up as the CDN for a different domain on the same Hetzner server. It has:
A main API route api.myotherdomain.com
In Hetzner a CNAME for cdn-api.myotherdomain.com with value cdn-api.myotherdomain.com.cdn.cloudflare.net.
In Cloudflare, an A record for cdn-api.myotherdomain.com which points to the IP address of the server.
cdn-api.myotherdomain.com is set up in Varnish as an entry point, but is not on the list of certificates of the server.
This all works fine including with SSL enabled.
It would be good to understand what I'm doing wrong here.
I have an application that runs fine in AWS App Runner and can be found here: https://iyarles.net
However, it's not accessible via the naked domain name iyarles.net.
Clarification comment: If I goto iyarles.net in my browser (edge), the request times out. If I goto iyarles.net, my website loads fine.
The App Runner service has a custom domain configured and my hosted zone has the 2 certificate validation records and the alias record pointing to my service.
A few weeks ago I transferred my domain from Google Domains to Route 53. It was originally a redirect from iyarles.net or any other subdomain (with or without https://) to the default domain for my service.
How can I replicate the previous behavior? What exactly are these alias records doing?
When you type the hostname into the browsers address bar, browsers will assume you want to make a plain HTTP request.
When you explicitly include the https: scheme, browsers will make a secure HTTP request.
Your server is running an encrypted service on port 433. It is not running a plain service on port 80.
It times out if you type http://iyarles.net too.
The issue is that the custom domain configured in AWS App Runner is not accessible via the naked domain name, iyarles.net. To replicate the previous behavior, you will need to create an Alias Record in your hosted zone in Route 53, which will point your domain name to the service URL.
The Alias Record is used to route traffic from a domain name to the service URL. It will ensure that any requests to the domain name will be routed to the service URL, thereby allowing your application to be accessible via the naked domain name.
It is important to note that you will also need to create two Certificate Validation Records in your hosted zone in Route 53. These records are used to validate the SSL Certificate for your domain name, which is necessary for HTTPS connections.
I'm trying to setup Identity Aware Proxy for my backend services parts of which resides in GCP and other on on-prem,according to the instruction given in the following link
Enabling IAP for on-premises apps and
Overview of IAP for on-premises apps
After, following the guide I ended up in a partial state where services running on GCP serving at https endpoint is perfectly accessible via IAP. However, the app which is running on on-prem is not reachable through pods* and external loadbalancer*.
Current Architecture followed:
Steps Followed
On GCP project
Created a VPC network in any region with one subnet in my case (asia-southeast1)
Used IAP connector https://github.com/GoogleCloudPlatform/iap-connector
Configured the mapping for 2 domains.
For app in GCP
source: gcp.domain.com
destination: app1.domain.com (serving at https endpoint)
For app in on-prem(Another GCP project)
source: onprem.domain.com
destination: app2.domain.com (serving at https endpoint but not exposed to internet)
Configured VPN Tunnel between both the project so the network gets peered
Enabled IAP for the loadbalancer which is created by the deployment.
Added corresponding accounts to allow access to the services with IAP web-user role.
On-prem
Created VPC network in a region with one subnet (asia-southeast1)
Created VM on VPC in that region
Assigned that VM to an instance group
Created Internal Https loadbalancer and chose instance group as backend
Secured load balancer http with ssl
Setup VPN tunnel to the first project
What I have tried?
logged in to pods and pinged different pods. All pods were reachable.
logged in to nodes and pinged the remote VM on port 80 and 443 both are reachable.
pinged remote VM from inside the pods. Not reachable.
Expected Behaviour:
User requests to loadbalancer on the app1.domain.com which IAP authenticates and authorizes user with OAuth and grant access to the webapp.
User requests to loadbalancer on the app2.domain.com which IAP authenticates and authorizes user with OAuth and grant access to the webapp running on on-prem.
Actual Behaviour
Request to the app1.domain.com prompts OAuth screen after authenticating the website is returned to the user.
Request to the app2.domain.com prompts OAuth screen after authenticating the browser returns 503 - "No healthy upstream"
Note:
I am using a separate GCP project to simulate on-premise.
Both projects are peered via VPN tunnel.
Both peering projects have subnets in the same region.
I have used internal https loadbalancer in my on-prem project to make my VM visible in my host project so that the external loadbalancer can route request to the VM's https endpoint.
** I'm suspecting that if pod could able to reach the remote VM the problem might as well be resolved. It's just a wild guess.
Thank you so much guys. I'm looking forward for your responses.
I'm running meteor on localhost:3000 and I have apache set up to proxy requests for a domain to that meteor instance using a virtualhost and mod_proxy.
I'm getting this error when trying to log in to my meteor app using accounts-facebook:
Given URL is not allowed by the Application configuration.: One or
more of the given URLs is not allowed by the App's settings. It must
match the Website URL or Canvas URL, or the domain must be a subdomain
of one of the App's domains.
I think this is because my ROOT_URL is http://localhost:3000 . If I change the ROOT_URL to the domain, then of course meteor tries to listen to the domain, but can't because my apache server is in the way.
Is there a way I can make this work without another IP address?
From Meteor documentation,
Ensure that your $ROOT_URL matches the authorized domain and callback
URL that you configure with the external service (for instance, if you
are running Meteor behind a proxy server, $ROOT_URL should be the
externally-accessible URL, not the URL inside your proxy).
In my case, my app is listening on a configured port with mod_proxy behind an Apache proxy server, say it is listening http://www.example.com:8080. I have other applications running on other ports.
To get going, on Facebook I set Site URL and Valid OAuth redirect URIs to http://www.example.com:3000 and App Domains to www.example.com. On my machine I set ROOT_URL to http://www.example.com:3000, which is externally-accessible.
Such configurations work for me without a second IP address.
I could get it working by simply having
# /etc/hosts
127.0.0.1 localhost.localdomain localhost
And the facebook settings as in the image below. I've set a secondary (mobile) url to point to http://localhost:3000
I've created a whole facebook app like this, with login, access to graph-api etc. And everything was working both online and in the dev envrionment
In my site I have payment service. when i was trying to access it from VS it was not working because URL was not as registers.
once i have hosted site on server and I have made request from the registered URL It has started working and i can access it.
My query is how they can restrict their service to my domain name ?
They have probably restricted it by IP address.