We Keep Coding

Why I get "Forbidden" status while I trying to redirect, with HAProxy, calls on CRC installed in a CentOS Docker container?

I have this scenario:
a HOST machine running Debian that runs docker containers.
a CentOS docker container that have CodeReady Containers (CRC) installed on itself. CRC working on the container, via command line, without problems.
I want access, from the Host machine, to CRC web console that works on https://console-openshift-console.apps-crc.testing (on a specific IP in the hosts file of the container).
I found this RedHat guide for accessing CRC remotely.
And, applied to Docker containers, making the following changes to haproxy.conf:
global
log 127.0.0.1 local0
debug
defaults
log global
mode http
timeout connect 5000
timeout check 5000
timeout client 30000
timeout server 30000
frontend apps
bind CONTAINER_IP:80
bind CONTAINER_IP:443
option tcplog
mode tcp
default_backend apps
backend apps
mode tcp
balance roundrobin
option ssl-hello-chk
server webserver1 CRC_IP:6443 check
frontend api
bind CONTAINER_IP:6443
option tcplog
mode tcp
default_backend api
backend api
mode tcp
balance roundrobin
option ssl-hello-chk
server webserver1 CRC_IP:6443 check
enabling forwarding for the container:
$ sysctl net.ipv4.conf.all.forwarding=1
$ sudo iptables -P FORWARD ACCEPT
and also starting CRC behind a proxy:
$ crc config set http-proxy http://example.proxy.com:<port>
$ crc config set https-proxy http://example.proxy.com:<port>
$ crc config set no-proxy <comma-separated-no-proxy-entries>
I can successfully call the url https://console-openshift-console.apps-crc.testing from the Host machine (that have dnsmasq as DNS resolver properly configured)!!!
but I get this error:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}
Notes:
when CRC starts I have a warning: WARN Wildcard DNS resolution for apps-crc.testing does not appear to be working
even trying to login with oc, on Host machiche via command line, fail with an error message with status "Forbidden": Error from server (InternalError): Internal error occurred: unexpected response: 403.
Where is the problem? I can't figure it out.
For those interested, this is the project's Git repository on GitHub.

This message means that the user "system:anonymous" have not the permission to access the cluster. Have you done a login into the crc cluster as written in the documentation?
3.3. Accessing the OpenShift cluster
oc login -u developer https://api.crc.testing:6443

This is the final message when you run crc start
To access the cluster, first set up your environment by following 'crc oc-env' instructions.
Then you can access it by running 'oc login -u developer -p developer https://api.crc.testing:6443'.
To login as an admin, run 'oc login -u kubeadmin -p xxxx-xxxx-xxxxx-xxxx https://api.crc.testing:6443'.
To access the cluster, first set up your environment by following 'crc oc-env' instructions.
Therefore, you have to run first to have the oc client available on the command line:
crc oc-env
Then you have to run login with oc client. In my installation was:
oc login -u developer https://api.crc.testing:6443

Yarn: Error: connect ECONNREFUSED 127.0.0.1:443

When I install ELM via yarn, I get
-- ERROR -----------------------------------------------------------------------
Something went wrong while fetching the following URL:
https://github.com/elm/compiler/releases/download/0.19.1/binary-for-windows-64-bit.gz
It is saying:
Error: connect ECONNREFUSED 127.0.0.1:443
NOTE: You can avoid npm entirely by downloading directly from:
https://github.com/elm/compiler/releases/download/0.19.1/binary-for-windows-64-bit.gz
When I manually browse to https://github.com/elm/compiler/releases/download/0.19.1/binary-for-windows-64-bit.gz. I get
However other people can access the link and it downloads the file.
EDIT:
HOSTS File:
127.0.0.1 view-localhost # view localhost server
127.0.0.1 mydevsnapcap.com www.mydevsnapcap.com app.mydevsnapcap.com internal.mydevsnapcap.com
0.0.0.1 mssplus.mcafee.com
Edit
This use to work a few days ago.
More tests:
I cannot access it from my phone and pc using my fibre connection, but I can access it on both my phone and mobile using my mobile connection.

It turns out that it was my ISP that was for some reason blocking the link. I switch to using the google dns and all is good in the hood: https://developers.google.com/speed/public-dns/docs/using

Something in your computer or on your network is resolving the domain github.com to 127.0.0.1, i.e. localhost. Hence, everytime you attempt this access, it tries to reach a service running on the very same computer you're making the request from.
Check your DNS settings.
Check that there are no entries for github.com in the hosts file (on Windows C:\Windows\System32\drivers\etc\hosts, everywhere else /etc/hosts).
If you're running something like Pi-Hole on your network, check, that it doesn't catch github.com

exposing api via secure gateway

I want to expose one blue zone api to external customers via secure-gateway, I am using docker as the client, but I always met below errors (the api server is in DST environment), can anyone help me on this? I have added the host name and port into ACL file, also, I tried adding --allow when I run docker, it will disable 'deny all'
[INFO] (Client ID d83dty5MIJA_rVI) Connection #2 is being established to ralbz001234.cloud.dst.ibm.com:8888
[2017-09-06 20:59:19.210] [ERROR] (Client ID d83dty5MIJA_rVI) Connection #1 to destination ralbz001234.cloud.dst.ibm.com:8888 had error: EHOSTUNREACH
When I add secure-gateway, the resource loacated filed, I choose On-Premises, is this correct?

EHOSTUNREACH is an issue with the underlying system not being able to find a route to the host you've provided. From the machine hosting the docker client, are you able to access the resource located at ralbz001234.cloud.dst.ibm.com:8888? If the host is able to connect, then you could try adding --net=host to the docker run command:
docker run --net=host -it ibmcom/secure-gateway-client <gatewayID> -t <security_token> --allow
If the host is unable to connect as well, then this post may shed more light on routing.

How to access RabbitMq publicly

I have installed & setup the Rabbitmq on Centos remote server. Later I created an file "rabbitmq.config" and added the line
[{rabbit, [{loopback_users, []}]}]
and then restarted the rabbitmq server. Again tried to login the rabbitmq management web interface from my local machine using the guest credentials, but getting
login failed
error message.What is the proper way to empty the loopback user settings for Rabbitmq in Centos.

First of all connect to your rabbitmq server machine using ssh client so as to be able to run rabbitmqctl (like puTTY) & get into the sbin directory of rabbit installation
you need to create a user for any vhost on that system (here I use default vhost "/")
$ rabbitmqctl add_user yourName yourPass
Set the permissions for that user for default vhost
$ rabbitmqctl set_permissions -p / yourName ".*" ".*" ".*"
Set the administrator tag for this user (to enable him access the management pluggin)
$ rabbitmqctl set_user_tags yourName administrator
... and you are ready to login to your rabbitmq management gui using yourName and yourPass from any browser by pointing it to http://"*********":15672 where ***** is your server IP
hope it helps...
:-)

There is an example config file, on centos do:
cp /usr/share/doc/rabbitmq-server-3.4.2/rabbitmq.config.example /etc/rabbitmq/rabbitmq.config
Find and remove comments (and comma):
{loopback_users, []}
Then, stop rabbitmq:
rabbitmqctl stop
Now start the server:
service rabbitmq-server start
Now user "guest" can access from anywhere.

Since RabbitMQ 3.3.0 there you can't use default guest/guest credentials except via localhost, (see release notes for 3.3.0 for details).
As a possible solution you can (and probably should) create custom secured user to be used for monitoring, management, etc.
Also you can use proxy setup.
P.S.:
if you enabled loopback_users check that proper config loaded (for running NODENAME), it is well-formed (has valid syntax and ended with .), management plugin activated and started and no firewall blocking rules exists.
P.P.S.:
Check that default user is guest, it exists and has default (guest) password. If you use some library to access to RabbitMQ, check that it has the same defaults as remote (guest:guest) or specify them explicitly.

BOSH module not started: Ejabberd / Strophe setup issue [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
Am trying to setup Strophe with Ejabberd on Ubuntu 12 (Linode latest version) using the internal Ejabberd webserver to serve the chat.
The test urls (http-bind and admin) both work.
JWChat works.
Strophe throws an error:
In Strophe:
RECV: <body xmlns='http://jabber.org/protocol/httpbind' type='terminate' condition='internal-server-error'>BOSH module not started</body>
In ejabberd.log:
E(<0.468.0>:ejabberd_http_bind:1236) :
You are trying to use BOSH (HTTP Bind) in host "admin", but the module mod_http_bind is not started in that host.
Configure your BOSH client to connect to the correct host, or add your desired host`
Setup has been straightforward (though it took quite a while to work this out):
Installed using sudo apt-get
Running under sudo
Using the internal server, to avoid messing with proxies or setting up PunJab.
In ejabberd.cfg made changes.
Changes to ejabberd.cfg:
%% In listening ports, amended the following lines:
{ request_handlers, [
{["pub"], mod_http_fileserver},
{["http-bind"], mod_http_bind}
]},
%% In modules, added the following:
{ mod_http_fileserver, [
{docroot, "/var/lib/ejabberd/www"},
{accesslog, "/var/log/ejabberd/access.log"}
]},
{mod_http_bind, []},
Any help would be much appreciated.

The answer is rather obvious.
Strophe requires the username in the following format:
username#host
eg. admin#example.com
It otherwise assumes that the username is really the host, and since such a host doesn't exist, it throws an error that mod_http_bind is not started in that host
This error is misleading at best, but it does technically explain the issue.
I was trying to login with just the username [which worked fine in JWChat], hence the issue.
In case this doesn't work, a checklist of some of the other things to verify:
Make sure that your domain is added to /etc/hosts
127.0.0.1 localhost.localdomain localhost
12.34.56.78 squire.example.com squire
Make sure that your domain is added to /etc/ejabberd/ejabberd.cfg
%% Hostname
Hostname {hosts, ["example.com","98.765.43.21","localhost"]}.
Ensure that your username exists and is registered:
ejabberdctl register username example.com password
And if user is an admin, is included in ejabberd.cfg [Note: it must also be registered!]
%% Admin user
{acl, admin, {user, "", "localhost"}}.
{acl, admin, {user, "admin", "example.com"}}.
Check that the server is running:
a. sudo ejabberdctl status
b. http://example.com:5280/admin
c. http://example.com:5280/http-bind
If there are issues, restart using both (I know you don't need both in theory. In practice, sometimes using one or the other would not work right.)
sudo /etc/init.d/ejabberd restart
sudo ejabberdctl restart
Check the logs - /var/log/ejabberd/ejabberd.log (see here).
Install JWChat and try that (or, if you have JWChat, install Strophe).
The following short tutorial is invaluable, follow it exactly: http://www.ejabberd.im/jwchat-localserver