I lauched docker container using Rancher 2 and when i click on its URL it takes me to http://xx.xxx.xxx.xx:32000
But i would like is : it takes me to directly to https://xx.xxx.xxx.xx:32000 (https instead of http).
How can i do that ?
Any help would appriciated!
Since I see 32000 in the URL, I am assuming you had used NodePort to expose your application. If you are using Rancher 2.x, you would be able to take advantage of Ingress. You can expose your app using port 433 by providing your SSL certificates and the ingress controller automatically does the redirect for you. This is similar behavior provided by Load Balancers in various cloud providers.
If you want to do it in your app, you should be able to add logic in your http/https action handler code where you can do a redirect from http to https.
Related
Okay, I have a DB consisting of several nodes deployed to GKE.
The deployment.yaml adds each node as ClusterIP, which makes sense. Here is the complete deployment file:
https://github.com/dgraph-io/dgraph/blob/master/contrib/config/kubernetes/dgraph-ha/dgraph-ha.yaml
For whatever reason, the DB has zero security functionality, so I cannot expose any part using a LoadBalancer service because doing so would give unsecured access to the entire DB. The vendor argues that security is solely the user's problem. The AlphaNode comes with an API endpoint, which is also unsecured, but I actually want to connect to that API endpoint from an external IP.
So, the best I can do is adding an NGNIX as a (reverse) proxy with authentication to secure access to the API endpoint of the Alpha node(s). Practically, I have three alpha nodes so adding load balancing makes sense. I found a config that does load balancing to three alpha nodes in Docker Compose although, without authenication.:
https://gist.github.com/MichelDiz/42954e321620159c872c35c20e9d85c6
Now, the million-dollar question I have is, how do I add an NGNIX load balance to Kubernetes that authenticates and load balances incoming traffic to my (ClusterIP) alpha nodes?
Any pointers?
Any help?
If you want to do it that hard way, you can deploy your own nginx deployment and expose it as LoadBalancer Service. You can configure it with different authentication mechanisms that nginx support.
Instead, you can use Ingress resource backed by an IngressController that supports authentication. Check if your kubernetes distribution provides an IngressController and if it is supports auth. If not, you can install nginx or Traefik IngressControllers which supports authentication.
Looks like GKE ingress has recently added support for IAP bassed authentication which is still in beta - https://cloud.google.com/iap/docs/enabling-kubernetes-howto
If you are looking for more traditional type of authentication with ingress, install nginx or traefik and use the kubernetes.io/ingress.class annotation so that only IngressController claims your ingress resource - https://kubernetes.github.io/ingress-nginx/user-guide/multiple-ingress/
I have developed a spring boot based REST API service and enabled https on it by using a self signed cert keystore (to test locally), and it works well.
server.ssl.key-store=classpath:certs/keystore.jks
server.ssl.key-store-password=keystore
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=tomcat
Now, I want to package a docker image and deploy this service in a kubernetes cluster. I know I can expose the service as a NodePort and access it externally.
What I want to know is, I doubt that my self signed cert generated in local machine will work when deployed in kubernetes cluster. I researched and found a couple of solutions using kubernetes ingress, kubernetes secrets, etc. I am confused as to what will be the best way to go about doing this, so that I can access my service running in kubernetes through https. What changes will I need to do to my REST API code?
UPDATED NOTE : Though I have used a self signed cert for testing purposes, I can obtain a CA signed cert from my company and use it for production. My question is more on the lines of, For a REST API service which already uses a SSL/TLS based connection, what are some of the better ways to deploy and access the cert in kubernetes cluster , eg: package in the application itself, use Secrets, or scrap the application's SSL configuration and use Ingres instead, etc. Hope my question makes sense :)
Thanks for any suggestions.
Well it depends on the way you want to expose your service. Basically you have either an ingress, an external load balancer (only in certain cloud evironments available) or a Service thats routed to a Port (either via NodePort or HostPort) as options.
Attention: Our K8S Cluster is self hosted so I have no reliable information about external load balancers in K8S and will therefore omit that option.
If you want to expose your service directly behind one of your domains on port 80 (e.g. https://app.myorg.org) you'll want to use ingress. But if you don't need that and you can live with a specific port the NodePort approach should do the trick (e.g. https://one.ofyourcluster.servers:30000/).
Let's assume you want to try the ingress approach than you need to add the certificates to the ingress definition in K8S instead of the spring boot application or you must additionally specify that the service is reachable via https itself in the ingress. The way to do it may differ from ingress controller to ingress controller.
For the NodePort/HostPort you just need to enable SSL in your application.
Despite that you also need a valid certificate e.g. issued by https://letsencrypt.org/
Actually for K8S there are some projects that can fetch you a letsencrypt certificate automatically if you to use ingresses. (e.g. https://github.com/jetstack/cert-manager/)
Firstly, this is a great place to learn and share new information.
Now I've an issue with hosting two websites on the same server but before describing my problem, there are some terms that I'll use henceforth to make things easier.
Website Setup
Server OS - CentOS 7 x64, Docker version - 18.03.0-ce, build 0520e24
1st Website: example.com - hosted via Nginx (Runs as a service on the host machine and not via Docker Container) on port 80 (re-directs to 443) : static website with HTML / CSS code.
2nd Website: http://art.example.com:8080/ : served on port 8080 via this Docker Image
SSL - using LetsEncrypt for both the above domains.
Requirements
To serve both sites (and possibly more) via HTTPs without breaking either of them.
This is because when I browse the 2nd website using art.example.com:8080, it works fine but if I browse the 1st website then subsequent requests to 2nd website somehow start going on HTTPs, causing the page to not load.
Questions
Can both sites (and more) be served via port 80|443 via Nginx VHosts (or any other alternative) without using a different port, i.e: 8080 for 2nd website? This is to not have any ports in the URL as mentioned above but just the domain name.
Or, is there a way to forward traffic to the Docker service on a different port while the main main web service listens to port 80|443? What config changes would I need to do?
I've searched on this forum as much possible but couldn't get much.
Please let me know if any more information would be required from me.
Thanks in advance!
Solution: As recommended by this Docker image maintainer - kdelfour as well as a quick recommendation by BretFisher, we can remake the 1st Website as a Docker Container like the 2nd Website and then load-balance them using Traefik as a reverse proxy to manage SSL
Marking this as solved until an even better solution is found, cheers!
I am currently trying to setup wso2 api manager on openshift. The problem i am running into is that when i try to browse the url created by the openshift route, the application redirects me to the internally created IP address of the publisher app. However when i launch the container without openshift, the application directs me to it's intended API login page which is the Mgt console url.
I suspect this has to do with how the HAProxy embedded load balancer is behaving. I was able to hack around the configurations by changing the default ports to 443 however that created a new set of issues because changing the ports also required me hard coding container hostnames in the carbon.xml. Hardcoding settings in the configuration files prevents me from being able to scale up the containers.
Any assistance on this will be much appreciated.
I want to run a docker container, and somehow intercept/modify HTTP responses in the host. That means, basically take every HTTP response coming out of the container, and modify it before sending it back to the user. Is there a standard way to do this in docker?
What you could do is create a reverse proxy.
All communication in and out of the docker container is done indirectly, trough the proxy. So clients connect to the reverse proxy, the proxy requests the information from the process inside the container. The proxy will also handle the response to the client.
If you simply want to change some headers, a default setup of an apache reverse proxy might be enough.
See this link on how to set up a reverse proxy using apache:
https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension
Other proxy technologies you might consider:
- Nginx
- HAProxy
If you want to do more than just changing headers (please fill me in!) than you might have to write some code to handle that for you.
Good luck! And let me know if you need more help!
Something like mitmproxy. Docker does not change the approach.