Haproxy - Cannot setup the most basic proxy - port

Please, can somebody look at this config?
global
log stdout format raw local0 debug
stats timeout 30s
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 50000
timeout client 50000
timeout server 50000
frontend app
bind *:15080
default_backend myback
backend myback
server site google.com:80 check
Why is this not working? If I try to visit 127.0.0.1:15080 it takes some time and then the url in a browser changes to www.google.com:16080 which obviously doesn't take you anywhere. The browser says: "This site can’t be reached - ERR_CONNECTION_TIMED_OUT".
So why doesn't it proxy to port 80 as one would expect?
The log entry does not tell much:
127.0.0.1:50871 [01/Jul/2019:14:39:45.879] app myback/site 0/0/20/84/104 301 681 - - ---- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
Haproxy version:
HA-Proxy version 2.0.0-4fb65f-8 2019/06/19 - https://haproxy.org/
EDIT:
I somehow solved the problem by trial & error.

Actually, HAProxy is working as expected and proxying your request to google. Google, however, sees that the host header is 'Host: 127.0.0.1:15080', and responds with a 301 redirect to www.google.com:15080. You can see this without setting up HAProxy by doing:
$ curl -I -H 'Host: 127.0.0.1:15080' google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com:15080/
Content-Type: text/html; charset=UTF-8
Date: Mon, 01 Jul 2019 14:26:09 GMT
Expires: Wed, 31 Jul 2019 14:26:09 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 225
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
If you want to set up a very basic proxy to google, you need to make sure your host header matches and that you are sending requests via https.
backend myback
http-request set-header Host www.google.com
server site google.com:443 ssl verify none check


How to list repositories/catalog in IBM Container Registry?

I am using IBM Container Registry and trying to list the repositories/catalog using the below command.
curl -i https://us.icr.io/v2/_catalog
HTTP/2 401
content-type: application/json; charset=utf-8
www-authenticate: Bearer realm="https://us.icr.io/oauth/token",service="registry",scope="registry:catalog:*",error="invalid_token"
The www-authenticate field states that the scope of the token should be registry:catalog:*.
When I tried to create a token with this scope, the generated token provides an empty access list.
Running the command with above generated access token gives the below error:
curl -i -H "Authorization: Bearer $token" https://us.icr.io/v2/_catalog
HTTP/2 403
content-type: application/json; charset=utf-8
www-authenticate: Bearer realm="https://us.icr.io/oauth/token",service="registry",scope="registry:catalog:*",error="insufficient_scope"
date: Mon, 23 May 2022 16:53:38 GMT
content-length: 134
cache-control: no-cache, no-store, must-revalidate
content-security-policy: default-src 'self'; frame-ancestors 'none'; form-action 'none';
docker-distribution-api-version: registry/2.0
expires: 0
pragma: no-cache
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-registry-supports-signatures: 1
x-xss-protection: 1; mode=block
server: IBM Cloud Container Registry
{"errors":[{"code":"DENIED","message":"insufficient scope","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
Does IBM Container Registry support _catalog docker v2 api?
Is there any other way to list the repositories?
Note: I have tried https://cloud.ibm.com/apidocs/container-registry#list-images, it lists all the images but not the repositories like _catalog docker v2 api.
According to the IBM Cloud Container Registry documentation and the experience you had, that API is not supported.
IBM Cloud Container Registry supports Docker Engine v17.07, or later.
Docker itself defines the Engine API, Hub API and the Registry API. The latter has the function you asked for.
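The two WWW-Authenticate challenges in the question are the Docker registry token-auth protocol: the registry names the token endpoint (realm), the service and the scope it wants, and an error hint that says whether you need a token at all (invalid_token) or whether the token you have is simply not allowed that scope (insufficient_scope). The following parser is an added example, not code from the original post or from IBM; it reads both headers shown above and builds the token request URL a client would query, so you can see exactly what was asked for before deciding whether the registry can grant it.

```python
"""Parse a Docker-registry ``WWW-Authenticate: Bearer`` challenge.

Added example, not from the original post or from IBM. It parses the two
challenges shown above (error="invalid_token" and error="insufficient_scope")
and builds the token-endpoint URL the Docker token-auth flow would query.
"""
import re
from urllib.parse import urlencode

# key="value" pairs inside the challenge; the values seen here contain no quotes
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header_value: str) -> dict:
    """Return realm/service/scope/error from a Bearer challenge.

    Raises ValueError when the scheme is not Bearer or the realm is missing,
    so a caller never silently sends credentials to an unexpected endpoint.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    fields = dict(_PARAM.findall(params))
    if "realm" not in fields:
        raise ValueError("challenge has no realm")
    return fields


def token_request_url(challenge: dict) -> str:
    """Build the GET URL for the token endpoint named in the challenge.

    The token flow queries <realm>?service=...&scope=...; the scope is copied
    verbatim from the challenge so the registry, not the client, decides
    whether that scope (here registry:catalog:*) can be granted at all.
    """
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return challenge["realm"] + ("?" + urlencode(query) if query else "")


def classify(challenge: dict) -> str:
    """Map the registry's error hint to the action a client should take."""
    error = challenge.get("error")
    if error is None or error == "invalid_token":
        return "obtain-token"      # no or expired token: fetch one from the realm
    if error == "insufficient_scope":
        return "scope-denied"      # token is valid, registry refuses this scope
    return "unknown"


# Copied from the two responses in the question above.
CHALLENGE_401 = ('Bearer realm="https://us.icr.io/oauth/token",service="registry",'
                 'scope="registry:catalog:*",error="invalid_token"')
CHALLENGE_403 = ('Bearer realm="https://us.icr.io/oauth/token",service="registry",'
                 'scope="registry:catalog:*",error="insufficient_scope"')

if __name__ == "__main__":
    for hdr in (CHALLENGE_401, CHALLENGE_403):
        c = parse_bearer_challenge(hdr)
        print(classify(c), token_request_url(c))
```

Note what the 403 tells you: the token was accepted (no longer invalid_token) and the registry still denied registry:catalog:*, which is the registry saying the scope is not grantable, not that the token was built wrongly.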

Load balancing Docker Swarm using HAProxy

I have a Docker Swarm cluster on AWS which I am trying to load balance using HAProxy. My setup which is behind a VPC looks similar to this:
haproxy_server 10.10.0.10
docker_swarm_master1 10.10.0.12
docker_swarm_master2 10.10.0.13
docker_swarm_worker3 10.10.0.14
My only Tomcat container is currently on master_1 and below is my current HAProxy config file:
global
log 127.0.0.1 local0
log 127.0.0.1 local0 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
maxconn 2000
frontend servers
bind *:80
bind *:8443 ssl crt /etc/haproxy/certs/ssl.pem
default_backend hosts
backend hosts
mode http
balance roundrobin
option httpchk OPTIONS /
option forwardfor
option http-server-close
server swarm 10.10.0.12:8443 check inter 5000
I am able to see the index.html page in the webapps directory when I do the following from the HAProxy server:
curl -k https://10.10.0.12:8443/docs/index.html
However, when I try the following curl command below, I get a 503 server not available error
curl -k https://10.10.0.10:8443/docs/index.html
Anyone know what I am doing wrong? I have spent half the day on this to no avail.
EDIT
curl -XOPTIONS -vk https://10.10.0.10:8443/docs/index.html
* Trying 10.10.0.10...
* Connected to 10.10.0.10 (10.10.0.10) port 8443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: *.secreturl.com (does not match '10.10.0.10')
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: OU=Domain Control Validated,CN=*.secreturl.com
* start date: Sat, 27 Jun 2016 16:39:39 GMT
* expire date: Tue, 11 Jun 2020 18:09:38 GMT
* issuer: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certs.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2
* compression: NULL
* ALPN, server did not agree to a protocol
> OPTIONS / HTTP/1.1
> Host: 10.10.0.10:8443
> User-Agent: curl/7.47.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* Closing connection 0
curl -XOPTIONS -vk https://10.10.0.12:8443/docs/index.html
* Trying 10.10.0.12...
* Connected to 10.10.0.12 (10.10.0.12) port 8443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: *.secreturl.com (does not match '10.10.0.10')
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: OU=Domain Control Validated,CN=*.secreturl.com
* start date: Sat, 27 Jun 2016 16:39:39 GMT
* expire date: Tue, 11 Jun 2020 18:09:38 GMT
* issuer: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certs.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2
* compression: NULL
* ALPN, server did not agree to a protocol
> OPTIONS / HTTP/1.1
> Host: 10.10.0.12:8443
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Content-Length: 0
< Date: Sat, 24 Dec 2016 18:39:27 GMT
<
* Connection #0 to host 10.10.0.12 left intact
If you get a 503 Service Not Available, then your health check fails.
From your configuration, HAProxy will use OPTIONS http://10.10.0.12:8443/ which will fail: your backend accepts HTTPS connections. To fix that, tell HAProxy to use HTTPS:
server swarm 10.10.0.12:8443 check inter 5000 ssl verify none
Note: you can enable the stat page with
listen haproxy_admin
bind 127.0.0.1:22002
mode http
stats enable
stats uri /
That should help you debug further issues.
Edit:
The stat page shows L7STS/404, that's the http code HAProxy gets. HAProxy currently checks https://10.10.0.12:8443/ while you test https://10.10.0.12:8443/docs/index.html. Perhaps you should use this url in your check:
option httpchk OPTIONS /docs/index.html
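Both HAProxy questions on this page turn on reading the httplog line correctly: in the first one the log entry actually proves the proxy works (it connected to the server in 20 ms, got response headers in 84 ms and relayed a 301), and in the second one a failing health check shows up as a 503 with no server. The parser below is an added example, not code from either post or from HAProxy; it follows the HAProxy 2.0 `option httplog` field layout, parses the real line from the first question plus a constructed line for the no-server case, and classifies each record from the server name, termination state and status.

```python
"""Parse HAProxy ``option httplog`` lines and say what they mean.

Added example, not from either post above or from HAProxy itself. The
field layout follows the HAProxy 2.0 HTTP log format: client, accept
date, frontend, backend/server, TR/Tw/Tc/Tr/Ta timers in milliseconds,
status, bytes, request and response cookies, termination state,
connection counters, queue positions, request line.
"""
import re
from typing import Optional

_HTTPLOG = re.compile(
    r'^(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\d+) '
    r'(?P<srv_queue>\d+)/(?P<be_queue>\d+) "(?P<request>[^"]*)"$'
)
_INT_FIELDS = ("TR", "Tw", "Tc", "Tr", "Ta", "status", "bytes", "actconn",
               "feconn", "beconn", "srvconn", "retries", "srv_queue", "be_queue")


def parse_httplog(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None if the line is not httplog."""
    m = _HTTPLOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in _INT_FIELDS:
        rec[k] = int(rec[k])
    return rec


def diagnose(rec: dict) -> str:
    """Classify a record by server name, termination state and status.

    <NOSRV> means HAProxy had no usable server (every health check failing,
    or none configured), which is the 503 seen in the second post.
    The first termination-state character records who ended the session:
    'S' the server side, 's' or 'c' a server or client timeout.
    """
    if rec["server"] == "<NOSRV>":
        return "no-server-available"
    cause = rec["term"][0]
    if cause == "S":
        return "server-refused"
    if cause in "sc":
        return "timeout"
    if 300 <= rec["status"] < 400:
        # HAProxy reached the server (Tc/Tr are real numbers) and relayed its
        # redirect: the proxy works, the upstream did not like the request.
        return "upstream-redirect"
    return "ok"


# Line copied from the first question above.
REDIRECT_LINE = ('127.0.0.1:50871 [01/Jul/2019:14:39:45.879] app myback/site '
                 '0/0/20/84/104 301 681 - - ---- 2/2/0/0/0 0/0 "GET / HTTP/1.1"')
# Constructed line for the second question's 503: no server passed its health check.
NOSRV_LINE = ('10.10.0.99:41234 [24/Dec/2016:18:39:27.000] servers~ hosts/<NOSRV> '
              '0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "OPTIONS / HTTP/1.1"')

if __name__ == "__main__":
    for line in (REDIRECT_LINE, NOSRV_LINE):
        rec = parse_httplog(line)
        print(diagnose(rec), rec["server"], rec["status"],
              f"Tc={rec['Tc']}ms Tr={rec['Tr']}ms")
```

Reading the first record this way gives the same conclusion the answer reached by hand: a `----` termination state with a real connect and response time means HAProxy is not the problem, and the 301 came from the upstream. A `<NOSRV>` record with `SC--` and -1 timers means HAProxy never tried a server, which is where to look at the health check rather than at the frontend.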

Nginx not serving static content over rails

I want to serve static images with nginx. I have in my nginx.conf
location /i/ {
alias /home/matt/images/;
}
I am going to server.com/i/928675140291b6.jpg just to see if it will serve the image, but I'm getting in production.log:
ActionController::RoutingError (No route matches [GET] "/i/928675140291b6.jpg"):
The response to curl -I server.com/i/928675140291b6.jpg:
HTTP/1.1 404 Not Found
Server: nginx/1.10.0 (Ubuntu)
Date: Mon, 24 Oct 2016 13:49:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1564
Connection: keep-alive
X-Request-Id: abb0cb6c-e922-4186-b245-e78b21a88919
X-Runtime: 0.007451
My problem was, for some reason, nginx doesn't care about the nginx.conf in my Rails project folder. I edited the file in /etc/nginx/sites-enabled/my_app and now nginx is listening.

Docker Remote API - Pull/Create image not working

Okay so I have enabled managing the docker daemon over HTTP by starting the daemon as follows:
/usr/bin/docker -d -H fd:// -H=0.0.0.0:2376
I can create containers and remove them via the Remote API (i.e other calls are working fine) but if I try and pull an image it errors as follows:
curl -v -X POST http://localhost:2376/images/create?from=ubuntu
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 2376 (#0)
> POST /images/create?from=ubuntu HTTP/1.1
> User-Agent: curl/7.38.0
> Host: localhost:2376
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Thu, 01 Oct 2015 09:01:02 GMT
< Transfer-Encoding: chunked
<
{"status":"Downloading from http://"}
{"errorDetail":{"message":"Get http://: http: no Host in request URL"},"error":"Get http://: http: no Host in request URL"}
* Connection #0 to host localhost left intact
Anyone know what the answer is?
Ah looks like it was a typo in the parameter name
"from" -> "fromImage"
Basically you get this error if the query parameters are missing.
Also make sure you set tag=latest otherwise it downloads all ubuntu images!
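Two things about this endpoint are easy to get wrong and worth encoding in code rather than remembering: the daemon ignores unknown query parameters and still answers 200 OK, so a typo like `from` only shows up as an error object inside the streamed body, and without `tag` it pulls every tag of the repository. The script below is an added example, not code from the original post or from Docker; it fixes the parameter names in one place, reads the newline-delimited JSON progress stream and raises on the first `errorDetail`, exactly the body shown in the question. The host and port in `pull_image` are assumptions. Separately, note that `-H=0.0.0.0:2376` without the daemon's `--tlsverify` options exposes the API, which is root-equivalent on the host, to anyone who can reach that port; 2376 is the conventional TLS port, and the daemon should only listen there with client-certificate verification enabled.

```python
"""Call the Docker Engine API ``POST /images/create`` correctly.

Added example, not from the original post or from Docker. It builds the
query with the parameter names the endpoint expects (``fromImage`` and
``tag``) and reads the newline-delimited JSON progress stream, raising on
an ``errorDetail`` entry, since the daemon answers 200 OK before it knows
whether the pull will succeed. Host and port in pull_image are assumptions.
"""
import http.client
import json
from urllib.parse import urlencode


def create_image_query(image: str, tag: str = "latest") -> str:
    """Query string for /images/create.

    A misspelt parameter (e.g. ``from``) is silently ignored by the daemon,
    so the names live here. An explicit tag avoids pulling every tag.
    """
    if not image:
        raise ValueError("image must not be empty")
    return urlencode({"fromImage": image, "tag": tag})


def consume_pull_stream(body: str) -> list:
    """Parse the JSON-lines body; return status messages, raise on error."""
    statuses = []
    for raw in body.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if "errorDetail" in event or "error" in event:
            detail = event.get("errorDetail") or {}
            message = detail.get("message") or event.get("error", "")
            raise RuntimeError("pull failed: " + message)
        if "status" in event:
            statuses.append(event["status"])
    return statuses


def pull_image(host: str, port: int, image: str, tag: str = "latest") -> list:
    """Pull over the plain-HTTP listener from the question (network call,
    not exercised here). Only point this at a loopback or TLS-protected
    listener: the Engine API is root on the host."""
    conn = http.client.HTTPConnection(host, port, timeout=600)
    conn.request("POST", "/images/create?" + create_image_query(image, tag))
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"HTTP {resp.status}: {body}")
    return consume_pull_stream(body)


# Body copied from the failed request in the question above.
FAILED_BODY = (
    '{"status":"Downloading from http://"}\n'
    '{"errorDetail":{"message":"Get http://: http: no Host in request URL"},'
    '"error":"Get http://: http: no Host in request URL"}\n'
)

# Constructed stand-in for a successful pull stream (not captured from a daemon).
OK_BODY = (
    '{"status":"Pulling from library/ubuntu","id":"latest"}\n'
    '{"status":"Pull complete","id":"1234"}\n'
    '{"status":"Status: Downloaded newer image for ubuntu:latest"}\n'
)

if __name__ == "__main__":
    print(create_image_query("ubuntu"))
    print(consume_pull_stream(OK_BODY))
    try:
        consume_pull_stream(FAILED_BODY)
    except RuntimeError as exc:
        print(exc)
```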

Grails with Spring Security plugin not redirecting from http to https when using REQUIRES_SECURE_CHANNEL on Amazon Elastic Beanstalk

I am using Grails 2.1 with the Spring Security plugin. I have some paths that have REQUIRES_SECURE_CHANNEL set. When I run my app on my machine with “grails run-app -https” everything works properly when accessing a path that requires https from http (they get redirected). However, on the Amazon Elastic Beanstalk paths requiring https do not redirect from http to https.
I have set
grails.plugins.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
in Config.groovy for production and
grails.plugins.springsecurity.secureChannel.useHeaderCheckChannelSecurity = false
in Config.groovy for development.
If I telnet to port 80 and request a path that has REQUIRES_SECURE_CHANNEL set, this is what I see on the Amazon Elastic Beanstalk:
$ telnet www.example.com 80
Connected to www.example.com.
Escape character is '^]'.
GET /login/index HTTP/1.1
Host: www.example.com
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://www.example.com/login/index
Content-Length: 0
Date: Wed, 10 Oct 2012 19:40:29 GMT
If I telnet to port 8080 using the development environment and request a path that has REQUIRES_SECURE_CHANNEL set, this is what I see on my machine:
$ telnet localhost 8080
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET /server/login/index HTTP/1.1
Host: localhost:8080
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: https://localhost:8443/server/login/index
Content-Length: 0
Date: Wed, 10 Oct 2012 19:27:09 GMT
How do I get my app on Amazon Elastic Beanstalk to properly forward paths that have REQUIRES_SECURE_CHANNEL set from http to https?
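The setting in the question, `useHeaderCheckChannelSecurity`, exists because an application behind a load balancer that terminates TLS only ever sees plain HTTP on its own socket, so a check based on the request scheme treats every request as insecure; the header-check variant instead trusts the original scheme that the balancer records in a forwarded header (AWS ELB sets X-Forwarded-Proto). The code below is an added illustration of that general mechanism, not code from the original post, from Grails or from Spring Security, and it does not claim to be the fix for the configuration above. It also shows the check a practitioner would want: the forwarded header is honoured only when the peer address belongs to the balancer, because otherwise any client can send its own `X-Forwarded-Proto: https` and skip the redirect. The trusted address range, the path list and the port are assumptions.

```python
"""Header-check channel security behind a TLS-terminating load balancer.

Added illustration; not code from the original post, from Grails or from
Spring Security. The app only sees plain HTTP from the balancer, so the
scheme the client really used is taken from X-Forwarded-Proto, and only
when the request arrives from the balancer's address range. The trusted
range, the secure path list and the port are assumptions for the example.
"""
import ipaddress
from typing import Optional

# Assumption: the address range the load balancer connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: paths that require a secure channel (what a REQUIRES_SECURE_CHANNEL rule covers).
SECURE_PATH_PREFIXES = ("/login",)
HTTPS_PORT = 443


def effective_scheme(remote_addr: str, headers: dict, request_scheme: str) -> str:
    """Scheme the client used: X-Forwarded-Proto from a trusted proxy, else the socket's."""
    addr = ipaddress.ip_address(remote_addr)
    if any(addr in net for net in TRUSTED_PROXIES):
        lowered = {k.lower(): v for k, v in headers.items()}
        forwarded = lowered.get("x-forwarded-proto", "").strip().lower()
        if forwarded in ("http", "https"):
            return forwarded
    # Header absent, malformed, or from an untrusted peer: fall back to what the socket saw.
    return request_scheme


def secure_channel_redirect(remote_addr: str, headers: dict, request_scheme: str,
                            host: str, path: str) -> Optional[str]:
    """Location for a redirect to https, or None when the request may proceed."""
    if not path.startswith(SECURE_PATH_PREFIXES):
        return None
    if effective_scheme(remote_addr, headers, request_scheme) == "https":
        return None
    hostname = host.split(":", 1)[0]          # drop any port the client sent in Host
    port = "" if HTTPS_PORT == 443 else f":{HTTPS_PORT}"
    return f"https://{hostname}{port}{path}"


if __name__ == "__main__":
    # Plain-http request arriving via the balancer: redirect to https.
    print(secure_channel_redirect("10.10.0.5", {"X-Forwarded-Proto": "http"}, "http",
                                  "www.example.com", "/login/index"))
    # Same path, but the balancer says the client already used https: no redirect.
    print(secure_channel_redirect("10.10.0.5", {"X-Forwarded-Proto": "https"}, "http",
                                  "www.example.com", "/login/index"))
```

The third case in the test below is the one that matters for security: a request from outside the balancer's range carrying a forged `X-Forwarded-Proto: https` is still redirected, because the header is ignored unless the peer is trusted.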
