Azure App Gateway to respond with 403.4 when HTTP used - azure-application-gateway

Is there a way to get App Gateways (v1 or v2) to respond with 403 (or 403.4) when an HTTPS only resource is accessed through HTTP?
Redirect is not desired.
Right now, my requests just time out:
curl -G -v "http://my-custom-domain/v1/api" --data-urlencode "username=myusername" --data-urlencode "password=secret" --data-urlencode "api-client-key=some-key"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying xx.xxx.xx.xxx...
* TCP_NODELAY set
  0     0    0     0    0     0      0      0 --:--:--  0:00:20 --:--:--     0
* connect to xx.xxx.xx.xxx port 80 failed: Timed out
* Failed to connect to my-custom-domain port 80: Timed out
* Closing connection 0
curl: (7) Failed to connect to my-custom-domain port 80: Timed out

Related

Curl from Jenkins workspace to docker container returning error

I am trying to curl from the Jenkins workspace to a Docker container. When I run my container I use -p 1080:1080, and after that I launch a curl from my workspace pointing to 127.0.0.1:1080. Doing that locally works fine, but when I launch the code in Jenkins I get the following error:
I have changed the IP address from 127.0.0.1 to 0.0.0.0, and now I can see that some data is received, but I am still getting a connection reset error:
* About to connect() to 0.0.0.0 port 1080 (#0)
* Trying 0.0.0.0...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to 0.0.0.0 (0.0.0.0) port 1080 (#0)
> PUT /mockserver/expectation HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 0.0.0.0:1080
> Accept: */*
> Content-Length: 37894
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>
* Recv failure: Connection reset by peer
0 37894 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
script returned exit code 56
I have resolved the issue by adding a sleep 20 to my shell script, which waits until the service starts.

Connect to GRPC service through curl?

I have a simple gRPC service, helloworld. Its server is running on an EC2 instance behind nginx. I am trying to connect to the gRPC server from my local machine using curl. I am following the same code that is in the official repo, so I don't think there is any problem on the code side, because I am able to connect to my gRPC server from my local gRPC client (greeter_client.py).
But when I try with curl I get a response like this:
abci@learnerc MINGW64 ~/Desktop
$ curl -v -H "Content-Type: application/grpc" 3.x6.xx9.xx1:50052/helloworld --http2-prior-knowledge
* Uses proxy env variable no_proxy == 'xxx.xxx.xx.100'
* Trying x.xx.xxx.xx:50052...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to 3.xx.xxx.xxx (3.xx.xxx.xxx) port 50052 (#0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x6712b0)
> GET /helloworld HTTP/2
> Host: 3.xx.xxx.xxx:50052
> user-agent: curl/7.68.0
> accept: */*
> content-type: application/grpc
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 204
< server: nginx/1.18.0 (Ubuntu)
< date: Fri, 12 Mar 2021 01:57:01 GMT
< grpc-status: 14
< grpc-message: unavailable
<
{ [0 bytes data]
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host 3.xx.xxx.xxx left intact
My nginx config:
server {
    listen 50052 http2;
    location /helloworld {
        default_type application/grpc;
        grpc_pass grpc://localhost:50051;
    }
    # Error responses
    include conf.d/errors.grpc_conf; # gRPC-compliant error responses
    default_type application/grpc;
}
The gRPC server is running in a Docker container with port 50051 exposed.
root@ip-xx2-x1-xx-xx:/etc/nginx/sites-enabled# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
xxx xxx "/bin/sh -c 'python …" 6 hours ago Up 6 hours 0.0.0.0:50051->50051/tcp obje_galois
Thanks. Any help is appreciated.
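The curl in the question sends a GET with an empty body. A gRPC call over HTTP/2 is always a POST to /<package.Service>/<Method> with a length-prefixed protobuf message as the body and a te: trailers header, and the grpc-status comes back as an HTTP/2 trailer (visible with -v). The following is an added example, not code from the question, from nginx or from the grpc repository: it hand-encodes a HelloRequest for the Greeter service of the official helloworld example (assumed here: package helloworld, service Greeter, method SayHello, message field name = 1, reply field message = 1), wraps it in a gRPC frame, and prints a curl command line for it. The request path /helloworld.Greeter/SayHello still falls under the location /helloworld prefix in the config above. This only shows what a well-formed request looks like; gRPC status 14 is UNAVAILABLE, which says nothing about framing, so it is for ruling the client side out before looking at the nginx-to-upstream hop.

```python
"""Added example: hand-build a gRPC request body so curl can call the Greeter service."""
import shlex


def encode_varint(value):
    """Protobuf base-128 varint for a non-negative int."""
    if value < 0:
        raise ValueError("varint must be non-negative")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(data, pos=0):
    """Return (value, next_pos) for the varint starting at data[pos]."""
    shift, value = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def encode_string_field(field_number, text):
    """Length-delimited protobuf field (wire type 2): tag varint, length varint, UTF-8 bytes."""
    payload = text.encode("utf-8")
    return encode_varint((field_number << 3) | 2) + encode_varint(len(payload)) + payload


def decode_string_field(data, field_number):
    """Return the first string field with this number from a message, or None."""
    pos = 0
    while pos < len(data):
        tag, pos = decode_varint(data, pos)
        number, wire_type = tag >> 3, tag & 7
        if wire_type == 0:                      # varint: skip it
            _, pos = decode_varint(data, pos)
        elif wire_type == 1:                    # fixed64
            pos += 8
        elif wire_type == 5:                    # fixed32
            pos += 4
        elif wire_type == 2:                    # length-delimited
            length, pos = decode_varint(data, pos)
            chunk = data[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("truncated field")
            pos += length
            if number == field_number:
                return chunk.decode("utf-8")
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
    return None


def hello_request(name):
    """helloworld.HelloRequest { string name = 1; } (assumed from the official example)."""
    return encode_string_field(1, name)


def grpc_frame(message, compressed=False):
    """gRPC length-prefixed message: 1 flag byte + 4-byte big-endian length + payload."""
    return bytes([1 if compressed else 0]) + len(message).to_bytes(4, "big") + message


def parse_grpc_frames(body):
    """Split a response body into (compressed, payload) frames; raise on truncation."""
    frames, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise ValueError("truncated frame header")
        flag = body[pos]
        length = int.from_bytes(body[pos + 1:pos + 5], "big")
        start, end = pos + 5, pos + 5 + length
        if end > len(body):
            raise ValueError("truncated frame body")
        frames.append((bool(flag), body[start:end]))
        pos = end
    return frames


def curl_command(base_url, service, method, frame_path):
    """curl line: POST to /<package.Service>/<Method>, h2 without upgrade, te: trailers."""
    url = "%s/%s/%s" % (base_url.rstrip("/"), service, method)
    args = ["curl", "-v", "--http2-prior-knowledge", "-X", "POST",
            "-H", "content-type: application/grpc", "-H", "te: trailers",
            "--data-binary", "@" + frame_path, "--output", "reply.bin", url]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    frame = grpc_frame(hello_request("world"))
    with open("hello.bin", "wb") as f:
        f.write(frame)
    print(frame.hex())   # 00000000070a05776f726c64
    # Host is the masked one from the question; replace it with the real address.
    print(curl_command("http://3.xx.xxx.xxx:50052", "helloworld.Greeter", "SayHello", "hello.bin"))
    # After the call, reply.bin holds HelloReply { string message = 1; } frames:
    # for _, payload in parse_grpc_frames(open("reply.bin", "rb").read()):
    #     print(decode_string_field(payload, 1))
```

The frame for name "world" is 00 00 00 00 07 followed by 0a 05 "world": flag byte, message length, then protobuf tag 0x0a (field 1, wire type 2), length 5 and the bytes. The parser refuses truncated frames rather than silently returning partial messages, which is the behaviour to insist on in anything that consumes gRPC bodies from an untrusted proxy.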

cadvisor: TLS not working when providing a key and a certificate

According to the cadvisor documentation (https://github.com/google/cadvisor/blob/master/docs/runtime_options.md#metrics), using the options collector_cert and collector_key should enable TLS on the Prometheus endpoint.
I have launched the cadvisor container using the following command:
docker run --rm -d --volume=/:/rootfs:ro --volume=/tmp/cadvisor.crt:/etc/ssl/cadvisor.crt --volume=/tmp/cadvisor.key:/etc/ssl/cadvisor.key --volume=/var/run:/var/run:rw --volume=/sys:/sys:ro --volume=/var/lib/docker/:/var/lib/docker:ro --publish=8080:8080 --name=cadvisor gcr.io/cadvisor/cadvisor:latest --collector_cert=/etc/ssl/cadvisor.crt --collector_key=/etc/ssl/cadvisor.key
but when I try to access the metrics using curl https://127.0.0.1:8080/metrics -v I get the following error:
* Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
On the other hand, using curl http://127.0.0.1:8080/metrics -v returns the Docker host metrics:
* Trying 127.0.0.1:8080...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /metrics HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/plain; version=0.0.4; charset=utf-8
< Date: Mon, 01 Feb 2021 11:03:33 GMT
< Transfer-Encoding: chunked
<
{ [12148 bytes data]
100 300k 0 300k 0 0 4421k 0 --:--:-- --:--:-- --:--:-- 4357k
* Connection #0 to host 127.0.0.1 left intact
Any pointers will be appreciated.
As far as I know, there is no HTTPS support in cAdvisor. Maybe you can use a reverse proxy instead? There is an issue on the same topic on GitHub: https://github.com/google/cadvisor/issues/2539
These flags are used to collect data from another endpoint with TLS authentication enabled.
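Two of the curl failures on this page are really questions about what a port speaks. The first question ended in a connect timeout on port 80, which means nothing completed the TCP handshake at all (no listener, or traffic filtered upstream), a different situation from a listener that answers with a 403 or a redirect. The cAdvisor request above failed with "wrong version number" because port 8080 answered the TLS ClientHello with plaintext HTTP. The probe below is an added example, mine rather than anything from the posts, Azure or cAdvisor: it connects, tries a plaintext GET, classifies the outcome, and only if plaintext fails checks whether a TLS handshake succeeds. It sends no query string on purpose: the request in the first question carries a password in the URL, and that must never be replayed over port 80 just to see what the server does. The serve_status helper is a constructed local stand-in for the remote host so the block runs offline; the /v1/api path is the one from the question.

```python
"""Added example: find out what a port does with a plaintext HTTP request."""
import http.client
import http.server
import socket
import ssl
import threading


def probe_http_port(host, port, path="/", timeout=5.0):
    """Classify a port without sending any credentials.

    Returns {"transport": ..., "status": ..., "location": ...} where transport is
      "timeout" - TCP connect (or read) timed out: nothing answering, or filtered
      "refused" - TCP reset: the host is up but nothing listens on that port
      "http"    - a plaintext HTTP response came back (status/location filled in)
      "tls"     - plaintext failed but a TLS handshake succeeded
      "unknown" - neither plaintext HTTP nor TLS worked
    """
    result = {"transport": "unknown", "status": None, "location": None}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        result.update(transport="http", status=resp.status,
                      location=resp.getheader("Location"))
        return result
    except socket.timeout:
        result["transport"] = "timeout"
        return result
    except ConnectionRefusedError:
        result["transport"] = "refused"
        return result
    except (http.client.HTTPException, OSError):
        pass                               # garbage or EOF: maybe it expects TLS
    finally:
        conn.close()

    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # asking "is it TLS?", not "is it you?"
    ctx.verify_mode = ssl.CERT_NONE        # never do this for a real client
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                result["transport"] = "tls"
    except (ssl.SSLError, OSError):
        pass
    return result


def serve_status(status, location=None):
    """Constructed local stand-in for the remote host: every GET gets `status`
    (plus a Location header if given) so the probe can be exercised offline."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *_):
            pass                           # keep the demo output quiet

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # A port answering 403 is what the first question wants; a port nobody
    # listens on is "refused"; the timeout the question actually saw is a third case.
    server, port = serve_status(403)
    print(probe_http_port("127.0.0.1", port, "/v1/api"))
    server.shutdown()
    server.server_close()
    print(probe_http_port("127.0.0.1", port))   # now refused
```

Reading the result: "http" with a 3xx and an https:// Location is the redirect the first question did not want; "http" with 403 is what it asked for; "tls" on a port you expected to be plaintext (or "http" on one you expected to be TLS, as with cAdvisor) means the client and server disagree about the protocol before any HTTP status is involved.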

Haproxy always giving 503 Service Unavailable

I've installed HAProxy 1.8 in a Kubernetes container.
Whenever I make a request to /test, I always get a 503 Service Unavailable response. I want to return the stats page when I get a request to /test.
Following is my configuration file:
/etc/haproxy/haproxy.cfg:
global
    daemon
    maxconn 256
defaults
    mode http
    timeout connect 15000ms
    timeout client 150000ms
    timeout server 150000ms
frontend stats
    bind *:8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 10s
frontend http-in
    bind *:8083
    default_backend servers
    acl ar1 path -i -m sub /test
    use_backend servers if ar1
backend servers
    mode http
    server server1 10.1.0.46:8404/stats maxconn 32
    # 10.1.0.46 is my container IP
I can access the /stats page using:
curl -ik http://10.1.0.46:8404/stats
But when I do:
curl -ik http://10.1.0.46:8083/test
I always get following response:
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Content-Type: text/html
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
I started haproxy using:
/etc/init.d/haproxy restart
and then subsequently restart it using:
haproxy -f haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
Following is the output of netstat -anlp:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 54/python3.5
tcp 0 0 0.0.0.0:8083 0.0.0.0:* LISTEN 802/haproxy
tcp 0 0 0.0.0.0:8404 0.0.0.0:* LISTEN 802/haproxy
tcp 0 0 10.1.0.46:8404 10.0.15.225:20647 TIME_WAIT -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
Following is the output of ps -eaf:
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jul22 ? 00:00:00 /bin/sh -c /bin/bash -x startup_script.sh
root 6 1 0 Jul22 ? 00:00:00 /bin/bash -x startup_script.sh
root 54 6 0 Jul22 ? 00:00:09 /usr/local/bin/python3.5 /usr/local/bin/gunicorn --bind 0.0.0.0:5000 runner:app?
root 57 54 0 Jul22 ? 00:02:50 /usr/local/bin/python3.5 /usr/local/bin/gunicorn --bind 0.0.0.0:5000 runner:app?
root 61 0 0 Jul22 pts/0 00:00:00 bash
root 739 0 0 07:02 pts/1 00:00:00 bash
root 802 1 0 08:09 ? 00:00:00 haproxy -f haproxy.cfg -p /var/run/haproxy.pid -sf 793
root 804 739 0 08:10 pts/1 00:00:00 ps -eaf
Why could I be getting 503 unavailable always?
Why do you use HAProxy 1.8 when a 2.2.x already exists?
You will need to adapt the path in the backend, which can't be set at the server level.
backend servers
    mode http
    http-request set-path /stats
    server server1 10.1.0.46:8404 maxconn 32
    # 10.1.0.46 is my container IP

Docker Couchbase: Cannot connect to port 8091 using curl from within entrypoint script

Running docker-machine version 0.5.0, Docker version 1.9.0 on OS X 10.11.1.
I have a Couchbase image of my own (not the official one). From inside the entrypoint script, I'm running some curl commands to configure the Couchbase server and to load sample data. The problem is, curl fails with the error message Failed to connect to localhost port 8091: Connection refused.
I've tried 127.0.0.1, 0.0.0.0, localhost, all without any success. netstat shows that port 8091 on localhost is listening. If I later log on to the server using docker exec and run the same curl commands, those work! What am I missing?
Error:
couchbase4 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
couchbase4 |                                  Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (7) Failed to connect to localhost port 8091: Connection refused
netstat output:
root@cd4d3eb00666:/opt/couchbase/var/lib# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:21100 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21101 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9998 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8091 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8092 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:41125 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:11209 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:11210 0.0.0.0:* LISTEN
tcp6 0 0 :::11209 :::* LISTEN
tcp6 0 0 :::11210 :::* LISTEN
Here is my Dockerfile:
FROM couchbase
COPY configure-cluster.sh /opt/couchbase
CMD ["/opt/couchbase/configure-cluster.sh"]
and configure-cluster.sh
/entrypoint.sh couchbase-server &
sleep 10
curl -v -X POST http://127.0.0.1:8091/pools/default -d memoryQuota=300 -d indexMemoryQuota=300
curl -v http://127.0.0.1:8091/node/controller/setupServices -d services=kv%2Cn1ql%2Cindex
curl -v http://127.0.0.1:8091/settings/web -d port=8091 -d username=Administrator -d password=password
curl -v -u Administrator:password -X POST http://127.0.0.1:8091/sampleBuckets/install -d '["travel-sample"]'
This configures the Couchbase server but still debugging how to bring Couchbase back in foreground.
Complete details at: https://github.com/arun-gupta/docker-images/tree/master/couchbase
It turns out that if I do the curls after restarting the server, those work. Go figure! That said, note that the REST API for installing sample buckets is undocumented as far as I know. arun-gupta's blog and his answer here are the only places where I saw any mention of a REST call for installing sample buckets. There's a python script available but that requires installing python-httplib2.
That said, arun-gupta's last curl statement may be improved upon as follows:
if [ -n "$SAMPLE_BUCKETS" ]; then
  # Split the comma-separated list into an array, one bucket name per element.
  IFS=',' read -ra BUCKETS <<< "$SAMPLE_BUCKETS"
  for bucket in "${BUCKETS[@]}"; do
    printf "\n[INFO] Installing %s.\n" "$bucket"
    # --data-ascii avoids curl mangling the hand-built JSON array; -w prints the status code.
    curl -sSL -w "%{http_code} %{url_effective}\\n" -u "$CB_USERNAME:$CB_PASSWORD" --data-ascii '["'"$bucket"'"]' "$ENDPOINT/sampleBuckets/install"
  done
fi
where SAMPLE_BUCKETS can be a comma-separated environment variable, possible values being combinations of gamesim-sample, beer-sample and travel-sample. The --data-ascii option keeps curl from choking on the dynamically created JSON.
Now if only there was an easy way to start the server in the foreground. :)
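Both the Jenkins answer above (sleep 20) and the entrypoint script here (sleep 10, and "the curls work after a restart") paper over the same problem: the script talks to a service that has not finished starting, and a fixed sleep is either too long or, on a slow host, too short. The block below is an added example, not code from either post or from Couchbase, of the readiness wait that replaces the sleep. It polls in a loop with a deadline, and it checks two different layers, because a listening socket is not a ready service: the kernel completes the TCP handshake into the backlog before the process has accepted anything, which is exactly how netstat can show 8091 in LISTEN while the REST API still does not answer. The slow_listener helper is a constructed stand-in that listens immediately but only replies after a delay; /pools/default is the endpoint the script above calls first, and any HTTP answer from it is taken as "the REST API is up" (an assumption: the status code of an unconfigured node is not asserted here).

```python
"""Added example: wait for readiness instead of a fixed sleep."""
import http.client
import socket
import threading
import time


def wait_for_port(host, port, deadline_s=60.0, interval_s=0.5):
    """Poll until a TCP connect succeeds. True when the port accepts, False at the deadline."""
    end = time.monotonic() + deadline_s
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval_s):
                return True
        except OSError:
            pass
        if time.monotonic() >= end:
            return False
        time.sleep(interval_s)


def wait_for_http(host, port, path, ok_statuses=None, deadline_s=60.0,
                  interval_s=0.5, attempt_timeout_s=2.0):
    """Poll until GET path gets an HTTP answer (any status, or one in ok_statuses).

    This is the check the entrypoint script needs: a port in LISTEN state proves
    nothing about whether the application behind it is serving requests yet.
    """
    end = time.monotonic() + deadline_s
    while True:
        conn = http.client.HTTPConnection(host, port, timeout=attempt_timeout_s)
        try:
            conn.request("GET", path)
            status = conn.getresponse().status
            if ok_statuses is None or status in ok_statuses:
                return True
        except (OSError, http.client.HTTPException):
            pass                                    # refused, reset, timeout, garbage
        finally:
            conn.close()
        if time.monotonic() >= end:
            return False
        time.sleep(interval_s)


def slow_listener(delay_s, reply=b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"):
    """Constructed stand-in for a service that is 'up' per netstat but not yet
    serving: the socket listens right away, but nothing is answered until delay_s
    has elapsed since start. Not Couchbase; just enough to exercise the waits."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    started = time.monotonic()

    def run():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return                              # listener closed by the caller
            with client:
                remaining = delay_s - (time.monotonic() - started)
                if remaining > 0:
                    time.sleep(remaining)
                try:
                    client.recv(4096)
                    client.sendall(reply)
                except OSError:
                    pass                            # client gave up first

    threading.Thread(target=run, daemon=True).start()
    return listener, listener.getsockname()[1]


def free_port():
    """A port nothing listens on right now (constructed for the refused case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener, port = slow_listener(1.5)
    print("port open:", wait_for_port("127.0.0.1", port, deadline_s=5))
    print("http ready:", wait_for_http("127.0.0.1", port, "/pools/default", deadline_s=10))
    listener.close()
    print("never came up:", wait_for_http("127.0.0.1", free_port(), "/", deadline_s=2))
```

In an entrypoint the call order would be: start the server in the background, wait_for_http against the REST endpoint with a deadline, and only then run the configuration calls, failing the container if the deadline passes rather than carrying on with half-configured state.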
