Grpc reverse proxy does not working with Caddy - grpc

My caddy file look like this, and I am trying to revers proxy with grpc, and it does not working.
:2016
reverse_proxy {
to grpc://localhost:8090
transport http {
versions h2c
}
}
Getting this error while calling from client
rpc error: code = Unavailable desc = failed to receive server preface within timeout

Related

GCP deployment with nginx - uwsgi - flask fails

I have a very simple flask app that is deployed on GKE and exposed via google external load balancer. And getting random 502 responses from the backend-service (added a custom headers on backend-service and nginx to make sure the source and I can see the backend-service's header but not nginx's)
The setup is;
LB -> backend-service -> neg -> pod (nginx -> uwsgi) where pod is the application built using flask and deployed via uwsgi and nginx.
The scenario is to handle image uploads in simple-secured way. Sender sends me a token with upload request.
My flask app
receive request and check the sent token via another service using "requests".
If token valid, proceed to handle the image and return 200
If token is not valid, stop and send back a 401 response.
First, I got suspicious about the 200 and 401's. And reverted all responses to 200. Following some of the expected responses, server starts to respond 502 and keep sending it. "Some of the messages at the very beginning succeeded".
nginx error logs contains below lines
2023/02/08 18:22:29 [error] 10#10: *145 readv() failed (104: Connection reset by peer) while reading upstream, client: 35.191.17.139, server: _, request: "POST /api/v1/imageUpload/image HTTP/1.1", upstream: "uwsgi://127.0.0.1:21270", host: "example-host.com"
my uwsgi.ini file is as below;
[uwsgi]
socket = 127.0.0.1:21270
master
processes = 8
threads = 1
buffer-size = 32768
stats = 127.0.0.1:21290
log-maxsize = 104857600
logdate
log-reopen
log-x-forwarded-for
uid = image_processor
gid = image_processor
need-app
chdir = /server/
wsgi-file = image_processor_application.py
callable = app
py-auto-reload = 1
pidfile = /tmp/uwsgi-imgproc-py.pid
my nginx.conf is as below
location ~ ^/api/ {
client_max_body_size 15M;
include uwsgi_params;
uwsgi_pass 127.0.0.1:21270;
}
Lastly, my app has a healthcheck method with simple JSON response. It does no extra stuff and simply returns. This never fails as explained above.
Edit : my nginx access logs in the pod shows the response as 401 while the client receives 502.
for those who gonna face with the same issue, the problem was post data reading (or not reading).
nginx was expecting to get post data read by the proxied, in our case uwsgi, app. But according to my logic I was not reading it in some cases and returning back the response.
Setting uwsgi post-buffering solved the issue.
post-buffering = %(16 * 1024 * 1024)
Which led me to this solution;
https://stackoverflow.com/a/26765936/631965
Nginx uwsgi (104: Connection reset by peer) while reading response header from upstream

Raspbian / Mercure - bind: permission denied

I'm trying to run Mercure on my Raspbian.
First :
I tried with mercure-legacy_0.13.0_Linux_armv6.tar.gz using the following command to run mercure
JWT_KEY='example'; ADDR='localhost:3000'; DEMO='1'; ALLOW_ANO NYMOUS='1'; CORS_ALLOWED_ORIGINS='*'; PUBLISH_ALLOWED_ORIGINS='*'; PUBLISHER_JWT_KEY='example' ./mercure run
It returns :
"msg":"Unexpected error","error":"listen tcp :80: bind: permission denied"
Second : I tried with mercure_0.13.0_Linux_armv6.tar.gz using the following command to run Mercure
MERCURE_PUBLISHER_JWT_KEY='!ChangeMe!' MERCURE_SUBSCRIBER_JWT _KEY='!ChangeMe!' ./mercure run
Caddy file :
{
{$GLOBAL_OPTIONS}
}
{
auto_https off
}
{$SERVER_NAME:localhost}
log
route {
encode zstd gzip
mercure {
# Transport to use (default to Bolt)
transport_url {$MERCURE_TRANSPORT_URL:bolt://mercure.db}
# Publisher JWT key
publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
# Subscriber JWT key
subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
# Extra directives
{$MERCURE_EXTRA_DIRECTIVES}
}
respond /healthz 200
respond "Not Found" 404
}
It returns :
run: loading initial config: loading new config: http app module: start: tcp: listening on :443: listen tcp :443: bind: permission denied
Can anyone provide a solution : I intend to host my symfony project on a web server using apache2 on the same Raspberrry
I don't know this specific application, but your error message:
listen tcp :80: bind: permission denied
could be related with restriction for ports 80 and 443 (second message) - non-root user cannot use ports lower than 1024 on standard Linux configuration. Try to use different port or (if you don't care about security - i.e. local hobby project) run app as root.
Keep in mind that you can run Nginx as reverse proxy, so you can run your app on any high port (like 3000) on standard user.
it's a rights issue with your user.
Try with sudo, it should work.

websockets in openresty proxy

I created proxy with MFA using OpenResty, it mainly works ok.
But I have problem with websockets: Firefox says that it "cannot connect with server wss://...". Looking in browser's network panel I can see switching protocols request that seems be ok. My nginx.conf looks as bellow:
worker_processes auto;
env TARGET_APPLICATION_HOST;
env TARGET_APPLICATION_PORT;
env TARGET_USE_SSL;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
resolver local=on ipv6=off valid=100s;
content_by_lua_block {
local http = require "resty.http"
local httpc = http.new()
httpc:set_timeout(500)
local ok, err = httpc:connect(
os.getenv("TARGET_APPLICATION_HOST"),
os.getenv("TARGET_APPLICATION_PORT"))
if not ok then
ngx.log(ngx.ERR, err)
return
end
if os.getenv("TARGET_USE_SSL") == "TRUE" then
-- Trigger the SSL handshake
session, err = httpc:ssl_handshake(False, server, False)
end
httpc:set_timeout(2000)
httpc:proxy_response(httpc:proxy_request())
httpc:set_keepalive()
}
}
}
}
It is simpler version of production proxy, but returns the same error with websockets. I tried to use proxy with pure nginx and it works ok with websockets, but I need capabilites of OpenResty (proxing different hosts basing of cookie value).
Is there any simple mistake in the above file or OpenResty does not have websocket abilities?
lua-resty-http is a HTTP(S) client libraty, it does not (and probably will not) support the WebSocket protocol.
There is another library for the WebSocket protocol: lua-resty-websocket. It implements both client and server, so it should be possible to write the proxy using this library.
I need capabilites of OpenResty (proxing different hosts basing of cookie value)
ngx.balancer does exactly what you need, check the example and this answer.

Nginx: Setting up SSL-passthorugh

I'm trying to configure SSL-passthrough for multiple webapps using the same nginx server (nginx version: nginx/1.13.6), but when restarting the nginx server, I get an error complaining that
nginx: [emerg] "stream" directive is duplicate
The configuration I have is the following:
2 files for the ssl passthrough that look like this:
server1.conf:
stream {
upstream workers {
server 192.168.1.10:443;
server 192.168.1.11:443;
server 192.168.1.12:443;
}
server {
listen server1.com:8443;
proxy_pass workers;
}
}
and server2.conf:
stream {
upstream workers {
server 192.168.1.20:443;
server 192.168.1.21:443;
server 192.168.1.22:443;
}
server {
listen server2.com:8443;
proxy_pass workers;
}
}
If I remove one of the two files, then nginx starts correctly.
How can this be achieved?
Thanks,
Cristi
Streams work on Layer 5, and cannot read encrypted traffic (which is Layer 6 on the OSI model), and thus cannot tell apart requests hitting server1.com and server2.com unless they are pointing to different IPs.
This can be solved by one of the following solutions
Decrypt the traffic on nginx, then proxy-pass it to backend processes/wockers using HTTP.
Bind server1.com to a port that is different to server2.com.
Get an additional IP address and bind server2.com on that.
Get an additional load balancer and move server2.com there.

Kibana - socket hang up error

I am running Kibana behind IIS reverse proxy server and getting following error
Courier Fetch Error: unhandled courier request error: socket hang up
I am on Version: 4.2.2, Build: 9177.
I get this error only when I use proxy server which I need to restrict access to Kibana. I am not sure what is causing this or how to fix it.
Error: unhandled courier request error: socket hang up
at handleError (http://kibana-server/bundles/kibana.bundle.js:70047:23)
at DocRequest.AbstractReqProvider.AbstractReq.handleFailure (http://kibana-server/bundles/kibana.bundle.js:69967:15)
at http://kibana-server/bundles/kibana.bundle.js:69861:18
at Array.forEach (native)
at http://kibana-server/bundles/kibana.bundle.js:69859:19
at wrappedErrback (http://kibana-server/bundles/commons.bundle.js:39286:79)
at http://kibana-server/bundles/commons.bundle.js:39419:77
at Scope.$eval (http://kibana-server/bundles/commons.bundle.js:40406:29)
at Scope.$digest (http://kibana-server/bundles/commons.bundle.js:40218:32)
at Scope.$apply (http://kibana-server/bundles/commons.bundle.js:40510:25)
If you have enabled Integrated Windows Authentication in your IIS the Kibana server cannot process the request, because the http-Authorization-Header is too large (group memberships are stored in the PAC field of the kerberos tickets).
We had the same Problem with an Apache reverse proxy server in front of Kibana. The solution is to unset the Authorization-Header after Kerberos/NTLM-Authentication is done and before sending the proxy request to Kibana.
Configuration for Apache:
RequestHeader unset Authorization
Try removing http.cors and http.compression as noted in https://github.com/elastic/kibana/issues/6719

Resources