After authenticating, if I call any method, like os.compute().flavors().list() or os.images().list(), I get connect timed out. Why is this happening?
I set up a OpenStack with RDO packstack at a GoogleCloudsPlataform VM. I am doing auth with domain and project. Ive tried authing without project, and method calls did not timed out, but the responses were wrong, e.g, if I called list flavors, return none flavor.
If I do those calls with API endpoints, it works; if I auth with the same infos (user, pass, domain, project) and call flavors or images, it works.
Auth code:
OSClient.OSClientV3 os = OSFactory.builderV3()
.endpoint("http://host:5000/v3")
.credentials("admin", "pass", domain)
.scopeToProject(project)
.authenticate();
os.compute().flavors().list(); // "connection timed out" code
Endpoint auth call (that works):
curl -i \
-H "Content-Type: application/json" \
-d '
{ "auth": {
"identity": {
"methods": ["password"],
"password": {
"user": {
"name": "admin",
"domain": { "id": "default" },
"password": "pass"
}
}
},
"scope": {
"project": {
"name": "admin",
"domain": { "id": "default" }
}
}
}
}' \
"http://host:5000/v3/auth/tokens" ; echo
Endpoint images call:
curl -v -i -H "Content-Type: application/json" -H "X-Auth-Token:token" "http://host:8774/v2/images"; echo
In general, if you are getting timeouts on HTTP requests, the things to check are:
Are you using the correct hostname or IP address?
Are you using the correct port?
Is access being blocked by a firewall (somewhere)?
Is access being thwarted by misconfigured network routing (somewhere)?
Since you are using openstack4j, you can probably get more insights as to what is going on by turning on logging of the HTTP requests:
OSFactory.enableHttpLoggingFilter(true);
Check that it is sending requests to the V2 glance endpoint.
If that fails, use your IDE's Java debugger to figure out what requests are being sent to which service endpoints.
Related
I'm trying to create a simple REST API with a mock back-end in the publisher and test it in the publisher itself, before publishing it to the Dev portal.
Swagger definition
openapi: 3.0.1
info:
title: TestAPI
version: '1.0'
servers:
- url: /
security:
- default: []
paths:
/getMessage:
get:
parameters: []
responses:
'200':
description: ok
security:
- default: []
x-auth-type: Application & Application User
x-throttling-tier: Unlimited
x-wso2-application-security:
security-types:
- oauth2
optional: false
components:
securitySchemes:
default:
type: oauth2
flows:
implicit:
authorizationUrl: 'https://test.com'
scopes: {}
x-wso2-auth-header: Authorization
x-wso2-cors:
corsConfigurationEnabled: false
accessControlAllowOrigins:
- '*'
accessControlAllowCredentials: false
accessControlAllowHeaders:
- authorization
- Access-Control-Allow-Origin
- Content-Type
- SOAPAction
- apikey
- Internal-Key
accessControlAllowMethods:
- GET
- PUT
- POST
- DELETE
- PATCH
- OPTIONS
x-wso2-production-endpoints:
urls:
- 'https://run.mocky.io/v3/64df2918-ea8d-4fc9-8e6e-1f57d8b07070'
type: http
x-wso2-sandbox-endpoints:
urls:
- 'https://run.mocky.io/v3/64df2918-ea8d-4fc9-8e6e-1f57d8b07070'
type: http
x-wso2-basePath: /test/1.0
x-wso2-transports:
- http
- https
x-wso2-response-cache:
enabled: false
cacheTimeoutInSeconds: 300
Request (generated from the "Test -> Try it out" section )
curl -X 'GET' \
'https://localhost:8243/test/1.0/getMessage' \
-H 'accept: */*' \
-H 'Internal-Key: [key]'
Response (from postman)
{
"code": "404",
"type": "Status report",
"message": "Not Found",
"description": "The requested resource is not available."
}
APIM Log
[2022-06-07 12:02:06,610] INFO - LogMediator STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = /test/1.0/getMessage, HEALTH CHECK URL = /test/1.0/getMessage
NOTE: The sample "PizzaShack" API gets deployed correctly and works fine but when I try to create one from scratch it always gives the Invalid URL error. The request URL seems fine to me, what am I doing wrong ?
I have a website hosted on Firebase, using static html, no server-side function is used to deliver the result.
When running curl -X PURGE https://mywebsite.com -v -L the result is:
{ "status": "ok", "id": "20755-1619059392-3560756" }
I need a way to restrict this action to specific IPs so that not anybody can reset my cache which might result in extra costs.
Also it seems that Firebase uses Varnish to manage cache (which is something am null at).
My client's security consultant sent us this recommendation on how to handle this issue, I'm not sure exactly if this is .htaccess syntax or what:
# Varnish recommends to using PURGE method only by valid user,
# for example by ip limiting and for other return 405 Not allowed:
acl purge {
"localhost";
"192.168.55.0"/24;
}
sub vcl_recv {
# allow PURGE from localhost and 192.168.55...
if (req.method == "PURGE") {
if (!client.ip ~ purge) {
return(synth(405,"Not allowed."));
}
return (purge);
}
}
I don't know how to apply this in Firebase Hosting, again am not using Server Functions, just the regular firebase.json with the following headers:
"headers": [
{
"source": "*.[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].+(css|js)",
"headers": [
{
"key": "Cache-Control",
"value": "public,max-age=31536000,immutable"
}
]
},
{
"source": "**/*.#(json|eot|otf|ttf|ttc|woff|font.css)",
"headers": [
{
"key": "Access-Control-Allow-Origin",
"value": "*"
}
]
}
]
The following code is VCL code:
acl purge {
"localhost";
"192.168.55.0"/24;
}
sub vcl_recv {
# allow PURGE from localhost and 192.168.55...
if (req.method == "PURGE") {
if (!client.ip ~ purge) {
return(synth(405,"Not allowed."));
}
return (purge);
}
}
This code allows you to extend the behavior of Varnish. This code has to be added to your /etc/varnish/default.vcl file.
After adding this code to your VCL file, you have to reload your varnishd process to activate this VCL configuration.
If reloading varnishd is not an option, you can also activate the new VCL file using the following commands:
sudo varnishadm vcl.load purge_acl /etc/varnish/default.vcl
sudo varnishadm vcl.use purge_acl
For more information about Varnish and the VCL programming language, please have look at http://varnish-cache.org/docs/6.0/reference/index.html
There is no solution for the moment. This is the answer I received from the firebase support :
Hi Damien,
My name is Sergei, thanks for reaching out. I'll be assisting you.
The first thing to be addressed here is the fact that Varnish services
fall outside of our scope, so our information about its
implementations with our hosting services are not the most abundant.
Unfortunately, right now we can only control the caching behavior with
our existing tools.
I am sorry we cannot provide the functionality you need at the time,
if you would like to, we can submit the feature request so this is
visible to our engineering team.
gRPC services (developed in springboot) deployed as docker container on AWS linux (ec2). Started the docker image with port forwarding -p6565:6565.
Now when directly hit via BloomRPC on laptop, it worked : ec2.IP:6565 Package.Service.Method
Configured service & route in Kong:
{
"host": "ec2.IP",
"created_at": 1588403433,
"connect_timeout": 60000,
"id": "e657d8df-6247-458a-a8e8-bec00c41e03c",
"protocol": "grpc",
"name": "aws-grpc1",
"read_timeout": 60000,
"port": 6565,
"path": null,
"updated_at": 1588403433,
"retries": 5,
"write_timeout": 60000,
"tags": null,
"client_certificate": null
}
Route:
{
"strip_path": false,
"path_handling": "v0",
"updated_at": 1588403452,
"destinations": null,
"headers": null,
"protocols": [
"grpc",
"grpcs"
],
"created_at": 1588403452,
"snis": null,
"service": {
"id": "e657d8df-6247-458a-a8e8-bec00c41e03c"
},
"name": "aws-grpc1-route1",
"methods": null,
"preserve_host": false,
"regex_priority": 0,
"paths": [
"/grpc2"
],
"sources": null,
"id": "5739297e-3be7-4a0d-8afb-cfa8ed01cec2",
"https_redirect_status_code": 426,
"hosts": null,
"tags": null
}
Now hitting it via grpcurl -> its not working:
grpcurl -v -d "{}" -insecure ec2.ip:8443 package.service.pingMethod
Error invoking method "package.service.ping": target server does not expose service "package.service"
Here is kong config which looks related:
"proxy_listen": [
"0.0.0.0:8000 reuseport backlog=16384",
"0.0.0.0:8443 **http2** ssl reuseport backlog=16384"
],
So here are queries:
(1) can 8000 also be configured for https as insecure -> via passing a env KONG_PROXY_LISTEN variable at time of kong-container start by
-e "KONG_PROXY_LISTEN=0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl"
Is this good to do?
(2) How to enable server side reflection? OR what is use of /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo ?
You need to expose HTTP2 Proxy Listener for Kong.
You can refer to this one: https://konghq.com/blog/manage-grpc-services-kong/
In short, you need to add env variable details for KONG_PROXY_LISTEN like so:
-e "KONG_PROXY_LISTEN=0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl, 0.0.0.0:9080 http2, 0.0.0.0:9081 http2 ssl"
Note: apparently Kong uses the ports 9080 for HTTP2 and 9081 for HTTP2 SSL. But I think this can be changed.
And also expose those 9080 and 9081 ports like so, this is example for docker run command:
-p 127.0.0.1:9080:9080 \
-p 127.0.0.1:9081:9081
And use the 9080 port in grpcurl when you try to request, like so:
grpcurl -v -d '{"name": "Ken"}' -plaintext localhost:9080 facade.GreetingService/SayHello
More updates:
gRPC deployed behind kong.ingress is working fine:
grpcurl -v -d "{\"greeting\":\"111\"}" -insecure acfb0xxxxx.elb.us-east-2.amazonaws.com:443 hello.HelloService.SayHello
Response:
Resolved method descriptor:
rpc SayHello ( .hello.HelloRequest ) returns ( .hello.HelloResponse );
Request metadata to send:
(empty)
Response headers received:
content-type: application/grpc
date: Sat, 02 May 2020 07:00:17 GMT
server: openresty
trailer: Grpc-Status
trailer: Grpc-Message
trailer: Grpc-Status-Details-Bin
via: kong/2.0.3
x-kong-proxy-latency: 1
x-kong-upstream-latency: 9
Response contents:
{
"reply": "hello 111"
}
Response trailers received:
(empty)
Sent 1 request and received 1 response
when configured on kong-API-gateway, it is not working:
grpcurl -v -d "{\"greeting\":\"111\"}" -insecure kong.ce-gateway.ip:8443 hello.HelloService.SayHello
Error invoking method "hello.HelloService.SayHello": failed to query for service descriptor "hello.HelloService": rpc error: code = Internal desc = An invalid response was received from the upstream server
Http2 is now enabled by default for Kong, but if you are having issues, a good place to start is to inspect the proxy_listeners section of the global config. In my case, I found that http2 was only enabled for the SSL port, and not for the non SSL. A good way to see the global config is to send a GET request to the root url of the admin api, for example GET http://localhost:8001/.
According to Google Cloud Console > Endpoints > Services > Deployment History this is the currently deployed API spec:
swagger: "2.0"
info:
title: "JSON Ingester"
description: "Receive JSON files, transform and load them."
version: "1.0.0"
host: "project-id-123.appspot.com"
schemes:
- "https"
paths:
"/upload":
post:
summary: "ETL JSON file."
security:
- api_key: []
operationId: "upload"
consumes:
- multipart/form-data
parameters:
- in: formData
name: file
type: string
responses:
200:
description: "File uploaded."
schema:
type: string
400:
description: "Error during file upload."
securityDefinitions:
api_key:
type: "apiKey"
name: "apikey"
in: "query"
But the key "apikey" is not accepted - instead it requires "key" which was specified in an openapi.yaml that I deployed few hours ago.
This works while it shouldn't:
$ curl -X POST -F "file=#data/file_6.json" https://project-id-123.appspot.com/upload\?key\=AIzaS...Eaoog
And this doesn't work while it should:
$ curl -X POST -F "file=#data/file_6.json" https://project-id-123.appspot.com/upload\?apikey\=AIzaS...Eaoog
{
"code": 16,
"message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
"details": [
{
"#type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "service_control"
}
]
}
Do I have to clear a cache or something?
For deploying the API I use:
gcloud endpoints services deploy "./openapi.yaml"
Any ideas?
What rollout_strategy did you use when you deploy ESP? If not specified, default is "fixed". You should use "managed"
Please also check the generated service config by CLI "gcloud endpoints configs describe". Check its system_parameters filed to see if your new "apikey" is created properly.
I am trying to use lets encrypt with docker in order to put my website in https.
I use docker with nginx proxy and nginx companion. I have set up everything correctly regarding documentation. My containers are running.
Now, i have an issue with lets encrypt here is the debug file provided :
{
"identifier": {
"type": "dns",
"value": "jack-world.com"
},
"status": "invalid",
"expires": "2017-12-20T18:42:39Z",
"challenges": [
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/G_0PYv_VpnEEUbV1PUjpJZyOIeP6b0zPxXeAlyYXclE/2728472678",
"token": "fXuUQ77koLDDTuAqEgeqQA1q_DHinF2wanQReSrgIdk"
},
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/G_0PYv_VpnEEUbV1PUjpJZyOIeP6b0zPxXeAlyYXclE/2728472680",
"token": "iab5h37N-Io6lzfi8-DKmccXsF8_Y5Ws_RYCcwzREBw"
},
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:unauthorized",
"detail": "The key authorization file from the server did not match this challenge [fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0.K6eBCVMCFTPDy-GGls8jpd0O75tW9kFA9tsX7dEU_Zw] != [fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]",
"status": 403
},
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/G_0PYv_VpnEEUbV1PUjpJZyOIeP6b0zPxXeAlyYXclE/2728472682",
"token": "fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0",
"keyAuthorization": "fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0.K6eBCVMCFTPDy-GGls8jpd0O75tW9kFA9tsX7dEU_Zw",
"validationRecord": [
{
"url": "http://jack-world.com/.well-known/acme-challenge/fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0",
"hostname": "jack-world.com",
"port": "80",
"addressesResolved": [
"149.202.73.189",
"2001:41d0:301::21"
],
"addressUsed": "2001:41d0:301::21",
"addressesTried": []
}
]
}
],
"combinations": [
[
0
],
[
1
],
[
2
]
]
}
Here is logs from companion :
argos#jackworld:~/JackProxy$ sudo docker exec jackproxy_nginx-proxy-companion_1 /app/force_renew -v --help
/etc/nginx/certs/jack-world.com /app
Creating/renewal jack-world.com certificates... (jack-world.com)
2017-12-13 19:03:34,715:INFO:simp_le:1538: Retrieving Let's Encrypt latest Terms of Service.
2017-12-13 19:03:36,629:INFO:simp_le:1455: Generating new certificate private key
2017-12-13 19:03:37,221:ERROR:simp_le:1421: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If you haven't setup correct CAA fields or if your DNS provider does not support CAA, validation attempts after september 8, 2017 will fail. Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/Xw790v5P8mgdjsh-A-_wvwcmAFRIu-6UxlT2l5I7JB8
Challenge validation has failed, see error log.
Debugging tips: -v improves output verbosity. Help is available under --help.
/app
I need some help to figure out why http-01 is invalid, and if this is the only issue.
Thanks by advance