mup and meteor resolving the url - meteor

In my mup settings I have
"env": {
  "ROOT_URL": "http://localhost",
  "PORT": 3000,
  "UPSTART_UID": "meteoruser",
  "MAIL_URL": "smtp://username:password@smtp.sendgrid.net:587",
  "METEOR_ENV": "production"
},
I am following this.
http://johngibby.com/blog/How_to_deploy_your_meteor.js_app_on_Digital_Ocean
Should the port be 3000 or 80 and should the URL be my url?

ROOT_URL should be the url of your DigitalOcean droplet, which leads to your app. For example, if your droplet has an IP of 83.132.230.12, you could do:
"env": {
  "ROOT_URL": "http://83.132.230.12",
  "PORT": 3000,
  "UPSTART_UID": "meteoruser",
  "MAIL_URL": "smtp://username:password@smtp.sendgrid.net:587",
  "METEOR_ENV": "production"
}
But it will be quite impractical for visitors to connect to http://83.132.230.12 in their web browser. It's better to have a domain name assigned to your droplet, in order to do:
"env": {
  "ROOT_URL": "http://www.yourdomainname.com",
  "PORT": 3000,
  "UPSTART_UID": "meteoruser",
  "MAIL_URL": "smtp://username:password@smtp.sendgrid.net:587",
  "METEOR_ENV": "production"
}
PORT should be the port on which you want people to access your app. For example, if you give a 3000 port, your app will be accessed through http://www.yourdomainname.com:3000, which also looks impractical. On the other hand, web browsers use port 80 by default. So if you use "PORT": 80, your app will be accessible through http://www.yourdomainname.com (no port required in the URL).

gRPC service endpoint is not accessible via Kong Gateway

gRPC services (developed in springboot) deployed as docker container on AWS linux (ec2). Started the docker image with port forwarding -p6565:6565.
Now when directly hit via BloomRPC on laptop, it worked : ec2.IP:6565 Package.Service.Method
Configured service & route in Kong:
{
"host": "ec2.IP",
"created_at": 1588403433,
"connect_timeout": 60000,
"id": "e657d8df-6247-458a-a8e8-bec00c41e03c",
"protocol": "grpc",
"name": "aws-grpc1",
"read_timeout": 60000,
"port": 6565,
"path": null,
"updated_at": 1588403433,
"retries": 5,
"write_timeout": 60000,
"tags": null,
"client_certificate": null
}
Route:
{
"strip_path": false,
"path_handling": "v0",
"updated_at": 1588403452,
"destinations": null,
"headers": null,
"protocols": [
"grpc",
"grpcs"
],
"created_at": 1588403452,
"snis": null,
"service": {
"id": "e657d8df-6247-458a-a8e8-bec00c41e03c"
},
"name": "aws-grpc1-route1",
"methods": null,
"preserve_host": false,
"regex_priority": 0,
"paths": [
"/grpc2"
],
"sources": null,
"id": "5739297e-3be7-4a0d-8afb-cfa8ed01cec2",
"https_redirect_status_code": 426,
"hosts": null,
"tags": null
}
Now hitting it via grpcurl -> it's not working:
grpcurl -v -d "{}" -insecure ec2.ip:8443 package.service.pingMethod
Error invoking method "package.service.ping": target server does not expose service "package.service"
Here is kong config which looks related:
"proxy_listen": [
  "0.0.0.0:8000 reuseport backlog=16384",
  "0.0.0.0:8443 http2 ssl reuseport backlog=16384"
],
So here are queries:
(1) can 8000 also be configured for https as insecure -> via passing a env KONG_PROXY_LISTEN variable at time of kong-container start by
-e "KONG_PROXY_LISTEN=0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl"
Is this good to do?
(2) How to enable server side reflection? OR what is use of /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo ?
You need to expose HTTP2 Proxy Listener for Kong.
You can refer to this one: https://konghq.com/blog/manage-grpc-services-kong/
In short, you need to add env variable details for KONG_PROXY_LISTEN like so:
-e "KONG_PROXY_LISTEN=0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl, 0.0.0.0:9080 http2, 0.0.0.0:9081 http2 ssl"
Note: apparently Kong uses the ports 9080 for HTTP2 and 9081 for HTTP2 SSL. But I think this can be changed.
And also expose those 9080 and 9081 ports like so, this is example for docker run command:
-p 127.0.0.1:9080:9080 \
-p 127.0.0.1:9081:9081
And use the 9080 port in grpcurl when you try to request, like so:
grpcurl -v -d '{"name": "Ken"}' -plaintext localhost:9080 facade.GreetingService/SayHello
More updates:
gRPC deployed behind kong.ingress is working fine:
grpcurl -v -d "{\"greeting\":\"111\"}" -insecure acfb0xxxxx.elb.us-east-2.amazonaws.com:443 hello.HelloService.SayHello
Response:
Resolved method descriptor:
rpc SayHello ( .hello.HelloRequest ) returns ( .hello.HelloResponse );
Request metadata to send:
(empty)
Response headers received:
content-type: application/grpc
date: Sat, 02 May 2020 07:00:17 GMT
server: openresty
trailer: Grpc-Status
trailer: Grpc-Message
trailer: Grpc-Status-Details-Bin
via: kong/2.0.3
x-kong-proxy-latency: 1
x-kong-upstream-latency: 9
Response contents:
{
"reply": "hello 111"
}
Response trailers received:
(empty)
Sent 1 request and received 1 response
When configured on kong-API-gateway, it is not working:
grpcurl -v -d "{\"greeting\":\"111\"}" -insecure kong.ce-gateway.ip:8443 hello.HelloService.SayHello
Error invoking method "hello.HelloService.SayHello": failed to query for service descriptor "hello.HelloService": rpc error: code = Internal desc = An invalid response was received from the upstream server
Http2 is now enabled by default for Kong, but if you are having issues, a good place to start is to inspect the proxy_listeners section of the global config. In my case, I found that http2 was only enabled for the SSL port, and not for the non SSL. A good way to see the global config is to send a GET request to the root url of the admin api, for example GET http://localhost:8001/.
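The listener check described in this thread, as an added example that is not part of the original posts or of Kong itself. It parses the proxy_listen strings quoted above and assumes that a "grpc" route needs an http2 listener without ssl and a "grpcs" route needs one with ssl; the function names are hypothetical.

```python
# Added example. Listener strings are the ones quoted on this page; the
# protocol-to-listener mapping is the assumption stated in the lead-in.
AS_DEPLOYED = [
    "0.0.0.0:8000 reuseport backlog=16384",
    "0.0.0.0:8443 http2 ssl reuseport backlog=16384",
]
AS_SUGGESTED = ("0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl, "
                "0.0.0.0:9080 http2, 0.0.0.0:9081 http2 ssl")


def from_env(value):
    """Split a KONG_PROXY_LISTEN value into one entry per listener."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def parse_listener(entry):
    """Return host, port and the flag set of one proxy_listen entry."""
    addr, *flags = entry.split()
    host, _, port = addr.rpartition(":")
    return {"host": host, "port": int(port), "flags": set(flags)}


def reachable_protocols(proxy_listen, route_protocols):
    """For each route protocol, list the listener ports able to carry it."""
    listeners = [parse_listener(e) for e in proxy_listen]
    out = {}
    for proto in route_protocols:
        want_tls = proto == "grpcs"
        out[proto] = sorted(
            l["port"] for l in listeners
            if "http2" in l["flags"] and ("ssl" in l["flags"]) == want_tls
        )
    return out


def plaintext_http2_on_all_interfaces(proxy_listen):
    """Ports accepting unencrypted HTTP/2 on a wildcard address."""
    wildcard = {"0.0.0.0", "[::]"}
    return sorted(
        l["port"] for l in map(parse_listener, proxy_listen)
        if l["host"] in wildcard and "http2" in l["flags"]
        and "ssl" not in l["flags"]
    )


if __name__ == "__main__":
    routes = ["grpc", "grpcs"]  # protocols on the aws-grpc1-route1 route
    print(reachable_protocols(AS_DEPLOYED, routes))
    print(reachable_protocols(from_env(AS_SUGGESTED), routes))
    print(plaintext_http2_on_all_interfaces(from_env(AS_SUGGESTED)))
```

The last function lists the plaintext HTTP/2 listeners bound to every interface; the docker run flags in the answer above publish 9080 and 9081 on 127.0.0.1 only, which keeps those two off external interfaces.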

Nginx reverse proxy to wordpress in docker container through ecs

I am trying to proxy_pass to an http Wordpress site that is set up in a docker container through an Amazon ecs instance. The client gets to the site through a test server we have set up (https://test.xxxxxxx.com). When a user goes to https://test.xxxxxxx.com, I want it to show https://test.xxxxxxx.com in the address bar, but bring up the page for my Wordpress site (http://xx.xxx.xxx.xxx on port 80).
I can get it to go to my Wordpress site, but it looks funny. I am getting a lot of mixed content errors because I'm trying to access http files via an https request. I understand what's happening, but I can't seem to fix it, even after trying all of the suggestions I could find online.
I have tried changing several settings in both the Nginx file in the sites-available folder and by changing settings in wp-config.php on my Wordpress site. Below is one thing I tried. Almost all the tutorials I found, and everything I tried, was a variation of this.
#Nginx file
server {
    listen 443;
    location / {
        proxy_pass http://xx.xxx.xxx.xxx:80;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
#wp-config.php
// Treat the request as HTTPS when the proxy says the client used HTTPS
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
    $_SERVER['HTTPS'] = '1';
// Use the host name the proxy forwarded, if any
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
define( 'WP_HOME', 'http://xx.xxx.xxx.xxx');
define( 'WP_SITEURL', 'http://xx.xxx.xxx.xxx');
What I would like to happen is that when a user enters https://test.xxxxxxx.com in the address bar, my Wordpress site loads with the proper theme and all my images, but https://test.xxxxxxx.com still shows in the address bar.
I want to suggest you use an HA-Proxy reverse proxy in ECS.
I tried an nginx reverse proxy, but failed, and succeeded with HA-Proxy.
It is simpler than the nginx configuration.
First, use the "links" option of Docker and set "environment variables" (e.g. LINK_APP, LINK_PORT).
Second, fill these "environment variables" into haproxy.cfg.
Also, I recommend you use "dynamic port mapping" to the ALB. It makes things more flexible.
taskdef.json :
{
  "executionRoleArn": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<APP_NAME>_ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "<APP_NAME>-rp",
      "image": "gnokoheat/ecs-reverse-proxy:latest",
      "essential": true,
      "memoryReservation": <MEMORY_RESV>,
      "portMappings": [
        {
          "hostPort": 0,
          "containerPort": 80,
          "protocol": "tcp"
        }
      ],
      "links": [
        "<APP_NAME>"
      ],
      "environment": [
        {
          "name": "LINK_PORT",
          "value": "<SERVICE_PORT>"
        },
        {
          "name": "LINK_APP",
          "value": "<APP_NAME>"
        }
      ]
    },
    {
      "name": "<APP_NAME>",
      "image": "<IMAGE_NAME>",
      "essential": true,
      "memoryReservation": <MEMORY_RESV>,
      "portMappings": [
        {
          "protocol": "tcp",
          "containerPort": <SERVICE_PORT>
        }
      ],
      "environment": [
        {
          "name": "PORT",
          "value": "<SERVICE_PORT>"
        },
        {
          "name": "APP_NAME",
          "value": "<APP_NAME>"
        }
      ]
    }
  ],
  "requiresCompatibilities": [
    "EC2"
  ],
  "networkMode": "bridge",
  "family": "<APP_NAME>"
}
haproxy.cfg :
# haproxy.cfg
global
    daemon
    pidfile /var/run/haproxy.pid

defaults
    log global
    mode http
    retries 3
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http
    bind *:80
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    compression algo gzip
    compression type text/css text/javascript text/plain application/json application/xml
    default_backend app

backend app
    server static "${LINK_APP}":"${LINK_PORT}"
Dockerfile(haproxy) :
FROM haproxy:1.7
USER root
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
See :
Github : https://github.com/gnokoheat/ecs-reverse-proxy
Docker image : gnokoheat/ecs-reverse-proxy:latest

mup setup : Error: Timed out while waiting for handshake

The problem here is that when I try to run the command mup setup,
there is an error. Where am I going wrong?
Started TaskList: Setup Docker
[54.186.xx.xxx] - Setup Docker
events.js:183
throw er; // Unhandled 'error' event
My mup.js file looks like below
module.exports = {
  servers: {
    one: {
      host: '54.186.xx.xxx',
      username: 'ubuntu',
      pem: '~/.ssh/mypem.pem'
    }
  },
  app: {
    name: 'myapp',
    path: '/var/www/meteor/myapp',
    servers: {
      one: {},
    },
    buildOptions: {
      serverOnly: true,
    },
    env: {
      ROOT_URL: 'http://ec2-54-186-xx-xxx.us-west-2.compute.amazonaws.com',
      MONGO_URL: 'mongodb://127.0.0.1:27017/myapp',
      PORT: 3027,
    },
    docker: {
      image: 'abernix/meteord:node-8.4.0-base',
    },
    deployCheckWaitTime: 60,
    enableUploadProgressBar: true
  },
  mongo: {
    oplog: true,
    port: 27017,
    version: '3.4.1',
    servers: {
      one: {}
    }
  }
};
Meteor version is 1.6.
Thanks in advance!
Nothing looks wrong with your mup.js file.
The problem may be that you cannot SSH with your current IP address. For instance, if you are using AWS, make sure that in the security groups your current IP address has access to it.
Not sure what is happening exactly, but there are a few potential issues:
deployCheckWaitTime: 60,
You could make this longer, eg 90 or 120 to give it more time to deploy (in case that is a problem)
path: '/var/www/meteor/myapp',
This might be the cause of the problem. Usually it is a relative path to the source code of the app, not where you deploy to, so typically it is something like ../app
ROOT_URL: 'http://ec2-54-186-xx-xxx.us-west-2.compute.amazonaws.com',
Presumably you are intending to use something like http://myapp.com/ for your app - that's what should go here.
In security groups, the SSH source rule was MY IP, which I changed to anywhere, then created an elastic IP and bound it to the instance. And now I can log in.
One can use this link to get help.
Check your host IP.
I had the same issue; changing the host IP fixed it for me.
The IP changes when you restart your EC2 VM.

meteor up listen tcp 0.0.0.0:80: bind: address already in use

I am using meteor up to deploy to a vps. I get the error in the title during the "Start Meteor" stage of mup deploy, along with a long list of
Error response from daemon: endpoint (appname) not found
Error response from daemon: No such container: (appname)-frontend
etc.
I have tried changing the imagePort value for docker in mup.js but I still get the same error, still for 0.0.0.0:80
In your case there is already an application that uses port 80. You can either remove that app and go ahead and redeploy, or you can change the port that your meteor application is going to be using, like so:
module.exports = {
  servers: { ... },
  meteor: {
    name: ...,
    path: ...,
    buildOptions: ...,
    env: {
      PORT: 3000,
      ROOT_URL: 'http://<your server ip>:3000',
      MONGO_URL: ...
    },
    deployCheckWaitTime: 120,
    enableUploadProgressBar: true,
  }
};

How to change ip address range of docker swarm ingress network

I use a docker swarm 1.13.1, and when I init the docker swarm or join to docker swarm sometimes it creates a docker_gwbridge network in a "172.19.0.0/16" subnet.
But my computer subnet is in the same range, so when it initializes this network the docker swarm host machine becomes inaccessible from my computer.
So my question is: how can I change the subnet of the existing docker network?
> docker network ls
NETWORK ID NAME DRIVER SCOPE
ac1100164960 bridge bridge local
3838ae360f35 docker_gwbridge bridge local
f9a77266aa15 host host local
rgqnm19zbasv ingress overlay swarm
04c1c6b3ade7 none null local
Inspect the network:
> docker network inspect 3838ae360f35
[
{
"Name": "docker_gwbridge",
"Id": "3838ae360f3585f2cda8a43a939643cdd74c0db9bfb7f4f18b3b80ae07b3b9db",
"Created": "2017-03-22T13:26:50.352865644+01:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.19.0.0/16",
"Gateway": "172.19.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Containers": {
"ingress-sbox": {
"Name": "gateway_ingress-sbox",
"EndpointID": "194d965dd2997bddb52eab636950e219043215a5a1a6a60d08f34e454a0eaa56",
"MacAddress": "02:42:ac:13:00:02",
"IPv4Address": "172.19.0.2/16",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.bridge.enable_icc": "false",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.name": "docker_gwbridge"
},
"Labels": {}
}
]
You can create docker_gwbridge before you initialize the swarm, as explained here.
For example:
docker network rm docker_gwbridge
docker network create --subnet=172.20.0.1/16 -o com.docker.network.bridge.enable_icc=false -o com.docker.network.bridge.name=docker_gwbridge docker_gwbridge
The general way to solve this, including any (non-ingress) network that gets created for you by docker or other tools like docker-compose, is to set the default address pools in your docker daemon config.
In your case, add to /etc/docker/daemon.json (or ~/.docker/daemon.json for Docker Desktop for Mac), for example:
{
  "default-address-pools": [
    {
      "base": "10.10.0.0/16",
      "size": 24
    }
  ]
}
With this, your docker bridge network will get a subnet of 10.10.0.0/24, and your docker swarm docker_gwbridge will get a subnet of 10.10.0.1/24. Any other network that gets created for you like from a docker-compose.yml file, will get the subsequent 10.10.0.2/24 subnet. And so on.
You didn't mention this as an issue, but unfortunately, this doesn't seem to apply to the ingress network.
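A pre-flight check for the subnet collision this thread is about, as an added example that is not part of the original posts. It enumerates the blocks a default-address-pools entry is carved into and compares them with networks already in use; the function names are hypothetical and WIDE_POOL is a constructed pool, not a Docker default.

```python
import ipaddress

# Pool from the daemon.json shown above, and the LAN subnet from the question.
PAGE_POOL = [{"base": "10.10.0.0/16", "size": 24}]
LAN = ["172.19.0.0/16"]
# Constructed sample: a pool broad enough to cover the LAN range.
WIDE_POOL = [{"base": "172.16.0.0/12", "size": 16}]


def carve(pools):
    """Yield every subnet of length `size` contained in each pool base."""
    for pool in pools:
        base = ipaddress.ip_network(pool["base"])
        yield from base.subnets(new_prefix=pool["size"])


def _nets(cidrs):
    # strict=False accepts host-bit forms such as 172.20.0.1/16
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def conflicts(pools, in_use):
    """Carved subnets that overlap a network already in use."""
    taken = _nets(in_use)
    return [str(s) for s in carve(pools) if any(s.overlaps(t) for t in taken)]


def first_free(pools, in_use, count):
    """First `count` carved subnets that overlap nothing in `in_use`."""
    taken = _nets(in_use)
    free = []
    for subnet in carve(pools):
        if not any(subnet.overlaps(t) for t in taken):
            free.append(str(subnet))
            if len(free) == count:
                break
    return free


if __name__ == "__main__":
    print(first_free(PAGE_POOL, LAN, 3))
    print(conflicts(PAGE_POOL, LAN))
    print(conflicts(WIDE_POOL, LAN))
    print(first_free(WIDE_POOL, LAN + ["172.20.0.1/16"], 4))
```

Run it with the networks reported by the host's routing table before initializing the swarm, so a pool that overlaps the LAN is caught before docker_gwbridge is created.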
