How do I verify Traefik configurations - traefik

I am absolutely in love with Traefik. As a beginner, however, I miss Nginx style nginx -t to verify the configuration files.
I am running traefik in a docker container and whenever I update my configuration files (the *.toml ones), is there a way I can check if there were errors or not?

As #steadweb mentioned, there does not seem to be a functionality to validate .toml-configs for traefik, but docker logs <traefik-container> should give you at least some insight whether the startup went as it was supposed to or not.

Related

Session is lost in apache after nginx proxy switch

I am building a docker which I can use for my work. I am using MacOS. If I create a docker container with xdebug installed (Ubuntu 16, php7.2, xdebug, apache), code execution is extremely slow even if I am not listening to the xdebug port. I have already gotten rid of 'mounts'.
So I decided to create something like this:
docker structure
And everything works just like I want. When I change the cookie in the browser, my website works fast, but when I change the cookie to another one, I am able to debug. But I am facing a problem: it logs me out when I change that cookie value and nginx proxies me to another server. (Each apache is a single docker container with ubuntu and apache)
So my question is whether there is a workaround for this, so that I could share the session between servers and not get logged out? Or at least any ideas what needs to be changed in that scheme.
P.S. My project is Magento 2 and probably the source of the issue is in this one. But I actually don't think so.
According to https://www.nginx.com/products/nginx/load-balancing/, the sticky session is a feature of nginx plus.

Docker for Win acme.json permissions

Traefik v1.3.1
Docker CE for Windows: 17.06.0-ce-win18 (12627)
I have the /acme folder routed to a host volume which contains the file acme.json. With the Traefik 1.3.1 update, I noticed that Traefik gets stuck in an infinite loop complaining that the "permissions 755 for /etc/traefik/acme/acme.json are too open, please use 600". The only solution I've found is to remove acme.json and let Traefik re-negotiate the certs. Unfortunately, if I need to restart the container, I have to remove acme.json again or I'm stuck with the same issue again!
My guess is that the issue lies with the Windows volume mapped to Docker but I was wondering what the recommended workaround would even be for this?
Can I change permissions on shared volumes for container-specific deployment requirements?
No, at this point, Docker for Windows does not enable you to control (chmod) the Unix-style permissions on shared volumes for deployed containers, but rather sets permissions to a default value of 0755 (read, write, execute permissions for user, read and execute for group) which is not configurable.
Traefik is not compatible with regular Windows due to the POSIX permissions check. It may work in the Windows Subsystem for Linux since that has a Unix-style permission system.
Stumbled across this issue when trying to get traefik running on Docker for Windows... ended up getting it working by adding a few lines to a dockerfile to create the acme.json and set permissions. I then built the image and despite throwing the "Docker image from Windows against a non-Windows Docker host security warning" when I checked permissions on the acme.json file it worked!
I set up a repo and have it auto-building to Docker Hub here for further testing.
https://hub.docker.com/r/guerillamos/traefik/
https://github.com/guerillamos/traefikwin/blob/master/Dockerfile
Once I got that built I switched the image out in my docker-compose file and my DNS challenge to Cloudflare worked like a charm according to the logs.
I hope this helps someone!
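
The workaround described in the answers above (create acme.json inside the image with mode 600 instead of relying on the shared Windows volume), written as an added example that is not code from the original posts or from the linked Dockerfile. The helper name `ensure_acme_store` and its use from a container entrypoint are assumptions; it needs a `stat` that supports `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: make sure the ACME store is private before Traefik reads it.
# ensure_acme_store is a hypothetical helper, not part of Traefik.
#
# Intended use in an entrypoint script (path taken from the error message above):
#   ensure_acme_store /etc/traefik/acme/acme.json && exec traefik
#
# Returns 0 when the file exists as a regular file with mode 600.
# Returns 1 when that cannot be achieved, e.g. on a Docker for Windows
# shared volume where chmod has no effect and the mode stays 755.
ensure_acme_store() {
    store="$1"
    [ -n "$store" ] || { echo "usage: ensure_acme_store FILE" >&2; return 1; }

    # Refuse symlinks: chmod would follow the link and change another file.
    if [ -L "$store" ]; then
        echo "refusing to use symlink: $store" >&2
        return 1
    fi

    # Create the file under a restrictive umask so it is never readable
    # by group or others, not even briefly.
    if [ ! -e "$store" ]; then
        ( umask 077 && : > "$store" ) || return 1
    fi

    [ -f "$store" ] || { echo "not a regular file: $store" >&2; return 1; }

    mode=$(stat -c '%a' "$store") || return 1
    if [ "$mode" != "600" ]; then
        # chmod may silently do nothing on a shared volume, so re-read the mode.
        chmod 600 "$store" 2>/dev/null || true
        mode=$(stat -c '%a' "$store") || return 1
    fi

    if [ "$mode" != "600" ]; then
        echo "cannot set 600 on $store (mode is $mode); keep it off the shared volume" >&2
        return 1
    fi
    return 0
}
```

acme.json holds the ACME account key and the certificates' private keys, so failing closed here matches the permission check Traefik itself performs.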

Why using NGINX or how to deploy Meteor app correctly?

I am going to finish my Meteor app in a few weeks. So the problem that I will face - how to make my app available to other people.
Firstly I bought a droplet on Digital Ocean. And started to read about the ways to deploy meteor app to production server.
I found 2 totally different ways to do that!
The first one is pretty simple (and so I really love it). Here is the link. I have to do a few steps - create a droplet with Ubuntu 14.04, then connect to this droplet via ssh, then install and run mup. After that anybody can access my app. I worry that there is no ssl support (my project is e-commerce, so I really need an https connection), but then I found in the mup docs a short article How to set up SSL with Mup. So everything is perfect at first glance.
But then I found another way to deploy a meteor app. Here is the link. It is much more complicated. First I need to install node and mongo on my droplet. Then install and configure nginx. And then after many steps comes the Meteor installation. The author doesn't explain why people need to deploy an app this way, assuming that it is obvious to everyone. His explanation is "The problem with this is that it isn’t wise to run an application like Meteor through your public port (which is 80)".
I admit I have no experience and knowledge in such questions. The one thing that I can say exactly is that I need a really proper way to deploy an e-commerce meteor app. And it doesn't matter if I won't sleep for many hours doing this.
So the question is: which way is proper? And (it is important) why?
Both security and performance are important for this project. I am also going to use prerender.io or spiderable (for seo purposes) and fast render, if that can have an influence on your answers. And really, thank you for the answers guys!
You can deploy your Meteor app on a server via different mechanisms. There are lots of ways to do the same thing.
As you said, you also found two ways to do that.
So in the first link you used Meteor Up to deploy your application, which you deployed successfully.
In the second approach you need to first log in to the server, then create a user, then install everything needed on your server machine; after that you need to set up Nginx.
So I guess your question is related to "Nginx", and you want to know:
1) Why we need to use Nginx
2) Which one is the better approach
So the answer to your first question is as follows:
Nginx (pronounced "engine x") is a web server that is used for many purposes, mainly for proxy pass. This means that using nginx you can redirect your request from one URL to another, and the actual URL is hidden from the UI (for security purposes and for redirection).
In Meteor your app runs on port 3000 by default, so one way is to open port 3000 and run your application on that port. But via nginx you can run your app on port 80, and when the user triggers any event you can configure in nginx the address where you want to send the request.
For example, you can send it to port 3000.
So now the user doesn't know where the request is actually going, because you show them port 80 but in actuality the request goes to port 3000. This is one advantage of using nginx; there are lots more.
To configure nginx you just need to install it. If you are using Ubuntu, then via a simple command:
sudo apt-get install nginx
Then edit the nginx configuration file, which is at the following path:
/etc/nginx/sites-enabled/default
Just open this file and set up your configuration there, like:
server {
    listen 80;
    server_name localhost;
    root /home/parveen/meteor/app;
    location / {
        index /index.html;
    }
    location /api {
        proxy_pass http://localhost:3000;
    }
}
In this way you can configure your nginx settings as you want; please read the nginx documentation for details.
After that you need to start your server using forever or nohup, whichever you want to use, so that your server will not stop when you log out of the server.
Conclusion:
In the second approach you need to install everything yourself via ssh login to your server, then configure nginx, and then run your server.
If you make any changes then you again need to upload your changes to the server, stop the meteor app and restart it. But this is the more secure approach and you can do what you want to do.
In the first approach they are using mup (Meteor Up), which does a lot of the work for you. You just need to do some configuration; you can use Docker or, as defined in the blog (droplet) link you shared, just run the meteor up command, and that will first create a bundle for your app and then run it. So in the first approach, if you make any changes you do not need to log in to your server again to update them; you just run the same command again and it will create a new bundle with the updates and run your project. But I don't think that is more secure.
So it depends on your requirements and choice which one you want to use.
If you have any questions, you are most welcome.
Hope this helps!
Thanks

Does enable-basic-auth actually work in the keycloak-tomcat-adapter?

I'm trying to get the tomcat8-keycloak-adapter to accept basic auth as specified in the documentation, by setting enable-basic-auth to true. Instead of working or failing, as expected, this causes the thread to hang until HTTP times out.
Using tcpdump to snoop the HTTP connection between the tomcat adapter and the keycloak server shows that it is never sending the HTTP request. I can find no information about this on the internet, so I am down to the actual point of asking: does "enable-basic-auth" actually work in the tomcat adapter?
Note that I am using keycloak v1.9.8 and the matching adapter 1.9.8. Adapter v2.0.0 appears to have difficulty starting up at this time, and we are still using the 1.9 keycloak in production. keycloak is the official docker image, tomcat is manually installed into the official tomcat8 docker image, using jre8.
It works for me in a Jetty setup. A hanging request indicates a networking problem to me. Your question indicates that you are using docker.
The Tomcat inside its docker container needs to contact Keycloak as configured by the URL auth-server-url in the file keycloak.json.
I suspect that the Tomcat can't reach this URL. Please try to reach the URL as stated in keycloak.json from within the Tomcat's docker container, for example via curl --verbose ...

Pushing my Mercurial Repository through HTTP with Apache and Windows

So I have managed it. I can clone mercurial-repositories remotely using HTTP to my Windows Server 2003 machine and the ipaddress from that machine. Although I did deactivate IIS6 and am using Apache 2.2.x now. But not all works right now...darn! Here's the thing:
Cloning goes smooth! But when I want to push my changes to the original repository I get the message "cannot lock static http-repository". On the internet I get to read several explanations that Mercurial wasn't designed to push over HTTP connections. Still, on the Mercurial website there's something about configuring an hgrc file.
There's also the possibility to configure Apache to host via HTTPS (or SSL). For this you have to load the module enabling OpenSSL and generate keys.
Configuring the hgrc file
Just add "push_ssl = false" under the [web] line. But where to put this file when pushing your changes back?! Because I placed it in the root of the server, in the ".hg" directory, nothing works.
Using SSL/HTTPS with Apache
When I try to access 'https://myipaddress' it fails, displaying a Dutch message which would mean something like "server taking too long to respond". Trying to push also gives me a Dutch error message which means about the same. It cannot connect to my server via https although I followed the steps exactly at this blog.
I don't care which of the above solutions will work for me. Turns out none of them work so far. So please, can anyone help me with one of the solutions above? Pick the easiest! Help will be greatly appreciated, not only from me.
Summary
-Windows Server 2003
-Apache 2.2 with OpenSSL
-Mercurial 1.8.2
-I can clone, but not push!
Thank you!
Maarten Baar(s)
It seems like you might have apache configured incorrectly for getting it to do what you want. Based on your question it sounds like you have a path (maybe the root of the server) pointing to the repository you want to serve.
Mercurial comes with a script for this exact purpose, in the latest version it is hgweb.cgi. There are reasonably good instructions for setting it up on the mercurial site. It should allow both cloning and pushing. You will need the push_ssl=false if you will not be configuring https and also an allow_push line which will let certain users, or all (*) push to the repository. But all that should be part of the setup docs.