Some of my frontends aren't routed properly to the backend.
I have 2 containers:
- portainer;
- homeassistant;
Portainer works properly but homeassistant is not routed properly to the backend.
My docker-compose:
version: "3.6"
services:
  portainer:
    image: portainer/portainer
    container_name: portainer
    domainname: ${DOMAINNAME}
    hostname: portainer
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${USERDIR}/dockerha/uavportainer/data:/data
      - ${USERDIR}/dockerha/shared:/shared
    environment:
      - TZ=${TZ}
    networks:
      - ${NETWORK_NAME}
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /portainer"
      - "traefik.backend=portainer"
      - "traefik.port=9000"
      - "traefik.frontend.entryPoints=http"
  homeassistant:
    image: homeassistant/home-assistant
    container_name: homeassistant
    domainname: ${DOMAINNAME}
    hostname: homeassistant
    volumes:
      - ${USERDIR}/dockerha/uavha:/config
      - /etc/localtime:/etc/localtime:ro
      - ${USERDIR}/dockerha/shared:/shared
    ports:
      - "8123:8123"
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      - ${NETWORK_NAME}
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:${DOMAINNAME};PathPrefixStrip:/hass"
      - "traefik.backend=hass"
      - "traefik.port=8123"
      - "traefik.frontend.entryPoints=http"
toml file:
[accessLog]
filepath = "/etc/traefik/access.log"
format = "json"
debug = true
logLevel = "DEBUG" #"ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
#InsecureSkipVerify = true
defaultEntryPoints = ["http", "https"]
# WEB interface of Traefik - it will show web page with overview of frontend an$
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
# usersFile = "/shared/.htpasswd"
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[file]
watch = true
[docker]
Endpoint = "unix:///var/run/docker.sock"
Domain = "192.168.56.102"
watch = true
SwarmMode = true
network = "uavhanet"
ExposedByDefault = false
The below are 2 different access logs:
working one:
{
"BackendAddr": "10.0.14.11:9000",
"BackendName": "backend-portainer",
"BackendURL": {
"Scheme": "http",
"Opaque": "",
"User": null,
"Host": "10.0.14.11:9000",
"Path": "",
"RawPath": "",
"ForceQuery": false,
"RawQuery": "",
"Fragment": ""
},
"ClientAddr": "192.168.56.1:58089",
"ClientHost": "192.168.56.1",
"ClientPort": "58089",
"ClientUsername": "-",
"DownstreamContentSize": 3,
"DownstreamStatus": 200,
"DownstreamStatusLine": "200 OK",
"Duration": 3927995,
"FrontendName": "Host-192-168-56-102-PathPrefixStrip-portainer-4",
"OriginContentSize": 3,
"OriginDuration": 3468375,
"OriginStatus": 200,
"OriginStatusLine": "200 OK",
"Overhead": 459620,
"RequestAddr": "192.168.56.102",
"RequestContentSize": 0,
"RequestCount": 63,
"RequestHost": "192.168.56.102",
"RequestLine": "GET /portainer/api/teams HTTP/1.1",
"RequestMethod": "GET",
"RequestPath": "/portainer/api/teams",
"RequestPort": "-",
"RequestProtocol": "HTTP/1.1",
"RetryAttempts": 0,
"StartLocal": "2019-02-19T12:45:44.966258565Z",
"StartUTC": "2019-02-19T12:45:44.966258565Z",
"downstream_Content-Length": "3",
"downstream_Content-Type": "application/json",
"downstream_Date": "Tue, 19 Feb 2019 12:45:44 GMT",
"downstream_X-Content-Type-Options": "nosniff",
"downstream_X-Xss-Protection": "1; mode=block",
"level": "info",
"msg": "",
"origin_Content-Length": "3",
"origin_Content-Type": "application/json",
"origin_Date": "Tue, 19 Feb 2019 12:45:44 GMT",
"origin_X-Content-Type-Options": "nosniff",
"origin_X-Xss-Protection": "1; mode=block",
"request_Accept": "application/json, text/plain, */*",
"request_Accept-Encoding": "gzip, deflate",
"request_Accept-Language": "en-US,en;q=0.9",
"request_Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTU1MDU5ODIzMn0.nOzaZYo7gu3An_nHZMpCqPnQ0XNFEvEfrivZ40RumUI",
"request_Connection": "keep-alive",
"request_Cookie": "_ga=GA1.1.364506726.1550080124; _gid=GA1.1.376969405.1550080124; portainer.UI_STATE=%7B%22dismissedInfoPanels%22%3A%7B%7D%2C%22dismissedInfoHash%22%3A%22y%2BAiiJOM%2Feqr4gyAl6VKBw%3D%3D%22%7D; pma_lang=en; portainer.pagination_containers=25; portainer.pagination_images=25; _gat=1",
"request_Referer": "http://192.168.56.102/portainer/",
"request_User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
"request_X-Forwarded-Prefix": "/portainer",
"time": "2019-02-19T12:45:44Z"
}
not working properly:
{
"BackendAddr": "",
"BackendName": "Traefik",
"BackendURL": {
"Scheme": "",
"Opaque": "",
"User": null,
"Host": "",
"Path": "/frontend_latest/hass-icons-8b13a1ef.js",
"RawPath": "",
"ForceQuery": false,
"RawQuery": "",
"Fragment": ""
},
"ClientAddr": "192.168.56.1:58071",
"ClientHost": "192.168.56.1",
"ClientPort": "58071",
"ClientUsername": "-",
"DownstreamContentSize": 19,
"DownstreamStatus": 404,
"DownstreamStatusLine": "404 Not Found",
"Duration": 100373,
"FrontendName": "backend not found",
"OriginContentSize": 19,
"OriginDuration": 13969,
"OriginStatus": 404,
"OriginStatusLine": "404 Not Found",
"Overhead": 86404,
"RequestAddr": "192.168.56.102",
"RequestContentSize": 0,
"RequestCount": 78,
"RequestHost": "192.168.56.102",
"RequestLine": "GET /frontend_latest/hass-icons-8b13a1ef.js HTTP/1.1",
"RequestMethod": "GET",
"RequestPath": "/frontend_latest/hass-icons-8b13a1ef.js",
"RequestPort": "-",
"RequestProtocol": "HTTP/1.1",
"RetryAttempts": 0,
"StartLocal": "2019-02-19T12:46:54.875219779Z",
"StartUTC": "2019-02-19T12:46:54.875219779Z",
"downstream_Content-Type": "text/plain; charset=utf-8",
"downstream_X-Content-Type-Options": "nosniff",
"level": "info",
"msg": "",
"origin_Content-Type": "text/plain; charset=utf-8",
"origin_X-Content-Type-Options": "nosniff",
"request_Accept": "*/*",
"request_Accept-Encoding": "gzip, deflate",
"request_Accept-Language": "en-US,en;q=0.9",
"request_Connection": "keep-alive",
"request_Cookie": "_ga=GA1.1.364506726.1550080124; _gid=GA1.1.376969405.1550080124; portainer.UI_STATE=%7B%22dismissedInfoPanels%22%3A%7B%7D%2C%22dismissedInfoHash%22%3A%22y%2BAiiJOM%2Feqr4gyAl6VKBw%3D%3D%22%7D; pma_lang=en; portainer.pagination_containers=25; portainer.pagination_images=25",
"request_Referer": "http://192.168.56.102/hass/",
"request_User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
"time": "2019-02-19T12:46:54Z"
}
What's wrong?
Why do I get a 404 and not a 200?
Thank you in advance.
In the second case, you have this "RequestLine": "GET /frontend_latest/hass-icons-8b13a1ef.js HTTP/1.1", which doesn't match any PathPrefixStrip. If, when you go to /IP/hass, you are redirected to /frontend_latest/ using the Traefik IP, then from my point of view you get a 404 because Traefik doesn't have any rule for /frontend_latest/.
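The triage described in this answer can be run over the JSON access log itself. The following is an added example, not code from the original posts: it flags requests that no frontend matched but whose Referer sits under a configured prefix, which is the signature of an app emitting root-relative asset URLs behind PathPrefixStrip. The function names are hypothetical, the sample records are constructed from the two log entries quoted in the question, and prefix matching is done on whole path segments as a simplification.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample records, reduced to the fields used below; the values
# mirror the two access-log entries quoted in the question.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"FrontendName": "Host-192-168-56-102-PathPrefixStrip-portainer-4",
     "RequestPath": "/portainer/api/teams", "DownstreamStatus": 200,
     "request_Referer": "http://192.168.56.102/portainer/"},
    {"FrontendName": "backend not found",
     "RequestPath": "/frontend_latest/hass-icons-8b13a1ef.js",
     "DownstreamStatus": 404,
     "request_Referer": "http://192.168.56.102/hass/"},
])

# Prefixes taken from the PathPrefixStrip labels in the compose file.
PREFIXES = ["/portainer", "/hass"]


def matching_prefix(path, prefixes):
    """Return the configured prefix that `path` falls under, or None."""
    for p in prefixes:
        if path == p or path.startswith(p.rstrip("/") + "/"):
            return p
    return None


def escaped_requests(log_text, prefixes):
    """Find unmatched requests whose Referer is under a known prefix.

    These come from pages that reference assets by root-relative URL, so
    the browser asks for them outside the prefix the page was served from.
    """
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("FrontendName") != "backend not found":
            continue
        referer_path = urlsplit(rec.get("request_Referer", "")).path
        origin = matching_prefix(referer_path, prefixes)
        if origin and matching_prefix(rec["RequestPath"], prefixes) is None:
            hits.append((origin, rec["RequestPath"]))
    return hits


def summarize(hits):
    """Count escaped requests per originating prefix."""
    return Counter(origin for origin, _ in hits)


if __name__ == "__main__":
    for origin, path in escaped_requests(SAMPLE_LOG, PREFIXES):
        print(f"{path}: requested from a page under {origin}, no rule matches")
```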
I have Nextcloud running on 2 bare-metal nodes:
node1: 192.168.1.10
node2: 192.168.1.11
In Consul I have defined the nextcloud service as such on both nodes:
{
  "service": {
    "name": "nextcloud",
    "tags": ["nextcloud", "traefik"],
    "port": 80,
    "check": {
      "tcp": "localhost:80",
      "args": ["ping", "-c1", "127.0.0.1"],
      "interval": "10s",
      "status": "passing",
      "success_before_passing": 3,
      "failures_before_critical": 3
    }
  }
}
now this shows up in consul fine:
static config: traefik.yaml
global:
  # Send anonymous usage data
  sendAnonymousUsage: true
api:
  dashboard: true
  debug: true
log:
  level: DEBUG
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: "/config/"
    watch: true
  consulCatalog:
    defaultRule: "Host(`{{ .Name }}.sub.mydomain.com`)"
    endpoint:
      address: http://127.0.0.1:8500
certificatesResolvers:
  linode:
    acme:
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: myemail#domain.com
      storage: acme.json
      dnsChallenge:
        provider: linode
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
and then dynamic /config/config.yaml:
http:
  routers:
    nextcloud#consulCatalog:
      entryPoints:
        - "https"
      rule: "Host(`home.sub.mydomain.com`) && Path(`/nextcloud`)"
      tls:
        certResolver: linode
      service: nextcloud
  services:
    nextcloud:
      loadBalancer:
        servers:
          - url: http://192.168.1.10
          - url: http://192.168.1.11
        passHostHeader: true
But this shows up as a file provider with TLS instead, in addition to the existing consulcatalog provider,
and no IP or domain mapped.
The actual consulcatalog provider is showing up, but with no TLS.
I am wondering why my dynamic configuration in http did not update the nextcloud#consulcatalog and set the https entrypoint.
Any help will be greatly appreciated; I am struggling very hard to get this to work.
I have tried following the docs on Traefik, but it's very confusing, especially on the consulcatalog part.
Your configuration is showing up as being defined via the file provider because you are statically defining it in the file at /config/config.yaml.
In order to dynamically retrieve this configuration from Consul, you should not be defining the static config file and instead configure tags on the Consul service registrations that will instruct Traefik to route traffic to your service.
For example:
{
  "service": {
    "name": "nextcloud",
    "tags": [
      "nextcloud",
      "traefik.enable=true",
      "traefik.http.routers.nextcloud.entrypoints=https",
      "traefik.http.routers.nextcloud.rule=(Host(`home.sub.mydomain.com`) && Path(`/nextcloud`))",
      "traefik.http.routers.nextcloud.tls.certresolver=linode",
      "traefik.http.services.nextcloud.loadbalancer.passhostheader=true"
    ],
    "port": 80,
    "check": {
      "tcp": "localhost:80",
      "args": [
        "ping",
        "-c1",
        "127.0.0.1"
      ],
      "interval": "10s",
      "status": "passing",
      "success_before_passing": 3,
      "failures_before_critical": 3
    }
  }
}
More info can be found in the Routing Configuration docs for Traefik's Consul catalog provider.
I have a python script that tries to scale a statefulset from inside a pod, but get a forbidden error from the API server. The following yml file shows my role and rolebinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: server-controller
  namespace: code-server
rules:
  - apiGroups: ["*"]
    resources:
      - statefulsets
    verbs: ["update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: server-controller
  namespace: code-server
subjects:
  - kind: ServiceAccount
    name: server-controller
    namespace: code-server
roleRef:
  kind: Role
  name: server-controller
  apiGroup: rbac.authorization.k8s.io
The following python code snippet shows my access to the API:
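import kubernetes.client
import kubernetes.config

# Authenticate with the pod's mounted service account token
kubernetes.config.load_incluster_config()
app = kubernetes.client.AppsV1Api()
body = {"spec": {"replicas": 1}}
app.patch_namespaced_stateful_set_scale(
    name="jim",
    namespace="code-server",
    body=body)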
I get the following error:
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache", 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Fri, 15 Oct 2021 15:25:24 GMT', 'Content-Length': '469'})
HTTP response Body: {
"kind": "Status",
"apiVersion": "v1"
"metadata": {
}
"status": "Failure",
"message": "statefulsets.apps \"jim\" is forbidden: User \"system:serviceaccount:code-server:server-controller\" cannot patch resource \"statefulsets/scale\" in API group \"apps\" in the namespace \"code-server\"",
"reason": "Forbidden",
"details": {
"name": "jim",
"group": "apps",
"kind": "statefulesets"
}
"code": 403
}
The solution was to change "statefulsets" to "statefulsets/scale" in the "resources" field under "role".
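Why the original rule fails can be shown with a small model of how RBAC matches a request against a rule. This is an added example, not code from the original posts and not the Kubernetes implementation: it is a simplified matcher that ignores `resourceNames` and non-resource URLs, and the `LEAST_PRIVILEGE` rule is an assumption that narrows the grant to the `apps` group and the `patch` verb seen in the 403 message.

```python
def _matches(allowed, wanted):
    """A rule list matches if it holds the wildcard or the exact value."""
    return "*" in allowed or wanted in allowed


def resource_matches(rule_resources, resource, subresource=""):
    """Subresources are separate RBAC resources, named 'resource/subresource'."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule_resources:
        if r == "*" or r == combined:
            return True
        # '*/scale' grants the subresource on every resource type.
        if subresource and r == f"*/{subresource}":
            return True
    return False


def rule_allows(rule, verb, api_group, resource, subresource=""):
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], api_group)
            and resource_matches(rule["resources"], resource, subresource))


def role_allows(rules, **request):
    """A Role allows a request if any one of its rules does."""
    return any(rule_allows(rule, **request) for rule in rules)


# The request from the 403 message: patch statefulsets/scale in group "apps".
SCALE_REQUEST = dict(verb="patch", api_group="apps",
                     resource="statefulsets", subresource="scale")

# Rule as posted in the question.
ORIGINAL = [{"apiGroups": ["*"], "resources": ["statefulsets"],
             "verbs": ["update", "patch"]}]

# Rule after the fix described in the answer.
FIXED = [{"apiGroups": ["*"], "resources": ["statefulsets/scale"],
          "verbs": ["update", "patch"]}]

# Assumption, not from the page: the same grant limited to one group and verb.
LEAST_PRIVILEGE = [{"apiGroups": ["apps"], "resources": ["statefulsets/scale"],
                    "verbs": ["patch"]}]

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("fixed", FIXED),
                        ("least privilege", LEAST_PRIVILEGE)]:
        print(name, "allows scale patch:", role_allows(rules, **SCALE_REQUEST))
```

The fixed rule no longer permits patching the StatefulSet object itself, only its scale subresource, which is the narrower grant the script actually needs.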
I have a task which checks all Kibana spaces, and if some Kibana space doesn't exist, it creates it.
Here is my Ansible code:
- name: get all kibana spaces
  uri:
    url: '{{ kibana_url }}/api/spaces/space'
    method: GET
    force_basic_auth: yes
    url_username: elastic
    url_password: "{{elastic_ca_pass }}"
  register: spaces_result
And here is the output of the spaces.result variable (all Kibana spaces that exist):
"color": "#aabbcc",
"description": "tajikistan kibana space",
"disabledFeatures": [
"timelion",
"canvas",
"maps",
"Metrics",
"logs",
"apm",
"Security",
"uptime",
"advancedSettings",
"machineLearning",
"ingestManager"
],
"id": "tajikistan",
"initials": "MK",
"name": "tajikistan"
},
{
"color": "#aabbcc",
"description": "uzbekistan kibana space",
"disabledFeatures": [
"timelion",
"canvas",
"maps",
"Metrics",
"logs",
"apm",
"Security",
"uptime",
"advancedSettings",
"machineLearning",
"ingestManager"
],
"id": "uzbekistan",
"initials": "MK",
"name": "uzbekistan"
}
],
So we have 2 Kibana spaces (tajikistan and uzbekistan).
Then the next task is about to create the uzbekistan space:
- name: create uzbekistan kibana space
  uri:
    url: '{{ kibana_url }}/api/spaces/space'
    method: POST
    body:
      {"id":"uzbekistan","name":"uzbekistan","description":"uzbekistan kibana space","color":"#aabbcc","initials":"MK","disabledFeatures":["timelion","canvas","maps","Metrics","logs","apm", "Security","uptime","advancedSettings", "machineLearning", "ingestManager"]}
    body_format: json
    force_basic_auth: yes
    headers:
      kbn-xsrf: 'true'
      Content-Type: 'application/json'
    url_username: elastic
    url_password: " {{ elastic_ca_pass }}"
  when:
    - '"uzbekistan" not in spaces_result.json'
So this task will execute only if uzbekistan is not in the spaces_result variable, but it executes. Why?
TASK [../roles/elasticsearch_nopci_efk_users : create uzbekistan kibana space] ***********************************************************
fatal: [loges-prod-01-uv01]: FAILED! => {"cache_control": "private, no-cache, no-store, must-revalidate", "changed": false, "connection": "close", "content": "{\"statusCode\":409,\"error\":\"Conflict\",\"message\":\"A space with the identifier uzbekistan already exists.\"}", "content_length": "99", "content_type": "application/json; charset=utf-8", "date": "Thu, 08 Apr 2021 09:13:51 GMT", "elapsed": 0, "json": {"error": "Conflict", "message": "A space with the identifier ibank already exists.", "statusCode": 409},
So why does it execute?
Issue:
I successfully log in and make a POST call, and receive the following error after making a cy.request() POST API call.
I was able to make cy.request() GET API calls which returned 200, so the API call error seems specific to the above cy.request() POST API call.
Error:
The response we got was:
Status: 403 - Forbidden
Headers: {
"date": "Thu, 19 Dec 2019 16:10:19 GMT",
"server": "Apache",
"x-frame-options": "SAMEORIGIN, DENY",
Full Error
CypressError: cy.request() failed on:
https://uat1.dns2.merchantportal.eu/MerchantApiWeb/rest/secure/user/financial/preauthorisation
The response we received from your web server was:
403: Forbidden
This was considered a failure because the status code was not '2xx' or '3xx'.
If you do not want status codes to cause failures pass the option: 'failOnStatusCode: false'
The request we sent was:
Method: POST
URL: https://uat1.dns2.merchantportal.eu/MerchantApiWeb/rest/secure/user/financial/preauthorisation
Headers: {
"Connection": "keep-alive",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
"accept": "/",
"Cookie": "NSC_JOfmamujd2zndlkdwlzogneusels0bQ=ffffffff09405a8245525d5f4f58455e445a4a42378b; ROUTEID=.1; JSESSIONID=mu_x-VvVK3_rycxkJ9eef9w7lUPzw-SFLqiyXZnd.r5cvap1013.1dc.com.MP.WEB",
"accept-encoding": "gzip, deflate",
"content-type": "application/json",
"content-length": 101
}
Body: {"fromDate":"2019-12-19","toDate":"2019-12-19","pageNumber":1,"sortBy":"preAuthDate","sortOrder":"D"}
The response we got was:
Status: 403 - Forbidden
Headers: {
"date": "Thu, 19 Dec 2019 16:10:19 GMT",
"server": "Apache",
"x-frame-options": "SAMEORIGIN, DENY",
"strict-transport-security": "max-age=15552000; includeSubdomains; preload, max-age=31536000 ; includeSubDomains",
"expires": "0",
"cache-control": "no-cache, no-store, max-age=3600, must-revalidate",
"x-xss-protection": "1; mode=block",
"pragma": "no-cache",
"x-content-type-options": "nosniff",
"content-type": "application/json;charset=ISO-8859-1",
"content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://*.tiqcdn.com https://www.googletagmanager.com https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com/; img-src 'self' data: https://www.google-analytics.com https:; style-src 'self' 'unsafe-inline' blob:; font-src 'self' blob:; frame-src 'self' data: *; frame-ancestors 'self'; media-src *;",
"x-powered-by": "",
"keep-alive": "timeout=10",
"connection": "Keep-Alive",
"transfer-encoding": "chunked"
}
Body: {
"code": "MPERR08",
"message": "You are not privileged to request this resource.",
"access-denied": true,
"cause": "AUTHORIZATION_FAILURE"
}
I'm trying to make PhantomJS load a page, but no matter what, it responds with an "operation canceled" :( I've tried various versions, settings that ignore SSL, and various websites. But neither works.
I can reach all sites with a normal browser, and I run PhantomJS locally from a fully updated Mac OS X.
./phantomjs --ignore-ssl-errors=true --ignore-ssl-errors=yes --ssl-protocol=tlsv1 ../../index.js http://askbar.dk
yields
= onNavigationRequested
destination_url: http://askbar.dk/
type (cause): Other
will navigate: true
from page's main frame: true
= onResourceRequested()
request: {
"headers": [
{
"name": "Accept",
"value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
}
],
"id": 1,
"method": "GET",
"time": "2016-04-11T20:05:39.998Z",
"url": "http://askbar.dk/"
}
= onNavigationRequested
destination_url: about:blank
type (cause): Other
will navigate: true
from page's main frame: true
http://askbar.dk/: Operation canceled
phantomjs://code/index.js:60 in onResourceError
= onResourceReceived()
id: 1, stage: "end", response: {"contentType":null,"headers":[],"id":1,"redirectURL":null,"stage":"end","status":null,"statusText":null,"time":"2016-04-11T20:05:39.999Z","url":"http://askbar.dk/"}
Any ideas?