Grpc load balance with traefik is not working - load-balancing

I hope to use traefik as a gRPC load balancer. Here is the traefik.toml configuration:
logLevel = "INFO"

[entryPoints]
  [entryPoints.http]
  address = ":2525"

[file]

[backends]
  [backends.backend1]
    [backends.backend1.servers.server1]
    url = "http://localhost:6565"
    weight = 10

[frontends]
  [frontends.frontend1]
  backend = "backend1"
    [frontends.frontend1.headers]
    # SSLRedirect = true
    [frontends.frontend1.routes.Route1]
    rule = "Host:localhost"
My gRPC server host is localhost and the port is 6565. A gRPC client sending requests to localhost:6565 (the server) works fine. But when I configure traefik to listen on port 2525, run traefik, and change the gRPC client port to 2525, it does not load balance as I intended.
But the gRPC (HTTP/2) requests are detected by traefik, according to the access log:
127.0.0.1 - - [13/Jun/2018:05:23:16 +0000] "PRI * HTTP/2.0" 404 19 "-" "-" 1 "backend not found" "*" 0ms
127.0.0.1 - - [13/Jun/2018:05:23:16 +0000] "PRI * HTTP/2.0" 404 19 "-" "-" 2 "backend not found" "*" 0ms
It says backend not found. It's a bit hard to understand why this happens. I searched the internet for a better solution. Some people say to use HTTPS for this, but when using NGINX we don't need HTTPS, so I need a solution like that. Can someone give me a better solution?

According to the official issue and this doc:
First, we need to change the backend protocol from http to h2c, which is HTTP/2 without the "s".
Second, traefik will not support h2c backends until v1.7, so the current release won't work. As the official repo says, they release every other month, and the current version is v1.6.4, so we can have this feature next month.
However, if you want to have this right now (like me), we can build a dev version of traefik from source. See this doc; basically just clone the repo and build.

Related

Apache web server not working on https port work on http

Good day,
I have an Apache web server (10.8.112.65). I configured ProxyPass to direct it to my app server; the ProxyPass code is as follows in the httpd.conf:
ProxyPass "/mfp" "http://101.7.2.63:9080/mfp"
ProxyPassReverse "/mfp" "http://101.7.2.63:9080/mfp"
And it listens on port 80:
Listen 80
This is working fine. From my device, I fire an HTTP URL request to 10.8.112.65, and it will direct it to http://101.7.2.63:9080/mfp to process. For example:
Fire http://10.8.112.65/mfp/api/adapters/MyAdapter/public/init/
It will direct to http://101.7.2.63:9080/mfp/api/adapters/MyAdapter/public/init/ , this is good.
However, from my device, I need to fire an HTTPS URL request instead of HTTP. Thus, I changed the Listen port to 443, and I tried to fire an HTTPS request as follows:
Fire https://10.8.112.65:443/mfp/api/adapters/MyAdapter/public/init/
This one could not reach my app server, and in the web server access log, I saw it print out
10.3.131.36 - - [13/Feb/2020:18:58:01 +0800] "\x16\x03\x01\x02" 400 226 "-" "-"
10.3.131.36 - - [13/Feb/2020:18:58:01 +0800] "\x16\x03\x01\x02" 400 226 "-" "-"
Where 10.3.131.36 is my device IP address.
I tried searching Google for this, but didn't get any result that I understood.
Any ideas on this?
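The two access-log excerpts on this page, traefik's "PRI * HTTP/2.0" lines in the gRPC question and Apache's "\x16\x03\x01\x02" lines in this one, are the same kind of evidence: the client spoke a protocol the listener was not configured for. "PRI * HTTP/2.0" is the start of the HTTP/2 connection preface (RFC 7540 section 3.5), which an HTTP/1.1 parser reads as a request with method PRI; it means the client sent cleartext HTTP/2 (h2c) with prior knowledge, as gRPC clients do without TLS. "\x16\x03\x01" is a TLS record header (content type 0x16 = handshake, record version 0x03 0x01), so a TLS ClientHello reached a port that only speaks plaintext HTTP; changing Listen 80 to Listen 443 does not enable TLS by itself, that requires mod_ssl with SSLEngine on and a certificate. The following is an added example, not code from either question or from the traefik or Apache projects: it parses constructed log lines modelled on the ones quoted above and tags each request line with the mismatch it reveals.

```python
import re

# Constructed sample lines, modelled on the traefik 1.x and Apache combined-log
# excerpts quoted on this page; not real traffic.
SAMPLE_LOG = r'''
127.0.0.1 - - [13/Jun/2018:05:23:16 +0000] "PRI * HTTP/2.0" 404 19 "-" "-" 1 "backend not found" "*" 0ms
10.3.131.36 - - [13/Feb/2020:18:58:01 +0800] "\x16\x03\x01\x02" 400 226 "-" "-"
10.3.131.36 - - [13/Feb/2020:18:58:02 +0800] "GET /mfp/api/adapters/MyAdapter/public/init/ HTTP/1.1" 200 512 "-" "-"
'''

# client, ident, user, [timestamp], "request line", status; the rest of the line is ignored.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def unescape_apache(raw: str) -> str:
    """Apache's access log writes non-printable request bytes as \\xNN; turn them
    back into the characters the client actually sent."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), raw)


def classify(request: str) -> str:
    """Name what the logged request line really was."""
    req = unescape_apache(request)
    # HTTP/2 connection preface: the client is speaking cleartext HTTP/2 (h2c).
    if req.startswith('PRI * HTTP/2.0'):
        return 'h2c-preface'
    # TLS record header: 0x16 = handshake, then record-layer version 0x03 0x0N.
    # A ClientHello landed on a listener that expects plaintext HTTP.
    if len(req) >= 3 and req[0] == '\x16' and req[1] == '\x03' and req[2] in '\x00\x01\x02\x03\x04':
        return 'tls-client-hello'
    parts = req.split(' ')
    if len(parts) == 3 and parts[2].startswith('HTTP/'):
        return 'http-request'
    return 'unknown'


HINTS = {
    'h2c-preface': 'client speaks cleartext HTTP/2; the proxy must accept h2c and forward '
                   'to the backend over h2c (traefik: backend URL scheme h2c instead of http)',
    'tls-client-hello': 'client began a TLS handshake on a plaintext port; enable TLS on the '
                        'listener (Apache: mod_ssl, SSLEngine on, a certificate) or use http://',
    'http-request': 'ordinary HTTP/1.x request',
    'unknown': 'unrecognised request line',
}


def analyse(log_text: str) -> list:
    """Parse each log line and attach the classification and a remediation hint."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m['req'])
        rows.append({'client': m['client'], 'status': int(m['status']),
                     'kind': kind, 'hint': HINTS[kind]})
    return rows


if __name__ == '__main__':
    for row in analyse(SAMPLE_LOG):
        print(f"{row['client']:>14} {row['status']} {row['kind']:<17} {row['hint']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a steady stream of tls-client-hello rows on port 80, or h2c-preface rows on a proxy that only routes HTTP/1.1, points at a listener/backend protocol mismatch rather than at a routing rule.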

HTTPS redirect traefik v2

I'm trying to setup traefik v2 on a development server we have.
The setup:
Docker serving dozens of nginx containers acting as a frontend for different projects. Every nginx container has a unique domain linked to it. Nginx is running on port 80. Every project has a separate docker-compose (traefik also has a separate docker-compose).
What I'm trying to accomplish:
Proxy all of the containers to traefik and add new ones on the go (new services are stopped/started all the time). Make traefik automatically redirect to HTTPS and contact the appropriate nginx container based on the hostname in order to serve the website.
Question: Is this even possible to do? I've been trying to figure it out for the past day or so but I can't get everything to work. Either the redirect doesn't work or if it does it returns 404.
Managed to find a guide that covers this:
https://chriswiegman.com/2019/10/serving-your-docker-apps-with-https-and-traefik-2/
To extend what the guide pointed to, the magic sauce is in LABELS. It can be broken down to this:
# Setup HTTP
# tells traefik that any HTTP connection needs to be redirected to HTTPS
- "traefik.http.middlewares.mysite-https.redirectscheme.scheme=https"
# 'web' (or any name) can be defined in my traefik entrypoints. Web is port 80.
- "traefik.http.routers.mysite-http.entrypoints=web"
# tells it to route incoming connections to 'mysitesdomain.com' to this service
- "traefik.http.routers.mysite-http.rule=Host(`mysitesdomain.com`)"
# Maps the above 'middleware' called 'mysite-https' (the provider suffix is written with '@')
- "traefik.http.routers.mysite-http.middlewares=mysite-https@docker"
# Setup HTTPS
- "traefik.http.routers.mysite.entrypoints=web-secure"
- "traefik.http.routers.mysite.rule=Host(`mysitesdomain.com`)"
- "traefik.http.routers.mysite.tls=true"
- "traefik.http.routers.mysite.tls.certresolver=default"
What seems to be missing is the loadbalancer definition:
- "traefik.http.services.replica_service.loadbalancer.server.port=80" # "80" is the container's incoming port.

How to filter requests so that apache handles them and not tomcat?

For various reasons I want to shut down my server after a certain period of idle time. I am running Tomcat 8.5.29 and Apache2 (not sure of the version) on Debian 4.9.88. I wrote a script to look at the last time Tomcat had an access. I only have one app on the server and it is at "http://hostname/source/". My problem is that there are a number of webserver vulnerabilities out there and I am getting a constant flow of requests to:
"GET / HTTP/1.1"
"POST /GponForm/diag_Form?images/ HTTP/1.1"
"GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Aservice%3DMainDeployer HTTP/1.1"
"POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1"
What I would like to do is stop anything that doesn't begin with "/source" from even getting to tomcat. I presume that a rewrite or something in Apache can do it, but I am not sure how the requests get to Tomcat in the first place.
Any ideas?
There are two possible ways for requests to reach Tomcat:
The probes send requests directly to the Tomcat port (typically port 8080). You can fix this by restricting Tomcat's listening address to the loopback address, by adding the attribute address="127.0.0.1" to the corresponding Connector element in conf/server.xml. Or you can just block port 8080 in your firewall.
The requests are forwarded from Apache to Tomcat via a reverse proxy configuration in Apache. This means there is a line such as the following in one of the Apache configuration files:
ProxyPass / http://127.0.0.1:8080/
If you add an explicit path prefix to both arguments, you can restrict which requests are passed to Tomcat:
ProxyPass /source http://127.0.0.1:8080/source
This ensures that only requests that begin with "/source" are forwarded to Tomcat.
Some Apache configurations use the AJP protocol instead of HTTP for proxying, but the same reasoning applies.
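The asker's real goal is an idle timer driven by the application's own traffic, and the answer's "ProxyPass /source ..." restriction is what separates that traffic from scanner probes hitting the default site. The following is an added example, not the asker's script or anything from the Apache or Tomcat projects: it applies the same prefix rule to an Apache combined-format access log so that only requests which would actually be forwarded to Tomcat count as "last access". The log lines are constructed (the probe paths are the ones quoted in the question), and the segment-boundary matching in is_forwarded is an assumption about mod_proxy's prefix matching that you should confirm against your Apache version.

```python
import re
from datetime import datetime
from typing import Optional, Tuple

# Constructed Apache combined-log sample (not from the poster's server): two of the
# probe paths quoted in the question, two requests to the real app under /source,
# and /sourcecode as a near-miss prefix.
SAMPLE_ACCESS_LOG = '''\
203.0.113.5 - - [10/Mar/2019:08:01:10 +0000] "GET / HTTP/1.1" 200 45 "-" "-"
198.51.100.7 - - [10/Mar/2019:08:30:02 +0000] "GET /source/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2019:09:15:44 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Aservice%3DMainDeployer HTTP/1.1" 404 196 "-" "-"
198.51.100.7 - - [10/Mar/2019:09:40:00 +0000] "GET /source/api/items?id=3 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2019:11:05:00 +0000] "GET /sourcecode HTTP/1.1" 404 196 "-" "-"
'''

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def is_forwarded(target: str, prefix: str = '/source') -> bool:
    """Would this request-target be handed to Tomcat under `ProxyPass <prefix> ...`?
    The match stops at a path-segment boundary, so /sourcecode is not /source
    (assumed to mirror mod_proxy's prefix matching; verify for your Apache version)."""
    path = target.split('?', 1)[0]
    base = prefix.rstrip('/') or '/'
    if base == '/':
        return True  # ProxyPass / forwards everything, the case the answer warns about
    return path == base or path.startswith(base + '/')


def app_activity(log_text: str, prefix: str = '/source') -> Tuple[Optional[datetime], int, int]:
    """Return (last forwarded access, forwarded count, ignored count).
    Only requests that would reach the application count toward "last access",
    so scanner noise against the default site no longer keeps the server awake."""
    last: Optional[datetime] = None
    forwarded = ignored = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_forwarded(m['target'], prefix):
            forwarded += 1
            ts = datetime.strptime(m['ts'], TS_FMT)
            if last is None or ts > last:
                last = ts
        else:
            ignored += 1
    return last, forwarded, ignored


def idle_seconds_at(log_text: str, now_iso: str, prefix: str = '/source') -> Optional[float]:
    """Seconds between the last real application request and `now_iso`
    (an ISO-8601 timestamp with offset), or None if the app was never hit."""
    last, _, _ = app_activity(log_text, prefix)
    if last is None:
        return None
    return (datetime.fromisoformat(now_iso) - last).total_seconds()


if __name__ == '__main__':
    last, fwd, ign = app_activity(SAMPLE_ACCESS_LOG)
    print(f'forwarded to Tomcat: {fwd}, ignored probes: {ign}, last app access: {last}')
    print('idle at 12:00 UTC:', idle_seconds_at(SAMPLE_ACCESS_LOG, '2019-03-10T12:00:00+00:00'), 's')
```

Feed it the real access log and compare idle_seconds_at against your shutdown threshold; the ignored count also gives a quick measure of how much of the traffic was never meant for the application in the first place.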

Monit only using HTTP for HTTPS website

I'm trying to monitor a VHost on the local Apache instance via Monit. The same domain accepts both http and https traffic, so I wanted to monitor both.
Also, the IP that the domain resolves to goes to a server that load balances the traffic between the current Apache instance and another server running Apache. I need Monit to monitor the local instance, and I was hoping to avoid adding any records in the /etc/hosts file, so I was thinking that Monit's config setting with http headers [] would suffice, and I think it does (just monitoring localhost, but setting the Host header to the vhost domain).
Anyway, the main problem I seem to be running into is that even though I configure Monit to monitor the host via both http and https protocols, it monitors both via just http; however, the port is set to 443 for the one that needs the https protocol.
The Monit config file for Apache is:
check process httpd with pidfile /var/run/httpd/httpd.pid
    start program = "/bin/systemctl restart httpd.service" with timeout 60 seconds
    stop program = "/bin/systemctl stop httpd.service"

check host localhost with address localhost
    if failed
        port 80
        protocol http
        with http headers [Host: www.domain.com, Cache-Control: no-cache]
        and request / with content = "www.domain.com"
    then restart
    if failed
        port 443
        protocol https
        with http headers [Host: www.domain.com, Cache-Control: no-cache]
        and request / with content = "www.domain.com"
    then restart
    if 5 restarts within 5 cycles
    then timeout
And here's the Monit status for that check:
[root@server enabled-monitors]# monit status localhost
The Monit daemon 5.14 uptime: 14m
Remote Host 'localhost'
status Connection failed
monitoring status Monitored
port response time FAILED to [localhost]:443/ type TCPSSL/IP protocol HTTP
port response time 0.001s to [localhost]:80/ type TCP/IP protocol HTTP
data collected Tue, 26 Apr 2016 10:44:32
So it's fairly obvious to me that the https check is failing because it's still trying to use HTTP, even though I have protocol https in the configuration.
Any input would be much appreciated. I have a feeling this may be a bug, and I'll create an issue in the Monit GitHub repo, but I want to make sure it's not something silly that I overlooked.
Thank you!
Late reply here, but I thought I would still post for readers who stumbled upon the same issue.
The problem seems to be not with Monit using port HTTP despite check configured for HTTPS. It always reports HTTP protocol in status (a display bug).
The real issue is likely with Monit not supporting SNI for SSL, so it ignores the with http headers [Host: www.domain.com ... in your https check. Thus the check fails because Monit is actually testing https://localhost.
I've filed a bug with the Monit developers here.
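The distinction the answer draws is between two separate names a client sends: the SNI extension inside the TLS ClientHello, which the server uses to choose the certificate and TLS vhost before any HTTP is exchanged, and the Host header, which only selects the name-based vhost once the connection is up. A client that sets Host but not SNI is served by the default TLS vhost, which is the behaviour described above. The following is an added example, not Monit's code or the poster's configuration: a small probe that dials a specific backend address (so no /etc/hosts entry is needed) while setting both SNI and Host to the vhost name, so you can confirm what the local instance returns for that vhost over HTTPS. The vhost name www.domain.com and the address 127.0.0.1 are placeholders from the question.

```python
import socket
import ssl
from typing import Optional


def build_request(host: str, path: str = '/') -> bytes:
    """Minimal HTTP/1.1 request. The Host header picks the name-based vhost after
    the connection is up; it plays no part in the TLS handshake."""
    return (f'GET {path} HTTP/1.1\r\n'
            f'Host: {host}\r\n'
            'Cache-Control: no-cache\r\n'
            'Connection: close\r\n\r\n').encode('ascii')


def parse_response(response: bytes, expect: Optional[str] = None) -> dict:
    """Extract the status code and check whether the body contains `expect`."""
    head, _, body = response.partition(b'\r\n\r\n')
    status_line = head.split(b'\r\n', 1)[0].decode('iso-8859-1', 'replace')
    parts = status_line.split(' ')
    status = int(parts[1]) if len(parts) > 1 and parts[0].startswith('HTTP/') and parts[1].isdigit() else 0
    content_ok = expect is None or expect.encode('utf-8') in body
    return {'status': status, 'content_ok': content_ok}


def probe_vhost(address: str, port: int, host: str, use_tls: bool,
                expect: Optional[str] = None, timeout: float = 5.0,
                verify: bool = True) -> dict:
    """Connect to `address` directly but check the vhost `host`.
    For TLS, server_hostname sets the SNI extension, so the server selects the
    certificate and TLS vhost for `host` even though we dialled an IP; this is the
    step a client that only sends a Host header cannot perform."""
    sock = socket.create_connection((address, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            if not verify:  # only for a self-signed certificate on a lab host
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(build_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    return parse_response(b''.join(chunks), expect)


if __name__ == '__main__':
    # Placeholder vhost name from the question, probed on the local instance directly.
    for tls, port in ((False, 80), (True, 443)):
        try:
            result = probe_vhost('127.0.0.1', port, 'www.domain.com', tls, expect='www.domain.com')
        except OSError as exc:  # ssl.SSLError is an OSError, so handshake failures land here too
            result = {'error': str(exc)}
        print(f"{'https' if tls else 'http'}://www.domain.com via 127.0.0.1:{port} -> {result}")
```

With verify left at True the certificate presented for the SNI name is also checked against www.domain.com, which is the same expectation a browser has of that vhost; if the probe succeeds here while the Monit https check fails, the difference is the missing SNI rather than the port or protocol setting.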

502 Bad Gateway - Nginx

I am receiving:
14201#0: *16 connect() failed (111: Connection refused) while connecting to upstream, client: 22.222.222.222, server: myserver.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://70.88.100.212:7081/favicon.ico", host: "myserver.com", referrer: "https://myserver.com/"
From a subdomain of my server. Now I've looked and know it's not an issue with fpm, because this happened when I was installing GitLab in a separate subdomain, git.myserver.com. My Plesk controller said there was a configuration issue and suggested running a configure script, which then broke my subdomain.
Here is the thing: git.myserver.com is still accessible; it actually just broke myserver.com instead. I am not too sure what is going on. I have looked through my /etc/nginx/conf.d/*.conf and everything seems correct.
The layout of that file is:
include /etc/nginx/plesk.conf.d/server.conf;
include /etc/nginx/plesk.conf.d/vhosts/*.conf;
include /etc/nginx/plesk.conf.d/forwarding/*.conf;
include /etc/nginx/plesk.conf.d/webmail.conf;
Any suggestions?
UPDATE
70.88.100.212 is the primary server - I have multiple domains pointed there and webspaces built. Those are still accessible fine.
Check if port 7081 is listening on IP 70.88.100.212.
Try this command:
netstat -ntlpu
In your Nginx conf it should be:
location / {
proxy_pass http://70.88.100.212:7081/;