By following many docs/tutorials I implemented SSL with Kernel and reverse proxy in my SF.
I made it work but the access point Url is as follow : https://mycluster.westeurope.cloudapp.azure.com:19081
before I implemented https, I had a CNAME mycustomdomain.com redirecting to mycluster.westeurope.cloudapp.azure.com which was working fine.
So now, I would like to know if there's a way to call http://mycustomdomain.com
and access the actual Uri. Is there a way with what I already have in place through probes/lbrules for example? Or do I have to implement an Application Gateway or use API management or something else?
Edit : LBRules+Probes
AppPortProbe : 44338 (backend ssl port in the SF)
FabricGatewayProbe : 19000
FabricHttpGatewayProbe : 19080
SFReverseProxyProbe : 19081
[Rule : Probe]
[AppPortLBRule (TCP/80 to TCP/19081) : 19081]
[LBHttpRule (TCP/19080) : 19080]
[LBRule (TCP/19000) : 19000]
[LBSFReverseProxyRule (TCP/19081 to TCP/44338) : 44338]
You question is too broad, there are too many questions that might bring many answers, I will try to answer with a few options:
In your scenario, to access the same url you should use https://mycustomdomain.com:19081 instead.
The problem here is, when you setup the cluster, the certificate used by the cluster is valid only for the domain 'mycluster.westeurope.cloudapp.azure.com' in your case your domain is not valid in the certificate used by SF and it will fail once you make any request to it.
You can skip certificate validation errors on your browser and continue. In your applications you could do the same, the problem is that is not a friendly way doing it.
To be able to use the domain without any conflicts, you have to register your own certificate created for the domain you own.
Because you are using reverse proxy, you also have to define the certificate in the cluster configuration, look for: reverseProxyCertificate in this link
For deploying applications using SSL will happen something similar, but in your application you can define the certificate you want to use on startup, in the cluster you have to define it in the cluster configuration.
You can find more information here:
Manage service fabric cluster security certificates
If the problem is the port, you have two options:
Create a 'Port forwarding' rule in the load balancer, to forward any
request in the port 80 to port 19081. You can find here how to do that with powershell.
Update the cluster/service configuration to listen in the port
80 instead of 19081. check it here
go to godaddy or whichever domain provider you use and add a transfert to your your azure domain : https://mycluster.westeurope.cloudapp.azure.com
Related
I am trying to add an advertiser link(paved.com) in my newsletter. Before adding to newsletter, I had to add that link to my custom domain, for that they (paved.com) had provided me with CNAME and it's value.
I add that to my DNS server, I am using aws's route53 as my dns server, so adding that was straightforward. But now, when I click on that link, it throws an unsupported protocol error i.e. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I have no clue how to debug this and I will really appreciate your time and help.
One thing I had tried was to issue a new certificate for the custom domain they had provided, but that also didn't work.
Commonly the error happens when the web browser and the web server don’t support a common SSL protocol version.
Did you check the tls version? try to force the tls version to 1.2 and have a try.
I basically tried to implement Netty's build in SSLHandler. I had no problems until i implemented the Client-Side SSL.
I tried everything out any neither of all tries actually checked an incoming certificate of a Server. I could basically connect me to invalid SSL Servers.
I only saw codes like these on the internet:
pipeline.addLast("ssl", SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE).build().newHandler(channel.alloc(), UserConnection.SERVER_API_DOMAIN, UserConnection.SERVER_CONNECTION_PORT));
Any Ideas?
If you pass in .trustManager(null) , you get the system default which should check certificates based on the default root certs you have on your system.
To quote docs https://netty.io/4.1/api/io/netty/handler/ssl/SslContextBuilder.html#trustManager-java.lang.Iterable-
:
Trusted certificates for verifying the remote endpoint's certificate, null uses the system default
Of course, you could also leave out the .trustManager(...) call altogether, since the default is null
I have multiple services at Internal.com/Services . As the name suggests this is an internal page, not accessible from outside.
I have setup a site, external.com, where i will add a Reverse Proxy rule to rewrite to Internal.com/Services.
The problem I have now is that different services in Internal.com are hosted like this:
interal.com/Services/oneService.svc
internal.com/Services/anotherService.svc
This is the exact mapping i need from external.com server
external.com/oneService.svc ---> interal.com/Services/oneService.svc
external.com/anotherService.svc ---> internal.com/Services/anotherService.svc
How can i achieve this when setting the reverse proxy rule in IIS?
Burned too many hours on this, but this solved it for me. Changing the .Net framework version for the application pool for the remote proxy site to 'no managed code'.
Notice that rewriting in my case only failed when it came to .svc files. Regular html worked fine.
https://webmasters.stackexchange.com/questions/66974/iis-reverse-proxy-failing-on-svc-pages-and-some-other-pages-works-fine-for-pla
I have implemented FCM for web using fcm documentation.
Everything'll be fine if I set url like : 'http://xxx' I have no error.
But when I set url : 'https://xxx..', I get error:
"Failed to register a ServiceWorker: An SSL certificate error occurred when fetching the script."
code: "messaging/failed-serviceworker-registration"
"Messaging: We are unable to register the default service worker. Failed to register a ServiceWorker: An SSL certificate error occurred when fetching the script. (messaging/failed-serviceworker-registration)."
Can anyone show me how to fix this error?
This is a general problem when wanting to test service workers in a local development environment without proper SSL certificates. It is not specific to Firebase Messaging but pertains to Service Workers in general.
Here is the solution I found when using Google Chrome: Testing Service workers locally with self-signed certificates
Unfortunately, I don't know yet how to circument the issue with other browsers, but probably there must be similar ways.
For Chrome, you need to start a new instance of Chrome, with some flags telling it to ignore SSL certificate errors for your local origin:
In Linux (and maybe Mac):
google-chrome --ignore-certificate-errors --unsafely-treat-insecure-origin-as-secure=https://127.0.0.1 --user-data-dir=/tmp/foo
The https://127.0.0.1 here is the location where your app (and service worker) is hosted locally. You might need to adjust this to use the appropriate port, if serving on a different port than the standard HTTPS port 443, e.g. https://127.0.0.1:3000, when serving your app over HTTPS on port 3000.
The --user-data-dir=/tmp/foo is necessary to start a new instance, with a new user profile, if another instance of Chrome is already running.
In Windows (might vary, depending on where your chrome.exe is):
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --ignore-certificate-errors --unsafely-treat-insecure-origin-as-secure=https://localhost:1123
Again, you might have to adjust the port.
Easier method that worked for me:
Just paste chrome://flags/#allow-insecure-localhost in your chrome browser, and Enable the setting that says something like "Allow invalid certificates for resources loaded from localhost."
I'm trying to load balance a cluster that is exposing port 7654. I've followed the instructions here. When following it exactly (creating the nginx cluster), it works fine, but when I try to apply it to my containers I can't get it to pass the health check. If I use kubectl to expose 7654 with LoadBalancer instead of NodePort, I'm able to connect, so it seems that the container is working fine. Does anyone have any advice for creating a load balancer?
According to https://cloud.google.com/compute/docs/load-balancing/health-checks#overview a successful health check "must return a valid HTTP response with code 200 and close the connection normally within the timeoutSec period". It's possible that your empty response wasn't closing the HTTP connection and adding HTML content caused your backend to close the connection.