How to use Ngnix as a reverse proxy to access OpenShift (OKD) 4.X?

[eduardolucioac]

How to use Ngnix as a reverse proxy to access OpenShift (OKD) 4.X?

I've tried hundreds of setups for the reverse proxy (Nginx) and they all fail with the error "Application is not available" when we access the oauth-openshift.apps.mbr.some.dm route.

NOTE: This problem does not occur if we access this route directly (without using Reverse Proxy). Perhaps some information necessary for the route to be resolved is not being sent.

This is the basic configuration template we are using...

server {
    access_log /var/log/nginx/apps.mbr.some.dm-access.log;
    error_log /var/log/nginx/apps.mbr.some.dm-error.log;
    server_name ~^(?<subdomain>.+)\.apps\.mbr\.some\.dm$;

    location / {
        proxy_pass https://10.2.0.18:443;
        proxy_set_header Host $subdomain.apps.mbr.some.dm;
        proxy_set_header X-Forwarded-For https://$subdomain.apps.mbr.some.dm$request_uri;
    }

    listen 443;
    ssl_certificate /etc/letsencrypt/live/apps.mbr.some.dm/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apps.mbr.some.dm/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

---

We also tested these parameters and got some problems as you can see below...

server {
    [...]
    location / {
        [...]
        proxy_ssl_certificate /etc/nginx/backend_ss_certs/apps.mbr.some.dm.crt;
        proxy_ssl_certificate_key /etc/nginx/backend_ss_certs/apps.mbr.some.dm.key;
        proxy_ssl_trusted_certificate /etc/nginx/backend_ss_certs/apps.mbr.some.dm.crt.key.pem;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;
        proxy_ssl_session_reuse on;
        proxy_ssl_verify on;
        [...]
    }
    [...]
}

The certificates apps.mbr.some.dm.crt, apps.mbr.some.dm.key, apps.mbr.some.dm.crt.key.pem are the self-signed certificates used by OpenShift (OKD) to allow access to resources (HTTPS). However if we try to use these certificates with the reverse proxy (Nginx) the following error happens ("Bad Gateway")...

2021/07/22 17:36:11 [error] 6999#6999: *1 upstream SSL certificate verify error: (21:unable to verify the first certificate) while SSL handshaking to upstream, client: 177.25.231.233, server: ~^(?<subdomain>.+)\.apps\.mbr\.brlight\.net$, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.2.0.18:443/favicon.ico", host: "oauth-openshift.apps.mbr.some.dm", referrer: "https://oauth-openshift.apps.mbr.some.dm/oauth/authorize?client_id=console&redirect_uri=https%3A%2F%2Fconsole-openshift-console.apps.mbr.some.dm%2Fauth%2Fcallback&response_type=code&scope=user%3Afull&state=ff6f3064"

NOTA: We tested the apps.mbr.some.dm.crt and apps.mbr.some.dm.crt.key.pem certificates using curl and both worked perfectly.

---

PLUS: We couldn't define a way to diagnose/observe (logs) about what goes wrong when the request arrives the route oauth-openshift.apps.mbr.some.dm . I think this would help us figure out what's going wrong.

[eduardolucioac]

Well, from the lack of answers I can assume that OpenShift (OKD) is incapable to work behind a reverse proxy, right?

Thanks! =D

[pflaeging]

OKD behind haproxy or F5 is the standard :peter pfläging (gesendet von einem Gerät mit kleiner virtueller Tastatur und viel zu großen Fingern) ***@***.*** 📞+43 699 1410 7990 🏠 In den Jochen 49, A-2122 Ulrichskirchen, Austria 🌍 http://www.pflaeging.net/

…

Am 23.07.2021 um 19:24 schrieb Eduardo Lúcio Amorim Costa ***@***.***>:  Well, from the lack of answers I can assume that OpenShift (OKD) is incapable to work behind a reverse proxy, right? Thanks! =D — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[eduardolucioac]

Thank you Peter @pflaeging ! Do you have any clue as to why the error "Application is not available" occurs? Would you know how I can find out (basically logs) what is going wrong in OpenShift (OKD) for the "oauth-openshift.apps.mbr.some.dm" route? *Thank you very much! =D* Em sex., 23 de jul. de 2021 às 14:30, Peter Pflaeging < ***@***.***> escreveu:

…

OKD behind haproxy or F5 is the standard :peter pfläging (gesendet von einem Gerät mit kleiner virtueller Tastatur und viel zu großen Fingern) ***@***.*** 📞+43 699 1410 7990 🏠 In den Jochen 49, A-2122 Ulrichskirchen, Austria 🌍 http://www.pflaeging.net/ > Am 23.07.2021 um 19:24 schrieb Eduardo Lúcio Amorim Costa ***@***.***>: > >  > Well, from the lack of answers I can assume that OpenShift (OKD) is incapable to work behind a reverse proxy, right? > > Thanks! =D > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub, or unsubscribe. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#784 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABRX4JKEN5WHTIC5YD6JBULTZGRLRANCNFSM5AZHEE3Q> .

-- *Eduardo Lúcio* Tecnologia, Desenvolvimento e Software Livre LightBase Consultoria em Software Público ***@***.*** <[email protected]> *+55-61-3347-1949* - http://brlight.org <[email protected]> - *Brasil-DF* *Software livre! Abrace essa idéia!* *"Aqueles que negam liberdade aos outros não a merecem para si mesmos."* *Abraham Lincoln*

[eduardolucioac]

From Larry Brigman [email protected] (okd-wg)

"Application is not available" occurs when the endpoint you are trying to reach doesn't exist or is down.
Any of the layers pod/service/route. I would start at the route end and work inward.
A mis-spelling of the name and that would give you the same error.

[eduardolucioac]

Thank you so much for your help Larry!

About your considerations...

"Application is not available" occurs when the endpoint you are trying to reach doesn't exist or is down.
Any of the layers pod/service/route. I would start at the route end and work inward.
A mis-spelling of the name and that would give you the same error.

... we can say that...

[...]
This problem does not occur if we access this route directly (without using Reverse Proxy).
[...]

... , conclusion, the route in the URL is correct.

We can also say that this problem only occurs in the oauth-openshift.apps.mbr.some.dm route. In the console-openshift-console.apps.mbr.some.dm route, for example, it does not occur.

We believe this problem may be related to...

[...]
Perhaps some information necessary for the route to be resolved is not being sent.
[...]

We can also append that...

[...]
We couldn't define a way to diagnose/see (logs from the OpenShift cluster) what goes wrong when the request arrives the route oauth-openshift.apps.mbr.some.dm . I think this would help us figure out what's going wrong.
[...]

Finally, if we can at least know the actual causes of the "Application is not available" error, then we can know what is going wrong...

[eduardolucioac]

People!

We confirm that the problem "Application is not available" only occurs in the route "oauth-openshift" ( oauth-openshift.apps.mbr.some.dm ) can any human being say why this problem is occurring specifically for this route?

NOTE: If we log into the "oauth-openshift" route using an SSH tunnel, for example, we can use all other resources via reverse proxy

[]'s

[eduardolucioac]

Solution here!

https://github.com/eduardolucioac/okd_bare_metal#create-configuration-to-nginx-reverse-proxy-openshift-okd-nginx_reverse_proxy

[]'s