Avature / kong-docker-compose

:satellite: Kong API Gateway distribution used by Avature organization, includes some extra security features, Kong's UI and configuration database

Impossible to operate the gateway in production #1

Open sergechantave84 opened 1 year ago

sergechantave84 commented 1 year ago

@matiasditada @mnofresno @gonzadc @jcvincenti Good morning, I have a problem with the deployment of konga in production. If you can help me, that would be great.

Here are my configs:

.env file:

BASE_HOST_DOMAIN=api-dev.espylid.com

Executing the following curl request in the container ( docker exec -it api-gateway2-nginx-1 /bin/sh ): curl -i -X GET --url http://kong:8000/a/ok returns a 200 response from my microservice.

But executing the following curl request in the container: curl -i -X GET --url http://gateway.api-dev.espylid.com/a/ok returns a 404 response.

And executing curl -i -X GET --url http://gateway.api-dev.espylid.com returns a 200 response.

This is my /etc/nginx/conf.d/gateway.conf in Nginx container

server {
  listen 80;
  include /etc/nginx/conf.d/server_hosts/gateway-url.conf;
  return 301 https://$host$request_uri;
  location / {
    proxy_pass http://kong:8000/;
    error_log /var/log/gateway_error.log;
  }
}

server {
  listen 443 ssl;

  client_max_body_size 100M;

  include /etc/nginx/conf.d/server_hosts/gateway-url.conf;
  include /etc/nginx/conf.d/sslCertificates.conf;
  proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

  location / {
    proxy_pass http://kong:8000/;
    error_log /var/log/gateway_error.log;
  }

  location /admin-api {
    return 404;
  }
}

And my /etc/nginx/conf.d/server_hosts/gateway-url.conf

server_name gateway.api-dev.espylid.com kong-gateway;

The config looks good, but it doesn't work. I haven't changed anything in docker-compose.yml

Please, can you tell me what I missed here?

mnofresno commented 1 year ago

Thank you for reaching out. In order to resolve the issue you are experiencing, kindly ensure that you have the following configuration parameter set correctly:

HOST_SERVICE_SEPARATOR=.

Additionally, it is important to confirm that the DNS A record is correctly configured to point from "*.api-dev.espylid.com" to the same host, "api-dev.espylid.com".

Please verify these settings and let us know if the issue persists. Feel free to provide any additional details or logs that could help us further investigate the problem.

sergechantave84 commented 1 year ago

@mnofresno : Thank you for your reply

Here is the variable in .env: HOST_SERVICE_SEPARATOR=.

api-dev.espylid.com is the vhost defined in nginx on the server, listening on port 80/443

There is a proxy that points it to 127.0.0.1:3080 where 127.0.0.1:3080 denotes the nginx container listening on port 3080/3443

server {
    listen              80;
    server_name         api-dev.espylid.com;

    location / {
#        auth_basic           "Admin area";
#        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#        proxy_cookie_path / "/; secure; HttpOnly; SameSite=lax";
        proxy_pass  http://127.0.0.1:3080;
    }
}

I also realized that there are quite a few problems. From the nginx container: docker exec -it api-gateway2-nginx-1 /bin/sh

My /etc/hosts

127.0.0.1   localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.144.3   8b2871be1eff

gateway.api-dev.espylid.com, admin.api-dev.espylid.com and konga.api-dev.espylid.com are not defined.

And when modifying the docker-compose.yml files, the modifications are not supported in the container. You have to enter the container to modify the config of the Docker nginx server.

mnofresno commented 1 year ago

> There is a proxy that points it to 127.0.0.1:3080 where 127.0.0.1:3080 denotes the nginx container listening on port 3080/3443

Where is that proxy defined? I've searched through our code and no proxy on that port is defined.

> gateway.api-dev.espylid.com, admin.api-dev.espylid.com and konga.api-dev.espylid.com are not defined.

They do not need to be defined in the nginx container's hosts file, because your infrastructure should resolve to the server that is running docker-compose, and the only service listening on ports 80/443 is the nginx container's service. An http/https request will therefore be served by that container, and the Host header of the request will help nginx distinguish requests coming to each of the 3 endpoints.

> And when modifying the docker-compose.yml files, the modifications are not supported in the container. You have to enter the container to modify the config of the Docker nginx server.

To what modifications do you refer? Our Kong distribution is not meant to be modified that way.

Please make sure your infrastructure has the correct DNS A / CNAME records directed to the server that is running docker-compose.

What DNS infra do you use? Amazon's Route53 or any other?
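
The Host-header routing described in the reply above, as an added example that is not part of the thread or of the project's code: a simplified Python model of how nginx chooses a server block (exact names, then leading wildcards, then trailing wildcards, then the default server; regex names are not modelled). The block labels and the admin/konga entries are assumptions built from the hostnames quoted in this thread.

```python
# Simplified model of nginx server_name selection (added example, constructed data).

def match_rank(pattern, host):
    """Return (priority, length) if pattern matches host, else None.

    Priority follows nginx: 0 exact, 1 leading wildcard (*.example.com),
    2 trailing wildcard (www.example.*).
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return (0, len(pattern))
    if pattern.startswith("*.") and host.endswith(pattern[1:]):
        return (1, len(pattern))
    if pattern.endswith(".*") and host.startswith(pattern[:-1]):
        return (2, len(pattern))
    return None


def select_server(blocks, host_header):
    """blocks: ordered list of (label, [server_name, ...], is_default_server)."""
    host = host_header.split(":")[0]          # the port is ignored for name matching
    best = None
    for label, names, _is_default in blocks:
        for name in names:
            rank = match_rank(name, host)
            if rank is None:
                continue
            key = (rank[0], -rank[1])         # best priority first, then longest pattern
            if best is None or key < best[0]:
                best = (key, label)
    if best is not None:
        return best[1]
    # No name matched: use the explicit default_server, otherwise the first block.
    for label, _names, is_default in blocks:
        if is_default:
            return label
    return blocks[0][0]


# Constructed layout for the container's nginx, using hostnames from the thread.
CONTAINER_NGINX = [
    ("gateway", ["gateway.api-dev.espylid.com", "kong-gateway"], False),
    ("admin", ["admin.api-dev.espylid.com"], False),
    ("konga", ["konga.api-dev.espylid.com"], False),
]

if __name__ == "__main__":
    for h in ("gateway.api-dev.espylid.com", "konga.api-dev.espylid.com:3080",
              "api-dev.espylid.com"):
        print(h, "->", select_server(CONTAINER_NGINX, h))
```

A Host value that matches no server_name is answered by the default block rather than rejected, so an intermediate proxy has to pass the original Host through unchanged for the three endpoints to stay distinguishable.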