basecamp / kamal

Deploy web apps anywhere.
https://kamal-deploy.org
MIT License

Unable to use Kamal2 with CF and Hetzner #1104

Open zaddy6 opened 1 day ago

zaddy6 commented 1 day ago
# Name of your application. Used to uniquely configure containers.
service: cowriter-api

# Name of the container image.
image: xxx-service-staging

# Deploy to these servers.
servers:
  web:
    - xxx
    - xxx
  # job:
  #   hosts:
  #     - 192.168.0.1
  #   cmd: bin/jobs

# Enable SSL auto certification via Let's Encrypt (and allow for multiple apps on one server).
# If using something like Cloudflare, it is recommended to set encryption mode 
# in Cloudflare's SSL/TLS setting to "Full" to enable end-to-end encryption. 
proxy:
  ssl: false
  forward_headers: true
  # kamal-proxy connects to your container over port 80, use `app_port` to specify a different port.

# # Credentials for your image host.
registry:
  server: xxxx.dkr.ecr.us-east-1.amazonaws.com
  username: AWS
  password: 
    - KAMAL_REGISTRY_PASSWORD

# Configure builder setup.
builder:
  arch: amd64
  dockerfile: "./Dockerfile"
  context: "./"

env:
  secret:
    - MONGO_USERNAME

I have created a LB on Hetzner and added both servers. I have also added a proxied A record pointing to the LB server on Cloudflare; however, I get a website down error.


Although visiting the server IP for both the LB and the hosts works without issues.

tuladhar commented 6 hours ago

Which port is the Hetzner LB listening on? Are the targets behind the Hetzner LB healthy? What mode is the SSL/TLS setting on Cloudflare?

zaddy6 commented 4 hours ago
  1. LB is listening on port 80
  2. Yes
  3. Mode is set to Full (Not strict) on CF

navidemad commented 4 hours ago

deploy.yml:

# Note: If using Cloudflare, set encryption mode in SSL/TLS setting to "Full" to enable CF-to-app encryption. 
proxy:
  ssl: true
  host: api.foobar.com
  # Proxy connects to your container on port 80 by default.
  app_port: 3000 # if you use thruster remove this line, if you don't use thruster set this line

You then have to set up DNS records with the proxy toggle checked (A with the IPv4 and AAAA with the IPv6, without the /64). On Cloudflare DNS, you will have to create two records: A, with @ if it's the full domain or just "api" if it's a subdomain, with your IPv4 as the value; and AAAA, with @ if it's the full domain or just "api" if it's a subdomain, with your IPv6 as the value (remove the /64).

Then commit your changes, and kamal deploy. Additionally, I add the gem "cloudflare-rails" to my production environment group in my Gemfile.

zaddy6 commented 3 hours ago

This config wouldn't work, as SSL: True only works if you are deploying to a single server. In my case I am deploying to 3 servers, and then all 3 are under a single Hetzner LB.
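The thread turns on three settings that have to agree with each other: `proxy.ssl` in deploy.yml, the number of web hosts behind the app, and the SSL/TLS mode chosen in the Cloudflare dashboard. The following is an added example, not code from Kamal or from anyone in this thread: a small Python linter that reads a deploy.yml (with a minimal reader for the YAML subset these files use, not a full YAML parser) and reports the combinations discussed above. The "single host per app when `ssl: true`" rule is taken from the thread's own claim and is marked as an assumption in the code; the host addresses and the registry password in the constructed sample configs are placeholders; `cloudflare_mode` is an input you supply, since the dashboard setting is not in the file.

```python
"""Lint a Kamal 2 deploy.yml for the proxy/TLS pitfalls raised in this thread.
Added example, not part of Kamal; the reader handles only the YAML subset used
in files like the one above (nested maps, scalar lists, comments)."""
import re


def _tokenize(text):
    """(indent, content) per meaningful line; whole-line and inline comments dropped."""
    tokens = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        line = re.sub(r"\s+#.*$", "", raw).rstrip()
        tokens.append((len(line) - len(line.lstrip(" ")), line.strip()))
    return tokens


def _scalar(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def _parse(tokens, i, indent):
    """Parse the list or mapping whose lines sit at `indent`, starting at tokens[i]."""
    if tokens[i][1].startswith("- "):
        items = []
        while i < len(tokens) and tokens[i][0] == indent and tokens[i][1].startswith("- "):
            items.append(_scalar(tokens[i][1][2:]))
            i += 1
        return items, i
    mapping = {}
    while i < len(tokens) and tokens[i][0] == indent:
        key, _, value = tokens[i][1].partition(":")
        i += 1
        if value.strip():
            mapping[key.strip()] = _scalar(value)
        elif i < len(tokens) and tokens[i][0] > indent:
            mapping[key.strip()], i = _parse(tokens, i, tokens[i][0])
        else:
            mapping[key.strip()] = None
    return mapping, i


def load_deploy_yml(text):
    tokens = _tokenize(text)
    return _parse(tokens, 0, tokens[0][0])[0] if tokens else {}


def web_host_count(config):
    web = (config.get("servers") or {}).get("web")
    return len(web) if isinstance(web, list) else 0


def lint(config, cloudflare_mode):
    """Sorted finding codes. `cloudflare_mode` is the dashboard SSL/TLS setting
    ('off', 'flexible', 'full' or 'full_strict'), which deploy.yml cannot know."""
    findings = set()
    proxy = config.get("proxy") or {}
    origin_tls = proxy.get("ssl") is True
    # Thread's claim, taken here as an assumption: automatic Let's Encrypt
    # issuance via kamal-proxy needs a single web host per app.
    if origin_tls and web_host_count(config) > 1:
        findings.add("ssl_multi_host")
    # "Full"/"Full (strict)" make Cloudflare connect to the origin over HTTPS;
    # with ssl: false kamal-proxy serves plain HTTP only, so that connection
    # fails. "Flexible" connects, but edge-to-origin traffic is in the clear.
    if cloudflare_mode in ("full", "full_strict") and not origin_tls:
        findings.add("cloudflare_full_without_origin_tls")
    if cloudflare_mode == "flexible":
        findings.add("flexible_mode_plaintext")
    # Behind Cloudflare or a LB the app sees the client address only through
    # X-Forwarded-*; require the explicit setting rather than trusting defaults.
    if proxy.get("forward_headers") is not True:
        findings.add("forward_headers_not_enabled")
    # A literal here is a credential committed to the repo; Kamal's list form
    # names a secret to look up instead.
    if isinstance((config.get("registry") or {}).get("password"), str):
        findings.add("registry_password_literal")
    return sorted(findings)


# Constructed copies of the two configs in the thread; hosts and the registry
# password are placeholders, not real values.
ISSUE_DEPLOY_YML = """\
service: cowriter-api
servers:
  web:
    - 203.0.113.10   # placeholder
    - 203.0.113.11   # placeholder
proxy:
  ssl: false
  forward_headers: true
registry:
  username: AWS
  password:
    - KAMAL_REGISTRY_PASSWORD
"""

SINGLE_HOST_DEPLOY_YML = """\
service: cowriter-api
servers:
  web:
    - 203.0.113.10
proxy:
  ssl: true
  host: api.foobar.com
registry:
  username: deployer
  password: not-a-real-password   # literal on purpose, to trigger the finding
"""
```

Run `lint(load_deploy_yml(ISSUE_DEPLOY_YML), "full")` to see the edge/origin mismatch for the first config in the thread (origin serves no TLS while the dashboard mode expects HTTPS to the origin), and pass `"flexible"` to see that the mismatch goes away at the cost of plaintext between Cloudflare and the origin. The single-host config reports only the missing `forward_headers` and the literal registry password, which is the shape the thread's second answer has once a secret reference is used.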