wtsi-npg / sqyrrl

Sqyrrl - an HTTP server for files hosted in iRODS
GNU General Public License v3.0

Server is unhappy when starting with default `host` when inside a container #26

Closed jmtcsngr closed 5 months ago

jmtcsngr commented 5 months ago

Expect this will start listening and allow connections

docker run -it --name sqyrrl -p 443:3333 -v /conf:/conf "ghcr.io/wtsi-npg/sqyrrl:1.0.0" start --irods-env /conf/irods_environment.json --cert-file /conf/localhost.crt --key-file /conf/localhost.key --log-level trace

But when connecting from outside docker it produces:

curl -k -vvv https://localhost/
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* error:0A000126:SSL routines::unexpected eof while reading
* Closing connection 0
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

Works with:

docker run -it --name sqyrrl -p 443:3333 -v /conf:/conf "ghcr.io/wtsi-npg/sqyrrl:1.0.0" start --irods-env /conf/irods_environment.json --cert-file /conf/localhost.crt --key-file /conf/localhost.key --log-level trace --host 0.0.0.0

produces:

curl -k -vvv https://localhost/
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
...
<html>
<head>
    <title>Sqyrrl</title>
</head>
<body>

<div id="content" class="ui text container">
    <h2>Sqyrrl Homepage</h2>

    <h3>Application version: 1.0.0</h3>

    <h2>You requested: /</h2>
</div>

</body>
</head>

I tried the 0.0.0.0 after I read this post about issues with getting a certificate: https://github.com/pocketbase/pocketbase/issues/107#issuecomment-1193399902. I think it is a Go thing trying to resolve the IP of the host inside the container, then being unhappy because the IP inside the container does not match things in the certificate. I don't know enough Go to get a full trace of what is happening with the cert and why connections are not established. The default for net.Dial is 0.0.0.0. Maybe we should keep that as default, instead of localhost. Or try to document it to help people.

kjsanger commented 5 months ago

The default for the uncontainerised server should be localhost, so that anyone using it as a personal iRODS portal doesn't suddenly start serving their data to the network. This certainly needs documenting.
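The two comments above describe the same trade-off from both sides: a listener bound to localhost only accepts connections addressed to the loopback interface inside its own network namespace, which is the safe default for a personal portal on a workstation, but Docker publishes a port by forwarding to the container's own interface address, so a forwarded connection is refused inside the container. The client sees the host-side forwarder accept the TCP connection and then close it, which is exactly the "Client hello" followed by "unexpected eof" in the first curl trace. The Go program below is an added example, not code from sqyrrl: it binds a throwaway listener to each candidate bind address and checks which peer addresses it is reachable from. It uses the literal 127.0.0.1 rather than the name localhost so that the demonstration does not depend on name resolution; the 500 ms dial timeout is a chosen value.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// acceptsFrom reports whether a TCP listener bound to bindHost accepts a
// connection that arrives addressed to dialIP. It opens a throwaway listener
// on an ephemeral port, dials it at dialIP, and tears everything down again.
// A bind failure is returned as an error; a dial failure (refused or timed
// out) is reported as "not accepted", which is what a port-forwarder in front
// of the container experiences before it drops the client connection.
func acceptsFrom(bindHost string, dialIP net.IP) (bool, error) {
	ln, err := net.Listen("tcp", net.JoinHostPort(bindHost, "0"))
	if err != nil {
		return false, err
	}
	defer ln.Close()

	port := ln.Addr().(*net.TCPAddr).Port
	target := net.JoinHostPort(dialIP.String(), fmt.Sprint(port))
	conn, err := net.DialTimeout("tcp", target, 500*time.Millisecond)
	if err != nil {
		return false, nil
	}
	conn.Close()
	return true, nil
}

// nonLoopbackIPv4 returns the first non-loopback IPv4 address configured on
// this host (inside a container, typically eth0), or nil if there is none.
// This is the address a Docker port publication forwards traffic to.
func nonLoopbackIPv4() net.IP {
	addrs, err := net.InterfaceAddrs()
	if err != nil {
		return nil
	}
	for _, a := range addrs {
		ipn, ok := a.(*net.IPNet)
		if !ok {
			continue
		}
		if ip := ipn.IP.To4(); ip != nil && !ip.IsLoopback() {
			return ip
		}
	}
	return nil
}

func main() {
	loop := net.ParseIP("127.0.0.1")
	eth := nonLoopbackIPv4()
	// Compare the loopback-only bind (the uncontainerised default) with the
	// all-interfaces bind that a published container port requires.
	for _, bind := range []string{"127.0.0.1", "0.0.0.0"} {
		ok, err := acceptsFrom(bind, loop)
		fmt.Printf("bind %-9s dial %-15s -> accepted=%v err=%v\n", bind, loop, ok, err)
		if eth != nil {
			ok, err = acceptsFrom(bind, eth)
			fmt.Printf("bind %-9s dial %-15s -> accepted=%v err=%v\n", bind, eth, ok, err)
		}
	}
	if eth == nil {
		fmt.Println("no non-loopback IPv4 address on this host; only the loopback case was exercised")
	}
}
```

Run inside the container image and the 127.0.0.1 bind shows accepted=false for the eth0 address while the 0.0.0.0 bind shows accepted=true for both, which is why `--host 0.0.0.0` is needed there and why keeping localhost as the bare-metal default does not expose a personal portal to the network.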

kjsanger commented 5 months ago

I will update the Docker Compose file with that configuration, so that there's a working example of it.

kjsanger commented 5 months ago

Resolved