Develop Reference

Reverse proxy partially works on docker swarm

I setup a docker swarm with 3 nodes :
s1 : manager + worker
s2 : worker
s3 : worker
I deployed a nginx as a reverse proxy to a docker swarm service on each node with publishing port as mode=host to get the real ip. Nginx works "fine", i'am able to serve static content, use over https, etc ...
The part which doesn't work is the reverse_proxy :
if the nginx and the service are on the same node, everything works
if the nginx and the service aren't one the same node, i can only GET / because others requests ( like /css/style.css ) will fails with 499 ( from nginx point )
nginx network is an overlay network swarm-scopped and ip forwarding is enabled.
Here is my nginx configuration :
server {
listen 80;
server_name service.foo.bar;
location / {
proxy_pass http://service:80;
}
}
server {
listen 443 ssl;
server_name service.foo.bar;
ssl_certificate /ssl/service.foo.bar/fullchain.pem;
ssl_certificate_key /ssl/service.foo.bar/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://service:80;
}
}
Here is how i deployed my nginx :
docker service create --name nginx --mount /etc/nginx/nginx.conf:/etc/nginx/nginx.conf --mode=global --publish mode=host,published=80,target=80 --publish mode=host,published=443,target=443 --network nginx nginx
If i curl the node who hosts the service :
* TCP_NODELAY set
* Connected to service.foo.bar port 80 (#0)
> GET /app/polyfills.d92dcdb0a986e964fec8.js HTTP/1.1
> Host: service.foo.bar
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.21.6
< Date: Mon, 13 Jun 2022 15:38:36 GMT
< Content-Type: application/javascript
< Content-Length: 257750
< Connection: keep-alive
< cache-control: public, immutable, max-age=604800
< expires: Mon, 20 Jun 2022 15:38:36 GMT
< permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self "https://haveibeenpwned.com" "https://2fa.directory"), usb=(), vr=()
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< x-xss-protection: 0
<
/*! For license information please see polyfills.d92dcdb0a986e964fec8.js.LICENSE.txt */
[...]
If i curl a node which doesn't host the service :
* TCP_NODELAY set
* Connected to service.foo.bar port 80 (#0)
> GET /app/polyfills.d92dcdb0a986e964fec8.js HTTP/1.1
> Host: service.foo.bar
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.21.6
< Date: Mon, 13 Jun 2022 15:38:25 GMT
< Content-Type: application/javascript
< Content-Length: 257750
< Connection: keep-alive
< cache-control: public, immutable, max-age=604800
< expires: Mon, 20 Jun 2022 15:38:25 GMT
< permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self "https://haveibeenpwned.com" "https://2fa.directory"), usb=(), vr=()
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< x-xss-protection: 0
<
* transfer closed with 257750 bytes remaining to read
* Closing connection 0
curl: (18) transfer closed with 257750 bytes remaining to read
nginx log say :
nginx.0.scembp2e9iqp#s3 | 2022/06/13 15:38:36 [warn] 23#23: *114 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/5/00/0000000005 while reading upstream, client: #ip, server: service.foo.bar, request: "GET /app/polyfills.d92dcdb0a986e964fec8.js HTTP/1.1", upstream: "http://10.0.4.56:80/app/polyfills.d92dcdb0a986e964fec8.js", host: "service.foo.bar"
My nodes are connected each others over wireguard, this is my routing table :
default via #ip dev ens3
#ip dev ens3 scope link
10.252.1.0/24 dev wg0 proto kernel scope link src 10.252.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.19.0.0/16 dev docker_gwbridge proto kernel scope link src 172.19.0.1
Here is my wireguard configuration :
[Interface]
Address = 10.252.1.1/24
ListenPort = 51820
PrivateKey = ***
[Peer]
PublicKey = ***
AllowedIPs = 10.252.1.2/32
Endpoint = #s2
[Peer]
PublicKey = ***
AllowedIPs = 10.252.1.3/32
Endpoint = #s3
This is my firewall configuration :
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
-A INPUT -j FILTERS
-A DOCKER-USER -i ens3 -j FILTERS
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -p icmp --icmp-type echo-request -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FILTERS -p udp --dport 51820 -j ACCEPT
-A FILTERS -s 10.252.1.0/24 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-port-unreachable
COMMIT
Any ideas ? Am i missing something ?

ngx-socket-io connected false but flask_socketio logs show 200 OK

Any tips to debug would help, this is just the basic implementation.
I am using the exact tutorial as here to setup the ngx socket client:
https://www.npmjs.com/package/ngx-socket-io
flask-socketio for the server
https://flask-socketio.readthedocs.io/en/latest/
Server-side shows no error, but the registered handler methods to emit/receive seem blind.
Server Logs:
127.0.0.1 - - [28/Jan/2021 10:58:51] "GET /socket.io/?EIO=3&transport=polling&t=NT8Dtbg HTTP/1.1" 200 418 0.000640
(12285) accepted ('127.0.0.1', 37400)
fa1a1d40bbc349c384a121302ef567c7: Received request to upgrade to websocket
127.0.0.1 - - [28/Jan/2021 10:58:51] "GET /socket.io/?EIO=3&transport=polling&t=NT8Dtcd&sid=fa1a1d40bbc349c384a121302ef567c7 HTTP/1.1" 200 235 0.000408
127.0.0.1 - - [28/Jan/2021 10:58:51] "GET /socket.io/?EIO=3&transport=polling&t=NT8DtdE&sid=fa1a1d40bbc349c384a121302ef567c7 HTTP/1.1" 200 235 0.000268
fa1a1d40bbc349c384a121302ef567c7: Upgrade to websocket successful
5002732d42184ba6b453e7d4f35e864e: Received packet PING data None
5002732d42184ba6b453e7d4f35e864e: Sending packet PONG data None
Client logs:
config: {url: "http://127.0.0.1:5000/", options: {…}}
emptyConfig: {url: "", options: {…}}
eventObservables$: {}
ioSocket: Socket
acks: {}
connected: false
disconnected: true
flags: {}
ids: 0
io: Manager
autoConnect: true
backoff: Backoff {ms: 1000, max: 5000, factor: 2, jitter: 0.5, attempts: 0}
connecting: [Socket]
decoder: Decoder {reconstructor: null, _callbacks: {…}}
encoder: Encoder {}
encoding: false
engine: Socket {secure: false, agent: false, hostname: "127.0.0.1", port: "5000", query: {…}, …}
lastPing: Thu Jan 28 2021 11:00:56
Server code (no print)
#socketio.on('connect')
def test_connect():
print('\n\nClient connected')
Why can't I get the connection working? Thanks

Double check npm/python environment of current versions of socketio and engineio.
https://github.com/miguelgrinberg/python-socketio
d7e95928d73c42fab431e94ce2df40fc: Sending packet OPEN data {'sid': 'd7e95928d73c42fab431e94ce2df40fc', 'upgrades': ['websocket'], 'pingTimeout': 60000, 'pingInterval': 25000}
Client connected
d7e95928d73c42fab431e94ce2df40fc: Sending packet MESSAGE data 0

portquiz.net dlp test with python

I am trying to get a response from portquiz.net when probing port 80. For example, if we do this:
curl portquiz.net:80
we get the response:
Port 80 test successful!
Here is the python code:
import socket
server = "portquiz.net"
port = 80
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((server, port))
response = s.recv(1024)
print(repr(response))
With this code I get no response, the script just seems to hang.
Is this an issue with my code or is it something to do with portquiz's server?

Fingers, that is an HTTP server, so you need to make a GET request to it. As soon as you connect it is waiting for you to send data, that is why it hangs.
You can do this more easily with an HTTP library, however, if you want to use socket here is the code, with example run:
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ cat test.py
import socket
server = "portquiz.net"
port = 80
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((server, port))
# Send HTTP GET request to /
s.send('GET / HTTP/1.1\r\nHOST: {}\r\n\r\n'.format(server).encode())
response = s.recv(1024)
print(repr(response))
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ python test.py
b'HTTP/1.1 200 OK\r\nDate: Sun, 21 Jul 2019 22:25:32 GMT\r\nServer: Apache/2.4.29 (Ubuntu)\r\nVary: Accept-Encoding\r\nContent-Length: 2747\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n\n<html>\n<head>\n<title>Outgoing Port Tester</title>\n<style type="text/css">\nbody {\n\tfont-family: sans-serif;\n\tfont-size: 0.9em;\n}\n</style>\n\n</head>\n\n<body>\n<h1>Outgoing port tester</h1>\n\nThis server listens on all TCP ports, allowing you to test any outbound TCP port.\n\n<p>\nYou have reached this page on port <b>80</b>.<br/>\n</p>\n\nYour network allows you to use this port.\n(Assuming that your network is not doing advanced traffic filtering.)\n\n<p>\nNetwork service: http<br/>\nYour outgoing IP: 207.135.66.186</p>\n\n<h2>Test a port using a command</h2>\n\n<pre>\n$ telnet portquiz.net 80 \nTrying ...\nConnected to portquiz.net.\nEscape character is \'^]\'.\n</pre>\n<pre>\n$ nc -v portquiz.net 80 \nConnection to portquiz.net 80 port [tcp/daytime] succeeded!\n</pre>\n<pre>\n$ curl portquiz.net:80 \nPort 80 test successful!\nYour IP: 207.135.66.186</pre>\n<pre>\n$ wget -q'
Further thoughts on this, it looks like the sight might be looking for a CURL header when to determine which version - either HTML, or TEXT - that it sends. It may behoove you to specify the same header after the "HOST: " header that CURL does so the response is easier to parse.
For the example of it with a curl header, and how I figured out what to put there:
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ curl portquiz.net:80 -vvvv
* Rebuilt URL to: portquiz.net:80/
* Hostname was NOT found in DNS cache
* Trying 52.47.209.216...
* Connected to portquiz.net (52.47.209.216) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: portquiz.net
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 21 Jul 2019 22:34:36 GMT
* Server Apache/2.4.29 (Ubuntu) is not blacklisted
< Server: Apache/2.4.29 (Ubuntu)
< Content-Length: 49
< Content-Type: text/html; charset=UTF-8
<
Port 80 test successful!
Your IP: 207.135.66.186
* Connection #0 to host portquiz.net left intact
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ cat test.py
import socket
server = "portquiz.net"
port = 80
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((server, port))
get_request = "GET / HTTP/1.1\r\nHOST: {}\r\n" \
"User-Agent: curl/7.35.0\r\n\r\n".format(server)
s.send(get_request.encode())
response = s.recv(1024)
print(repr(response))
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ python test.py
b'HTTP/1.1 200 OK\r\nDate: Sun, 21 Jul 2019 22:34:47 GMT\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 49\r\nContent-Type: text/html; charset=UTF-8\r\n\r\nPort 80 test successful!\nYour IP: 207.135.66.186\n'

Login to docker registry located in Gitlab

I created a docker registry and want to connect it with GitLab. I followed this documentation https://docs.gitlab.com/ce/user/project/container_registry.html. After that I tried to login to docker, but I received 401 or Access denied, do you know how to fix this ?
docker login url
Username: gitlab-ci-token
Password:
https://<url>/v2/: unauthorized: HTTP Basic: Access denied
docker login <url>
Username: knikolov
Password:
https://<url>/v2/: unauthorized: HTTP Basic: Access denied
docker login <url>
Username: knikolov
Password:
Error response from daemon: login attempt to https://<url>/v2/ failed with status: 401 Unauthorized
production.log
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:42:51 +0000
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:42:54 +0000
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:42:57 +0000
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:43:00 +0000
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:43:03 +0000
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:43:06 +0000
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:43:09 +0000
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:43:12 +0000
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:43:15 +0000
Started POST "/api/v4/jobs/request" for 172.17.0.1 at 2017-06-22 14:43:18 +0000
Started GET "/jwt/auth?account=knikolov&client_id=docker&offline_token=true&service=container_registry" for 172.17.0.1 at 2017-06-22 14:43:19 +0000
Processing by JwtController#auth as HTML
Parameters: {"account"=>"knikolov", "client_id"=>"docker", "offline_token"=>"true", "service"=>"container_registry"}
Completed 200 OK in 191ms (Views: 0.5ms | ActiveRecord: 5.7ms)
Started GET "/admin/logs" for 172.17.0.1 at 2017-06-22 14:43:21 +0000
Processing by Admin::LogsController#show as HTML
Form the registry log I received:
registry_1 | time="2017-06-25T17:34:31Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.7.3 http.request.host=<url> http.request.id=e088c13e-aa4c-4701-af26-29e12874519b http.request.method=GET http.request.remoteaddr=37.59.24.105 http.request.uri="/v2/" http.request.useragent="docker/17.03.1-ce go/go1.7.5 git-commit/c6d412e kernel/4.4.0-81-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.03.1-ce \\(linux\\))" instance.id=c8d463e0-cf04-48f5-8daa-d096b4e75494 version=v2.6.1
registry_1 | 172.17.0.1 - - [25/Jun/2017:17:34:31 +0000] "GET /v2/ HTTP/1.0" 401 87 "" "docker/17.03.1-ce go/go1.7.5 git-commit/c6d412e kernel/4.4.0-81-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.03.1-ce \\(linux\\))"
registry_1 | time="2017-06-25T17:34:32Z" level=info msg="token from untrusted issuer: \"omnibus-gitlab-issuer\""
registry_1 | time="2017-06-25T17:34:32Z" level=warning msg="error authorizing context: invalid token" go.version=go1.7.3 http.request.host=<url> http.request.id=ff0d15e4-3198-4d69-910b-50bc27dd02f2 http.request.method=GET http.request.remoteaddr=37.59.24.105 http.request.uri="/v2/" http.request.useragent="docker/17.03.1-ce go/go1.7.5 git-commit/c6d412e kernel/4.4.0-81-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.03.1-ce \\(linux\\))" instance.id=c8d463e0-cf04-48f5-8daa-d096b4e75494 version=v2.6.1
registry_1 | 172.17.0.1 - - [25/Jun/2017:17:34:32 +0000] "GET /v2/ HTTP/1.0" 401 87 "" "docker/17.03.1-ce go/go1.7.5 git-commit/c6d412e kernel/4.4.0-81-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.03.1-ce \\(linux\\))"
this is my config for my registry:
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
delete:
enabled: true
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
auth:
token:
realm: https://<url>/jwt/auth
service: container_registry
issuer: gitlab-issuer
rootcertbundle: /certs/registry.crt
docker-compose.yml
registry:
restart: always
image: registry:2
ports:
- 127.0.0.1:5000:5000
environment:
- REGISTRY_STORAGE_DELETE_ENABLED=true
volumes:
- ./data:/var/lib/registry
- ./certs:/certs
- ./config.yml:/etc/docker/registry/config.yml
Gitlab docker-compose.yml
web:
image: 'gitlab/gitlab-ce:latest'
restart: always
hostname: '<gitlab_url>'
container_name: gitlab
environment:
GITLAB_OMNIBUS_CONFIG: |
external_url '<gitlab_url>'
gitlab_rails['gitlab_shell_ssh_port'] = 2224
registry_external_url '<docker-registry_url>'
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "172.17.0.1"
gitlab_rails['smtp_domain'] = "<smtp_domain>"
gitlab_rails['gitlab_email_from'] = '<gitlab_email_from>'
gitlab_rails['smtp_enable_starttls_auto'] = false
gitlab_rails['registry_enabled'] = true
registry_nginx['ssl_certificate'] = '/etc/gitlab/ssl/docker.registry.crt'
registry_nginx['ssl_certificate_key'] = '/etc/gitlab/ssl/docker.registry.key'
registry_nginx['proxy_set_headers'] = {
"Host" => "<dokcer-registry_url>"
}
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
"X-Forwarded-Proto" => "https",
"X-Forwarded-Ssl" => "on"
}
ports:
- '127.0.0.1:5432:80'
- '2224:22'
volumes:
- '/home/gitlab/gitlab-ce/config:/etc/gitlab'
- '/home/gitlab/gitlab-ce/logs:/var/log/gitlab'
- '/home/gitlab/gitlab-ce/data:/var/opt/gitlab'
- '/home/docker-registry/data:/var/opt/gitlab/gitlab-rails/shared/registry'

Make sure the .crt file and .key file exists on the path specified here in gitlab.rb if not make the changes and restart gitlab with - sudo gitlab-ctl restart
external_url 'https://myrepo.xyz.com'
nginx['redirect_http_to_https'] = true
registry_external_url 'https://registry.xyz.com'
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/registry.xyz.com.crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/registry.xyz.com.key"
More details available at - Appychip

It seems like you are not using the same RSA keypair for your Gitlab registry backend and your Docker setup.
Check your gitlab_rails['registry_key_path'] setting in Gitlab.rb and consult this very detailed guide.
https://m42.sh/gitlab-registry.html (unfortunately offline, backup copy here: https://github.com/ipernet/gitlab-docs/blob/master/gitlab-registry.md)

Make Sure that
The Drive on Docker is shared
(If the drive is not shared: Go to Docker and make the settings as Shared)
Username matches
Remove any domain name if included.
Try this

Issue sending metrics with statsd

I was using the following instructions to install and configure StatsD on a Graphite server:
https://www.digitalocean.com/community/tutorials/how-to-configure-statsd-to-collect-arbitrary-stats-for-graphite-on-ubuntu-14-04
Now that I have a server with StatsD running, I do not see the metrics being logged under /var/log/statsd/statsd.log when I am testing sending them from the command line. Here is what I see:
29 Oct 02:30:39 - server is up
29 Oct 02:47:49 - reading config file: /etc/statsd/localConfig.js
29 Oct 02:47:49 - server is up
29 Oct 14:16:45 - reading config file: /etc/statsd/localConfig.js
29 Oct 14:16:45 - server is up
29 Oct 15:36:47 - reading config file: /etc/statsd/localConfig.js
29 Oct 15:36:47 - DEBUG: Loading server: ./servers/udp
29 Oct 15:36:47 - server is up
29 Oct 15:36:47 - DEBUG: Loading backend: ./backends/graphite
29 Oct 15:36:47 - DEBUG: numStats: 3
The log stays at the last entry of 'numStats: 3', even though I keep entering different metrics at the command line.
Here are a sample of the metrics I entered:
echo "sample.gauge:14|g" | nc -u -w0 127.0.0.1 8125
echo "sample.gauge:10|g" | nc -u -w0 127.0.0.1 8125
echo "sample.count:1|c" | nc -u -w0 127.0.0.1 8125
echo "sample.set:50|s" | nc -u -w0 127.0.0.1 8125
Of interest, I see this under /var/log/statsd/stderr.log:
events.js:72
throw er; // Unhandled 'error' event
^
Error: listen EADDRINUSE
at errnoException (net.js:901:11)
at Server._listen2 (net.js:1039:14)
at listen (net.js:1061:10)
at Server.listen (net.js:1135:5)
at /usr/share/statsd/stats.js:383:16
at null.<anonymous> (/usr/share/statsd/lib/config.js:40:5)
at EventEmitter.emit (events.js:95:17)
at /usr/share/statsd/lib/config.js:20:12
at fs.js:268:14
at Object.oncomplete (fs.js:107:15)
Here is what my localConfig.js file looks like:
{
graphitePort: 2003
, graphiteHost: "localhost"
, port: 8125
, graphite: {
legacyNamespace: false
},
debug: true,
dumpMessages: true
}
Would anybody be able to shed some light as to where the problem lies?
Thanks!

There is a management interface available by default on port 8126: https://github.com/etsy/statsd/blob/master/docs/admin_interface.md
You likely have another service listening on that port in the same system.
Try this:
# localConfig.js
{
graphitePort: 2003
, graphiteHost: "localhost"
, port: 8125
, mgmt_port: 8127
, graphite: {
legacyNamespace: false
},
debug: true,
dumpMessages: true
}
See https://github.com/etsy/statsd/blob/master/exampleConfig.js#L28