How to use Ngnix as a reverse proxy to access OpenShift (OKD) 4.X?
I've tried hundreds of setups for the reverse proxy (Nginx) and they all fail with the error "Application is not available" when we access the oauth-openshift.apps.mbr.some.dm route.
NOTE: This problem does not occur if we access this route directly (without using Reverse Proxy). Perhaps some information necessary for the route to be resolved is not being sent.
This is the basic configuration template we are using...
server {
access_log /var/log/nginx/apps.mbr.some.dm-access.log;
error_log /var/log/nginx/apps.mbr.some.dm-error.log;
server_name ~^(?<subdomain>.+)\.apps\.mbr\.some\.dm$;
location / {
proxy_pass https://10.2.0.18:443;
proxy_set_header Host $subdomain.apps.mbr.some.dm;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
}
listen 443;
ssl_certificate /etc/letsencrypt/live/apps.mbr.some.dm/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/apps.mbr.some.dm/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
We also tested these parameters and got some problems as you can see below...
server {
[...]
location / {
[...]
proxy_ssl_certificate /etc/nginx/backend_ss_certs/apps.mbr.some.dm.crt;
proxy_ssl_certificate_key /etc/nginx/backend_ss_certs/apps.mbr.some.dm.key;
proxy_ssl_trusted_certificate /etc/nginx/backend_ss_certs/apps.mbr.some.dm.crt.key.pem;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_server_name on;
proxy_ssl_session_reuse on;
proxy_ssl_verify on;
[...]
}
[...]
}
The certificates apps.mbr.some.dm.crt, apps.mbr.some.dm.key, apps.mbr.some.dm.crt.key.pem are the self-signed certificates used by OpenShift (OKD) to allow access to resources (HTTPS). However if we try to use these certificates with the reverse proxy (Nginx) the following error happens ("Bad Gateway")...
2021/07/22 17:36:11 [error] 6999#6999: *1 upstream SSL certificate verify error: (21:unable to verify the first certificate) while SSL handshaking to upstream, client: 177.25.231.233, server: ~^(?<subdomain>.+)\.apps\.mbr\.brlight\.net$, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.2.0.18:443/favicon.ico", host: "oauth-openshift.apps.mbr.some.dm", referrer: "https://oauth-openshift.apps.mbr.some.dm/oauth/authorize?client_id=console&redirect_uri=https%3A%2F%2Fconsole-openshift-console.apps.mbr.some.dm%2Fauth%2Fcallback&response_type=code&scope=user%3Afull&state=ff6f3064"
NOTA: We tested the apps.mbr.some.dm.crt and apps.mbr.some.dm.crt.key.pem certificates using curl and both worked perfectly.
PLUS: We couldn't define a way to diagnose/observe (logs) about what goes wrong when the request arrives the route oauth-openshift.apps.mbr.some.dm . I think this would help us figure out what's going wrong.
0 Answers