Access API Server 502 after using HTTPS proxy #751

wisheen opened this issue Jul 14, 2020 · 7 comments
Labels: kind/bug, priority/medium

@wisheen

wisheen commented Jul 14, 2020

General remarks

This form is to report bugs. For general usage questions refer to our Slack channel
KubeSphere-users

Describe the bug
Using Nginx as a reverse proxy, when configured for HTTPS access, all /api/xx requests report 502 errors, but /kapis/xxx are fine. Using ip:30880 is also correct.

For UI issues please also add a screenshot that shows the issue.

Versions used(KubeSphere/Kubernetes)
KubeSphere: 2.1.0
Kubernetes: (If KubeSphere installer used, you can skip this)

Environment
How many nodes and their hardware configuration:
3 masters: 2cpu/4g
3 nodes: 4cpu/16g

(and other info are welcomed to help us debugging)

To Reproduce
Steps to reproduce the behavior:

Expected behavior
A clear and concise description of what you expected to happen.
The console supports HTTPS proxy access

@wisheen wisheen added the kind/bug Categorizes issue or PR as related to a bug. label Jul 14, 2020
@leoendless
Contributor

@zryfish Please help to resolve the problem.

@rayzhou2017 rayzhou2017 added this to the 3.0.0 milestone Jul 17, 2020
@rayzhou2017
Contributor

Please check if it still exists in 3.0.0 @zryfish

@zryfish
Member

zryfish commented Jul 23, 2020

Can you give more specific details? What's the error message, and what does your proxy configuration look like?

@wisheen
Author

wisheen commented Jul 23, 2020

Nginx settings:

server {
    listen 443 ssl;
    server_name  kubesphere.xxxx.com;
    ssl_certificate /etc/nginx/certs/xxxx.com.pem;
    ssl_certificate_key /etc/nginx/certs/xxxx.com.key;
    add_header Strict-Transport-Security "max-age=0; includeSubDomains" always;
    resolver 100.100.2.138 100.100.2.136;

    location / {
        #dyups_shm_zone_size 10MB;
        proxy_redirect      off;
        proxy_http_version  1.1;
        proxy_set_header    Host             $host;
        proxy_set_header    X-Real-IP        $remote_addr;
        proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto  $scheme;
        proxy_set_header    X-Nginx-Proxy true;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout      130;
        proxy_send_timeout         130;
        proxy_read_timeout         130;
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        proxy_buffering            off;
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection "upgrade";

        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http:// $scheme://;

        proxy_ssl_verify off;
        proxy_ssl_session_reuse on;

        proxy_pass  http://192.168.0.95:30880;
    }

}

Request:
https://kubesphere.xxx.com/infrastructure/nodes/master1

Request URL: https://kubesphere.xxxx.com/api/v1/nodes/master1
Request Method: GET
Status Code: 502 Bad Gateway
Remote Address: 192.168.0.95:443
Referrer Policy: no-referrer-when-downgrade
Connection: keep-alive
Content-Length: 16
Content-Type: text/plain; charset=utf-8
Date: Thu, 23 Jul 2020 14:17:05 GMT
Server: openresty/1.15.8.2
Strict-Transport-Security: max-age=0; includeSubDomains
Vary: Accept-Encoding
x-content-type-options: nosniff
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: keep-alive
content-type: application/json
Cookie: lang=en; currentUser=admin; kubesphere:sess.sig=qiwJX8EP9SGEndmzkCtbgtC4m0k; token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImFkbWluQGt1YmVzcGhlcmUuaW8iLCJpYXQiOjE1OTU1MTM2OTMsInVzZXJuYW1lIjoiYWRtaW4ifQ.ji1Wvgv5dU9xqiDG2vkwbgCT-qMlqTfyvjO28zmTk6o
Host: kubesphere.xxxx.com
Referer: https://kubesphere.xxxx.com/infrastructure/nodes/master1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/83.0.4103.61 Chrome/83.0.4103.61 Safari/537.36

@wisheen
Author

wisheen commented Aug 26, 2020

The old version 2.0.2 is correct

@wisheen
Author

wisheen commented Sep 16, 2020

It's a problem with the WebSocket settings.

Delete this section:

    server {
        # proxy_set_header    Upgrade $http_upgrade;
        # proxy_set_header    Connection "upgrade";
    }

or:

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 443 ssl;
        ...
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection $connection_upgrade;
        ...
    }
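
The difference between the two header settings above, as an added example that is not part of the original thread: it models two documented nginx behaviours (a `proxy_set_header` whose value is empty is not passed upstream, and `map` selects the `''` entry when the client sent no `Upgrade` header) to show what the upstream receives for a plain API GET versus a WebSocket handshake. The function names, the reduced config strings and the host name are constructed for illustration.

```python
import re

# Constructed: the two variants from the thread, reduced to the header directives.
HARDCODED = """
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
"""
MAPPED = """
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
"""
MAP_RE = re.compile(r"map\s+\$(\w+)\s+\$(\w+)\s*\{(.*?)\}", re.S)
HDR_RE = re.compile(r"^\s*proxy_set_header\s+(\S+)\s+(.+?);", re.M)

def unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"" else tok

def upstream_headers(conf, client_headers):
    """Model which Upgrade/Connection headers nginx sends upstream."""
    # $http_<name> variables come from the client request; a missing header is "".
    variables = {"http_" + k.lower().replace("-", "_"): v
                 for k, v in client_headers.items()}
    variables.setdefault("http_upgrade", "")
    # Evaluate each map block: exact match on the source value, else "default".
    for src, dst, body in MAP_RE.findall(conf):
        table = {}
        for line in body.strip().splitlines():
            key, value = line.strip().rstrip(";").split()
            table[unquote(key)] = unquote(value)
        variables[dst] = table.get(variables.get(src, ""), table.get("default", ""))
    sent = {}
    for name, raw in HDR_RE.findall(MAP_RE.sub("", conf)):
        value = unquote(raw.strip())
        if value.startswith("$"):
            value = variables.get(value[1:], "")
        if value:  # nginx does not pass a header whose value is empty
            sent[name] = value
    return sent

PLAIN_GET = {"Host": "kubesphere.example.test"}  # constructed, e.g. GET /api/v1/nodes/master1
WS_HANDSHAKE = {"Host": "kubesphere.example.test", "Upgrade": "websocket"}

if __name__ == "__main__":
    for label, conf in (("hard-coded", HARDCODED), ("map", MAPPED)):
        print(label, upstream_headers(conf, PLAIN_GET), upstream_headers(conf, WS_HANDSHAKE))
```

With the hard-coded value, every ordinary request reaches the upstream marked `Connection: upgrade` with no `Upgrade` header; the `map` variant sends `Connection: close` instead and leaves real WebSocket handshakes unchanged.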

@AnsNid

AnsNid commented Oct 8, 2023

proxy_ssl_server_name on;

Leioy pushed a commit to Leioy/console that referenced this issue Sep 25, 2024
* feat: add interval hooks

Signed-off-by: elichen95 <[email protected]>

* fix: fix use actions bugs

Signed-off-by: elichen95 <[email protected]>

* feat: add Object input and properties input component

Signed-off-by: elichen95 <[email protected]>

* feat: add TimeSelector component

Signed-off-by: elichen95 <[email protected]>

* fix: fix detail left side styles

Signed-off-by: elichen95 <[email protected]>

* feat: export Inputs and TimeSelector components

Signed-off-by: elichen95 <[email protected]>

---------

Signed-off-by: elichen95 <[email protected]>