GKE MultiClusterIngress with HTTP/3 support - google-cloud-platform

I'm using GKE's MultiClusterIngress to set up a load balancer that routes traffic to the closest GKE cluster. The load balancer set up by MultiClusterIngress advertises HTTP/3 (QUIC) support in the alt-svc header. However when using curl with --http3, I am unable to connect:
* Connect socket 5 over QUIC to [redacted]:443
* connect to [redacted] port 443 failed: Failure when receiving data from the peer
* Failed to connect to [redacted] port 443 after 127 ms: Failure when receiving data from the peer
If I query the created load balancer using gcloud, I see that it has quicOverride set to NONE, which according to the docs means that it should support QUIC.
How do I get QUIC working?

I was hitting the load balancer using its IP address instead of using a valid DNS name. Setting up DNS and using that works as expected.
If somebody is familiar with how QUIC works, I'd love to understand why setting the Host header is not sufficient to set up a connection.
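As an added example (not code from the question or the answer above), the check a practitioner would run at this point: read the Alt-Svc header to confirm that h3 is advertised and on which port, then probe with curl --http3-only while pinning the load balancer IP with --resolve, so the hostname stays in the URL. The Host header only travels inside the encrypted stream after the handshake; the name the server sees during the handshake is the SNI, which curl takes from the URL host and omits entirely for an IP literal. The hostname, the IP and the curl build (7.88 or newer for --http3-only, compiled with HTTP/3 support) are assumptions; the sample Alt-Svc value is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): decide from the Alt-Svc header
# whether HTTP/3 is advertised, then probe with curl while keeping the
# hostname in the URL so the TLS ClientHello carries it as SNI.
# Assumes a curl built with HTTP/3 support; HOST and IP are placeholders.

# Return 0 if an Alt-Svc value advertises h3 (any draft suffix such as h3-29 counts).
alt_svc_advertises_h3() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -E 's/^[[:space:]]+//' \
    | grep -Eq '^h3(-[0-9]+)?='
}

# Print the port of the first h3 alternative (alt-authority ":443" -> 443).
alt_svc_h3_port() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -E 's/^[[:space:]]+//' \
    | sed -nE 's/^h3(-[0-9]+)?="[^"]*:([0-9]+)".*/\2/p' | head -n 1
}

# Fetch the Alt-Svc header over a normal HTTPS request first; that header is
# how the server advertises its QUIC endpoint. (Needs network; not part of the test.)
fetch_alt_svc() {  # fetch_alt_svc HOST
  curl -sSI "https://$1/" | tr -d '\r' \
    | awk 'tolower($1) == "alt-svc:" { sub(/^[^:]*:[[:space:]]*/, ""); print }'
}

# Probe HTTP/3 against a specific IP. --resolve pins the address but leaves the
# URL hostname intact, so curl sends it as SNI and as :authority.
# Contrast with the IP-in-URL form the question used:
#   curl --http3-only -H "Host: $host" "https://$ip/"
# There the Host header is only sent after the handshake, and the ClientHello
# carries no SNI because the URL host is an IP literal.
h3_probe() {  # h3_probe HOST IP [PORT]
  host=$1; ip=$2; port=${3:-443}
  curl -sS -o /dev/null --http3-only \
       --resolve "$host:$port:$ip" \
       -w 'http_version=%{http_version} status=%{http_code}\n' \
       "https://$host:$port/"
}

# Constructed sample, the shape a Google load balancer returns.
SAMPLE_ALT_SVC='h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'
```

Usage: `alt_svc_advertises_h3 "$(fetch_alt_svc lb.example.com)" && h3_probe lb.example.com 203.0.113.10`; a successful probe prints `http_version=3 status=200`.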

Related

Can't run GCP VM on public IP with SSH

I am setting up a Virtual Machine node.js server at Google Cloud Platform. I have set up SSH keys so that I can log into my VM. I can successfully log into my VM using SSH-in-browser and start my server.
I can't access my public IP address through Chrome. I get this message:
This site can’t provide a secure connection.
When I try to connect to the IP within SSH-in-browser, I get the following:
$ curl -vso /dev/null --connect-timeout 5 34.68.254.120:8080
* Trying 34.68.254.120:8080...
* connect to 34.68.254.120 port 8080 failed: Connection refused
* Failed to connect to 34.68.254.120 port 8080: Connection refused
* Closing connection 0
I'm new at this. Any ideas would be appreciated. Thanks!
Edit1: Some more details --
Linux VM
port 8080 ingress is open on the firewall
I'm using OS Login (enable-oslogin = TRUE, enable-oslogin-sk = FALSE)
I can successfully log into console with both SSH-in-Browser and PuTTY, and I can start my server on port 8080
In both, I get the error above when I try to connect to the IP address
EDIT:
Follow the steps below to fix the “This Site Can’t Provide a Secure Connection” error:
This error typically indicates a problem with either your browser’s configuration or the SSL certificate on your site.
1) Your local environment doesn’t have an SSL certificate.
2) Outdated SSL caches in the browser. (This is one of the more popular causes. Web browsers store SSL certificates in a cache, much like other data. This means they don’t have to verify the certificate every time you visit a site, which speeds up browsing. However, if your SSL certificate changes and the browser is still loading an older, cached version, it can cause this error to pop up.)
3) Incorrect time and date settings on your computer.
4) Rogue browser extensions.
5) Overzealous antivirus software.
6) An invalid or expired SSL certificate.
If your firewall rules prevent external access:
Check your firewall rules with the following command: gcloud compute firewall-rules list. With this, you can review the VPC where the VM instance was migrated and whether it allows ingress on TCP port 22.
If this firewall rule is missing, you can add it in the GCP console -> VPC Networks -> select your VPC network -> Firewall rules, and double-check that TCP port 22 is allowed.
If the issue is still ongoing after checking the firewall rules, you can follow this guide to start troubleshooting the SSH connection.
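Added example, not from the question or the answer above: a small diagnostic for the "Connection refused" in the question. A refusal is an active reset, which means the packet reached the VM and nothing was listening on that address and port (a Node server bound to 127.0.0.1, for instance, does not answer on the external address); a GCP VPC firewall rule that blocks traffic drops it silently and shows up as a timeout instead, so the two failures can be told apart. The ss output below is constructed; the live helpers assume ss and curl are available on the VM.

```shell
#!/bin/sh
# Added example (not from the original post): classify what is listening on a
# port from `ss -ltn` output, then check the path from outside.
# "Connection refused" = reset by the VM: nothing listens on that address:port.
# A blocking VPC firewall rule drops packets and shows up as a timeout.

# listener_scope "<ss -ltn output>" PORT
# Prints "all" when the port is bound on a wildcard address, "local:<addr>"
# when bound on one specific address (typically loopback), "none" otherwise.
listener_scope() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" {
      p = $4; sub(/.*:/, "", p)            # port is after the last colon
      if (p != port) next
      a = $4; sub(/:[^:]*$/, "", a)        # address is everything before it
      if (a == "0.0.0.0" || a == "*" || a == "[::]") { print "all"; found = 1; exit }
      specific = a
    }
    END { if (!found) print (specific == "" ? "none" : "local:" specific) }'
}

# Live checks (need ss/curl; not run by the offline test).
check_port_on_vm() {  # check_port_on_vm PORT, run on the VM itself
  listener_scope "$(ss -ltn)" "$1"
}
# From a machine outside the VPC: a timeout points at the firewall, a refusal
# at the listener. Prints the HTTP status, or 000 when no connection was made.
check_port_from_outside() {  # check_port_from_outside IP PORT
  curl -sS -o /dev/null --connect-timeout 5 -w '%{http_code}\n' "http://$1:$2/"
}

# Constructed `ss -ltn` sample: sshd on the wildcard address, a Node server
# that called listen(8080, "127.0.0.1") and is therefore loopback-only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      4096   [::]:22            [::]:*'
```

For the sample, `listener_scope "$SAMPLE_SS" 8080` prints `local:127.0.0.1`, which is exactly the case where the firewall rule is correct and the connection is still refused; the fix is on the server side (listen on 0.0.0.0, or omit the host argument), not in the firewall.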

How to reach a webserver via fargate?

I have created a webpage with Clojure and it works perfectly on EC2 on port 8555 with SSL. It also works in the Docker container on the same EC2 machine.
It does not work in a Fargate container in front of an NLB. I have my DNS on the load balancer. The private IP of the running container is also healthy, and the security group has an inbound rule for 8555.
If I invoke the site: https://www.doppelkopf.me:8555
Secure Connection Failed
An error occurred during a connection to www.doppelkopf.me:8555. SSL peer was unable to negotiate an acceptable set of security parameters.
Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
If I invoke it without SSL, I get at least an encrypted hello world:
http://www.doppelkopf.me:8555
Does SSL need to initiate a connection as well? Do I maybe need a NAT gateway? My certificate is in my container.
I do not know why, but this suddenly worked when I changed the port from 8555 to 443 with SSL.

amqplib & AWS MQ: Socket closed abruptly during opening handshake

So the current issue I have is that before, I was able to connect properly to my RabbitMQ cluster hosted on AWS MQ. After I changed its IP visibility to private, I had to create some configuration to access the cluster from outside the VPC.
Current example of how the cluster is accessed:
mq.example.com -> Load balancer (w/target group to cluster host IP & TLS port 5671) in public VPC -> Cluster in private VPC.
I've done the same thing for the web console. Now the web console works perfectly, so the issue isn't necessarily with the load balancing or a certificate issue. I then checked whether the issue could be with the code I wrote, but that is also not the case, since sometimes from inside the services it connects, but sometimes it then doesn't. It throws the error: "Socket closed abruptly during opening handshake".
I think I know where the issue may arise from, however I don't really have a proper view on how to solve it. I believe the issue has to do with the fact that the service has to go through the load balancer first before it can connect to the Rabbit cluster. I just don't know what to do about it, and most documentation on amqplib is obscure as it is. I haven't found any (documented) similar issue with AWS MQ and a load balancer.
So my question, specifically, is: how would I be able to resolve the fact that sometimes my services connect and sometimes don't connect to the cluster when they go through the load balancer?
Good to know: I use AWS MQ for Rabbit, amqplib for the client connection, and amqps as the protocol; the web console works with the same setup but the services don't.
For people who run into this issue later on, I have found a solution:
When creating a Network Load Balancer to route traffic to your cluster, you have to assign it a target group. Make sure NOT to do this: do not register both port 5671 (AMQPS) and 443 (web console) to the same target group. Routing issues like this will arise.
Instead, do the following:
Create two target groups on AWS EC2:
TG1: Register: TLS - 443 (web console)
TG2: Register: TLS - 5671 (AMQPS)
Your NLB, which is configured with simple routing and an alias for IPv4 connections, then needs the following listeners:
Listener 1: TLS - 443, assigned to TG1
Listener 2: TLS - 5671, assigned to TG2
This should then make sure that whenever you connect, there is no confusion for the microservice that is trying to connect to the cluster.
You can then connect to your web console with your subdomain:
e.g. webconsole.example.com
and to your services with e.g. amqps://cluster.example.com:5671 as the host (how your host is formatted depends on the library you're using on the client side).
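As an added example (not code from the post, from amqplib or from AWS), a check for the invariant the answer above relies on: each NLB listener forwards to a target group whose registered targets all use that listener's port, so 443 reaches only the console and 5671 only the AMQPS port. The listener and target data below is constructed (placeholder ARNs, a broker at 10.0.1.5); the aws CLI helpers fetch the real data and assume credentials and the load balancer ARN in LB_ARN.

```shell
#!/bin/sh
# Added example (not from the original post): flag NLB listeners whose target
# group contains targets registered on a different port than the listener,
# the setup the answer says to avoid (443 and 5671 in one target group).

# check_nlb_target_ports LISTENERS TARGETS
#   LISTENERS: one "PORT<TAB>TARGET_GROUP_ARN" per line
#   TARGETS:   one "TARGET_GROUP_ARN<TAB>TARGET_ID<TAB>TARGET_PORT" per line
# Prints one MISMATCH line per target whose port differs from the listener
# that forwards to it; exit status 1 if any mismatch was found, 0 otherwise.
check_nlb_target_ports() {
  { printf '%s\n' "$1"; printf '##\n'; printf '%s\n' "$2"; } | awk -F '\t' '
    /^##$/ { phase = 1; next }
    phase == 0 { n++; lp[n] = $1; lt[n] = $2; next }
    NF == 3   { m++; tt[m] = $1; ti[m] = $2; tp[m] = $3 }
    END {
      for (i = 1; i <= n; i++)
        for (j = 1; j <= m; j++)
          if (tt[j] == lt[i] && tp[j] != lp[i]) {
            printf "MISMATCH: listener :%s -> %s has target %s:%s\n", lp[i], lt[i], ti[j], tp[j]
            bad++
          }
      exit (bad > 0)
    }'
}

# Live data (needs the aws CLI and credentials; not run by the offline test).
nlb_listeners() {  # nlb_listeners LB_ARN
  aws elbv2 describe-listeners --load-balancer-arn "$1" \
    --query 'Listeners[].[Port,DefaultActions[0].TargetGroupArn]' --output text
}
nlb_targets() {  # nlb_targets LB_ARN
  for tg in $(aws elbv2 describe-target-groups --load-balancer-arn "$1" \
                --query 'TargetGroups[].TargetGroupArn' --output text); do
    aws elbv2 describe-target-health --target-group-arn "$tg" \
      --query 'TargetHealthDescriptions[].[Target.Id,Target.Port]' --output text \
      | awk -v tg="$tg" -v OFS='\t' '{ print tg, $1, $2 }'
  done
}
# Usage against a real NLB:
#   check_nlb_target_ports "$(nlb_listeners "$LB_ARN")" "$(nlb_targets "$LB_ARN")"

# Constructed data; the ARNs and the broker address are placeholders.
TG_ALL='arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/mq-all/0123456789abcdef'
TG_CONSOLE='arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/mq-console/0123456789abcdef'
TG_AMQPS='arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/mq-amqps/0123456789abcdef'
# The setup the answer warns against: both listeners -> one target group that
# has the broker registered on both ports.
BAD_LISTENERS=$(printf '443\t%s\n5671\t%s' "$TG_ALL" "$TG_ALL")
BAD_TARGETS=$(printf '%s\t10.0.1.5\t443\n%s\t10.0.1.5\t5671' "$TG_ALL" "$TG_ALL")
# The corrected setup: one target group per port.
GOOD_LISTENERS=$(printf '443\t%s\n5671\t%s' "$TG_CONSOLE" "$TG_AMQPS")
GOOD_TARGETS=$(printf '%s\t10.0.1.5\t443\n%s\t10.0.1.5\t5671' "$TG_CONSOLE" "$TG_AMQPS")
```

On the constructed bad data the check reports two mismatches (the 443 listener can reach the 5671 target and vice versa), which is the intermittent "Socket closed abruptly during opening handshake" pattern: the AMQP client sometimes lands on the console port. On the corrected data it prints nothing and exits 0.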

502 Server Error after configuring the Load Balancer in Google Cloud Platform

I am using WordPress Certified by Bitnami and Automattic, and one VM Instance running in Google Cloud Compute Engine.
I configured a free SSL certificate from Let's Encrypt for my website and also configured the Certbot Auto-Renewal script.
I tried using Cloudflare and I was sometimes receiving 5xx errors, mostly the 522 timeout error. I stopped using the Cloudflare service and tried to configure a GCP load balancer for my VM instance.
I created an unmanaged instance group and configured the HTTP protocol for my backend service with Cloud CDN enabled in the load balancer; for the frontend, I configured the HTTP and HTTPS protocols and created a Google-managed SSL certificate for the HTTPS protocol in my load balancer.
(The SSL certificate is ACTIVE)
I used this link to configure my load balancer in Google Cloud Platform:
https://docs.bitnami.com/google-templates/how-to/configure-lb-ssl-google-templates/
The problem is that I have 2 SSL certificates and I get a 502 Server Error:
"Error: Server Error. The server encountered a temporary error and could not complete your request. Please try again in 30 seconds."
I don't know how to solve this problem.
I just want to use a very basic and common configuration for my website.
I also want to know why I received a 522 timeout error from Cloudflare and how to solve it.
I need a quick response and appreciate your answers and help in advance.
I would advise you to follow [1] to create an HTTPS load balancer with the backend service [2]. Once you create that, you can enable CDN [3].
Regarding the errors, make sure that your backend instance is healthy and supports the HTTP/2 protocol. You can verify this by testing connectivity to the backend instance using HTTP/2.
After you verify that the VM uses the HTTP/2 protocol, make sure your firewall setup allows the health checker and load balancer to pass through.
If there are no problems with the firewall setup, ensure that the load balancer is configured to talk to the correct port on the VM. I would also suggest you walk through [4] for more steps that you can take to troubleshoot this issue.
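Added example (not from the answer above or from Bitnami's guide): the two checks the answer asks for, in script form. Health checks for Google's external HTTP(S) load balancers arrive from 35.191.0.0/16 and 130.211.0.0/22, so an ingress firewall rule must admit those ranges on the backend port; otherwise every backend is reported unhealthy and the frontend returns 502. The script tests whether a rule's source ranges cover both health-check ranges, and then asks the backend service what it sees for each instance. It assumes gcloud is installed and authenticated; the backend-service name and the sample source ranges are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): does the firewall admit Google's
# health-check probes, and what does the backend service report?
# Health-check source ranges for external HTTP(S) load balancing:
#   35.191.0.0/16 and 130.211.0.0/22

# ip2int 35.191.0.0 -> 32-bit integer
ip2int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains OUTER INNER -> exit 0 if INNER lies entirely inside OUTER
cidr_contains() {
  onet=${1%/*}; obits=${1#*/}
  inet=${2%/*}; ibits=${2#*/}
  [ "$ibits" -ge "$obits" ] || return 1           # a /8 cannot sit inside a /16
  mask=$(( (4294967295 << (32 - obits)) & 4294967295 ))
  [ $(( $(ip2int "$onet") & mask )) -eq $(( $(ip2int "$inet") & mask )) ]
}

# hc_ranges_allowed "RANGE1,RANGE2,..." -> exit 0 when each health-check range
# is covered by at least one of the given source ranges. A bare address is
# treated as /32, as gcloud does.
hc_ranges_allowed() {
  ranges=$(printf '%s' "$1" | tr ',' ' ')
  for hc in 35.191.0.0/16 130.211.0.0/22; do
    covered=1
    for r in $ranges; do
      case $r in */*) ;; *) r="$r/32" ;; esac
      if cidr_contains "$r" "$hc"; then covered=0; break; fi
    done
    if [ "$covered" -ne 0 ]; then
      echo "health-check range $hc is not allowed by: $1"
      return 1
    fi
  done
  return 0
}

# Live checks (need gcloud; not run by the offline test).
# check_hc_firewall is a coarse first pass: it unions the source ranges of all
# ingress rules in the project and does not verify that the matching rule also
# opens the backend port or targets this VM; inspect that rule by hand next.
check_hc_firewall() {
  hc_ranges_allowed "$(gcloud compute firewall-rules list \
      --filter='direction=INGRESS' \
      --format='value(sourceRanges.list())' | tr '\n' ',')"
}
# What the load balancer itself thinks of each backend instance.
backend_health() {  # backend_health BACKEND_SERVICE_NAME
  gcloud compute backend-services get-health "$1" --global
}
```

A rule with source range 0.0.0.0/0 on the backend port passes the check, as does one listing the two ranges explicitly; a rule restricted to, say, 10.0.0.0/8 fails it, and in that case `backend_health` will show every instance as UNHEALTHY even though the site answers directly on the VM's address.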

Load balancing in GCE to cluster

I'm trying to set up load balancing to my cluster that I created via Container Engine, but I keep getting 502 Server Error.
Here is what I do.
I make sure that my service really runs by taking this IP in the Kubernetes dashboard.
I have only one instance group, so this belongs to the cluster.
Port 80 is open for every instance in the firewall rules.
I created a load balancer with this configuration. As you can see, I set the only instance group I have, and I also set up a health check. The health check is an HTTP endpoint /api/ping/ that returns HTTP 200 with body "pong". But I keep getting 502 ERROR. I understand it happens because the health check doesn't pass. Apparently it's because when the load balancer is sending requests, it sends them directly to the instances, instead of to the Docker containers. If I go by the IP of the VM instance where I host my cluster, I get nothing as well.
I want to do it so I could switch traffic between different clusters if I decide to create a new one, and also so I would be able to balance HTTPS traffic.
Maybe it will help someone, so I will post the answer.
I created my pods via the Kubernetes UI using their constructor form. When I used this form, ports were not exposed to the host machine (even though I marked them as external ports). I wrote a YAML config and exposed the ports there to the host machine. After this the balancer started working.
I used this block to expose port 80 to the host machine:
ports:
- containerPort: 80
  hostPort: 80
  protocol: TCP