We Keep Coding

Why does the query service in my Wikibase installed through Docker not contain content added to the main wikibase store?

We've installed wikibase-docker with an Apache server in front of it to handle SSL and proxy two vhosts to the ports from Docker.
api.example.com (to http://127.0.0.1:8181)
query.example.com (to http://127.0.01:8282/)
In the log from the wdqs-updater I see:
org.wikidata.query.rdf.tool.rdf.Munger$BadSubjectException: Unrecognized subjects: [https://api.example.com/entity/statement/Q12-caba1d44-46d5-8598-9185-784a75e4cebb, https://api.example.com/entity/statement/Q12-4c77991e-4674-5301-75f1-5b494612b56b, https://api.example.com/wiki/Special:EntityData/Q12, https://api.example.com/entity/Q12].
Expected only sitelinks and subjects starting with http://wikibase.svc/wiki/Special:EntityData/ and [http://wikibase.svc/entity/]
The 'wikibase.svc' name is used in the docker-compose.yml file and is the internal docker name.
To get the MediaWiki search working I had to update ${DOLLAR}wgServer = WebRequest::detectServer() in LocalSettings.php.template to have the value "https://api.example.com"
What do I need to change to make it work? All references to wikibase.svc in the docker-compose.yml file? Or something else?
I already tried updating WIKIBASE_HOST= for the wdqs-updater container, but that didn't seem to help.

In docker-compose you have a list of variables that work perfectly on a localhost. When you need to deploy it in production you need to change few variables to define the public hostname, Ip and SSL. I did setup a nginx setup to manage the hostname and SSL certificate.
In my setup I have 1 hostname per service, my Nginx that forward the request to the right port number all the wikibase on the same machine.
My query service setting for nginx add the ssl certificate and forward to the port 8282 the request sent to https://query.example.com
On my production machine I "just" need to replaxe example.com by personaldata.io.
server {
listen 80;
server_name query.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443;
server_name query.example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/query.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/query.example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
access_log /var/log/nginx/query.example.com.log;
location / {
proxy_pass http://127.0.0.1:8282;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-forwarded-host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
The variables I had to change on my setup:
QS_PUBLIC_SCHEME_HOST_AND_PORT=https://qs.example.com:443 # Public domain name and port
WIKIBASE_SCHEME=https
WIKIBASE_HOST=wiki.example.com
QS_PUBLIC_SCHEME_HOST_AND_PORT=https://qs.example.com:443
WB_PUBLIC_SCHEME_HOST_AND_PORT=https://wiki.example.com:443
WIKIBASE_SCHEME_AND_HOST=https://wiki.example.com

HTTPS SSL certificate does not work on NGINX

I have two docker containers running on AWS elastic beanstalk. One container has my web application(django) and the other has my NGINX server. I have a positiveSSL certificate verified for my domain name, after configuring my NGINX to accept HTTPS and it seems like the website refuses to connect over HTTPS and only works on HTTP
I have my AWS security groups open to accept traffic from port 443 and my certificate is valid so I can only assume I am not setting my nginx correctly
upstream app {
server app:8000;
}
server {
listen 443 ssl;
server_name mysite.com www.mysite.com;
ssl_certificate /app/ssl/mysite_chain.crt;
ssl_certificate_key /app/ssl/mysite.key;
location / {
proxy_pass http://app;
proxy_ssl_session_reuse on;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location /staticfiles/ {
alias /app/staticfiles/;
}
}
server {
listen 80;
location / {
proxy_pass http://app;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
}
location /staticfiles/ {
alias /app/staticfiles/;
}
}
Everything is working fine when I use normal HTTP and I don't get any logs from NGINX on HTTPS for some reason. The only message I get is from my browser saying the 'site can't be reached' and that the 'website refused the connection'. Is there something obvious here I am missing?

Nginx Proxy uploading to s3?

I am using nginx proxy to force all traffic through HTTPS. However, I have a page (/upload) which posts to /upload-downloadable which then uploads the users files using a stream to aws (bucketname.s3.eu-west-1.amazonaws.com)
It uploads as I can see it on AWS s3 bucket, but doesn't respond back to the server to tell the user? Works without the proxy perfectly, but not with my current config.
So it does Client -> AWS, but AWS->Server/Client doesn't work.
Any ideas?
upstream site {
server 127.0.0.1:1337;
}
upstream project {
server localhost:27017;
}
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name tryhackme.com;
error_page 502 /down.html;
location /down.html {
root /var/www/html;
}
#error_page 500 502 503 504 /var/www/html/down.html;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
#proxy_pass http://127.0.0.1:28017;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_read_timeout 3600;
proxy_pass http://localhost:1337/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

Api Gateway connection with Elastic Beanstalk (client-side SSL Certificate)

I'm trying to connect Api Gateway with my api in Elastic Beanstalk. I want my api only accesible by Api Gateway and for this I use client-side SSL certificate authorization in backend (like this aws publication Link:http://docs.aws.amazon.com/es_es/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html). So my arquitecture is like this:
API GATEWAY->ELASTIC LOAD BALANCER->EC2 (ELASTIC BEANSTALK)
My EC2 machine have NGINX and Ruby.
The connections work like this:
API GATEWAY -> (80 PORT) -> ELASTIC LOAD BALANCER -> (443 PORT) -> NGINX -> RUBY
I am doing the client auth in NGINX.
When I access the Elastic Load Balancer using a browser, it shows 400 Bad Request - NGINX error: No required SSL certificate was sent (this is correct because I'm not sending the certificate). But when I access using Api Gateway and sending the client certificate I get the same error (I don't understand why).
When I configure the SSL connection in NGINX, I'm using SSL certificates signed by me (maybe this is the problem?)
Other posible cause for my problem is the port configuration in Elastic Load Balancer (in the picture). I have Backend Authentication: Disabled. Is this a problem?
Pictura Port Config ELB
My nginx configuration is:
upstream my_app {
server unix:///var/run/puma/my_app.sock;
}
log_format healthd '$msec"$uri"'
'$status"$request_time"$upstream_response_time"'
'$http_x_forwarded_for';
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name localhost;
root /usr/share/nginx/html;
ssl on;
ssl_certificate /etc/nginx/ssl/dev.crt;
ssl_certificate_key /etc/nginx/ssl/dev.key;
ssl_trusted_certificate /etc/nginx/ssl/api-gateway.pem;
ssl_client_certificate /etc/nginx/ssl/api-gateway.pem;
ssl_verify_client on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
if ($ssl_client_verify = FAILED) {
return 495;
}
if ($ssl_client_verify = NONE) {
return 402;
}
if ($ssl_client_verify != SUCCESS) {
return 403;
}
try_files $uri/index.html $uri #my_app;
location #my_app {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Client-IP $remote_addr;
proxy_pass http://my_app;
proxy_set_header X-Client-Verify $ssl_client_verify;
}
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://my_app; # match the name of upstream directive which is defined above
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header gonzalo1 $ssl_client_verify;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

Amazon API Gateway does not support self-signed certificates for integration endpoints. Have you tried using a certificate from Amazon Certificate Manager or Let's Encrypt?

Rails 4 + Websocket-rails + Passenger + Nginx + Load balancer

I've added some features to a couple of our web apps that needs websocket-rails. Everything works fine in development, but I am not sure how to deploy all this in our production environment since it's a bit more complex.
The production setup:
1 server used as a Load balancer (Nginx).
2 servers used as web servers, where our rails apps run using Nginx and Passenger (both servers are identical).
Several other servers used by the app servers but I believe they are irrelevant for this question.
All sites are running on HTTPS.
Load balancer configs
Here's an example for one of the sites, the others have similar configs:
upstream example {
ip_hash;
server xx.xx.xx.xx:443;
server xx.xx.xx.xx:443;
}
server {
listen 80;
listen 443 ssl;
ssl on;
ssl_certificate /etc/nginx/ssl/example.chained.crt;
ssl_certificate_key /etc/nginx/ssl/example.key;
server_name example.com;
rewrite ^(.*) https://www.example.com$1 permanent;
}
server {
listen 80;
listen 443 ssl;
ssl on;
ssl_certificate /etc/nginx/ssl/example.chained.crt;
ssl_certificate_key /etc/nginx/ssl/example.key;
server_name www.example.com;
if ($ssl_protocol = "") {
rewrite ^ https://$server_name$request_uri? permanent;
}
client_max_body_size 2000M;
location /css { root /home/myuser/maintenance; }
location /js { root /home/myuser/maintenance; }
location /img { root /home/myuser/maintenance; }
location /fonts { root /home/myuser/maintenance; }
error_page 502 503 #maintenance;
location #maintenance {
root /home/myuser;
if ($uri !~ ^/maintenance/) {
rewrite ^(.*)$ /maintenance/example.html break;
}
}
location / {
proxy_pass https://example;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Web server configs
Again, here's an example for one of the sites, the others have similar configs:
server {
server_name example.com;
rewrite ^(.*) https://www.example.com$1 permanent;
}
server {
listen 80;
listen 443 ssl;
ssl on;
ssl_certificate /etc/nginx/ssl/example.chained.crt;
ssl_certificate_key /etc/nginx/ssl/example.key;
root /var/www/example/public;
server_name www.example.com;
if ($ssl_protocol = "") {
rewrite ^ https://$server_name$request_uri? permanent;
}
client_max_body_size 2000M;
passenger_enabled on;
rails_env production;
passenger_env_var SECRET_KEY_BASE "SOME_SECRET";
}
What I've gathered so far:
I'll need to enable passenger sticky sessions
I'll need to create a location in the site's server section where the websocket server is listening to.
I'll need to override the concurrent requests of passenger for the websocket location to unlimited.
My Questions:
Do I have to enable the passenger sticky sessions also in the load balancer's configs? I am guessing this is only for the web servers.
How would the location section for the websocket server look like?
Do I have to create the websocket location section also on the load balancer?
Having the sticky sessions is enough to keep the various apps and servers in synch?
I have various apps running on each server and they should all receive the same notifications (socket messages) so they should all connect to the same websocket server (I'm guessing). Now that websocket-rails is part of their gemsets, won't each app try to spawn their own websocket server? If so, how do I prevent that and make them spawn only one in case none is running yet?
As you can see I am quite confused about how websocket-rails works with passenger and nginx in production so even if you don't have all the answers, any input is greatly appreciated!
UPDATE
I've tried the following on the load balancer:
upstream websocket {
server xx.xx.xx.xx:443;
server xx.xx.xx.xx:443;
}
location /websocket {
proxy_pass https://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade websocket;
proxy_set_header Connection Upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#also tried with this:
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection "upgrade";
}
and on the app servers:
location /websocket {
proxy_pass https://www.example.com/websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade websocket;
proxy_set_header Connection Upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#also tried with this:
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection "upgrade";
}
On the client side I connect to the url WebSocketRails('www.example.com/websocket'); and i get the following error:
WebSocket connection to 'wss://www.example.com/websocket' failed: Error during WebSocket handshake: Unexpected response code: 404
Any ideas?

I don't think you'll need passenger sticky sessions on the load balancer
This blog covers relevant WebSocket config for NGINX. You need the WebSocket config on the load balancer, and also on the web server if you want to pass the Upgrade and Connection headers to the rails app.