Hi. I think there is no need to change the config-map per module.
Have you tried accessing the landing page and/or the linked modules - Admin etc. after restarting the MOSIP modules? Is there still an error? Is is the same error ?
Have you also checked MOSIP cluster pods using kubectl?
kubectl get pods -A
Hi @rcsampang
We already restarted, but on the landing page it still uses the old domain which is admin.epldtcloudlab.com
kubectl get pods -A
shows all pods are running
After editing the config map did you rerun kubectl apply -f global_configmap.yaml ?
If not, run it and restart the MOSIP services again.
Hi @rcsampang
We had applied it first using kubectl apply -f global_configmap.yaml
then restarted all mosip services.
But on the landing page it still redirecting to the old URL
if we manually go to admin.mosipnginx.epldtcloudlab.com then it returns a no web page found error.
Try restarting nginx
Hi @rcsampang
We already tried to restart nginx but same issue.
We are currently on the process of uninstalling & installing external/mosip services.
Will let you know once we finish.
Hmmmn, it should be running by now since all the pods are running without errors.
Can we look at logs of your admin pods?
kubectl get pods -A | grep admin
kubectl describe (pod name) -n (namespace)
kubectl logs (pod name)
Another aspect we should look at is did you install Wireguard? If you did, are the clients you are using to access the host have their public key listed in Wireguard server? Are the clients configured to access the MOSIP cluster?
https://docs.mosip.io/1.2.0/deploymentnew/v3-installation/on-prem-installation-guidelines
A Wireguard bastion host (Wireguard server) provides secure private channel to access MOSIP cluster. The host restricts public access, and enables access to only those clients who have their public key listed in Wireguard server. Wireguard listens on UDP port51820.
Hi @rcsampang
kubectl get pods -A | grep admin
no issue found when describing pods same with their logs
when accessing the admin portal, this issue shows, any idea what causing the api-internal to fails?
We didn’t use a wireguard since we have a VPN connection to access the cluster securely.
Good morning. If MOSIP cluster is working fine as shown in all pods running without error, then it is possible that it is an nginx configuration problem. It is also possible that there are issues in the VPN connection. Being that the case, I won’t be of any help to you.
My last piece of advice is to look at strict-origin-when-cross-origin . I don’t know much about it but it may apply to your installation.
Example Nginx configuration for adding cross-origin resource sharing (CORS) support to reverse proxied APIs Example Nginx configuration for adding cross-origin resource sharing (CORS) support to reverse proxied APIs · GitHub
Also, can you access and login to your Rancher cluster? Have you imported MOSIP cluster into it? If you did, explore the pods there, it shows other information that may be useful.
One last thing, how did you install nginx? did you use apt? or did you use the script in K8s-infra github? Assuming you are using MOSIP v.1.2.0.1-B3 https://github.com/mosip/k8s-infra/blob/v1.2.0.1-B3/mosip/on-prem/nginx/install.sh
Hi @rcsampang
Can we get a sample nginx config that you have done? so we could use it as a reference, you may modify the domain for security.
We use the script to install the nginx using MOSIP v.1.2.0.1-B3
I used the sample nginx.conf.sample provided in the K8s-infra github https://github.com/mosip/k8s-infra/blob/v1.2.0.1-B3/mosip/on-prem/nginx/nginx.conf.sample
The file would change slightly once you have run the script, it will insert the info you provided during the prompts.
I made sure the file nginx.conf.sample is in the same directory with the script install.sh before I run it.
Now that I looked at it again, I remembered that it is important that stream module is loaded:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_stream_module.so;
@karlxix after global configmap update did we redeployed the config server?
So basically how it works is:
While we deploy Config server we copy the gkobal config map to the config-server namespace abd then use the values to be provided to all the mosip services via config server.
So , below is the sequesntial steps:
Also, also that you were able to access the index page that means the nginx is configured properly and working. The cross origin failure happens due to use of multiple domains in the installation.
cc. @rcsampang
@karlxix please update the current status of env with respect to nginx and config map so that we will be in a better position to advice.
Hi @ckm007 / @rcsampang
We already apply the new global config-map then reinstall mosip/external services.
We have now reconfigured the DNS you may try it here
landing page > https://mosipnginx.epldtcloudlab.com/
Admin portal > https://admin.mosipnginx.epldtcloudlab.com/
configmap from config-server
configmap from admin
Here is our nginx configuration
192.168.60.9 is the private IP of our mosip nginx, other IP are mosip clusters
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_stream_module.so;
events {
worker_connections 768;
multi_accept on;
}
http {
##
# Basic Settings
##
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_max_body_size 30m; # Biometrics may there in the request.
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
##
# SSL Settings
##
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
#ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log error;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
# Comment out these lines, otherwise the default servers and settings in these locations will also get imported
#include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
upstream myPublicIngressUpstream {
server 192.168.60.10:30080;
server 192.168.60.11:30080;
server 192.168.60.12:30080;
server 192.168.60.13:30080;
server 192.168.60.14:30080;
server 192.168.60.15:30080;
server 125.5.228.67:30080;
}
upstream myInternalIngressUpstream {
server 192.168.60.10:31080;
server 192.168.60.11:31080;
server 192.168.60.12:31080;
server 192.168.60.13:31080;
server 192.168.60.14:31080;
server 192.168.60.15:31080;
}
upstream myMinioIngressUpstream {
server 192.168.60.10:30900;
server 192.168.60.11:30900;
server 192.168.60.12:30900;
server 192.168.60.13:30900;
server 192.168.60.14:30900;
server 192.168.60.15:30900;
}
ssl_certificate /etc/letsencrypt/live/mosipnginx.epldtcloudlab.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mosipnginx.epldtcloudlab.com/privkey.pem;
server{
listen 192.168.60.9:9000 ssl;
location / {
proxy_pass http://myMinioIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
server{
listen 192.168.60.9:443 ssl default;
location /v1/packetcreator/ {
proxy_pass http://myInternalIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
}
location / {
proxy_pass http://myInternalIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
# this server section is for accessing MOSIP API's publically over the internet.
# initially the same remains commented till the testing and improvement and customisation is in progress.
# once after go-live call the same section neded to be uncommented
server{
listen 443 ssl;
server_name mosipnginx.epldtcloudlab.com;
location / {
proxy_pass http://myPublicIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
}
stream {
# this section of servers is for tcp proxying
# add multiple servers one for each port, and proxy them to mosip cluster internal loadbalancer
# like postgres, activemq, etc
upstream myPostgresIngressUpstream {
server 192.168.60.10:31432;
server 192.168.60.11:31432;
server 192.168.60.12:31432;
server 192.168.60.13:31432;
server 192.168.60.14:31432;
server 192.168.60.15:31432;
}
upstream myActivemqIngressUpstream {
server 192.168.60.10:31616;
server 192.168.60.11:31616;
server 192.168.60.12:31616;
server 192.168.60.13:31616;
server 192.168.60.14:31616;
server 192.168.60.15:31616;
}
server{
listen 192.168.60.9:5432;
proxy_pass myPostgresIngressUpstream;
}
server{
listen 192.168.60.9:61616;
proxy_pass myActivemqIngressUpstream;
}
}
@karlxix is the installations script followed properly ?
@karlxix also can you share yous dns mapping details. Can see same mapping is done for public as well as private domains.
Private: api-internal.mosipnginx.epldtcloudlab.com
Public: api.mosipnginx.epldtcloudlab.com
Hi @ckm007
Here is the DNS Mapping, currently they are accessible online for troubleshooting purposes. they all point to the Mosip nginx IP.
Here is the newest nginx configuration mentioning those public domains
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_stream_module.so;
events {
worker_connections 768;
multi_accept on;
}
http {
##
# Basic Settings
##
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_max_body_size 30m; # Biometrics may there in the request.
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
##
# SSL Settings
##
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
#ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log error;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
# Comment out these lines, otherwise the default servers and settings in these locations will also get imported
#include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
upstream myPublicIngressUpstream {
server 192.168.60.10:30080;
server 192.168.60.11:30080;
server 192.168.60.12:30080;
server 192.168.60.13:30080;
server 192.168.60.14:30080;
server 192.168.60.15:30080;
server 125.5.228.67:30080;
}
upstream myInternalIngressUpstream {
server 192.168.60.10:31080;
server 192.168.60.11:31080;
server 192.168.60.12:31080;
server 192.168.60.13:31080;
server 192.168.60.14:31080;
server 192.168.60.15:31080;
}
upstream myMinioIngressUpstream {
server 192.168.60.10:30900;
server 192.168.60.11:30900;
server 192.168.60.12:30900;
server 192.168.60.13:30900;
server 192.168.60.14:30900;
server 192.168.60.15:30900;
}
ssl_certificate /etc/letsencrypt/live/mosipnginx.epldtcloudlab.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mosipnginx.epldtcloudlab.com/privkey.pem;
server{
listen 192.168.60.9:9000 ssl;
location / {
proxy_pass http://myMinioIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
server{
listen 192.168.60.9:443 ssl default;
location /v1/packetcreator/ {
proxy_pass http://myInternalIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
}
location / {
proxy_pass http://myInternalIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
# this server section is for accessing MOSIP API's publically over the internet.
# initially the same remains commented till the testing and improvement and customisation is in progress.
# once after go-live call the same section neded to be uncommented
server{
listen 443 ssl;
server_name api.mosipnginx.epldtcloudlab.com prereg.mosipnginx.epldtcloudlab.com resident.mosipnginx.epldtcloudlab.com;
location / {
proxy_pass http://myPublicIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
}
stream {
# this section of servers is for tcp proxying
# add multiple servers one for each port, and proxy them to mosip cluster internal loadbalancer
# like postgres, activemq, etc
upstream myPostgresIngressUpstream {
server 192.168.60.10:31432;
server 192.168.60.11:31432;
server 192.168.60.12:31432;
server 192.168.60.13:31432;
server 192.168.60.14:31432;
server 192.168.60.15:31432;
}
upstream myActivemqIngressUpstream {
server 192.168.60.10:31616;
server 192.168.60.11:31616;
server 192.168.60.12:31616;
server 192.168.60.13:31616;
server 192.168.60.14:31616;
server 192.168.60.15:31616;
}
server{
listen 192.168.60.9:5432;
proxy_pass myPostgresIngressUpstream;
}
server{
listen 192.168.60.9:61616;
proxy_pass myActivemqIngressUpstream;
}
}
Do we have two interfaces in the nginx server?
this is now okay, we reinstall everything from scratch.