Admin UI not found

Hi. I think there is no need to change the config-map per module.

Have you tried accessing the landing page and/or the linked modules - Admin etc. after restarting the MOSIP modules? Is there still an error? Is it the same error?

Have you also checked MOSIP cluster pods using kubectl?
kubectl get pods -A

Hi @rcsampang

We already restarted, but on the landing page it still uses the old domain which is admin.epldtcloudlab.com

kubectl get pods -A
shows all pods are running

After editing the config map did you rerun kubectl apply -f global_configmap.yaml ?

If not, run it and restart the MOSIP services again.

Hi @rcsampang

We had applied it first using kubectl apply -f global_configmap.yaml
then restarted all mosip services.

But the landing page is still redirecting to the old URL.
If we manually go to admin.mosipnginx.epldtcloudlab.com then it returns a no web page found error.

Try restarting nginx

Hi @rcsampang

We already tried to restart nginx but it is the same issue.
We are currently in the process of uninstalling & installing external/mosip services.
Will let you know once we finish.

Hi @rcsampang

We already reinstalled Mosip Modules & External, but it is still the same issue for the admin portal.

Hmmmn, it should be running by now since all the pods are running without errors.

Can we look at logs of your admin pods?

kubectl get pods -A | grep admin

kubectl describe pod (pod name) -n (namespace)

kubectl logs (pod name) -n (namespace)

Another aspect we should look at: did you install Wireguard? If you did, do the clients you are using to access the host have their public key listed in the Wireguard server? Are the clients configured to access the MOSIP cluster?

https://docs.mosip.io/1.2.0/deploymentnew/v3-installation/on-prem-installation-guidelines

A Wireguard bastion host (Wireguard server) provides secure private channel to access MOSIP cluster. The host restricts public access, and enables access to only those clients who have their public key listed in Wireguard server. Wireguard listens on UDP port 51820.

Hi @rcsampang

kubectl get pods -A | grep admin

No issue found when describing the pods; same with their logs.
When accessing the admin portal, this issue shows. Any idea what is causing the api-internal to fail?


We didn’t use a wireguard since we have a VPN connection to access the cluster securely.

Good morning. If the MOSIP cluster is working fine, as shown by all pods running without error, then it is possible that it is an nginx configuration problem. It is also possible that there are issues in the VPN connection. That being the case, I won’t be of any help to you.

My last piece of advice is to look at strict-origin-when-cross-origin . I don’t know much about it but it may apply to your installation.

Example Nginx configuration for adding cross-origin resource sharing (CORS) support to reverse proxied APIs · GitHub

Also, can you access and login to your Rancher cluster? Have you imported MOSIP cluster into it? If you did, explore the pods there, it shows other information that may be useful.

One last thing, how did you install nginx? Did you use apt? Or did you use the script in K8s-infra github? Assuming you are using MOSIP v.1.2.0.1-B3 https://github.com/mosip/k8s-infra/blob/v1.2.0.1-B3/mosip/on-prem/nginx/install.sh

Hi @rcsampang

Can we get a sample nginx config that you have done? so we could use it as a reference, you may modify the domain for security.

We use the script to install the nginx using MOSIP v.1.2.0.1-B3

I used the sample nginx.conf.sample provided in the K8s-infra github https://github.com/mosip/k8s-infra/blob/v1.2.0.1-B3/mosip/on-prem/nginx/nginx.conf.sample

The file would change slightly once you have run the script, it will insert the info you provided during the prompts.

I made sure the file nginx.conf.sample is in the same directory with the script install.sh before I run it.

Now that I looked at it again, I remembered that it is important that the stream module is loaded:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_stream_module.so;

@karlxix after the global configmap update, did we redeploy the config server?

So basically how it works is:
While we deploy the config server, we copy the global config map to the config-server namespace and then use the values to be provided to all the MOSIP services via the config server.

So, below are the sequential steps:

  1. make changes in configmap.
  2. redeploy config-server
  3. restart mosip modules

Also, given that you were able to access the index page, that means nginx is configured properly and working. The cross-origin failure happens due to the use of multiple domains in the installation.
cc. @rcsampang


@karlxix please update the current status of the env with respect to nginx and config map so that we will be in a better position to advise.

Hi @ckm007 / @rcsampang

We already applied the new global config-map, then reinstalled mosip/external services.

We have now reconfigured the DNS you may try it here
landing page > https://mosipnginx.epldtcloudlab.com/
Admin portal > https://admin.mosipnginx.epldtcloudlab.com/

configmap from config-server

configmap from admin

Here is our nginx configuration
192.168.60.9 is the private IP of our mosip nginx, other IP are mosip clusters

user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_stream_module.so;

events {
    worker_connections 768;
    multi_accept on;
}

http {

    ##
    # Basic Settings
    ##
    proxy_buffer_size  128k;
    proxy_buffers  4 256k;
    proxy_busy_buffers_size 256k;
    client_max_body_size 30m; # Biometrics may be there in the request.

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    #include /etc/nginx/mime.types;
    #default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    #ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log error;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    # Comment out these lines, otherwise the default servers and settings in these locations will also get imported
    #include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;

    upstream myPublicIngressUpstream {
        server 192.168.60.10:30080;
        server 192.168.60.11:30080;
        server 192.168.60.12:30080;
        server 192.168.60.13:30080;
        server 192.168.60.14:30080;
        server 192.168.60.15:30080;
        server 125.5.228.67:30080;
    }

    upstream myInternalIngressUpstream {
        server 192.168.60.10:31080;
        server 192.168.60.11:31080;
        server 192.168.60.12:31080;
        server 192.168.60.13:31080;
        server 192.168.60.14:31080;
        server 192.168.60.15:31080;
    }

    upstream myMinioIngressUpstream {
        server 192.168.60.10:30900;
        server 192.168.60.11:30900;
        server 192.168.60.12:30900;
        server 192.168.60.13:30900;
        server 192.168.60.14:30900;
        server 192.168.60.15:30900;
    }

    ssl_certificate /etc/letsencrypt/live/mosipnginx.epldtcloudlab.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mosipnginx.epldtcloudlab.com/privkey.pem;

    server{
        listen 192.168.60.9:9000 ssl;

        location / {
            proxy_pass                      http://myMinioIngressUpstream;
            proxy_http_version              1.1;
            proxy_set_header                Upgrade $http_upgrade;
            proxy_set_header                Connection "upgrade";
            proxy_set_header                Host $host;
            proxy_set_header                Referer $http_referer;
            proxy_set_header                X-Real-IP $remote_addr;
            proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header                X-Forwarded-Proto $scheme;
            proxy_pass_request_headers      on;
        }
    }

    server{
        listen 192.168.60.9:443 ssl default;

        location /v1/packetcreator/ {
            proxy_pass                      http://myInternalIngressUpstream;
            proxy_http_version              1.1;
            proxy_set_header                Upgrade $http_upgrade;
            proxy_set_header                Connection "upgrade";
            proxy_set_header                Host $host;
            proxy_set_header                Referer $http_referer;
            proxy_set_header                X-Real-IP $remote_addr;
            proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header                X-Forwarded-Proto $scheme;
            proxy_pass_request_headers      on;
            proxy_connect_timeout           600;
            proxy_send_timeout              600;
            proxy_read_timeout              600;
            send_timeout                    600;
        }

        location / {
            proxy_pass                      http://myInternalIngressUpstream;
            proxy_http_version              1.1;
            proxy_set_header                Upgrade $http_upgrade;
            proxy_set_header                Connection "upgrade";
            proxy_set_header                Host $host;
            proxy_set_header                Referer $http_referer;
            proxy_set_header                X-Real-IP $remote_addr;
            proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header                X-Forwarded-Proto $scheme;
            proxy_pass_request_headers      on;
        }
    }


    # This server section is for accessing MOSIP APIs publicly over the internet.
    # Initially it remains commented while testing, improvement and customisation are in progress.
    # After the go-live call this section needs to be uncommented.
    server{
        listen 443 ssl;
        server_name mosipnginx.epldtcloudlab.com;

        location / {
            proxy_pass                      http://myPublicIngressUpstream;
            proxy_http_version              1.1;
            proxy_set_header                Upgrade $http_upgrade;
            proxy_set_header                Connection "upgrade";
            proxy_set_header                Host $host;
            proxy_set_header                Referer $http_referer;
            proxy_set_header                X-Real-IP $remote_addr;
            proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header                X-Forwarded-Proto $scheme;
            proxy_pass_request_headers      on;
        }
    }
}

stream {
    # this section of servers is for tcp proxying
    # add multiple servers one for each port, and proxy them to mosip cluster internal loadbalancer
    # like postgres, activemq, etc
    upstream myPostgresIngressUpstream {
        server 192.168.60.10:31432;
        server 192.168.60.11:31432;
        server 192.168.60.12:31432;
        server 192.168.60.13:31432;
        server 192.168.60.14:31432;
        server 192.168.60.15:31432;
    }

    upstream myActivemqIngressUpstream {
        server 192.168.60.10:31616;
        server 192.168.60.11:31616;
        server 192.168.60.12:31616;
        server 192.168.60.13:31616;
        server 192.168.60.14:31616;
        server 192.168.60.15:31616;
    }

    server{
        listen 192.168.60.9:5432;
        proxy_pass myPostgresIngressUpstream;
    }
    server{
        listen 192.168.60.9:61616;
        proxy_pass myActivemqIngressUpstream;
    }
}

@karlxix was the installation script followed properly?

  1. Can see there is no public domain mentioned in public server section.
    https://github.com/mosip/k8s-infra/blob/main/mosip/on-prem/nginx/nginx.conf.sample#L142
    As part of the script, below is the prompt which asks for comma-separated publicly available domains:
    Give list of (comma seperated) publicly exposing domain names (without any whitespaces). Ex: api.sandbox.xyx.net, prereg.sandbox.xyz.net, resident.sandbox.xyz.net, esignet.sandbox.xyz.net etc : "
  2. Also in the same server section can see that public ip is not mentioned. This is asked as part of install.sh prompts.
    https://github.com/mosip/k8s-infra/blob/main/mosip/on-prem/nginx/nginx.conf.sample#L141
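
The listen-address and server_name points in the reply above can be checked offline. This is an added example (not code from the thread or from the MOSIP k8s-infra repository) that mimics nginx's documented selection order: listen address and port first, then the Host header against server_name. `parse_servers`, `route` and the 203.0.113.10 address are assumptions for illustration; only exact server names and IPv4 listens are handled.

```python
import re

# Constructed sample: the three http{} server blocks from the first config
# posted in this thread, trimmed to listen/server_name plus one location each.
SAMPLE_CONF = """
server{
    listen 192.168.60.9:9000 ssl;
    location / { proxy_pass http://myMinioIngressUpstream; }
}
server{
    listen 192.168.60.9:443 ssl default;   # internal block
    location / { proxy_pass http://myInternalIngressUpstream; }
}
server{
    listen 443 ssl;                        # public block
    server_name mosipnginx.epldtcloudlab.com;
    location / { proxy_pass http://myPublicIngressUpstream; }
}
"""

def parse_servers(conf):
    """Extract listen sockets and exact server_names from each server block."""
    conf = re.sub(r"#.*", "", conf)             # drop comments
    servers = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i]
        listens = []
        for value in re.findall(r"\blisten\s+([^;]+);", body):
            sock, *flags = value.split()
            addr, _, port = sock.rpartition(":")
            is_default = bool({"default", "default_server"} & set(flags))
            listens.append((addr or "*", int(port), is_default))
        names = " ".join(re.findall(r"\bserver_name\s+([^;]+);", body)).split()
        servers.append({"listens": listens, "names": names})
    return servers

def route(servers, local_addr, port, host):
    """Index of the server block that handles a request, or None."""
    def listening_on(addr):
        return [(i, s, d) for i, s in enumerate(servers)
                for a, p, d in s["listens"] if (a, p) == (addr, port)]
    # An address-specific listen shadows the wildcard listen for that address.
    candidates = listening_on(local_addr) or listening_on("*")
    if not candidates:
        return None
    for i, s, _ in candidates:
        if host in s["names"]:
            return i
    defaults = [i for i, _, d in candidates if d]
    return defaults[0] if defaults else candidates[0][0]

if __name__ == "__main__":
    servers = parse_servers(SAMPLE_CONF)
    for addr in ("192.168.60.9", "203.0.113.10"):   # second address is hypothetical
        idx = route(servers, addr, 443, "api.mosipnginx.epldtcloudlab.com")
        print(f"connection to {addr}:443 -> server block #{idx}")
```

With every DNS name pointing at 192.168.60.9, all port-443 requests land in the internal block (#1); the public block (#2) is reached only through a different local address.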

@karlxix also, can you share your DNS mapping details? Can see the same mapping is done for public as well as private domains.
Private: api-internal.mosipnginx.epldtcloudlab.com
Public: api.mosipnginx.epldtcloudlab.com


Hi @ckm007

Here is the DNS mapping; currently they are accessible online for troubleshooting purposes. They all point to the Mosip nginx IP.

Here is the newest nginx configuration mentioning those public domains

user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_stream_module.so;

events {
    worker_connections 768;
    multi_accept on;
}

http {

    ##
    # Basic Settings
    ##
    proxy_buffer_size  128k;
    proxy_buffers  4 256k;
    proxy_busy_buffers_size 256k;
    client_max_body_size 30m; # Biometrics may be there in the request.

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    #include /etc/nginx/mime.types;
    #default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    #ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log error;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    # Comment out these lines, otherwise the default servers and settings in these locations will also get imported
    #include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;

    upstream myPublicIngressUpstream {
        server 192.168.60.10:30080;
        server 192.168.60.11:30080;
        server 192.168.60.12:30080;
        server 192.168.60.13:30080;
        server 192.168.60.14:30080;
        server 192.168.60.15:30080;
        server 125.5.228.67:30080;
    }

    upstream myInternalIngressUpstream {
        server 192.168.60.10:31080;
        server 192.168.60.11:31080;
        server 192.168.60.12:31080;
        server 192.168.60.13:31080;
        server 192.168.60.14:31080;
        server 192.168.60.15:31080;
    }

    upstream myMinioIngressUpstream {
        server 192.168.60.10:30900;
        server 192.168.60.11:30900;
        server 192.168.60.12:30900;
        server 192.168.60.13:30900;
        server 192.168.60.14:30900;
        server 192.168.60.15:30900;
    }

    ssl_certificate /etc/letsencrypt/live/mosipnginx.epldtcloudlab.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mosipnginx.epldtcloudlab.com/privkey.pem;

    server{
        listen 192.168.60.9:9000 ssl;

        location / {
            proxy_pass                      http://myMinioIngressUpstream;
            proxy_http_version              1.1;
            proxy_set_header                Upgrade $http_upgrade;
            proxy_set_header                Connection "upgrade";
            proxy_set_header                Host $host;
            proxy_set_header                Referer $http_referer;
            proxy_set_header                X-Real-IP $remote_addr;
            proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header                X-Forwarded-Proto $scheme;
            proxy_pass_request_headers      on;
        }
    }

    server{
        listen 192.168.60.9:443 ssl default;

        location /v1/packetcreator/ {
            proxy_pass                      http://myInternalIngressUpstream;
            proxy_http_version              1.1;
            proxy_set_header                Upgrade $http_upgrade;
            proxy_set_header                Connection "upgrade";
            proxy_set_header                Host $host;
            proxy_set_header                Referer $http_referer;
            proxy_set_header                X-Real-IP $remote_addr;
            proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header                X-Forwarded-Proto $scheme;
            proxy_pass_request_headers      on;
            proxy_connect_timeout           600;
            proxy_send_timeout              600;
            proxy_read_timeout              600;
            send_timeout                    600;
        }

        location / {
            proxy_pass                      http://myInternalIngressUpstream;
            proxy_http_version              1.1;
            proxy_set_header                Upgrade $http_upgrade;
            proxy_set_header                Connection "upgrade";
            proxy_set_header                Host $host;
            proxy_set_header                Referer $http_referer;
            proxy_set_header                X-Real-IP $remote_addr;
            proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header                X-Forwarded-Proto $scheme;
            proxy_pass_request_headers      on;
        }
    }


    # This server section is for accessing MOSIP APIs publicly over the internet.
    # Initially it remains commented while testing, improvement and customisation are in progress.
    # After the go-live call this section needs to be uncommented.
    server{
        listen 443 ssl;
        server_name api.mosipnginx.epldtcloudlab.com prereg.mosipnginx.epldtcloudlab.com resident.mosipnginx.epldtcloudlab.com;

        location / {
            proxy_pass                      http://myPublicIngressUpstream;
            proxy_http_version              1.1;
            proxy_set_header                Upgrade $http_upgrade;
            proxy_set_header                Connection "upgrade";
            proxy_set_header                Host $host;
            proxy_set_header                Referer $http_referer;
            proxy_set_header                X-Real-IP $remote_addr;
            proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header                X-Forwarded-Proto $scheme;
            proxy_pass_request_headers      on;
        }
    }
}

stream {
    # this section of servers is for tcp proxying
    # add multiple servers one for each port, and proxy them to mosip cluster internal loadbalancer
    # like postgres, activemq, etc
    upstream myPostgresIngressUpstream {
        server 192.168.60.10:31432;
        server 192.168.60.11:31432;
        server 192.168.60.12:31432;
        server 192.168.60.13:31432;
        server 192.168.60.14:31432;
        server 192.168.60.15:31432;
    }

    upstream myActivemqIngressUpstream {
        server 192.168.60.10:31616;
        server 192.168.60.11:31616;
        server 192.168.60.12:31616;
        server 192.168.60.13:31616;
        server 192.168.60.14:31616;
        server 192.168.60.15:31616;
    }

    server{
        listen 192.168.60.9:5432;
        proxy_pass myPostgresIngressUpstream;
    }
    server{
        listen 192.168.60.9:61616;
        proxy_pass myActivemqIngressUpstream;
    }
}

Do we have two interfaces in the nginx server?


This is now okay; we reinstalled everything from scratch.