How to use Ngnix as a reverse proxy to access OpenShift (OKD) 4.X?


I've tried hundreds of setups for the reverse proxy (Nginx) and they all fail with the error "Application is not available" when we access the oauth-openshift.apps.mbr.some.dm route.

NOTE: This problem does not occur if we access this route directly (without using Reverse Proxy). Perhaps some information necessary for the route to be resolved is not being sent.

This is the basic configuration template we are using...

server {
    access_log /var/log/nginx/apps.mbr.some.dm-access.log;
    error_log /var/log/nginx/apps.mbr.some.dm-error.log;
    server_name *.apps.mbr.some.dm;

    location / {
        # Upstream is the OpenShift router (HAProxy) by IP address.
        proxy_pass https://10.2.0.18:443;
        # Pass the requested hostname through so the router can match the route.
        proxy_set_header Host $host;
        # X-Forwarded-For carries the client IP chain, not a URL.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # "ssl" is required here, otherwise nginx serves plain HTTP on port 443
    # and ignores the ssl_* directives below.
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/apps.mbr.some.dm/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apps.mbr.some.dm/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

We also tested these parameters and got some problems as you can see below...

server {
    [...]
    location / {
        [...]
        # Client certificate presented by nginx to the upstream (only needed
        # if the upstream requires client authentication).
        proxy_ssl_certificate /etc/nginx/backend_ss_certs/apps.mbr.some.dm.crt;
        proxy_ssl_certificate_key /etc/nginx/backend_ss_certs/apps.mbr.some.dm.key;
        # Must contain the CA chain that signed the upstream's serving
        # certificate; pointing it at the leaf certificate itself is what
        # produces "unable to verify the first certificate".
        proxy_ssl_trusted_certificate /etc/nginx/backend_ss_certs/apps.mbr.some.dm.crt.key.pem;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # Sends SNI to the upstream; the name sent is proxy_ssl_name, which
        # defaults to the proxy_pass host (here the bare IP 10.2.0.18).
        proxy_ssl_server_name on;
        proxy_ssl_session_reuse on;
        proxy_ssl_verify on;
        [...]
    }
    [...]
}

The certificates apps.mbr.some.dm.crt, apps.mbr.some.dm.key, apps.mbr.some.dm.crt.key.pem are the self-signed certificates used by OpenShift (OKD) to allow access to resources (HTTPS). However if we try to use these certificates with the reverse proxy (Nginx) the following error happens ("Bad Gateway")...

2021/07/22 17:36:11 [error] 6999#6999: *1 upstream SSL certificate verify error: (21:unable to verify the first certificate) while SSL handshaking to upstream, client: 177.25.231.233, server: ~^(?<subdomain>.+)\.apps\.mbr\.brlight\.net$, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.2.0.18:443/favicon.ico", host: "oauth-openshift.apps.mbr.some.dm", referrer: "https://oauth-openshift.apps.mbr.some.dm/oauth/authorize?client_id=console&redirect_uri=https%3A%2F%2Fconsole-openshift-console.apps.mbr.some.dm%2Fauth%2Fcallback&response_type=code&scope=user%3Afull&state=ff6f3064"

NOTE: We tested the apps.mbr.some.dm.crt and apps.mbr.some.dm.crt.key.pem certificates using curl and both worked perfectly.


PLUS: We couldn't find a way to diagnose/observe (logs) what goes wrong when the request arrives at the route oauth-openshift.apps.mbr.some.dm. I think this would help us figure out what's going wrong.


IMPORTANT: Hello Red Hat! A constructive criticism... We are very concerned about using this product for our customers due to the appalling difficulty in finding solutions to simple problems like the one presented here. We are practically giving up on this product and opting to offer another one from another company. This is really worrying... =[

Responses

People!

We confirm that the problem "Application is not available" only occurs in the route "oauth-openshift" (oauth-openshift.apps.mbr.some.dm). Can any human being say why this problem is occurring specifically for this route?

NOTE: If we log into the "oauth-openshift" route using an SSH tunnel, for example, we can use all other resources via the reverse proxy.

[]'s

MORE INFORMATION HERE: https://github.com/openshift/okd/discussions/784

Same issue here (using Traefik)

Only the oauth-openshift route is affected. I tried everything. With OKD 4.7.0-0.okd-2021-07-03-190901

@Eduardo Lúcio Amorim Costa Did you find a solution / workaround ?

The solution for Nginx is to add proxy_ssl_name $host;

There doesn't seem to be any equivalent for Traefik ATM.
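The fix from the last reply, written out as a complete nginx configuration. This is an added example, not configuration from the thread, from OpenShift or from Red Hat; the ingress-ca.pem path, the websocket map and the forwarding headers beyond Host are assumptions. The reason only oauth-openshift breaks: that route is a passthrough route, so the OpenShift router (HAProxy) never sees the HTTP Host header and selects the backend from the TLS SNI name. With proxy_pass pointing at an IP address, nginx does not send the requested hostname as SNI, the router finds no matching route and answers with its default "Application is not available" page. Edge and reencrypt routes such as the console are matched on the Host header, which proxy_set_header already supplies, which is why everything else works. proxy_ssl_name $host closes that gap; proxy_ssl_server_name on is required for the name to be sent at all.

```nginx
# Added example, not the thread's own config. Belongs in the http {} context.
# Map for websocket upgrades (console terminal/log streaming); assumption,
# not required for the oauth-openshift fix itself.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name *.apps.mbr.some.dm;

    access_log /var/log/nginx/apps.mbr.some.dm-access.log;
    error_log  /var/log/nginx/apps.mbr.some.dm-error.log;

    # Public-facing certificate (Let's Encrypt paths as in the thread).
    ssl_certificate     /etc/letsencrypt/live/apps.mbr.some.dm/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apps.mbr.some.dm/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # OpenShift router address from the thread.
        proxy_pass https://10.2.0.18:443;

        # Host header: what edge/reencrypt routes are matched on.
        proxy_set_header Host $host;
        # Standard forwarding headers; X-Forwarded-For holds client IPs, not a URL.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;

        # SNI: what passthrough routes (oauth-openshift) are matched on.
        # Without these two lines the router sees no usable server name
        # and serves its 503 "Application is not available" page.
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify the upstream against the CA that signed the router's and
        # oauth server's certificates, not against the leaf certificate
        # (that is the "unable to verify the first certificate" error).
        # File name is an assumption; export the cluster's ingress CA here.
        proxy_ssl_trusted_certificate /etc/nginx/backend_ss_certs/ingress-ca.pem;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;

        # Keep OAuth redirect Location headers untouched and allow websockets.
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

To confirm the diagnosis before changing nginx (this also answers the "how do we observe what goes wrong" question), connect to the router directly with and without a server name: `openssl s_client -connect 10.2.0.18:443 -servername oauth-openshift.apps.mbr.some.dm` should return the OAuth server's certificate, while the same command without `-servername` returns the router's default certificate, which is the connection nginx was making before the fix. On the router side, the HAProxy access log of the router pods (`oc logs -n openshift-ingress deploy/router-default`) shows the request landing on the default backend rather than on the oauth-openshift route.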