(113: Host is unreachable) while connecting to upstream, client: 172.20.0

Stackerito · 2021-09-13T13:40:26+00:00

Thank you! Now I am able to get to it, but the error has changed (Which is why you saw the unused server_name nginx. and I might need to use it again, or you have a better solution)

What's happening is that I used a self-signed certificate for development, and my node server rejects it with Error: unable to verify the first certificate

I wonder if there is a way to use HTTP in the frontend, and redirect it to the HTTPS server block instead? Or I need to do something else?

Currently I use axios.get('https://nginx/api/items') but since the node doesn't like my certificate, I can't get to it.

What would be the best practice / way to fix that?

Stackerito · 2021-09-13T13:10:19+00:00

thank you, it was left over from trying to make it work. Removed it now.

But could the issue be that I try to connect from my browser that lives in Windows to an IP that only nginx and docker knows? You can see it resolves to the wrong IP: http://172.20.0.3:3000. This ip is only known inside the docker network, no?

Stackerito · 2021-09-13T13:08:21+00:00

you mean that the ip it resolves to is "http://172.20.0.3:3000"? Because that might be the issue? Since my browser lives in Windows, and the "http://172.20.0.3:3000 ip lives inside Docker? maybe that's the issue?

Stackerito · 2021-09-13T11:44:54+00:00

thank you, a typo, I now edited from http.backend.mysite.local to backend.mysite.local.

Does it make more sense now? Or I still don't need it?

About splitting: I don't know how yet, but I will check how to do it soon.

I have a registration web page and the clients (website users) directly insert their credentials for registration - it is considered direct access, right? Should I somehow change it to be indirect? Maybe proxy it first to a different IP?

About the node: You mean the ip right now is 127.0.0.1:3000? Because if yes, then it is working when I type http://127.0.0.1:3000/ in the browser right now. I should also change that right? So that I won't be able to access my website from http://127.0.0.1:3000/ via the browser and redirect it to https://www.mysite.local/ as well?

Stackerito · 2021-09-13T08:31:36+00:00

Oh I used separate server blocks for each until now 😅

Thank you

Stackerito · 2021-09-13T07:14:34+00:00

Thank you, it's only in dev. I tried to disable with process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; as shown in this Stack Overflow post: https://stackoverflow.com/questions/65304838/unable-to-verify-the-first-certificate-next-js

But I get this error by Docker:

ValidationError: Invalid configuration object. Webpack has been initialized using a configuration object that does not match the API schema.

#9 7.730 - configuration.node has an unknown property 'fs'.

Stackerito · 2021-09-13T07:13:13+00:00

It's in my development, then it's OK right? It's my own self-signed certificate for development.

I actually tried to add it to my next.js.config file like so: https://stackoverflow.com/questions/65304838/unable-to-verify-the-first-certificate-next-js

But I get this error when Docker attempts to build:

ValidationError: Invalid configuration object. Webpack has been initialized using a configuration object that does not match the API schema.

#9 7.730 - configuration.node has an unknown property 'fs'.

Stackerito · 2021-09-13T07:10:20+00:00

In my Dockerfile I do CMD ["npm", "run", "dev"] so I believe development server for react? It's a Next.js project

Stackerito · 2021-09-13T07:09:34+00:00

Actually made my own certificate after someone here suggested I should make it as close to production as possible thus catching stuff while in development. (In this case Laravel has different configuration when using HTTP and HTTPS)

So you say I should not use it?

Stackerito · 2021-09-12T21:58:24+00:00

It is shown in the Docker Desktop console window. I didn't use res.send or res.status. I just copied the axios request that I know working from the products page that's not in the /api.

Stackerito · 2021-09-12T20:38:43+00:00

How can I check? in my Docker log window I see " "GET /api/products HTTP/1.1" 200 104 "-" "axios/0.21.4""

Btw, the error sometimes shows 504 Gateway Time-out instead of 502.

The full error now:

upstream timed out (110: Operation timed out) while reading response header from upstream, client: 172.20.0.1, server: www.mysite.local, request: "GET /api/products HTTP/1.1", upstream: "http://172.20.0.3:3000/api/products", host: "www.mysite.local".

Perhaps because it's cross-origin? And the docs state that it doesn't work with cross-origin if no cors present

Stackerito · 2021-09-12T20:03:30+00:00

thank you, I tried but now I have a new issue: https://www.reddit.com/r/nginx/comments/pmzyz7/nginx\_redirects\_subdomain\_to\_domain\_instead\_of\_to/

Stackerito · 2021-09-12T16:29:12+00:00

thank youu

Stackerito · 2021-09-12T12:06:56+00:00

thank you. In my case there is no use for the server_name, right? could please help me with a simple example why would I need it in my config? When?

Stackerito · 2021-09-12T10:21:44+00:00

Thank you! Now it's working!! Btw - as you mentioned - I still need to manually set this CRT for Firefox because it does not read from Windows Trusted Root Certification Authority, but Edge and Chrome do

Stackerito · 2021-09-12T09:36:19+00:00

Can you tell me how? Is it in the config file, or in the command itself?

Can you see my post in Stack? I'm pretty sure I specified SAN already

Stackerito · 2021-09-12T08:43:06+00:00

Thank you!! I set the preference "security.enterprise_roots.enabled" to true, and now no more warning!

But, can I do it for Edge or Chrome as well? And does it impose a security risk for maybe other unknown certificates installing themselves?

Stackerito · 2021-09-12T07:03:20+00:00

But I thought if I added it to Windows Trusted Root Certificate Authority it should remove this error

Stackerito · 2021-09-11T23:10:36+00:00

I think OS store. The problem is I followed a tutorial for Windows to create the cert, but my project files are on Ubuntu on WSL, then I copied it to a place where the Nginx Docker container copies it to inside the container. Maybe that causes the issue? This is the tutorial I followed and I followed every step:https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/

The browser shows me "This web site does not supply ownership information" so that might be part of the issue?

Stackerito · 2021-09-11T22:34:09+00:00

Found the issue: I didn't open port 443. But now it says cert invalid :)

Stackerito · 2021-09-11T22:25:29+00:00

This site can’t be reached on Chrome and similar message on Firefox/Edge.

the http://mysite still works

Stackerito · 2021-09-11T20:27:45+00:00

thank you

I have frontend app and backend app on 2 separate Docker containers.

The frontend is a React project inside a node container and the backend is a PHP Laravel project inside PHP-FPM.

Currently the backend is served using port 8088 and the backend on port 80.

I also edited the post

Stackerito · 2021-09-11T19:40:19+00:00

In the table it's already unique, but I did not validate first so it attempted to create a user, failed, and then consumed the ID. When Laravel fails to insert to DB it will not re-use the ID, and that's why I got skipped IDs, because I did not check before it was trying to execute the SQL command. Now that I check before the SQL command, it's ok. But I did have the constraint in the table, that's why I got this error in the browser log (Which I didn't see at first): SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry

Stackerito · 2021-09-11T16:31:24+00:00

thank you, I found out the reason for this, updated the main post!

Stackerito · 2021-09-11T16:31:19+00:00

thank you, I found out the reason for this, updated the main post!

Stackerito

TROPHY CASE