# rke2
What do you mean “connect directly to a node”
The way ingress works, it matches the request based on the hostname in the http request or TLS SNI header. So if you are making requests against the node, it’s not going to serve you the cert or content for rancher - because you’re not making a connection and request against the hostname configured for the Rancher ingress. You’re making a connection and request against the node.
I am trying to connect directly to my-rancher-1, instead of via my-rancher (load balancer).
You’re getting the ingress default cert because your request doesn’t match the rancher ingress. So you get the default backend.
Well, the load balancer is not receiving any cert so far. My understanding was that it should be showing the cert loaded by Rancher.
Mind you this is my first Rancher HA installation.
At present, I do not have evidence that my Load Balancer is working, hence my trying to backtrack.
Generally you don’t want to set up the load balancer for SSL offload, since that is handled by the ingress. How did you set up the load balancer?
you just want it to pass TCP traffic directly to the nodes or pods
As a Docker container on my-rancher.my.org, running under podman (all boxes are RHEL 9).
Since I have been having problems getting anything on my load balancer, I presently have the config scaled back to only my-rancher-1 ...
worker_processes 4;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

http {
    upstream rancher {
        server my-rancher-1.my.org:80;
    }

    map $http_upgrade $connection_upgrade {
        default Upgrade;
        ''      close;
    }

    server {
        listen 443 ssl http2;
        server_name my-rancher-1.my.org;
        ssl_certificate /etc/pki/nginx/my-rancher-chain.cer;
        ssl_certificate_key /etc/pki/nginx/private/my-rancher.key;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://rancher;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            # This allows the ability for the execute shell window to remain open for up to 15 minutes. Without this parameter, the default is 1 minute and will automatically close.
            proxy_read_timeout 900s;
            proxy_buffering off;
        }
    }

    server {
        listen 80;
        server_name my-rancher-1.my.org;
        return 301 https://$server_name$request_uri;
    }
}
Yeah, don’t do that.
You’re offloading everything to your nginx LB and trying to send the Rancher ingress only plaintext traffic on port 80?
You want a super simple TCP load balancer that sends 80 to 80 and 443 to 443 without mucking with anything.
That's why I was trying to check if the Rancher installation was working before moving onto the load balancer, as I have zero confidence it was working.
Doesn't seem to like that one...
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: IPv6 listen already enabled
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/11/08 20:15:27 [emerg] 1#1: unexpected "}" in /etc/nginx/nginx.conf:39
nginx: [emerg] unexpected "}" in /etc/nginx/nginx.conf:39
(I think that was the first config I tried.)