I am trying to get single sign-on of Mattermost via GitLab working in a container.
On the level of the host I forward port 443 into the container which works seamlessly.
I can access both gitlab and mattermost from outside.
However, single sign-on fails, just as a 'telnet host-ip 443' from within the container fails.
I could of course set 127.0.0.1 for both gitlab and mattermost in /etc/hosts, but then I get a certificate mismatch with the error "x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0".
When I add proxy_protocol=true on the second command I get an error even when accessing the web server which is clear (I would need to configure that).
The thing is, the host needs to forward 443 to 443 in the container, and for the single sign-on the container wants to access the host by addressing the FQDN.
So if I let it address the FQDN and therefore do a loop over the host, there would need to be a loop of 443 forwards which seems odd.
On the other hand, if I would add a SAN to the certificate so that I could redirect in /etc/hosts in the container, which address should I define in the SAN? AFAIK, adding localhost as a SAN to a certificate is not recommended.
It may be interesting to try the proxy device with nat=true set. You'll need your container to use a fixed address though (ipv4.address).
I believe that when we set up our NAT rules, we try to set up a hairpin too, which then handles such cases. Your manual NAT rule will only trigger when the traffic is coming in from eno8, which it isn't when originating from the container.
I have set ipv4.address, but trying with nat=true I get:
david@nnwh:~$ lxc config device add gitlab h443gl proxy listen=tcp:0.0.0.0:443 connect=tcp:127.0.0.1:443 nat=true
Error: Invalid devices: Device validation failed for "h443gl": Cannot listen on wildcard address "0.0.0.0" when in nat mode
Perhaps a solution could be not to use NAT but a bridge instead?
The disadvantage would be that the container would see the external IP address, which I would like to avoid if possible.
david@nnwh:~$ lxc config device add gitlab h443gl proxy listen=tcp:80.219.xxx.xxx:443 connect=tcp:127.0.0.1:443 nat=true
Error: Failed to start device "h443gl": Proxy connect IP cannot be used with any of the instance NICs static IPs
If it is not working, maybe you changed something with iptables? I have seen other users with a similar problem where proxy did not work; they also made changes to iptables rules. I am not able to help you with that (iptables), sorry.
Ok, this also works to access the server in the container (even though my original working setting seems more logical to me, but it doesn’t work with nat=true).
However, my main problem is still there. Interestingly, with this setup I am getting the same error as when I set the FQDN of my GitLab to localhost in /etc/hosts inside the container:
{"level":"error","ts":1624622987.7921827,"caller":"mlog/log.go:247","msg":"Token request failed.","path":"/signup/gitlab/complete","request_id":"fq88dzmzqbndfbshpjqy75a47h","ip_addr":"127.0.0.1","user_id":"","method":"GET","err_where":"AuthorizeOAuthUser","http_code":500,"err_details":"Post \"https://gitlab.example.com/oauth/token\": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"}
So maybe one solution could be to add the now fixed IP of the container as a SAN to the certificate…
But isn’t there an easier way?