
Comments (15)

engrun commented on May 28, 2024

That's odd — so to clarify, you are accessing the ELB using HTTPS (eg https://ci.example.com/), and you are getting a redirect?

-> https: yes, getting a redirect: yes

So you may have to re-deploy the concourse using BOSH manually

This is a path we are not going to take.
(One of the "weaknesses" of Concourse is failing to provide detailed install instructions for the most common cloud providers.)
And btw, that's why we see concourse-up as a very nice tool!

However
I assumed that, when forwarding the ELB to an HTTPS endpoint (webnode in our case) with a self-signed cert, the ELB would not allow this.
But, we tried, and it works.
That is, without terminating SSL at the ELB.
So
Browser -> HTTPS -> ELB -> HTTPS -> webnode

from concourse-up.

peterellisjones commented on May 28, 2024

Hi Engrun,

This is not currently implemented and is something we'd like to implement at some point. However you can currently do this manually by following these steps:

  • deploy concourse-up using the custom-domain flag
  • create your certificate in AWS for that domain
  • create an ELB in AWS and attach the certificate
  • point the ELB at the Concourse web node
  • update the DNS settings in Route 53 to point at the ELB rather than directly at the web node

cheers,

Pete

engrun commented on May 28, 2024

Thanks for the tip. We had been discussing the same approach. However, when running concourse-up help deploy, no such flag, custom-domain, is listed?

And now concourse-up has generated a self-signed certificate.
We probably need to disable this. I guess the loadbalancer will not accept the self-signed certificate?

engrun commented on May 28, 2024

I have already run with the domain flag. I guess that's what you meant.

peterellisjones commented on May 28, 2024

oops yeah domain not custom-domain

The load balancer can be used with a certificate you will need to manually generate in AWS Certificate Manager

engrun commented on May 28, 2024

Yes, I understand I have to generate the certificate and use that with the ELB.

However, when running concourse-up, a self-signed certificate is generated. (not by AWS). When pointing the ELB to the webnode, the webnode has a certificate that is not "trusted". My question is whether the ELB will accept this self-signed certificate. I guess I will find out :)

My initial thought was to perhaps terminate SSL at the ELB

peterellisjones commented on May 28, 2024

engrun commented on May 28, 2024

hi
We have tried to configure this now.
You say we should forward the ELB for concourse-web on port 80.
This does not work as concourse will redirect to https.
Proved by (request webnode on port 80 directly)
curl -H 'Host: ci.example.com' -H 'X-Forwarded-Proto: https' 54.x.x.x.

This yields

HTTP/1.1 301 Moved Permanently
Location: https://ci.example.com/

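The curl check from the comment above, as an added example that is not part of the original thread or of concourse-up: it sends the request a TLS-terminating ELB would forward to the web node's plain-HTTP port and reports whether the answer would bounce the client back to the same HTTPS host. The stub server is a constructed stand-in that reproduces the 301 shown above; `RedirectingWebNode`, `probe_backend`, `would_loop` and `demo` are hypothetical names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

class RedirectingWebNode(BaseHTTPRequestHandler):
    """Constructed stub: reproduces the 301-to-https answer shown in the thread."""
    def do_GET(self):
        host = self.headers.get("Host", "localhost")
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def probe_backend(addr, port, public_host, timeout=5):
    """Send what a TLS-terminating load balancer would forward; return (status, Location)."""
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": public_host, "X-Forwarded-Proto": "https"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def would_loop(status, location, public_host):
    """True if the backend sends an already-HTTPS client back to the same HTTPS host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == public_host.lower()

def demo(public_host="ci.example.com"):
    """Run the probe against the local stub; returns (status, location, loops)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectingWebNode)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status, location = probe_backend("127.0.0.1", server.server_address[1], public_host)
    finally:
        server.shutdown()
        server.server_close()
    return status, location, would_loop(status, location, public_host)

if __name__ == "__main__":
    print(demo())
```

To check a real deployment, call `probe_backend` with the web node's address and port 80 in place of the stub.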

engrun commented on May 28, 2024

To sum up.
I think the problem is that concourse-up enforces a self-signed certificate, and cannot, as of now, be configured to use port 80.

peterellisjones commented on May 28, 2024

That's odd — so to clarify, you are accessing the ELB using HTTPS (eg https://ci.example.com/), and you are getting a redirect?

peterellisjones commented on May 28, 2024

It looks like Concourse always redirects to https when a cert is provided

https://github.com/concourse/atc/blob/01e6614e28056eb101fe7340ac27bd97e65badf7/atccmd/command.go#L414-L421

https://github.com/concourse/atc/blob/01e6614e28056eb101fe7340ac27bd97e65badf7/atccmd/command.go#L1124-L1126

So you may have to re-deploy the concourse using BOSH manually with the TLS bind port set to null, or by removing the tls cert and key from the BOSH manifest

http://bosh.io/jobs/atc?source=github.com/concourse/concourse&version=3.6.0#p=tls_bind_port

https://github.com/concourse/concourse/blob/master/jobs/atc/templates/atc_ctl.erb#L101-L104

JasonMorgan commented on May 28, 2024

@engrun can you display your ELB configuration? Specifically I'm curious if you had to tell it to trust the self-signed cert or if it just ignored SSL errors by default.

JasonMorgan commented on May 28, 2024

Just as an addition to my last note, there is no requirement to give the ELB the self-signed cert. This configuration works like a charm.

JasonMorgan commented on May 28, 2024

That being said, once I had the ELB running I wasn't able to intercept containers. Is anyone else running into this?

walked commented on May 28, 2024

@JasonMorgan I'm about to go down this path myself; did you ever get intercept working? I saw this:

If you're using an AWS ELB, you have to make sure that the protocol forwarding to concourse:web on port 8080 is ssl and not https.

concourse/concourse#1342

Curious if you got there with an ELB; just getting my pre-planning ducks in a row before I start doing all my deployment work.
