Cannot start mender server 2.3.0 (error 400/Bad Request from openresty at login time)

vrubiolo · June 5, 2020, 9:31pm

Hi everyone,

First, thanks to the whole Mender team for a great product! I am currently evaluating it but from what I see in terms of ease of use, code repositories and documentation, Mender is very pleasing to work with. Great job !

I am writing because I am attempting to deploy the demo server. It comes up but I cannot login: the screen stays on the login page and the debugger shows me one of the XHR failed with a 400/Bad Gateway error at the openresty level:

This is the 2.3.0 integration tag, as described by the docs but I get the same behavior when I pick up the integration repo HEAD (which I have at 196d744bab2c52e23926506171ef6a3c1151cdae).

I am running inside an Ubuntu bionic VM managed using Vagrant (VirtualBox provider) to match the suggested OS version. I have Docker version 19.03.9, build 9d988398e7 and docker-compose version 1.25.5, build 8a1c60f6.

All containers appear to look fine:

vagrant@ubuntu-bionic:~/integration-2.3.0$ ./demo ps
               Name                              Command                  State                    Ports              
----------------------------------------------------------------------------------------------------------------------
integration230_mender-api-gateway_1   /entrypoint.sh                   Up             0.0.0.0:443->443/tcp, 80/tcp    
integration230_mender-conductor_1     /srv/start_conductor.sh          Up (healthy)   0.0.0.0:8080->8080/tcp, 8090/tcp
integration230_mender-create-         /usr/bin/workflows --confi ...   Up             8080/tcp                        
artifact-worker_1                                                                                                     
integration230_mender-deployments_1   /entrypoint.sh --config /e ...   Up             8080/tcp                        
integration230_mender-device-auth_1   /usr/bin/deviceauth --conf ...   Up             8080/tcp                        
integration230_mender-                /usr/local/bin/docker-entr ...   Up             9200/tcp, 9300/tcp              
elasticsearch_1                                                                                                       
integration230_mender-gui_1           /entrypoint.sh nginx             Up             80/tcp                          
integration230_mender-inventory_1     /usr/bin/inventory --confi ...   Up             8080/tcp                        
integration230_mender-mongo_1         docker-entrypoint.sh mongod      Up             27017/tcp                       
integration230_mender-redis_1         /redis/entrypoint.sh             Up             6379/tcp                        
integration230_mender-useradm_1       /usr/bin/useradm --config  ...   Up             8080/tcp                        
integration230_mender-workflows-      /usr/bin/workflows --confi ...   Up             8080/tcp                        
server_1                                                                                                              
integration230_minio_1                /usr/bin/docker-entrypoint ...   Up (healthy)   9000/tcp                        
integration230_storage-proxy_1        /usr/local/openresty/bin/o ...   Up             0.0.0.0:9000->9000/tcp

I have the required entries in /etc/hosts:

vagrant@ubuntu-bionic:~/integration-2.3.0$ cat /etc/hosts
127.0.0.1       localhost

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost   ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
127.0.1.1       ubuntu-bionic   ubuntu-bionic
127.0.0.1 s3.docker.mender.io
127.0.0.1 docker.mender.io

And I don’t see any error messages when everything comes up:

vagrant@ubuntu-bionic:~/integration-2.3.0$ ./demo up
Starting the Mender demo environment...
Creating network "integration230_mender" with the default driver
Creating integration230_mender-redis_1                  ... done
Creating integration230_mender-gui_1                    ... done
Creating integration230_mender-elasticsearch_1 ... done
Creating integration230_mender-mongo_1         ... done
Creating integration230_minio_1                ... done
Creating integration230_mender-workflows-server_1       ... done
Creating integration230_mender-useradm_1                ... done
Creating integration230_mender-create-artifact-worker_1 ... done
Creating integration230_mender-inventory_1              ... done
Creating integration230_mender-conductor_1              ... done
Creating integration230_mender-device-auth_1            ... done
Creating integration230_storage-proxy_1                 ... done
Creating integration230_mender-deployments_1            ... done
Creating integration230_mender-api-gateway_1            ... done
Creating a new user...
****************************************

Username: mender-demo@example.com
Login password: <redacted>

****************************************
Please keep the password available, it will not be cached by the login script.
Mender demo server ready and running in the background. Copy credentials above and log in at https://localhost
Press Enter to show the logs.
Press Ctrl-C to stop the backend and quit.

I can provide more logs on request (I have the full output of ./demo logs but this is hits the body limit of 32k characters).

I have looked on the forum for help, esp. on this thread but nothing matched my issue. In particular, I can run openresty fine manually and I don’t see any 132 error code.

One thing which might be worth mentioning: I am redirecting port 443 in the VM to 4343 on the host. This means that when I reach https://localhost:4343, I first get an error as I am redirected to https://localhost/ui/login. I have to manually edit my URL to be https://localhost:4343/ui/#/login to reach the login page (and, subsequently, the Bad Request error).

Would someone know what is causing this error? I can provide more information if needed.

Thanks much for your time!

Edit: added missing screen captures

peter · June 8, 2020, 3:31pm

Hi Vrubiolo!

thanks so much! and thanks for trying Mender.
Out of the box the demo works on 443, is it really important to run it on 4343? I figured, if it is demo maybe it is not worth the fight?

cheers,
peter

vrubiolo · June 8, 2020, 7:54pm

Hi @peter,

Thanks for your message! I don’t have a particular stance on 4343, it’s just that running inside the Virtualbox VM I have to open port 443 to make it accessible to the outside world.

Port redirections for port numbers smaller than 1024 mandate additional priviledges, as Vagrant tells me when it starts (this was an attempt to map port 443 on the guest to 443 on the host machine running the VM):

==> default: You are trying to forward to privileged ports (ports <= 1024). Most                                       
==> default: operating systems restrict this to only privileged process (typically                                     
==> default: processes running as an administrative user). This is a warning in case                                   
==> default: the port forwarding doesnt work. If any problems occur, please try a                                     
==> default: port higher than 1024.

This is also mentioned in the Vagrant doc itself:

host (int) - The port on the host that you want to use to access the port on the guest. This must be greater than port 1024 unless Vagrant is running as root (which is not recommended).

At this point, I was still running as myself and not root so the redirection 443<->443 did not work (silent fail). I can retry running vagrant as root to test if this is really the cause of the issue. It’s important for me to know as the demo server is the first step before trying the production setup instructions.

peter · June 8, 2020, 8:35pm

all right. I would start with editing docker-compose.demo.yml file and change the port mapping for api-gateway:

     mender-api-gateway:
         ports:
            - "4343:443"

peter

vrubiolo · June 8, 2020, 8:58pm

Hi again @peter,

Thanks for your continued support. I tried what you suggested but unfortunately I have the same error:

I have checked the change is in:

vagrant@ubuntu-bionic:~/integration-2.3.0$ git diff -U5
diff --git a/docker-compose.yml b/docker-compose.yml
index 62e452e..b00480c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -38,10 +38,12 @@ services:
     mender-api-gateway:
         image: mendersoftware/api-gateway:2.1.0
         extends:
             file: common.yml
             service: mender-base
+        ports:
+          - "4343:443"
         networks:
             - mender
         # critical - otherwise nginx may not detect
         # these servers and exits with 'upstream server not found'
         depends_on:

The process list also reports the port as being effectively redirected:

vagrant@ubuntu-bionic:~/integration-2.3.0$ ./demo ps
                     Name                                   Command                  State                             Ports                       
---------------------------------------------------------------------------------------------------------------------------------------------------
integration230_mender-api-gateway_1              /entrypoint.sh                   Up             0.0.0.0:443->443/tcp,0.0.0.0:4343->443/tcp, 80/tcp
integration230_mender-conductor_1                /srv/start_conductor.sh          Up (healthy)   0.0.0.0:8080->8080/tcp, 8090/tcp                  
integration230_mender-create-artifact-worker_1   /usr/bin/workflows --confi ...   Up             8080/tcp                                          
integration230_mender-deployments_1              /entrypoint.sh --config /e ...   Up             8080/tcp                                          
integration230_mender-device-auth_1              /usr/bin/deviceauth --conf ...   Up             8080/tcp                                          
integration230_mender-elasticsearch_1            /usr/local/bin/docker-entr ...   Up             9200/tcp, 9300/tcp                                
integration230_mender-gui_1                      /entrypoint.sh nginx             Up             80/tcp                                            
integration230_mender-inventory_1                /usr/bin/inventory --confi ...   Up             8080/tcp                                          
integration230_mender-mongo_1                    docker-entrypoint.sh mongod      Up             27017/tcp                                         
integration230_mender-redis_1                    /redis/entrypoint.sh             Up             6379/tcp                                          
integration230_mender-useradm_1                  /usr/bin/useradm --config  ...   Up             8080/tcp                                          
integration230_mender-workflows-server_1         /usr/bin/workflows --confi ...   Up             8080/tcp                                          
integration230_minio_1                           /usr/bin/docker-entrypoint ...   Up (healthy)   9000/tcp                                          
integration230_storage-proxy_1                   /usr/local/openresty/bin/o ...   Up             0.0.0.0:9000->9000/tcp

I truly think the port redirection is the problem given that, following your suggestion, I ran vagrant as root to enable port 443 redirection and this worked. The setup is pretty cumbersome for day to day use (have to run vagrant as root) but I was able to login and successfully onboarded the virtual device :

Nice UI and very slick onboarding process w/ the toolips btw, impressive!

Looking at the Javascript error at login time (a syntax error about an unexpected character, I’d have to rebuild the Docker image to have the debug info to know more), I think it might be that the URL contains a port number/indication and a parser might be choking on it ?

tranchitella · June 9, 2020, 8:53am

@vrubiolo

The Javascript error happens because the “400 Bad Request” response from nginx contains an HTML page (the one which is displayed in the Response tab of the Developer Tools in one of your screenshots), while the UI tries to parse it as JSON.

Can you please paste here the logs from the api-gateway and useradm containers when hitting the 400 Bad Request response?

vrubiolo · June 9, 2020, 9:21am

Hi @tranchitella,

Thanks for your help here.

Here are the end of the logs you requested (I have more but I am hitting the forum character limit. Let me know if you want specific bits there):

api-gateway:

mender-api-gateway_1             | -- reload
mender-api-gateway_1             | 2020/06/09 09:06:29 [warn] 1#1: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/var/www/mendersoftware/cert/cert.crt"
mender-api-gateway_1             | 172.18.0.1 - mender-demo@example.com [09/Jun/2020:09:06:29 +0000] "POST /api/management/v1/useradm/auth/login HTTP/1.1" 401 76 "-" "curl/7.58.0" "-" request ID "68155e9e-f7ea-46c2-b99f-edcf5469ad9e" 0.105
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:06:59 +0000] "GET /ui HTTP/1.1" 301 191 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.000
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:07 +0000] "GET /ui/env.js HTTP/1.1" 200 294 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.001
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:07 +0000] "GET /ui/assets/img/loginlogo.png HTTP/1.1" 200 4584 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.001
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:09 +0000] "GET /ui/env.js HTTP/1.1" 200 294 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.000
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:09 +0000] "GET /ui/ HTTP/1.1" 200 308 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.002
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:09 +0000] "GET /ui/main.js.map HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.006
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:11 +0000] "GET /ui/ HTTP/1.1" 200 308 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.000
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:11 +0000] "GET /ui/main.js?21463e76c79f7a491c4f HTTP/1.1" 200 538572 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.074
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:11 +0000] "GET /ui/main.css?21463e76c79f7a491c4f HTTP/1.1" 200 24198 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.077
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:11 +0000] "GET /ui/env.js HTTP/1.1" 200 294 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.078
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:12 +0000] "GET /ui/main.js.map HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.006
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:12 +0000] "GET /ui/assets/img/loginlogo.png HTTP/1.1" 200 4584 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.011
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:07:13 +0000] "GET /ui/favicon.ico HTTP/1.1" 200 459 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.001
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:13:45 +0000] "GET /ui/ HTTP/1.1" 200 308 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.001
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:13:45 +0000] "GET /ui/main.css?21463e76c79f7a491c4f HTTP/1.1" 200 24198 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.004
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:13:46 +0000] "GET /ui/main.js?21463e76c79f7a491c4f HTTP/1.1" 200 538580 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.062
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:13:46 +0000] "GET /ui/env.js HTTP/1.1" 200 294 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.051
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:13:46 +0000] "GET /ui/assets/img/loginlogo.png HTTP/1.1" 200 4584 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.000
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:13:46 +0000] "GET /ui/main.js.map HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.005
mender-api-gateway_1             | 10.0.2.2 - - [09/Jun/2020:09:13:46 +0000] "GET /ui/favicon.ico HTTP/1.1" 200 459 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.011
mender-api-gateway_1             | 10.0.2.2 - mender-demo@example.com [09/Jun/2020:09:13:49 +0000] "POST /api/management/v1/useradm/auth/login HTTP/1.1" 400 179 "https://localhost:4343/ui/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-" request ID "-" 0.000

useradm:

mender-useradm_1                 | time="2020-06-08T20:46:46Z" level=info msg="User Administration Service, version unknown starting up" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-08T20:46:53Z" level=info msg="running migrations in single tenant mode" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-08T20:46:53Z" level=info msg="automigrate is ON, will apply migrations" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-08T20:46:53Z" level=info msg="migrating useradm" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-08T20:46:53Z" level=info msg="got info: '{0.1.0 2020-06-05 20:56:33.37 +0000 UTC}'" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-08T20:46:53Z" level=info msg="migration to version 0.1.0 skipped" db=useradm file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-08T20:46:53Z" level=info msg="setting up prod middleware" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-08T20:46:53Z" level=info msg="listening on :8080" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-08T20:47:33Z" level=warning msg="Failed to extract identity from header: unknown authorization method Basic" file=entry.go func="logrus.(*Entry).Logf" line=313 request_id=c3af7787-1f67-4d82-8ccd-b02ee2d62fe9
mender-useradm_1                 | time="2020-06-08T20:47:33Z" level=error msg=unauthorized file=entry.go func="logrus.(*Entry).Error" line=296 request_id=c3af7787-1f67-4d82-8ccd-b02ee2d62fe9
mender-useradm_1                 | time="2020-06-08T20:47:33Z" level=info msg="401 76329μs POST /api/management/v1/useradm/auth/login HTTP/1.0 - curl/7.58.0" file=entry.go func="logrus.(*Entry).Info" line=284 request_id=c3af7787-1f67-4d82-8ccd-b02ee2d62fe9
mender-useradm_1                 | time="2020-06-09T09:05:56Z" level=info msg="User Administration Service, version unknown starting up" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-09T09:05:56Z" level=info msg="running migrations in single tenant mode" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-09T09:05:56Z" level=info msg="automigrate is ON, will apply migrations" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-09T09:05:56Z" level=info msg="migrating useradm" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-09T09:05:56Z" level=info msg="got info: '{0.1.0 2020-06-05 20:56:33.37 +0000 UTC}'" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-09T09:05:56Z" level=info msg="migration to version 0.1.0 skipped" db=useradm file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-09T09:05:56Z" level=info msg="setting up prod middleware" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-09T09:05:56Z" level=info msg="listening on :8080" file=entry.go func="logrus.(*Entry).Logf" line=313
mender-useradm_1                 | time="2020-06-09T09:06:29Z" level=warning msg="Failed to extract identity from header: unknown authorization method Basic" file=entry.go func="logrus.(*Entry).Logf" line=313 request_id=68155e9e-f7ea-46c2-b99f-edcf5469ad9e
mender-useradm_1                 | time="2020-06-09T09:06:29Z" level=error msg=unauthorized file=entry.go func="logrus.(*Entry).Error" line=296 request_id=68155e9e-f7ea-46c2-b99f-edcf5469ad9e
mender-useradm_1                 | time="2020-06-09T09:06:29Z" level=info msg="401 103950μs POST /api/management/v1/useradm/auth/login HTTP/1.0 - curl/7.58.0" file=entry.go func="logrus.(*Entry).Info" line=284 request_id=68155e9e-f7ea-46c2-b99f-edcf5469ad9e

tranchitella · June 9, 2020, 10:20am

@vrubiolo

This is quite strange: the last line from api-gateway is the login which returns 400, bad request. The logs from useradm do not show the POST request to /login at 09:13:49, though. It seems it’s nginx which is blocking the request and providing back the 400 bad request response, but I don’t see why this should happen.

Would you share with me your Vagrant file and the exact commands you are typing to bring the virtual machine up and install Mender?

vrubiolo · June 9, 2020, 1:22pm

@tranchitella

Thanks for the analysis. Here is the Vagrantfile I am using (comments removed):

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/bionic64"
  config.vm.network "forwarded_port", guest: 443, host: 4343, host_ip: "127.0.0.1"
  config.vm.provider "virtualbox" do |vb|
    vb.memory = "3072"
  end
end

Then, after copying the Vagrantfile, just do a vagrant up and vagrant ssh to connect.

In the shell, install:

Docker using those instructions
Docker-Compose via these.

Then clone the mender repo to run the demo:

git clone -b 2.3.0 https://github.com/mendersoftware/integration.git integration-2.3.0
cd integration-2.3.0
./demo up

Connect to https://localhost:4343, you’ll be redirected to https://localhost/ui. Edit the URL to insert the port number again so that it ends up being https://localhost:4343/ui/#/login and enter your credentials to witness the problem.

Let me know if you need more information. If you are still having issues or don’t witness the problem, I can make it so that the VM is automatically provisioned instead of the manual installation steps so that we can make sure we share exactly the same setup.

vrubiolo · June 11, 2020, 9:04am

@tranchitella
Any news on your end? Do you need more assistance in reproducing the issue?

tranchitella · June 11, 2020, 3:04pm

@vrubiolo I believe the issue is here:

github.com

mendersoftware/mender-api-gateway-docker/blob/2.1.x/common.nginx.conf#L18


if ($http_origin = $scheme://$host) {
	set $origin_valid 1;
}
if ($http_origin = $scheme://$host:$server_port) {
	set $origin_valid 1;
}
if ($http_origin ~* ^((https?:\/\/)?(@ALLOWED_ORIGIN_HOSTS@))$) {
	set $origin_valid 1;
}
if ($origin_valid = 0) {
	return 400;
}

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# additional headers for application security
add_header X-XSS-Protection "1; mode=block";
add_header Cache-Control "no-cache, no-store";
add_header Pragma "no-cache";

The API gateway verify if the HTTP origin is valid, and if the check fails it returns 400.
Can you please try to modify the ALLOWED_HOSTS env variable (for example in docker-compose.demo.yml) and add there the domain:port you are using to access the UI, which should by localhost:4343?

vrubiolo · June 14, 2020, 8:35pm

@tranchitella: thanks for looking into the issue and sorry for not replying sooner, I was delayed by other things. I will be able to try your suggestion and report back this coming week.

vrubiolo · June 15, 2020, 3:51pm

@tranchitella: I could try your suggestion and can report that the change did indeed solve the issue. Many thanks for your help! I can now successfully login to the server Web UI when port redirection is enabled.

For the record, here are the changes:

$ git diff
diff --git a/docker-compose.demo.yml b/docker-compose.demo.yml
index eb251f1..4ba3946 100644
--- a/docker-compose.demo.yml
+++ b/docker-compose.demo.yml
@@ -25,7 +25,7 @@ services:
             - ./certs/api-gateway/cert.crt:/var/www/mendersoftware/cert/cert.crt
             - ./certs/api-gateway/private.key:/var/www/mendersoftware/cert/private.key
         environment:
-            ALLOWED_HOSTS: localhost docker.mender.io
+            ALLOWED_HOSTS: localhost docker.mender.io localhost:4343
             HSTS_MAX_AGE: 0
 
     storage-proxy:
diff --git a/docker-compose.yml b/docker-compose.yml
index 62e452e..b00480c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -40,6 +40,8 @@ services:
         extends:
             file: common.yml
             service: mender-base
+        ports:
+          - "4343:443"
         networks:
             - mender
         # critical - otherwise nginx may not detect

It looks like this could be a useful addition to the demo server documentation. Are you accepting pull requests for such changes?

tranchitella · June 15, 2020, 4:03pm

Hello @vrubiolo, I’m glad to read we’ve solved your issue!
Yes, a pull request is very much welcome!

vrubiolo · June 16, 2020, 1:44pm

Thanks @tranchitella ! Are there any guidelines for doc contributions? I can see the general contribution ones but none for doc itself (style, etc).

Also, can I locally regenerate the doc itself with my changes? I see redeploy.sh in the mender-docs repo but it looks like this triggers a build within Github/Travis. Also I am not sure there are explanations on how to use it (sorry if I missed those instructions)

mirzak · June 16, 2020, 3:12pm

Are there any guidelines for doc contributions? I can see the general contribution ones but none for doc itself (style, etc).

Actually there is a PR which adds a style guide. So a very well timed question

Also, can I locally regenerate the doc itself with my changes? I see redeploy.sh in the mender-docs repo but it looks like this triggers a build within Github/Travis. Also I am not sure there are explanations on how to use it (sorry if I missed those instructions)

Unfortunately it will be difficult to build the docs locally. The docs are a combination of the mender-docs repository and other repositories (API section is generated from many micro services repositories).

We have a way of building this together, but right now it is in a private repository. We are doing some work in this area, and we will take a look if we can make this easier and also make it public.

vrubiolo · June 22, 2020, 12:37pm

Thanks for the feedback @mirzak, I’ll see what I can do w.r.t updating the docs w/o re-rendering them (or I’ll wait until the infrastructure to do that publically to be available if the timeframe works)

Topic		Replies	Views
Issue with cross server API access General Discussions	3	572	November 29, 2019
Demo server installation problem General Discussions	2	397	May 6, 2019
Demo Server 2.3.0 General Discussions	8	615	April 16, 2020
Cannot Access Storage Artifact on MenderServer 2.7.0 General Discussions integration	12	601	May 28, 2021
Mender 2.4 on-premise released: New automation features Announcements	9	478	April 6, 2021

Cannot start mender server 2.3.0 (error 400/Bad Request from openresty at login time)

Related Topics