Can't access spring boot admin ui via nginx #1496

Closed
@AlexBatt


Hi,

I was using an old version of Spring Boot Admin with Spring Boot 1.5.X and it worked great.
I've upgraded my env to use Spring Boot 2.3.1 and I can't access the Spring Boot Admin UI.

My env consists of dockerized microservices, all running behind an nginx server with only HTTPS access.
I'm also using a Eureka server to fetch the microservices' data.
I'm trying to access the SBA container in HTTP mode.
In the browser's network tab I see a 'Mixed-content' warning and
https://admin/assets/img/favicon.png net::ERR_NAME_NOT_RESOLVED when trying to access some local resource.
Access to the main endpoint returns a 200 response, but fetching .js and .css resources from the /assets path fails.

The configuration in nginx.conf:

    location / {
        proxy_pass http://admin:9090/;
    }

When I opened an internal port to the SBA container, thus bypassing nginx, the SBA UI works fine.

My SBA configuration has no security settings and uses the most basic config.
Also, I use Spring Boot 2.2.7 with Spring Boot Admin 2.2.4.

SBA application properties:

eureka.client.register-with-eureka=false
eureka.client.fetch-registry=true
eureka.client.registry-fetch-interval-seconds=5
eureka.instance.lease-renewal-interval-in-seconds=10
eureka.client.serviceUrl.defaultZone=http://127.0.0.1:9000/eureka/
server.forward-headers-strategy=native

I have tried:

  1. setting the Spring Boot Admin UI to use only HTTPS
  2. configuring nginx with X-Forwarded... params
  3. setting spring.boot.admin.ui.public-url=http://admin:9090/
  4. trying to set in SBA:
    server.tomcat.remote-ip-header=x-forwarded-for
    server.tomcat.protocol-header=x-forwarded-proto

There are no errors in the SBA logs.
Attached are the warnings and errors that I see in Chrome:
Untitled

Your help is very much appreciated.

Thank you in advance
Alex

joshiste commented on Aug 18, 2020

Collaborator

For the request to /:

  • Please provide the request+response (with headers) from the browser to the reverse proxy
  • Please provide the request+response (with headers) from the reverse proxy to the sba server

AlexBatt commented on Aug 18, 2020

Author

Thanks for your response.
BTW, I'm able to get a response from the /actuator/health endpoint of the Spring admin, but not from the '/' endpoint.
Attached is the request from the browser for one of the resources (no response available):
image

The request to the '/' endpoint is successful:
request:
image

response:
image

SBA and nginx are running in Docker; I used 'curl -X GET http://admin:9090/' to get the response.
This is the same response as when accessing the '/' endpoint from the browser.

<title>Spring Boot Admin</title>
<script lang=javascript src=sba-settings.js></script><script src=assets/js/chunk-vendors.0e6b1cce.js></script><script src=assets/js/chunk-common.049209f1.js></script><script src=assets/js/sba-core.f798fb1b.js></script>

Thanks,
Alex

joshiste commented on Aug 18, 2020

Collaborator

... I need the requests from nginx to the admin server to analyze the issue ...

suryach commented on Aug 19, 2020

The same thing happened to me too and I was missing the below directive in Nginx conf:

proxy_set_header X-Forwarded-Port $server_port;

AlexBatt commented on Aug 19, 2020

Author

Thanks @suryach for your reply, but unfortunately that didn't work either.

@joshiste I'm looking into the nginx server logs and the only response that I can see from SBA is this:
172.28.100.171 - - [19/Aug/2020:17:47:54 +0300] "GET / HTTP/1.1" 200 1070 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
If you can suggest any other way to get a response from nginx when calling SBA, please let me know.

When I tried with the old version of SBA 1.X, I got the below response in the nginx logs:
[19/Aug/2020:17:02:05 +0300] "GET /api/journal?stream HTTP/1.1" 499 0 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:02:05 +0300] "GET /core.css HTTP/1.1" 200 190387 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:02:06 +0300] "GET /all-modules.css HTTP/1.1" 200 8235 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:02:06 +0300] "GET /api/applications HTTP/1.1" 200 2752 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:02:06 +0300] "GET /applications/views/applications-list.html HTTP/1.1" 200 4869 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:02:06 +0300] "GET /img/favicon.png HTTP/1.1" 200 528 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:02:06 +0300] "GET /api/notifications/filters HTTP/1.1" 404 140 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:02:36 +0300] "GET /api/journal?stream HTTP/1.1" 200 5 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:03:10 +0300] "GET /api/journal?stream HTTP/1.1" 200 5 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:03:18 +0300] "GET /api/journal?stream HTTP/1.1" 200 5 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
[19/Aug/2020:17:03:21 +0300] "GET /api/journal?stream HTTP/1.1" 502 537 "https://11.111.11.11/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"

Thanks,
Alex

joshiste commented on Aug 19, 2020

Collaborator

Still need the headers ... maybe you can get them by tapping the wire using tcpdump?

AlexBatt commented on Aug 19, 2020

Author

this is the tcpdump when making the call;


joshiste commented on Aug 19, 2020

Collaborator

... still no headers ... please write the dump to a file (using the -w parameter). You can view the dump using Wireshark.

AlexBatt commented on Aug 19, 2020

Author

Attaching pcap files (SBA.zip):

  1. dump04 - includes all the information when making the call, with the eth0 interface
  2. dump05 - filtered by port 443
  3. dump06 - filtered by port 9090 (SBA application port)

The information seems to be encrypted in Wireshark; I'll try to find a way to decrypt it.

Thanks,

joshiste commented on Aug 20, 2020

Collaborator

the request to the admin server didn't contain any X-Forwarded- headers.
I guess your nginx config is not correct.

image

AlexBatt commented on Aug 23, 2020

Author

@joshiste thanks for your help. I was finally able to make it work.
I've added to nginx.conf:

    location /myPredefinedLocation/ {
        proxy_set_header Host $host;
        proxy_pass http://admin:9090/;
    }

and in addition, in the SBA application.properties, set

    spring.boot.admin.ui.public-url=<machine_ip>/myPredefinedLocation

The difference from the 1.X SBA version is that when accessing some .css/.js resource the IP was copied with the location defined in nginx.conf, whereas in the latest version it just used the IP.
for example:
working scenario:
https:////assets/css/chunk-common.d9ab30d2.css
https://11.11.111.11/predefinedLocation/assets/css/chunk-common.d9ab30d2.css

non-working scenario:
https:////assets/css/chunk-common.d9ab30d2.css
https://11.11.111.11/assets/css/chunk-common.d9ab30d2.css

not sure why this was changed...

Thanks,
Alex
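
Added example (not part of the thread, and not Spring Boot Admin, Tomcat or nginx code): a simplified model of how a backend that honours `X-Forwarded-*` headers derives its external base URL, run over three constructed proxy-to-backend requests that mirror the configurations discussed above. The set of headers checked, the sample requests and all function names are assumptions for illustration.

```python
from urllib.parse import urljoin

FORWARDED = ("x-forwarded-proto", "x-forwarded-host",
             "x-forwarded-port", "x-forwarded-prefix")

def parse_request(raw):
    """Split a captured HTTP/1.x request head into (method, path, headers)."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def external_base(headers):
    """Base URL a backend trusting X-Forwarded-* would derive (simplified model)."""
    proto = headers.get("x-forwarded-proto", "http")
    host = headers.get("x-forwarded-host", headers.get("host", ""))
    port = headers.get("x-forwarded-port")
    if port and ":" not in host and port != {"http": "80", "https": "443"}.get(proto):
        host = f"{host}:{port}"
    prefix = headers.get("x-forwarded-prefix", "").rstrip("/")
    return f"{proto}://{host}{prefix}/"

def audit(raw, public_url, asset="assets/css/chunk-common.d9ab30d2.css"):
    """Report missing headers and where a relative asset would resolve."""
    _, _, headers = parse_request(raw)
    base = external_base(headers)
    return {
        "missing": [h for h in FORWARDED if h not in headers],
        "derived_base": base,
        "asset_url": urljoin(base, asset),
        "matches_public_url": base.rstrip("/") == public_url.rstrip("/"),
        # An https page that references http sub-resources is blocked as mixed content.
        "mixed_content": public_url.startswith("https://") and base.startswith("http://"),
    }

# Constructed samples of what nginx sends upstream (not taken from the pcap files).
PUBLIC_URL = "https://11.11.111.11/myPredefinedLocation"
# proxy_pass only: nginx's default upstream Host is $proxy_host.
BARE = "GET / HTTP/1.0\r\nHost: admin:9090\r\nConnection: close\r\n\r\n"
# proxy_set_header Host $host; added, nothing else.
HOST_ONLY = "GET / HTTP/1.0\r\nHost: 11.11.111.11\r\nConnection: close\r\n\r\n"
# Full set of forwarded headers, including the location prefix.
FULL = ("GET / HTTP/1.0\r\nHost: 11.11.111.11\r\nX-Forwarded-Proto: https\r\n"
        "X-Forwarded-Host: 11.11.111.11\r\nX-Forwarded-Port: 443\r\n"
        "X-Forwarded-Prefix: /myPredefinedLocation\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("bare", BARE), ("host-only", HOST_ONLY), ("full", FULL)):
        print(name, audit(raw, PUBLIC_URL))
```

A backend that honours these headers accepts whatever value arrives, so they are only meaningful when the backend port is reachable solely through the proxy that sets them.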

joshiste commented on Sep 21, 2020

Collaborator

I was finally able to make it work.

Glad you made it. I'm closing this issue now.

wojciechGaudnik commented on Oct 6, 2022

Hi,
I'm struggling with this setup. My current configs,
temporarily without https:

nginx:

    location /admin-service/ {
        proxy_set_header Host $host;
        proxy_pass http://localhost:8666/;
    }

spring-boot-admin:

    spring.boot.admin.ui.publicUrl: "http://vb/admin-service"
    server.forward-headers-strategy: native

Now when I'm trying to log in at:
http://vb/admin-service/login

the page opens and I enter my credentials, but the redirect goes to:
Location: http://vb/

so Admin is not loaded. But when I open
http://vb/admin-service/
after the previous login, it works.

So the issue is somewhere with this redirection, I believe, but I have no clue what to do. I tried all kinds of:

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;

Any suggestion will be helpful.
Greetings

PS
I found a temporary solution like this:

    proxy_redirect http://vb/ http://vb/admin-service/;

royremi commented on Apr 26, 2023

Hi, I'm struggling with this setup, my current configs, temporarily without https: nginx: location /admin-service/ { proxy_set_header Host $host; proxy_pass http://localhost:8666/; } spring-boot-admin: spring.boot.admin.ui.publicUrl: "http://vb/admin-service" server.forward-headers-strategy: native

Now when I'm trying to log into: http://vb/admin-service/login

page is open and I'm putting my credentials but the redirect is going to: Location: http://vb/

so Admin is not loaded. But when I'm opening http://vb/admin-service/ after the previous login, it's working.

So the issue is somewhere with this redirection I believe, but I have no clue what to do. I tried all kind of: proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port;

Any suggestion will be helpful. Greetings

ps I found temporary solution like that: proxy_redirect http://vb/ http://vb/admin-service/;

Have you ever made it work? I have the same issue here.

wojciechGaudnik commented on Apr 27, 2023

Hi royremi,
yes, I changed only the nginx reverse proxy:

    location /all-services/ {
        proxy_pass https://localhost:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        rewrite /all-services/ /all-services break;
    }

and it works, but only from outside of the vb.

Can't access spring boot admin ui via nginx · Issue #1496 · codecentric/spring-boot-admin