Unable to use Kamal 2 with CF and Hetzner
```yaml
# Name of your application. Used to uniquely configure containers.
service: cowriter-api

# Name of the container image.
image: xxx-service-staging

# Deploy to these servers.
servers:
  web:
    - xxx
    - xxx
  # job:
  #   hosts:
  #     - 192.168.0.1
  #   cmd: bin/jobs

# Enable SSL auto certification via Let's Encrypt (and allow for multiple apps on one server).
# If using something like Cloudflare, it is recommended to set encryption mode
# in Cloudflare's SSL/TLS setting to "Full" to enable end-to-end encryption.
proxy:
  ssl: false
  forward_headers: true
  # kamal-proxy connects to your container over port 80, use `app_port` to specify a different port.

# Credentials for your image host.
registry:
  server: xxxx.dkr.ecr.us-east-1.amazonaws.com
  username: AWS
  password:
    - KAMAL_REGISTRY_PASSWORD

# Configure builder setup.
builder:
  arch: amd64
  dockerfile: "./Dockerfile"
  context: "./"

env:
  secret:
    - MONGO_USERNAME
```
I have created a LB on Hetzner and added both servers. I have also added a proxied A record on Cloudflare pointing to the LB server; however, I get a "website down" error,
although visiting the server IP of both the LB and the hosts works without issues.
On which port is the Hetzner LB listening? Are the targets behind the Hetzner LB healthy? What mode is the SSL/TLS setting on Cloudflare?
- LB is listening on port 80
- Yes
- Mode is set to Full (not Strict) on CF
deploy.yml:
```yaml
# Note: If using Cloudflare, set encryption mode in SSL/TLS setting to "Full" to enable CF-to-app encryption.
proxy:
  ssl: true
  host: api.foobar.com
  # Proxy connects to your container on port 80 by default.
  app_port: 3000 # if you use thruster remove this line, if you don't use thruster set this line
```
You then have to set up the DNS records with the proxy toggle checked (A with the IPv4 and AAAA with the IPv6, without the /64). So in the Cloudflare DNS you will have to create two records: an A record with @ if it's the full domain, or just "api" if it's a subdomain, with your IPv4 as the value; and an AAAA record with @ if it's the full domain, or just "api" if it's a subdomain, with your IPv6 as the value (remove the /64).
Then commit your changes and run kamal deploy. Additionally, I add the gem "cloudflare-rails" to the production environment group in my Gemfile.
This config wouldn't work, as ssl: true only works if you are deploying to a single server; in my case I am deploying to 3 servers, and all 3 are under a single Hetzner LB.
I'd try removing the proxy section, as instructed here: https://github.com/basecamp/kamal/blob/main/lib/kamal/cli/templates/deploy.yml#L17
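The two constraints this thread turns on (ssl: true only fits a single host, and an ssl: false deployment behind Cloudflare or a LB wants forward_headers: true) can be checked before running kamal deploy. The lint below is an added example, not code from the thread or from Kamal; it takes the already-parsed deploy.yml mapping (in practice load the file with PyYAML's yaml.safe_load, omitted here so the block runs with the standard library only) and every host and domain value is constructed.

```python
def lint_deploy(config):
    """Return a list of (level, message) findings for a parsed Kamal deploy.yml mapping."""
    findings = []
    proxy = config.get("proxy") or {}
    servers = config.get("servers") or {}

    # Count every host across all roles. A role is either a plain list of hosts
    # or a mapping with a "hosts" key (as in the commented-out "job" role).
    hosts = []
    for role in servers.values():
        if isinstance(role, dict):
            hosts.extend(role.get("hosts") or [])
        elif isinstance(role, list):
            hosts.extend(role)

    if proxy.get("ssl") is True:
        if len(hosts) > 1:
            findings.append(("error", f"proxy.ssl: true only works with a single host, "
                             f"but {len(hosts)} hosts are configured; terminate TLS at the "
                             "LB/CDN and use ssl: false with forward_headers: true instead"))
        if not proxy.get("host"):
            findings.append(("error", "proxy.ssl: true needs proxy.host, the domain the "
                             "certificate is issued for"))
    elif proxy.get("forward_headers") is not True:
        # TLS is terminated upstream (Cloudflare "Full" mode / the LB); without forwarded
        # headers the app cannot tell the original scheme or client address.
        findings.append(("warning", "ssl is terminated upstream but proxy.forward_headers "
                         "is not true; the app will not see the original scheme/client IP"))

    # Secrets belong in the environment, referenced by name, not inline in the file.
    password = (config.get("registry") or {}).get("password")
    if isinstance(password, str):
        findings.append(("error", "registry.password is an inline literal; reference an "
                         "environment variable (e.g. - KAMAL_REGISTRY_PASSWORD) instead"))
    return findings


# Constructed inputs mirroring the two configurations discussed in the thread.
MULTI_HOST_SSL_TRUE = {
    "servers": {"web": ["203.0.113.10", "203.0.113.11", "203.0.113.12"]},
    "proxy": {"ssl": True, "host": "api.example.test", "app_port": 3000},
    "registry": {"password": ["KAMAL_REGISTRY_PASSWORD"]},
}
BEHIND_LB = {
    "servers": {"web": ["203.0.113.10", "203.0.113.11"]},
    "proxy": {"ssl": False, "forward_headers": True, "app_port": 3000},
    "registry": {"password": ["KAMAL_REGISTRY_PASSWORD"]},
}
```

Running `lint_deploy(MULTI_HOST_SSL_TRUE)` reports the single-host error from the thread, while `lint_deploy(BEHIND_LB)` returns no findings.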