[via ECS] ALB has no health checks when trying to access the UI & Public IP not showing UI either
Steps to Reproduce
I'm using Terraform to provision Prowler on AWS.
Expected behavior
To launch/open the UI from the load balancer, or without the load balancer using the public IP from my running task definition.
This is a working version on an EC2 instance.
Actual Result with Screenshots or Logs
This is the error from the load balancer that is causing the health check to the UI to fail. Even without the ALB I'm still unable to load it via a public IP.
How did you install Prowler?
Docker (docker pull toniblyx/prowler)
Environment Resource
- ECR
- ECS
- FARGATE
- Security group
- VPC
OS used
MacOS and Windows
Prowler version
Image versions are pulled from Docker.
Pip version
n/a
Context
- [x] I've successfully implemented Prowler in an EC2 instance, by running the CURL commands and docker compose from the official repository.
- [ ] However, I am looking to run the same via Terraform in AWS using ECS. I have provisioned a link to my testing repo for assistance: https://github.com/wellhrd/JustProwler
Hi @wellhrd,
As you say, you're using Docker (docker pull toniblyx/prowler) as your installation method. Just to inform you, this method doesn't install the full application in a way that supports more complex setups like ECS. Support for that environment is limited at the moment.
We'd recommend starting by testing Prowler locally using Docker Compose. That way, you can get familiar with how the app behaves in a containerized environment that's supported.
Could you try this and let us know if this works for you?
Hello @HugoPBrito Well actually I got it to run locally, the problem is when the images are pushed to the ECR and tagged I am unable to get the UI to load.
I am sorry for the confusion. When the infrastructure is provisioned, I actually do a **push** of the images to the **ECR** on AWS, not a _(docker pull)_.
The tags are based on the output of `docker images`. So, for example, valkey got tagged as 7-alpine3.19 and this would be reflected in my task definitions.
Hi @wellhrd,
Before a target in the target group is deregistered because the health check fails, it shows some message, try to catch it to understand what's going on.
If you are not able to do it for some reason, use a wider code range to understand what's going on, like 200-499 for example, so even if it's failing, the ALB will maintain it running and you can check what's going on.
Have you checked the UI container logs? It's also possible the container is not running properly for some reason and that's why the health check is not working.
@HugoPBrito Here are screenshots of the errors and logs respectively.
Push Commands for the images were successful
Status of the task definition... UI keeps failing
Disabled the load balancer in the terraform
Added VPC flow logs; this is without the ALB being enabled. The ENI is not showing up under network interfaces in this region (US-E-1).
Only failed task currently
Hi @wellhrd. You need to add a /health endpoint in the UI and point the load balancer to it.

```typescript
// ui/app/api/health/route.ts
import { NextResponse } from "next/server";

export async function GET() {
  return NextResponse.json({ status: "healthy" }, { status: 200 });
}
```

And in the ALB configuration point it to this endpoint:

```hcl
resource "aws_lb_target_group" "public" {
  name        = "${var.name_prefix}-public-tg"
  port        = 3000
  protocol    = "HTTP"
  vpc_id      = var.vpc_id
  target_type = "ip"

  health_check {
    enabled             = true
    healthy_threshold   = 2
    interval            = 30
    matcher             = "200"
    path                = "/api/health"
    port                = "traffic-port"
    protocol            = "HTTP"
    timeout             = 5
    unhealthy_threshold = 3
  }

  tags = merge(var.tags, { Name = "${var.name_prefix}-public-tg" })
}
```
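How the `matcher`, `healthy_threshold` and `unhealthy_threshold` fields of the target group above interact, and why the wider code range suggested earlier in the thread (200-499) keeps a failing target registered long enough to read its response, as an added example. This is JavaScript written for this page, not code from the Prowler project or from anyone in the thread; the UI responses, thresholds and the `fakeUiProbe` stand-in are constructed.

```javascript
// Added example (not Prowler project code): a model of how an ALB target
// group scores health checks, so the `matcher` and threshold settings can be
// reasoned about before redeploying. UI responses below are constructed.

// Parse an ALB `matcher` ("200", "200,202" or "200-499") into a predicate on
// HTTP status codes. Entries are comma-separated; ranges are inclusive.
function parseMatcher(matcher) {
  const entries = String(matcher).split(",").map((s) => s.trim()).filter(Boolean);
  if (entries.length === 0) throw new Error("empty matcher");
  const ranges = entries.map((entry) => {
    const m = /^(\d{3})(?:-(\d{3}))?$/.exec(entry);
    if (!m) throw new Error(`invalid matcher entry: ${entry}`);
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo > hi) throw new Error(`inverted range: ${entry}`);
    return [lo, hi];
  });
  return (status) => ranges.some(([lo, hi]) => status >= lo && status <= hi);
}

// Per-target health state as the load balancer tracks it: a target becomes
// "healthy" after `healthyThreshold` consecutive passing checks and
// "unhealthy" after `unhealthyThreshold` consecutive failing ones; a failure
// resets the pass streak and vice versa. ECS replaces a task whose target
// goes unhealthy, so the last failing response is kept: it is the message to
// read before the task disappears.
class TargetHealth {
  constructor({ matcher, healthyThreshold, unhealthyThreshold }) {
    this.matches = parseMatcher(matcher);
    this.healthyThreshold = healthyThreshold;
    this.unhealthyThreshold = unhealthyThreshold;
    this.state = "initial";
    this.passStreak = 0;
    this.failStreak = 0;
    this.lastFailure = null;
  }

  record(response) {
    if (this.matches(response.status)) {
      this.passStreak += 1;
      this.failStreak = 0;
      if (this.passStreak >= this.healthyThreshold) this.state = "healthy";
    } else {
      this.failStreak += 1;
      this.passStreak = 0;
      this.lastFailure = response;
      if (this.failStreak >= this.unhealthyThreshold) this.state = "unhealthy";
    }
    return this.state;
  }
}

// Constructed stand-in for the UI container. A Next.js app with no health
// route answers 404 on /api/health; with the route.ts above it answers 200.
function fakeUiProbe(path, hasHealthRoute) {
  if (path === "/api/health" && hasHealthRoute) {
    return { status: 200, body: '{"status":"healthy"}' };
  }
  return { status: 404, body: "404: This page could not be found." };
}

// Probe the fake UI `checks` times with the thread's thresholds (2 healthy,
// 3 unhealthy) and report the final state plus the last failing response.
function simulateHealthChecks({ matcher, hasHealthRoute, checks = 3 }) {
  const target = new TargetHealth({ matcher, healthyThreshold: 2, unhealthyThreshold: 3 });
  let state = target.state;
  for (let i = 0; i < checks; i += 1) {
    state = target.record(fakeUiProbe("/api/health", hasHealthRoute));
  }
  return { state, lastFailure: target.lastFailure };
}

// Scenario 1, the thread's starting point: no /api/health route, matcher "200".
// Three 404s in a row and the target is unhealthy; the task gets replaced.
const noRoute = simulateHealthChecks({ matcher: "200", hasHealthRoute: false });

// Scenario 2, the debugging aid: matcher "200-499" keeps the target registered
// even though every probe is a 404, so the container can be inspected. Not a
// production setting: a UI answering 401/403/404 to every request would still
// count as healthy.
const widened = simulateHealthChecks({ matcher: "200-499", hasHealthRoute: false });

// Scenario 3, the fix: with the route in place and matcher "200", two
// consecutive passes are enough to reach "healthy".
const fixed = simulateHealthChecks({ matcher: "200", hasHealthRoute: true, checks: 2 });

console.log(noRoute.state, noRoute.lastFailure.body); // unhealthy 404: This page could not be found.
console.log(widened.state, fixed.state);              // healthy healthy
```

The widened matcher is a diagnostic step only; once the health route exists, put the matcher back to `200` so that an application that answers 401/403/404 to everything is taken out of service rather than kept in rotation.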
@chaithanya009 Thank you. Got the health check working without modifying the Docker image file. Now just need to get the API and UI to communicate with each other in ECR/ECS.
Currently using the method of service_connect_configuration
Hi @wellhrd, sorry for the late reply.
Have you managed to get Prowler working or do you need more assistance? If you need anything else we're here to help you.
Greetings @HugoPBrito, that's okay. You're right on time.
We got the ALB to connect to the UI via port 3000. Essentially this made the ALB "HEALTHY".
As of now I am still unable to sign up since there are errors when trying to sign up.
These are changes to the code not listed in the current repo:
- Variables.tf - uncommented this line and added `:3000` at the end:
  `{ name = "NEXTAUTH_URL", value = "http://New-Prowler-ALB-102086939.us-east-1.elb.amazonaws.com:3000" },`
- Tried this image for the UI >> prowlercloud/prowler-ui:2becf45
- And since the API has worker and worker-beat we used this new image >> https://hub.docker.com/r/prowlercloud/prowler-api
Please see the following screens:
Healthy ALB
Error when click sign up
CloudWatch Logs:
Hi @wellhrd,
Our images are ready for the docker compose solution and because of this, they are built with some specific variables pointing between services.
In this case, the UI image is built with the argument NEXT_PUBLIC_API_BASE_URL pointing to http://prowler-api:8080/api/v1. If you want to deploy the Prowler app using another method, you will need to build the images yourself with these public variables pointing to your corresponding endpoints.
On the other hand, I see you are using the NEXTAUTH_URL env var, but this variable is not valid; it should be AUTH_URL and it has to point to your UI URL.
Let me know if you need more help.
Thanks!
I'm at this same spot, I think.
Are we not able to pass ENV VARS with these arguments, @cesararroba ? I'm utilizing the latest docker containers, and passing the newer NEXT_PUBLIC_API_BASE_URL but still running into this same roadblock of Network Error. I'm not using service discovery, and instead using DNS/ALB for all endpoints, such as:
- ui = https://prowler-ui.env.mydomain.cloud/
- api = https://prowler-api.env.mydomain.cloud/
My health checks are all passing, and everything looks good. But when I click sign-up:
The interesting part here is that when I inspect in the console, everything is 200s.
My UI Terraform env vars:
```hcl
environment = [
  { name = "PROWLER_UI_VERSION", value = var.prowler_ui_version },
  { name = "AUTH_URL", value = "https://${var.ui_domain}" },
  { name = "API_BASE_URL", value = "https://${var.api_domain}/api/v1" },
  { name = "NEXT_PUBLIC_API_BASE_URL", value = "https://${var.api_domain}/api/v1" },
  { name = "NEXT_PUBLIC_API_DOCS_URL", value = "https://${var.api_domain}/api/v1/docs" },
  { name = "AUTH_TRUST_HOST", value = "true" },
  { name = "DJANGO_BIND_ADDRESS", value = "0.0.0.0" },
  { name = "UI_PORT", value = tostring(var.ui_port) },
  ...
```
my API terraform env vars:
```hcl
environment = [
  # Core API settings
  { name = "PROWLER_API_VERSION", value = var.prowler_api_version },
  { name = "DJANGO_ALLOWED_HOSTS", value = "*" },
  { name = "DJANGO_BIND_ADDRESS", value = "0.0.0.0" },
  { name = "DJANGO_PORT", value = tostring(var.django_port) },
  { name = "DJANGO_DEBUG", value = "True" },
  { name = "DJANGO_SETTINGS_MODULE", value = var.django_settings_module },
  { name = "DJANGO_LOGGING_FORMATTER", value = var.django_logging_formatter },
  { name = "DJANGO_LOGGING_LEVEL", value = var.django_logging_level },
  ...
```
Hi @jheck90,
For variables with the prefix NEXT_PUBLIC_ that's not valid; they need to be set at build time. You can read more about it in the Next.js documentation: https://nextjs.org/docs/pages/guides/environment-variables#bundling-environment-variables-for-the-browser
We will include this in our documentation asap.
Thanks!
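Why a `NEXT_PUBLIC_*` value placed in the task definition never reaches the browser (the build-time inlining described in the two replies above), plus a small check for a container `environment` list that flags the mistakes discussed in this thread, as an added example. This is JavaScript written for this page, not code from Prowler, Next.js or any participant; the hostnames, the sample environments and the `DJANGO_*` hardening rules are constructed additions and the thread does not state them.

```javascript
// Added example (not Prowler or Next.js code): first, why a NEXT_PUBLIC_*
// value set in an ECS task definition is ignored; second, a lint for a
// container `environment` list. Hostnames and sample values are constructed.

// At build time Next.js replaces each `process.env.NEXT_PUBLIC_<NAME>` in
// client code with the literal value from the build environment (via
// webpack's DefinePlugin); names unset at build time become `undefined`.
// This function reproduces that substitution on a source string.
function inlineNextPublicEnv(source, buildEnv) {
  return source.replace(/process\.env\.(NEXT_PUBLIC_[A-Z0-9_]+)/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(buildEnv, name) ? JSON.stringify(buildEnv[name]) : "undefined"
  );
}

// Evaluate a one-expression "bundle" under a chosen runtime environment.
// `new Function` is used only to show that the substituted code no longer
// consults `process.env` at all; never do this with untrusted input.
function evaluateBundled(bundledSource, runtimeEnv) {
  const run = new Function("process", `"use strict"; return (${bundledSource});`);
  return run({ env: runtimeEnv });
}

// Constructed client code, of the kind the UI's API client contains.
const CLIENT_SOURCE = "process.env.NEXT_PUBLIC_API_BASE_URL";

// Built with the compose-oriented default, then run with the ECS value set at
// runtime: the browser still targets http://prowler-api:8080/api/v1, a name
// the user's browser has no route to, hence "Network Error" behind an ALB.
const bundled = inlineNextPublicEnv(CLIENT_SOURCE, {
  NEXT_PUBLIC_API_BASE_URL: "http://prowler-api:8080/api/v1",
});
const effectiveApiBaseUrl = evaluateBundled(bundled, {
  NEXT_PUBLIC_API_BASE_URL: "https://prowler-api.example.invalid/api/v1",
});

// Lint an ECS-style environment list ([{ name, value }, ...]). The first two
// rules restate the thread: NEXT_PUBLIC_* has no effect at runtime, and the UI
// reads AUTH_URL, not NEXTAUTH_URL. The two DJANGO_* rules are added hardening
// caveats for the API container, not something the thread states.
function lintContainerEnvironment(environment) {
  const findings = [];
  for (const { name, value } of environment) {
    if (name.startsWith("NEXT_PUBLIC_")) {
      findings.push({ name, severity: "error",
        message: "inlined at build time; pass it as a build argument when building the UI image" });
    }
    if (name === "NEXTAUTH_URL") {
      findings.push({ name, severity: "error",
        message: "not read by the UI; set AUTH_URL to the UI's public URL instead" });
    }
    if (name === "DJANGO_DEBUG" && /^(true|1)$/i.test(String(value).trim())) {
      findings.push({ name, severity: "warning",
        message: "debug mode exposes tracebacks and settings on error pages; set it to False outside development" });
    }
    if (name === "DJANGO_ALLOWED_HOSTS" && String(value).trim() === "*") {
      findings.push({ name, severity: "warning",
        message: "wildcard disables Host header validation; list the API hostname(s) explicitly" });
    }
  }
  return findings;
}

// Constructed environments modelled on the task definitions posted above.
const SAMPLE_UI_ENV = [
  { name: "AUTH_URL", value: "https://prowler-ui.example.invalid" },
  { name: "NEXTAUTH_URL", value: "http://example-alb.us-east-1.elb.amazonaws.com:3000" },
  { name: "NEXT_PUBLIC_API_BASE_URL", value: "https://prowler-api.example.invalid/api/v1" },
  { name: "AUTH_TRUST_HOST", value: "true" },
];
const SAMPLE_API_ENV = [
  { name: "DJANGO_ALLOWED_HOSTS", value: "*" },
  { name: "DJANGO_DEBUG", value: "True" },
  { name: "DJANGO_BIND_ADDRESS", value: "0.0.0.0" },
];

console.log(effectiveApiBaseUrl);                      // http://prowler-api:8080/api/v1
console.log(lintContainerEnvironment(SAMPLE_UI_ENV));  // 2 errors: NEXTAUTH_URL, NEXT_PUBLIC_API_BASE_URL
console.log(lintContainerEnvironment(SAMPLE_API_ENV)); // 2 warnings: DJANGO_ALLOWED_HOSTS, DJANGO_DEBUG
```

The practical consequence for ECS is that the UI image has to be rebuilt per environment with `NEXT_PUBLIC_API_BASE_URL` supplied as a build argument, while `AUTH_URL` and the server-side `API_BASE_URL` can stay as runtime task-definition variables.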
Hi @wellhrd,
Do you need any further assistance? If not I'll proceed to close the issue.
Hello @HugoPBrito, I had moved away from the concept for a while. Can proceed to close unless absolutely necessary.
@jheck90 ikr, so close, so close man. But I will check back on the **NEXT_PUBLIC_**
@cesararroba I will look to poke around again and give it another go. Which image and version did you use?
Got this working for my org. Took a few code changes to get a health check and encrypted use of Valkey.
@HugoPBrito looking for a way to get the API and UI docker images to communicate with an ECS (FARGATE) in AWS, any suggestions?
Observations:
- Worker-beat is failing since the admin user is not properly being created from the API docker container
https://github.com/jheck90/prowler-terraform/blob/main/prowler_worker_beat.tf
Check out lines 56-58. I think originally I was just passing the command, but through troubleshooting I found it wasn't working without also doing the entry point.
Also checkout my dockerfiles/ I had to custom write my images
Hi @wellhrd,
I'm sorry for the late reply. Did you manage to set it up?
Hello, @HugoPBrito thanks. Will take a final crack at it before this month's end as my free tier credits expire then.
Perfect and GL! We'll be here if you need anything.
Hi @wellhrd,
Any updates on this? If not I'll proceed to close the issue.