Can I put ipfs-cluster-service upstream from nginx proxy?

I would like to run ipfs-cluster-service upstream from nginx proxy. The reason I want to do this is because I’m using dokku to manage app lifecycles, and I would like to use dokku to provision a docker container for ipfs-cluster-service.

I’m successfully running kubo as a dokku app. I’m also running ipfs-cluster-service as a separate dokku app. Because dokku uses docker, kubo and ipfs-cluster-service are communicating via docker network.

The problem I’m running into at the moment is getting ipfs-cluster-ctl to authenticate with ipfs-cluster-service via the nginx proxy.

I have not enabled SSL termination on the nginx proxy, as I know ipfs-cluster-service restapi handles SSL itself. I’m using a self-signed certificate.

Here’s an error I get when I force http.

ipfs-cluster-ctl -f --host '/ip4/redacted/tcp/9094' --basic-auth 'redacted:redacted' status
An error occurred:
  Code: 400
  Message: Client sent an HTTP request to an HTTPS server.

And here’s the error I get when I force https.

ipfs-cluster-ctl -s --host '/ip4/redacted/tcp/9094' --basic-auth 'redacted:redacted' status
2023-07-10T21:54:40.323-0800    ERROR   apiclient       client/lbclient.go:104  reached maximum number of retries without success, retries: 1
An error occurred:
  Code: 0
  Message: Get "https://redacted:9094/pins?local=false&filter=&cids=": http: server gave HTTP response to HTTPS client

I can’t win using either method!

I’m sure the request in both methods is reaching the nginx proxy server. I see output in the access log with my ip address and HTTP 400 errors.

redacted - redacted [11/Jul/2023:05:56:54 +0000] "GET /pins?local=false&filter=&cids= HTTP/1.1" 400 59 "-" "Go-http-client/1.1"
redacted - - [11/Jul/2023:05:57:04 +0000] "\x16\x03\x01\x015\x01\x00\x011\x03\x03\x02N\x96Y\xA9J3\xB7\xA42\x88\x1A\x02\xE3\xA482\xB5u\xAE\xDCh\xA2\xC1\xD9\x07[\xDF\x88\x19\xF6Q \xE7\xF6\xEDm\xC9l\x06" 400 659 "-" "-"

I realized in writing this topic that my requests are not reaching ipfs-cluster-service. Or rather, I am not seeing restapilog logs in ipfs-cluster-service’s console output in the same way that I see them in a separate, known working cluster without docker/dokku. This might be where things are going wrong. I will do more digging and report back.

First of all, does it work when using curl?

I don’t know how you have configured nginx, but I’m guessing that unless you are doing tcp-proxying directly, you won’t be able to talk https to the cluster service. Perhaps nginx doesn’t know how to talk https to the upstream server. The normal thing is to do ssl termination in nginx, if nginx is going to be there anyways.

Potentially, nginx is trying to make an HTTP request to the HTTPS server, or your client is trying to make an HTTPS request to the HTTP nginx. That is probably happening if you are doing http-proxying instead of tcp proxying.
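
The two access-log lines in the question already show which protocol each attempt put on the wire, which is the mismatch the reply describes. As an added example (not from the thread or from the ipfs-cluster project), this Python script undoes nginx's `\xHH` log escaping and labels each line; the function names and hint strings are assumptions of this example, and the TLS request field is shortened from the one in the post.

```python
import re

# nginx access-log line: addr - user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)')
HTTP_RE = re.compile(rb'^[A-Z]+ \S+ HTTP/\d\.\d$')
ESCAPE_RE = re.compile(rb'\\x([0-9A-Fa-f]{2})')


def unescape(field: str) -> bytes:
    """Undo nginx's default log escaping, which writes raw bytes as \\xHH."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]),
                         field.encode("latin-1"))


def wire_protocol(raw: bytes) -> str:
    """Name what the client sent first, from the logged request bytes."""
    # TLS record header: type 0x16 (handshake), major version 0x03, minor
    # version, two length bytes; then handshake type 0x01 (ClientHello).
    if raw[:2] == b"\x16\x03":
        hello = len(raw) >= 6 and raw[5] == 0x01
        return "tls-client-hello" if hello else "tls-handshake"
    if HTTP_RE.match(raw):
        return "plain-http"
    return "unknown"


def diagnose(line: str):
    """Return (wire protocol, status, hint) for one access-log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    proto, status = wire_protocol(unescape(m.group(3))), int(m.group(4))
    if proto.startswith("tls") and status == 400:
        hint = "TLS arrived on a listener that expects plain HTTP"
    elif proto == "plain-http" and status == 400:
        hint = "HTTP was parsed here; check whether the upstream expects TLS"
    else:
        hint = "no protocol mismatch visible in this line"
    return proto, status, hint


# The two access-log lines from the post (TLS request field shortened).
SAMPLE = [
    r'redacted - redacted [11/Jul/2023:05:56:54 +0000] "GET /pins?local=false&filter=&cids= HTTP/1.1" 400 59 "-" "Go-http-client/1.1"',
    r'redacted - - [11/Jul/2023:05:57:04 +0000] "\x16\x03\x01\x015\x01\x00\x011\x03\x03" 400 659 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(diagnose(entry))
```

The second line decodes to a TLS handshake record carrying a ClientHello, so the `-s` attempt reached an nginx listener that was speaking plain HTTP.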