Hi, I am using the TYK quickstart and need to enable SSL
I put the SSL config in both tyk.conf and tyk_analytics.conf. However, the TYK gateway does not start unless I remove the SSL config below from the tyk.conf file.
The same issue also happens when I update the connection string in tyk.conf to https, i.e. "connection_string": "https://mydomain.com:3000". It seems the only way to get the TYK gateway to start when I do docker restart is to remove the SSL config block below AND make sure the connection string is "http" and not https.
I tried both SSL config options below but it does not accept either of them.
How can I see the log from the gateway? No logs are available in /var/logs/…
Yes, the JSON file validates OK.
The SSL certs are in the folder /etc/ssl/certs, which is already mounted in the container (when I log in to the container I can successfully do: "cat /etc/ssl/certs/STAR_mydomain_com.crt").
Can you please advise where/how I can get the logs? I looked in /var/log and used the command: sudo journalctl -fu docker.service
I got the certificate converted to PEM format now. Now I am able to login to the dashboard using https.
However, there are still some issues with the Gateway error:
time="Jul 28 18:26:09" level=error msg="Request failed: Get https://mydomain.com:3000/register/node: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
time="Jul 28 18:26:01" level=error msg="Policy request failed: Get https://mydomain.com:3000/system/policies: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Yes, I am running the dashboard on port 3000 (I didn't change the port settings).
Currently I am able to log in on a browser from a remote machine to the dashboard via the https URL (on port 3000). When I curl from the Docker host machine I get a response from the dashboard. When I use Postman from a remote machine I am able to get a response from the dashboard. I am able to ping the dashboard from the gateway container… But when I curl from the gateway container it just times out.
Ok, the fact the ping works is promising. But if the curl fails between containers that’s a worry. Just because docker container apps can be accessed from outside doesn’t mean they can interact with one another.
The issue might be the listening domain, if you’ve set a domain name on the host the dashboard might be being really strict - have you tried curling the dashboard domain instead of the container name?
After some time troubleshooting I discovered it's an issue with port forwarding between the host and the container.
When running tcpdump, all requests from remote hosts are routed as follows:
remote host:43792 > Docker Host:3000 >
Docker host:43792 > Dashboard_container:3000
And the reverse happens for the response.
But all requests from the gateway container to dashboard end up like this:
Gateway:42345 > Docker Host:3000
To resolve this I added the required port-forwarding rule:
sudo iptables -t nat -A PREROUTING -s 172.18.0.5 -p tcp --dport 3000 -j DNAT --to-destination 172.18.0.2
Now the gateway is able to reach the dashboard container.
However I am now getting the error:
time="Jul 30 08:12:25" level=error msg="Request failed: Get https://mydomain:3000/register/node: x509: certificate signed by unknown authority".
Now looking into the intermediate certificates…
Good to hear. You can use self-signed certs, but you need to add them to your OS trusted certificate store (in this case you need to mount it into the Docker container).
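The trust-store point in the last two posts (the gateway's "x509: certificate signed by unknown authority" error, and the advice to add the issuing cert to the OS store) reproduced in Go, the language the gateway's error message comes from. This is an added example, not code from the thread or from Tyk: it generates a throwaway private CA and a leaf cert signed by it in-process, stands up a local TLS server in place of the dashboard, and calls it twice, once trusting only the OS store (the gateway's situation) and once with the CA added. The CA name, the server's JSON reply and the reuse of the /register/node path from the log line are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// makeCerts builds a throwaway private CA and a server cert for 127.0.0.1 signed
// by it: a constructed stand-in for the dashboard's certificate chain.
func makeCerts() (*x509.Certificate, tls.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "dashboard"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on 127.0.0.1
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return ca, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}, nil
}

// fetch does a GET over TLS. A nil pool means "use the OS trust store", which is
// what a Go HTTP client does unless it is handed its own roots.
func fetch(url string, roots *x509.CertPool) error {
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}},
	}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// IsUnknownAuthority reports whether err is Go's
// "x509: certificate signed by unknown authority" verification failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Run starts the stand-in dashboard and calls it twice: with only the OS trust
// store (the gateway's situation) and with the private CA added to the pool.
func Run() (untrusted, trusted error, err error) {
	ca, leaf, err := makeCerts()
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"Status":"OK"}`) // constructed reply, not the dashboard's real one
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	defer srv.Close()
	untrusted = fetch(srv.URL+"/register/node", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the in-process equivalent of installing the CA in the container's store
	trusted = fetch(srv.URL+"/register/node", pool)
	return untrusted, trusted, nil
}
```

The first call fails with exactly the error the gateway logged, because the OS store (on Linux Go reads /etc/ssl/certs and its siblings) does not contain the issuer; the second succeeds once the CA is in the pool. The gateway has no code of yours to pass a pool to, so the fix is the one the reply describes: get the issuing CA (and any intermediate) in PEM form into the container's OS trust store, for example by mounting it into the location the image's base distribution uses and running that distribution's update tool (on Debian-based images, /usr/local/share/ca-certificates/ plus update-ca-certificates; which base image the quickstart uses is assumed here, so check yours).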