Install OpenBalena with NGINX

Hi,

I’m trying to install open Balena in my server where I already have a NGINX inverse proxy. I would like to know if there is a way to config OpenBalena with NGINX instead of haproxy?
Does anyone try it? any advice?

Best regards,

Hi,

openBalena maintainer here :grinning:

The HAproxy component in openBalena is handling more than just HTTPS and host-based service routing; the VPN traffic also comes in on port 443 and is detected and redirected which NGINX may not be able to do.

If you look in the openBalena repo, you will see that the HAproxy container is built from source, so perhaps modifying the config to push connections for this SNI off to your existing NGINX (on a different port) would be the best best?

Regards.

Thanks a lot for your answer. I’ll check but I have never use haproxy so I really dont know how to do it. After some investigation I will come back to you.

OK - it’s quite straightforward and the existing config in the repo will probably be enough to help, or at least put you on the right track :+1:

hold on, as NGNIX is already running on the port 443, I might have to stop it instead of pushing the connections off. so maybe Just replace my NGINX completely? I mean I dont see how it will be possible to have both and also, It wont make sense?

Can I forward request from port 80 to start using HTTPS in haproxy?

You would need to stop NGINX listening on 443 and 80 - this is where we bind them in openBalena: https://github.com/balena-io/open-balena/blob/17419557a5580f915c31b90826b0479b1b42aaff/compose/services.yml#L154

Say you have NGINX bound to 8080 and 8443 instead, then you would add a frontend/backend to the HAproxy configuration to handler your existing sites and have them sent to localhost:8080 or localhost:8443 – the config for HAproxy can be seen here: https://github.com/balena-io/open-balena/blob/master/src/haproxy/haproxy.cfg

1 Like

Hi @richbayliss,
I decided to keep it simple for the moment so I use a server taht has no other reverse proxy or so. I installed al required stuff and I got:

request to https://api.dev.xxx.fr/login_ failed, reason: Hostname/IP doesn’t match certificate’s altnames: “Host: api.dev.xxx.fr. is not in the cert’s altnames: DNS:.openbalena.local"
FetchError: request to https://api.dev.xxx.fr/login_ failed, reason: Hostname/IP doesn’t match certificate’s altnames: "Host: api.dev.xxx.fr. is not in the cert’s altnames: DNS:
.openbalena.local”
at ClientRequest. (/usr/local/lib/node_modules/balena-cli/node_modules/node-fetch/index.js:133:11)
It was hald good news because my Cli was communicating with my OpenBalena server. I try to change the Domain with the -d in the quickstart script, with no result, so I just modified locally the Domain value to my real Domain.

and guess what?? still nop working… but now I run out of ideas. The latest error prompt is:

BalenaRequestError: Request error: Unauthorized
BalenaRequestError: Request error: Unauthorized
    at /usr/local/lib/node_modules/balena-cli/node_modules/balena-request/build/request.js:197:17
From previous event:
    at /usr/local/lib/node_modules/balena-cli/node_modules/balena-request/build/request.js:189:62
From previous event:
    at Object.exports.send (/usr/local/lib/node_modules/balena-cli/node_modules/balena-request/build/request.js:188:8)
    at Object.exports.authenticate (/usr/local/lib/node_modules/balena-cli/node_modules/balena-sdk/build/auth.js:144:20)
    at exports.login (/usr/local/lib/node_modules/balena-cli/node_modules/balena-sdk/build/auth.js:180:20)
    at runCallback (timers.js:810:20)
    at tryOnImmediate (timers.js:768:5)
    at processImmediate [as _immediateCallback] (timers.js:745:5)
From previous event:
    at Object.authenticate (/usr/local/lib/node_modules/balena-cli/build/utils/patterns.js:28:10)
    at doLogin (/usr/local/lib/node_modules/balena-cli/build/actions/auth.js:85:33)
    at doLogin (/usr/local/lib/node_modules/balena-cli/build/actions/auth.js:101:20)
    at <anonymous>

If you need help, don't hesitate in contacting our support forums at
https://forums.balena.io

For CLI bug reports or feature requests, have a look at the GitHub issues or
create a new one at: https://github.com/balena-io/balena-cli/issues/

I am sure I’m putting the write password. so… any help here?

Hi,

In the server, I add the debugging flag ‘export DEBUG=1’, restarted the server services ./scripts/compose stop and ./scripts/compose up -d. I tried to connect again. I try to log in again and had the following results:

SELF_SIGNED_CERT_IN_CHAIN: request to https://api.dev.xxx.fr/login_ failed, reason: self signed certificate in certificate chain
FetchError: request to https://api.dev.xxx.fr/login_ failed, reason: self signed certificate in certificate chain
at ClientRequest. (/usr/local/lib/node_modules/balena-cli/node_modules/node-fetch/index.js:133:11)
at emitOne (events.js:116:13)
at ClientRequest.emit (events.js:211:7)
at ClientRequest.emit (/usr/local/lib/node_modules/balena-cli/node_modules/raven/lib/instrumentation/http.js:51:23)
at TLSSocket.socketErrorListener (_http_client.js:401:9)
at emitOne (events.js:116:13)
at TLSSocket.emit (events.js:211:7)
at emitErrorNT (internal/streams/destroy.js:73:8)
at _combinedTickCallback (internal/process/next_tick.js:139:11)
at process._tickDomainCallback (internal/process/next_tick.js:219:9)
From previous event:
at new Fetch (/usr/local/lib/node_modules/balena-cli/node_modules/node-fetch/index.js:49:9)
at Fetch (/usr/local/lib/node_modules/balena-cli/node_modules/node-fetch/index.js:37:10)
at /usr/local/lib/node_modules/balena-cli/node_modules/fetch-ponyfill/fetch-node.js:15:12
at requestAsync (/usr/local/lib/node_modules/balena-cli/node_modules/balena-request/build/utils.js:333:7)
From previous event:
at requestAsync (/usr/local/lib/node_modules/balena-cli/node_modules/balena-request/build/utils.js:352:22)
at /usr/local/lib/node_modules/balena-cli/node_modules/balena-request/build/utils.js:402:12
at /usr/local/lib/node_modules/balena-cli/node_modules/balena-request/build/request.js:184:14
From previous event:
at Object.exports.send (/usr/local/lib/node_modules/balena-cli/node_modules/balena-request/build/request.js:183:89)
at Object.exports.authenticate (/usr/local/lib/node_modules/balena-cli/node_modules/balena-sdk/build/auth.js:144:20)
at exports.login (/usr/local/lib/node_modules/balena-cli/node_modules/balena-sdk/build/auth.js:180:20)
at runCallback (timers.js:810:20)
at tryOnImmediate (timers.js:768:5)
at processImmediate [as _immediateCallback] (timers.js:745:5)
From previous event:
at Object.authenticate (/usr/local/lib/node_modules/balena-cli/build/utils/patterns.js:28:10)
at doLogin (/usr/local/lib/node_modules/balena-cli/build/actions/auth.js:85:33)
at doLogin (/usr/local/lib/node_modules/balena-cli/build/actions/auth.js:101:20)
at

If you need help, don’t hesitate in contacting our support forums at
https://forums.balena.io

For CLI bug reports or feature requests, have a look at the GitHub issues or
create a new one at: https://github.com/balena-io/balena-cli/issues/

please some guidance here :cry:!!

Hi Andres, looking at the log Hostname/IP doesn’t match certificate’s altnames: "Host: api.dev.xxx.fr. is not in the cert’s altnames: DNS:_.openbalena.local” it seems like the certs are not correctly setup. It looks like you have changed the domain but the cert is from a previous configuration/old/default install as it is looking for openbalena.local. Did you start from scratch on this server, also perhaps you can describe the steps you have take during the setup as that would help us identify more easily where things have gone wrong.

hi @shaunmulligan,

I run the script ./scripts/quickstart -U <email@address> -P <password> -d mydomain.com, with my domain, but it was generating by default openbalena.local. Therefore, I change the script and set up my real domain. So Maybe that script that I run the first time, is making this go wrong?

In the messages above I change my real domain by xxx.

Its possible that running it the second time didn’t over write the original cert, could you inspect the cert on your host in /config/activate and see that it specifies the correct domain?

If you haven’t done anything on your openBalena instance yet, like provision devices or create releases, then perhaps the best option is to do rm -rf ./config and re-do the quickstart

I havent Im gonna try this. But this is in open-balena forlder?

Yup, in the directory you clone openBalena into.

The Domain here is correct, however, the password is not. I’m just putting my password like this - p XXX****3!! and these 3 las characters are replaced by something else. Make any sense to you?

I delete and try 2 times, still no able to connect having these results with good and wrong authentication credentials:

SELF_SIGNED_CERT_IN_CHAIN: request to https://api.dev.shopline.fr/login_ failed, reason: self signed certificate in certificate chain

Additional information may be available by setting a DEBUG=1 environment
variable: “set DEBUG=1” on a Windows command prompt, “$env:DEBUG = 1” on
powershell, or “export DEBUG=1” on Linux or macOS.

If you need help, don’t hesitate in contacting our support forums at
https://forums.balena.io

For CLI bug reports or feature requests, have a look at the GitHub issues or
create a new one at: https://github.com/balena-io/balena-cli/issues/

I put aeasier password, so it is the same between the one I put when I call the script and the one you can see in ‘/config/activate’.

I also update the certificate on my CLI client and restarted docker.

I dont know whats going on.

You can see my API is available and reachable:

image

now is worst than before, is not connecting to the server.

Hi,

Can you confirm that you deleted the ./config directory and re-ran the ./scripts/quickstart with the correct details? I am just asking because it isn’t apparent above if this is the case. By default you would get a self-signed cert for the domain you configured in quickstart, so that is normal, but you have to manually make your system trust it; this is part of the documentation if you missed it :+1:

Also, is this domain publicly accessible? If so then you can get the OB instance to acquire a publicly trusted certificate with the -c option. This will only work if the domain is correctly setup and port 80 is publicly accessible and unfiltered. It does make the trust part above redundant though, so if it’s possible then it’s a good option.

1 Like

yes! I also copy the new certificate to my PC and restart the docker as it is explained in the documentation. The server is working, I sent you the image how I accessed it from Internet. again I change the real address to publish in this forum, I can give you the real one is there is any PM sys.

yes

and Nowwwwwwwwww isssssssss Working… so I guess it was the -c ?

Thanks for the update - yes, obtaining that publicly trusted certificate was the likely solution. It’s unclear whether you followed the steps previously to manually make your system trust the self-signed certificate but either way glad this is working for you and let us know if you have any further issues.

1 Like

hey!! Again I got stock, sorry.

So I fight a bit with my Asus Tinker S, but after a few rounds I won, so I’m able to see my device in the Balena devices and Balena device EUID.

Now, when I try to add the code, I got an error:

$ sudo balena deploy myApp --logs --source . --emulated
[Info] No “docker-compose.yml” file found at “/home/aburbanol/dev/balena/sense-snake”
[Info] Creating default composition with source: “/home/aburbanol/dev/balena/sense-snake”
[Info] Building for armv7hf/asus-tinker-board-s
[Build] Building services…
[Build] main Preparing…
[Info] Emulation is enabled
[Build] main Step 1/11 : FROM balenalib/asus-tinker-board-s-node:8-build AS base
[Build] main —> b15e43d941ef
[Build] main Step 2/11 : WORKDIR /usr/src/app
[Build] main —> Using cache
[Build] main —> 2a46a93489cd
[Build] main Step 3/11 : COPY package.json .
[Build] main —> Using cache
[Build] main —> 9691a80f5ca5
[Build] main Step 4/11 : RUN JOBS=MAX npm install --unsafe-perm --production
[Build] main —> Running in 6fb8a730ccf8
[Build] main standard_init_linux.go:211: exec user process caused “exec format error”
[Build] Built 1 service in 0:01
[Error] Deploy failed
The command ‘/bin/sh -c JOBS=MAX npm install --unsafe-perm --production’ returned a non-zero code: 1

Additional information may be available by setting a DEBUG=1 environment
variable: “set DEBUG=1” on a Windows command prompt, “$env:DEBUG = 1” on
powershell, or “export DEBUG=1” on Linux or macOS.

If you need help, don’t hesitate in contacting our support forums at
https://forums.balena.io

For CLI bug reports or feature requests, have a look at the GitHub issues or
create a new one at: https://github.com/balena-io/balena-cli/issues/

Any idea? what can it be?