I have a Django app whose static files need to be served by nginx. I want the app to be accessible through a VPN, for which I'm using OpenVPN. Both the nginx container and the Django container are in the same pod. My limited understanding is that it would be enough to run the VPN in the background in the nginx container and it should successfully route requests to the backend using localhost because they're in the same pod. But this doesn't seem to be working.
My vpn config looks like this:
client
dev tun
proto udp
remote <server_ip> 1194
# Push all traffic through the VPN - from stackoverflow answer
redirect-gateway def1
# except these two k8s subnets - from stackoverflow answer
route 10.43.0.0 255.255.0.0 net_gateway
route 10.42.0.0 255.255.0.0 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
Here I added @anemyte's suggestion from here about the routes (I'm also using Calico).
Routing is configured in nginx using this config snippet:
upstream hello_django {
    server localhost:8080;
}

server {
    listen 80;
    server_tokens off;
    server_name _;

    # Django Static Files - routes beginning with /static/
    location /static {
        add_header Access-Control-Allow-Origin *;
        add_header Cache-Control public;
        add_header Pragma public;
        add_header Vary Accept-Encoding;
        #alias /app/web_static;
        root /var/www/;
    }

    location /static/admin/ {
        add_header Access-Control-Allow-Origin *;
        add_header Cache-Control public;
        add_header Pragma public;
        add_header Vary Accept-Encoding;
        root /var/www/;
    }

    location / {
        proxy_pass http://hello_django;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Cache-Control public;
        add_header Pragma public;
        add_header Vary Accept-Encoding;
    }
}
and a deployment file is similar to what @anemyte wrote.
I keep getting:
[warn] 13#13: *5 upstream server temporarily disabled while connecting to upstream, client: 11.254.0.15, server: _, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/"
[error] 13#13: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 11.254.0.15, server: _, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/"
127.0.0.1:8080? Also, what is the ultimate goal of this? It looks like an XY problem to me. – Delayedaction

127.0.0.1:8080 because its container is within the same pod, and without turning on the VPN everything works fine. The requests get through. So I'm pretty sure it's VPN related and not an XY problem. My problem is that I don't have enough knowledge around VPN to decipher what is wrong. Maybe the server config that I haven't posted here, I simply don't know... – Knackwurst

curl http://127.0.0.1:8080/ when VPN is up/down, analyze packets with tcpdump, check routes just in case. Routes are what VPN is changing and if I understand you well (that you're running a VPN client, not server, in that pod), you probably don't need that, so try removing redirect-gateway and route directives from that config. – Delayedaction