Kamal: Are you trying to open an SSL connection to a non-SSL Puma?

valasek · October 22, 2024, 1:11pm

Using Kamal 2.2.2 and Rails 7.2.1. After running kamal deploy I am getting

INFO [53229d8c] Running **docker exec kamal-proxy kamal-proxy deploy find-a-coach-web --target="861f2b0e8501:3000" --host="www.findacoach.eu" --tls --deploy-timeout="30s" --drain-timeout="30s" --buffer-requests --buffer-responses --log-request-header="Cache-Control" --log-request-header="Last-Modified" --log-request-header="User-Agent"** on 168.119.124.201

ERROR Failed to boot web on 168.119.124.201

INFO First web container is unhealthy on 168.119.124.201, not booting any other roles

HTTP parse error, malformed request: #<Puma::HttpParserError: Invalid HTTP format, parsing fails. Are you trying to open an SSL connection to a non-SSL Puma?>

And relevant config files

Dockerfile

EXPOSE 80 443 3000

deploy.yml

proxy:
  ssl: true
  host: www.findacoach.eu
  # kamal-proxy connects to your container over port 80, use `app_port` to specify a different port.
  app_port: 3000

and production.rb

# Assume all access to the app is happening through a SSL-terminating reverse proxy.
  # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
  # config.assume_ssl = true

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = true

  # Skip http-to-https redirect for the default health check endpoint.
  # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }

LukasGutwinski · October 23, 2024, 7:50am

Hi Stanislav,

I had the same issue and adding both assume_ssl and force_ssl to production fixed it for me.

config.assume_ssl = true
config.force_ssl = true

There’s an issue for this:

github.com/basecamp/kamal

[Kamal 2] Error: target failed to become healthy

opened 10:19AM - 03 Oct 24 UTC

closed 11:00PM - 15 Oct 24 UTC

randohinn

I'm using kamal 2 and a fresh config and a fresh dockerfile. Logs end with … ``` "User-Agent" on xxx.xxx.x.xx ERROR Failed to boot web on xxx.xxx.x.xx INFO First web container is unhealthy on xxx.xxx.x.xx, not booting any other roles INFO [c43fba2b] Running docker container ls --all --filter name=^app-web-616499a7f846ac1b9e793e4b65fc0d620975af34_uncommitted_5974b526eb0bface$ --quiet | xargs docker logs --timestamps 2>&1 on xxx.xxx.x.xx INFO [c43fba2b] Finished in 0.086 seconds with exit status 0 (successful). ERROR 2024-10-03T10:12:09.396377559Z {"time":"2024-10-03T10:12:09.396233974Z","level":"INFO","msg":"Server started","http":":80"} 2024-10-03T10:12:10.030154028Z => Booting Puma 2024-10-03T10:12:10.030170436Z => Rails 7.1.3.2 application starting in devint 2024-10-03T10:12:10.030172811Z => Run `bin/rails server --help` for more startup options 2024-10-03T10:12:10.047581359Z {"time":"2024-10-03T10:12:10.047492864Z","level":"INFO","msg":"Unable to proxy request","path":"/up","error":"dial tcp 127.0.0.1:3000: connect: connection refused"} 2024-10-03T10:12:10.047600740Z {"time":"2024-10-03T10:12:10.047563654Z","level":"INFO","msg":"Request","path":"/up","status":502,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/plain; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:10.586403629Z Puma starting in single mode... 2024-10-03T10:12:10.586417892Z * Puma version: 6.4.2 (ruby 3.3.0-p0) ("The Eagle of Durango") 2024-10-03T10:12:10.586420350Z * Min threads: 40 2024-10-03T10:12:10.586422283Z * Max threads: 40 2024-10-03T10:12:10.586424126Z * Environment: devint 2024-10-03T10:12:10.586426017Z * PID: 17 2024-10-03T10:12:10.586552488Z * Listening on http://0.0.0.0:3000 2024-10-03T10:12:10.603315796Z Use Ctrl-C to stop 2024-10-03T10:12:11.048120983Z {"time":"2024-10-03T10:12:11.048046409Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":1,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:12.047512910Z {"time":"2024-10-03T10:12:12.04732821Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:13.047846408Z {"time":"2024-10-03T10:12:13.047729937Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:14.047807686Z {"time":"2024-10-03T10:12:14.047593626Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:15.047478119Z {"time":"2024-10-03T10:12:15.047384139Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:16.047969551Z {"time":"2024-10-03T10:12:16.047850513Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:17.047529146Z {"time":"2024-10-03T10:12:17.047391056Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:18.047754441Z {"time":"2024-10-03T10:12:18.047662475Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:19.047525119Z {"time":"2024-10-03T10:12:19.047406314Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:20.047555951Z {"time":"2024-10-03T10:12:20.047457548Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:21.048005701Z {"time":"2024-10-03T10:12:21.047904734Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:22.047418577Z {"time":"2024-10-03T10:12:22.047325291Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:23.047766252Z {"time":"2024-10-03T10:12:23.047654357Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:24.047382298Z {"time":"2024-10-03T10:12:24.047286567Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:25.048162887Z {"time":"2024-10-03T10:12:25.048084503Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:26.047750958Z {"time":"2024-10-03T10:12:26.047666361Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:27.047461131Z {"time":"2024-10-03T10:12:27.04729404Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:28.047998914Z {"time":"2024-10-03T10:12:28.047815193Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:29.047534102Z {"time":"2024-10-03T10:12:29.04739252Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:30.047297465Z {"time":"2024-10-03T10:12:30.047186348Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:31.047697501Z {"time":"2024-10-03T10:12:31.047600294Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:32.047398803Z {"time":"2024-10-03T10:12:32.047280902Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:33.047837629Z {"time":"2024-10-03T10:12:33.047736866Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:34.047391468Z {"time":"2024-10-03T10:12:34.047251666Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:35.047979415Z {"time":"2024-10-03T10:12:35.047800354Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:36.047563982Z {"time":"2024-10-03T10:12:36.047367517Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:37.047533440Z {"time":"2024-10-03T10:12:37.04743844Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} 2024-10-03T10:12:38.047773791Z {"time":"2024-10-03T10:12:38.047710488Z","level":"INFO","msg":"Request","path":"/up","status":301,"dur":0,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"172.19.0.2:44120","user_agent":"Go-http-client/1.1","cache":"miss","query":""} INFO [0d99e151] Running docker container ls --all --filter name=^app-web-616499a7f846ac1b9e793e4b65fc0d620975af34_uncommitted_5974b526eb0bface$ --quiet | xargs docker inspect --format '{{json .State.Health}}' on xxx.xxx.x.xx INFO [0d99e151] Finished in 0.079 seconds with exit status 0 (successful). ERROR null INFO [92917103] Running docker container ls --all --filter name=^app-web-616499a7f846ac1b9e793e4b65fc0d620975af34_uncommitted_5974b526eb0bface$ --quiet | xargs docker stop on xxx.xxx.x.xx INFO [92917103] Finished in 12.182 seconds with exit status 0 (successful). Releasing the deploy lock... Finished all in 158.3 seconds ERROR (SSHKit::Command::Failed): Exception while executing on host xxx.xxx.x.xx: docker exit status: 1 docker stdout: Nothing written docker stderr: Error: target failed to become healthy ``` Dockerfile: ``` # syntax = docker/dockerfile:1 # Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile ARG RUBY_VERSION=3.3.0 FROM ruby:$RUBY_VERSION-slim AS base # Rails app lives here WORKDIR /rails # Set production environment ENV BUNDLE_DEPLOYMENT="1" \ BUNDLE_PATH="/usr/local/bundle" \ #BUNDLE_WITHOUT="development:test" \ RAILS_ENV="devint" # Update gems and bundler RUN gem update --system --no-document && \ gem install -N bundler # Throw-away build stage to reduce size of final image FROM base AS build # Install packages needed to build gems and node modules RUN apt-get update -qq && \ apt-get install --no-install-recommends -y build-essential curl default-libmysqlclient-dev libvips node-gyp pkg-config python-is-python3 # Install Node.js ARG NODE_VERSION=18.15.0 ENV PATH=/usr/local/node/bin:$PATH RUN curl -sL https://github.com/nodenv/node-build/archive/master.tar.gz | tar xz -C /tmp/ && \ /tmp/node-build-master/bin/node-build "${NODE_VERSION}" /usr/local/node && \ rm -rf /tmp/node-build-master # Install application gems COPY Gemfile Gemfile.lock ./ RUN bundle install && \ bundle exec bootsnap precompile --gemfile && \ rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git # Install node modules COPY package.json package-lock.json ./ RUN npm install # Copy application code COPY . . # Precompile bootsnap code for faster boot times RUN bundle exec bootsnap precompile app/ lib/ # Adjust binfiles to be executable on Linux RUN chmod +x bin/* && \ sed -i "s/\r$//g" bin/* && \ sed -i 's/ruby\.exe$/ruby/' bin/* # Precompiling assets for production without requiring secret RAILS_MASTER_KEY RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails tailwindcss:build # Final stage for app image FROM base # Install packages needed for deployment RUN apt-get update -qq && \ apt-get install --no-install-recommends -y curl default-mysql-client imagemagick libsqlite3-0 libvips && \ rm -rf /var/lib/apt/lists /var/cache/apt/archives # Copy built artifacts: gems, application COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}" COPY --from=build /rails /rails # Run and own only the runtime files as a non-root user for security RUN groupadd --system --gid 1000 rails && \ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \ chown -R 1000:1000 db log storage tmp USER 1000:1000 # Entrypoint prepares the database. ENTRYPOINT ["/rails/bin/docker-entrypoint"] # Start the server by default, this can be overwritten at runtime EXPOSE 80 CMD ["bundle", "exec", "thrust", "./bin/rails", "server"] ``` deploy.yml ``` # Name of your application. Used to uniquely configure containers. service: app # Name of the container image. image: mycomp/myapp # Deploy to these servers. servers: web: - xxx.xxx.x.xx # job: # hosts: # - 192.168.0.1 # cmd: bin/jobs # Enable SSL auto certification via Let's Encrypt (and allow for multiple apps on one server). # Set ssl: false if using something like Cloudflare to terminate SSL (but keep host!). proxy: ssl: false host: devint.mydomain.ee registry: username: myusername password: - KAMAL_REGISTRY_PASSWORD # Configure builder setup. builder: arch: amd64 context: . ssh: user: rando # Inject ENV variables into containers (secrets come from .kamal/secrets). # # env: # clear: # DB_HOST: 192.168.0.2 # secret: # - RAILS_MASTER_KEY env: clear: DB_HOST: xxx.xxx.x.xx RAILS_LOG_TO_STDOUT: 1 RUBY_YJIT_ENABLE: 1 RAILS_SERVE_STATIC_FILES: true RAILS_MAX_THREADS: 40 secret: - RAILS_MASTER_KEY - MYSQL_ROOT_PASSWORD asset_path: /rails/public/assets accessories: db: image: mariadb:11.4 host: xxx.xxx.x.xx port: 3306 env: clear: MYSQL_ROOT_HOST: '%' secret: - MYSQL_ROOT_PASSWORD files: # - config/mysql/production.cnf:/etc/mysql/my.cnf - db/production.sql:/docker-entrypoint-initdb.d/setup.sql directories: - data:/var/lib/mysql ``` What am I missing? devint domain root path serves blue 404 page I assume comes from kamal-proxy.

Also make sure to expose an /up endpoint e.g. routes: get ‘/up’, to: ‘health#up’

class HealthController < ApplicationController
  skip_before_action :authenticate_user!, only: [:up]

  def up
    render json: { status: 'UP' }, status: :ok
  end
end

chris.covington · October 24, 2024, 12:22am

Right, if you use force_ssl and you have SSL termination on a load balancer / kamal-proxy / thruster, anything sitting in front of PUMA, then you need to use assume_ssl too which is a very simple middleware that forces the right headers like X-Forwarded-Proto https

And Rails 7.2.1 will have

get "up" => "rails/health#show", as: :rails_health_check

Available for the health check side.

valasek · October 26, 2024, 8:15pm

SOLVED. Thank you Lucas.

Topic		Replies	Views
Kamal 2 - Deploy, ERR_SSL_PROTOCOL_ERROR rubyonrails-talk	1	11	November 20, 2024
Struggling with Kamal 2 deploy rubyonrails-talk	5	254	October 25, 2024
Kamal + Traefik + SSL = Actioncable not working rubyonrails-talk	1	114	July 24, 2024
Running in a docker container in production with nginx and puma. rubyonrails-talk	0	174	February 9, 2017
Puma Server won't Install rubyonrails-talk	2	311	January 10, 2015

Kamal: Are you trying to open an SSL connection to a non-SSL Puma?

Related topics

More Resources