Updating collector 2.3.1 to 2.6.1 SSL config errors

Hey,

We are updating the collector with the following collector config

# Copyright (c) 2013-2020 Snowplow Analytics Ltd. All rights reserved.
#
# This program is licensed to you under the Apache License Version 2.0, and
# you may not use this file except in compliance with the Apache License
# Version 2.0.  You may obtain a copy of the Apache License Version 2.0 at
# http://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the Apache License Version 2.0 is distributed on an "AS
# IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.  See the Apache License Version 2.0 for the specific language
# governing permissions and limitations there under.

# This file (config.hocon.sample) contains a template with
# configuration options for the Scala Stream Collector.
#
# To use, copy this to 'application.conf' and modify the configuration options.

# 'collector' contains configuration options for the main Scala collector.
collector {
  # The collector runs as a web service specified on the following interface and port.
  interface = ${COLLECTOR_INTERFACE}
  port = 8000 #${COLLECTOR_PORT}

  # optional SSL/TLS configuration
  ssl {
    enable = ${COLLECTOR_SSL_ENABLE}
    # whether to redirect HTTP to HTTPS
    redirect = ${COLLECTOR_SSL_REDIRECT}
    port = ${COLLECTOR_SSL_PORT}
  }
  # The collector responds with a cookie to requests with a path that matches the 'vendor/version' protocol.
  # The expected values are:
  # - com.snowplowanalytics.snowplow/tp2 for Tracker Protocol 2
  # - r/tp2 for redirects
  # - com.snowplowanalytics.iglu/v1 for the Iglu Webhook
  # Any path that matches the 'vendor/version' protocol will result in a cookie response, for use by custom webhooks
  # downstream of the collector.
  # But you can also map any valid (i.e. two-segment) path to one of the three defaults.
  # Your custom path must be the key and the value must be one of the corresponding default paths. Both must be full
  # valid paths starting with a leading slash.
  # Pass in an empty map to avoid mapping.
  paths {
    # "/com.acme/track" = "/com.snowplowanalytics.snowplow/tp2"
    # "/com.acme/redirect" = "/r/tp2"
    # "/com.acme/iglu" = "/com.snowplowanalytics.iglu/v1"
  }

  # Configure the P3P policy header.
  p3p {
    policyRef = "/w3c/p3p.xml"
    CP = "NOI DSP COR NID PSA OUR IND COM NAV STA"
  }

  # Cross domain policy configuration.
  # If "enabled" is set to "false", the collector will respond with a 404 to the /crossdomain.xml
  # route.
  crossDomain {
    enabled = false
    # Domains that are granted access, *.acme.com will match http://acme.com and http://sub.acme.com
    #enabled = ${?COLLECTOR_CROSS_DOMAIN_ENABLED}
    domains = [ "*" ]
    #domains = [ ${?COLLECTOR_CROSS_DOMAIN_DOMAIN} ]
    # Whether to only grant access to HTTPS or both HTTPS and HTTP sources
    secure = true
    #secure = ${?COLLECTOR_CROSS_DOMAIN_SECURE}
  }

  # The collector returns a cookie to clients for user identification
  # with the following domain and expiration.
  cookie {
    enabled = false #true  # false Track no cookies at all for now?
    #enabled = ${?COLLECTOR_COOKIE_ENABLED}
    expiration = 0 #{{cookieExpiration}} # e.g. "365 days"
    #expiration = ${?COLLECTOR_COOKIE_EXPIRATION}
    # Network cookie name
    name = "sp" #{{collectorCookieName}}  # HOCON strings use double quotes; 'sp' would be parsed as the literal 4-character name 'sp'
    #name = ${?COLLECTOR_COOKIE_NAME}
    # The domain is optional and will make the cookie accessible to other
    # applications on the domain. Comment out these lines to tie cookies to
    # the collector's full domain.
    # The domain is determined by matching the domains from the Origin header of the request
    # to the list below. The first match is used. If no matches are found, the fallback domain will be used,
    # if configured.
    # If you specify a main domain, all subdomains on it will be matched.
    # If you specify a subdomain, only that subdomain will be matched.
    # Examples:
    # domain.com will match domain.com, www.domain.com and secure.client.domain.com
    # client.domain.com will match secure.client.domain.com but not domain.com or www.domain.com
    domains = [
        "{{cookieDomain1}}" # e.g. "domain.com" -> any origin domain ending with this will be matched and domain.com will be returned
        "{{cookieDomain2}}" # e.g. "secure.anotherdomain.com" -> any origin domain ending with this will be matched and secure.anotherdomain.com will be returned
        # ... more domains
    ]
    #domains += ${?COLLECTOR_COOKIE_DOMAIN_1}
    #domains += ${?COLLECTOR_COOKIE_DOMAIN_2}
    # ... more domains
    # If specified, the fallback domain will be used if none of the Origin header hosts matches the list of
    # cookie domains configured above. (For example, if there is no Origin header.)
    fallbackDomain = "{{fallbackDomain}}"
    #fallbackDomain = ${?FALLBACK_DOMAIN}
    secure = false
    #secure = ${?COLLECTOR_COOKIE_SECURE}
    httpOnly = false
    #httpOnly = ${?COLLECTOR_COOKIE_HTTP_ONLY}
    # The sameSite is optional. You can choose to not specify the attribute, or you can use `Strict`,
    # `Lax` or `None` to limit the cookie sent context.
    #   Strict: the cookie will only be sent along with "same-site" requests.
    #   Lax: the cookie will be sent with same-site requests, and with cross-site top-level navigation.
    #   None: the cookie will be sent with same-site and cross-site requests.
    sameSite = "None" #"{{cookieSameSite}}"  # double quotes: HOCON does not treat single quotes as string delimiters
    #sameSite = ${?COLLECTOR_COOKIE_SAME_SITE}
  }

  # If you have a do not track cookie in place, the Scala Stream Collector can respect it by
  # completely bypassing the processing of an incoming request carrying this cookie, the collector
  # will simply reply by a 200 saying "do not track".
  # The cookie name and value must match the configuration below, where the names of the cookies must
  # match entirely and the value could be a regular expression.
  doNotTrackCookie {
    enabled = false #false
    name = "" #{{doNotTrackCookieName}}  # double-quoted empty string; '' would be the literal two-character value ''
    value = "" #{{doNotTrackCookieValue}}
  }

  # When enabled and the cookie specified above is missing, performs a redirect to itself to check
  # if third-party cookies are blocked using the specified name. If they are indeed blocked,
  # fallbackNetworkId is used instead of generating a new random one.
  cookieBounce {
    enabled = false
    # The name of the request parameter which will be used on redirects checking that third-party
    # cookies work.
    name = "n3pc"
    # Network user id to fallback to when third-party cookies are blocked.
    fallbackNetworkUserId = "00000000-0000-4000-A000-000000000000"
    # Optionally, specify the name of the header containing the originating protocol for use in the
    # bounce redirect location. Use this if behind a load balancer that performs SSL termination.
    # The value of this header must be http or https. Example, if behind an AWS Classic ELB.
    forwardedProtocolHeader = "X-Forwarded-Proto"
  }

  # When enabled, redirect prefix `r/` will be enabled and its query parameters resolved.
  # Otherwise the request prefixed with `r/` will be dropped with `404 Not Found`
  # Custom redirects configured in `paths` can still be used.
  enableDefaultRedirect = true

  # When enabled, the redirect url passed via the `u` query parameter is scanned for a placeholder
  # token. All instances of that token are replaced withe the network ID. If the placeholder isn't
  # specified, the default value is `${SP_NUID}`.
  redirectMacro {
    enabled = false
    # Optional custom placeholder token (defaults to the literal `${SP_NUID}`)
    placeholder = "[TOKEN]"
  }

  # Customize response handling for requests for the root path ("/").
  # Useful if you need to redirect to web content or privacy policies regarding the use of this collector.
  rootResponse {
    enabled = false
    statusCode = 302
    # Optional, defaults to empty map
    headers = {
      Location = "https://127.0.0.1/",
      X-Custom = "something"
    }
    # Optional, defaults to empty string
    body = "302, redirecting"
  }

  # Configuration related to CORS preflight requests
  cors {
    # The Access-Control-Max-Age response header indicates how long the results of a preflight
    # request can be cached. -1 seconds disables the cache. Chromium max is 10m, Firefox is 24h.
    accessControlMaxAge = 5 seconds
  }

  # Configuration of prometheus http metrics
  prometheusMetrics {
    # If metrics are enabled then all requests will be logged as prometheus metrics
    # and '/metrics' endpoint will return the report about the requests
    enabled = false
    # Custom buckets for http_request_duration_seconds_bucket duration metric
    #durationBucketsInSeconds = [0.1, 3, 10]
  }
  streams {
    # Events which have successfully been collected will be stored in the good stream/topic
    good = ${COLLECTOR_GOOD_STREAM}
    # Events that are too big (w.r.t Kinesis 1MB limit) will be stored in the bad stream/topic
    bad = ${COLLECTOR_BAD_STREAM}

    # Whether to use the incoming event's ip as the partition key for the good stream/topic
    # Note: Nsq does not make use of partition key.

    useIpAddressAsPartitionKey = false

    # Enable the chosen sink by uncommenting the appropriate configuration
    sink {
      # Choose between kinesis, google-pub-sub, kafka, nsq, or stdout.
      # To use stdout, comment or remove everything in the "collector.streams.sink" section except
      # "enabled" which should be set to "stdout".
      enabled = kinesis

      # Region where the streams are located
      region = ${COLLECTOR_STREAMS_SINK_REGION}

      ## Optional endpoint url configuration to override aws kinesis endpoints,
      ## this can be used to specify local endpoints when using localstack
      #customEndpoint =  localstack:4566

      # Thread pool size for Kinesis API requests
      threadPoolSize = ${COLLECTOR_STREAMS_SINK_THREAD_POOL_SIZE}

      # The following are used to authenticate for the Amazon Kinesis sink.
      # If both are set to 'default', the default provider chain is used
      # (see http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.html)
      # If both are set to 'iam', use AWS IAM Roles to provision credentials.
      # If both are set to 'env', use environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
      aws {
        accessKey = default #iam
        secretKey = default #iam
      }

      # Minimum and maximum backoff periods, in milliseconds
      backoffPolicy {
        minBackoff = ${COLLECTOR_STREAMS_SINK_MIN_BACKOFF}
        maxBackoff = ${COLLECTOR_STREAMS_SINK_MAX_BACKOFF}
      }

    }

    # Incoming events are stored in a buffer before being sent to Kinesis/Kafka.
    # Note: Buffering is not supported by NSQ.
    # The buffer is emptied whenever:
    # - the number of stored records reaches record-limit or
    # - the combined size of the stored records reaches byte-limit or
    # - the time in milliseconds since the buffer was last emptied reaches time-limit
    buffer {
      byteLimit = ${COLLECTOR_STREAMS_BUFFER_BYTE_LIMIT}
      recordLimit = ${COLLECTOR_STREAMS_BUFFER_RECORD_LIMIT}
      timeLimit = ${COLLECTOR_STREAMS_BUFFER_TIME_LIMIT}
    }
  }

}

# Akka has a variety of possible configuration options defined at
# http://doc.akka.io/docs/akka/current/scala/general/configuration.html
akka {
  loglevel = DEBUG # 'OFF' for no logging, 'DEBUG' for all logging.
  loggers = ["akka.event.slf4j.Slf4jLogger"]

  # akka-http is the server the Stream collector uses and has configurable options defined at
  # http://doc.akka.io/docs/akka-http/current/scala/http/configuration.html
  http.server {
    # To obtain the hostname in the collector, the 'remote-address' header
    # should be set. By default, this is disabled, and enabling it
    # adds the 'Remote-Address' header to every request automatically.
    remote-address-header = off

    raw-request-uri-header = on

    # Define the maximum request length (the default is 2048)
    parsing {
      max-uri-length = 32768
      uri-parsing-mode = relaxed
    }
  }

  # By default setting `collector.ssl` relies on JSSE (Java Secure Socket
  # Extension) to enable secure communication.
  # To override the default settings set the following section as per
  # https://lightbend.github.io/ssl-config/ExampleSSLConfig.html
#   ssl-config {
#     debug = {
#       ssl = true
#     }
#
#     keyManager = {
#       stores = [
#         {type = "PKCS12", classpath = false, path = "/opt/snowplow/ssl/collector.p12", password = ${CERT_PW} }
#       ]
#     }
#
#     loose {
#       disableHostnameVerification = true
#     }
#   }
}

and our dockerfile looks like the following:

FROM snowplow/scala-stream-collector-kinesis:2.6.2

ARG AWS_DEFAULT_REGION
# CERT_PW must be declared as a build argument, otherwise $CERT_PW below expands to an empty string
ARG CERT_PW
ENV COLLECTOR_STREAMS_SINK_REGION=$AWS_DEFAULT_REGION
ENV COLLECTOR_INTERFACE=0.0.0.0
ENV COLLECTOR_PORT=8000
ENV COLLECTOR_SSL_ENABLE=true
ENV COLLECTOR_SSL_REDIRECT=true
ENV COLLECTOR_SSL_PORT=9543
ENV COLLECTOR_STREAMS_SINK_THREAD_POOL_SIZE=10
ENV COLLECTOR_STREAMS_SINK_MIN_BACKOFF=5000
ENV COLLECTOR_STREAMS_SINK_MAX_BACKOFF=60000
ENV COLLECTOR_STREAMS_BUFFER_BYTE_LIMIT=10000
ENV COLLECTOR_STREAMS_BUFFER_RECORD_LIMIT=5
ENV COLLECTOR_STREAMS_BUFFER_TIME_LIMIT=60
ENV CERT_PW=$CERT_PW
ENV SSL_DIR=/opt/snowplow/ssl

WORKDIR /app
COPY src/ /app/

# hadolint ignore=DL3002
USER root
RUN sh generate_ssl_cert.sh

# Note: the exec form of CMD is not processed by a shell, so "${CERT_PW}" is passed
# literally to the collector and is not expanded from the environment.
CMD ["--config", "oneapp_collector.conf", \
 "-Dcom.amazonaws.sdk.disableCertChecking", "-Dcom.amazonaws.sdk.disableCbor", \
 "-Djavax.net.ssl.keyStore=/opt/snowplow/ssl/collector.p12", \
 "-Djavax.net.ssl.keyStorePassword=${CERT_PW}", \
 "-Djavax.net.ssl.keyStoreType=PKCS12"]

However, we keep getting the following error and the collector is not reachable for tracking events.

I don’t think that’s the full stack trace so it’s hard to tell but this looks identical to the issue from your colleague here which looks like a variable substitution issue rather than an issue with the collector itself. @oguzhanunlu has posted a comment there which should fix the issue.

2 Likes
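A preflight check for the `${VAR}` substitutions in the config posted above, added here as an example and not part of the original thread or of the collector project: it lists the HOCON references that are mandatory (`${VAR}`) versus optional (`${?VAR}`), skips commented-out lines, and reports which mandatory ones are unset in the environment before the collector is started. The `SAMPLE` fragment is constructed to mirror the posted config; `missing_required` and `find_substitutions` are names chosen for this example.

```python
import os
import re

# HOCON substitutions: ${VAR} is mandatory (startup fails if unset), ${?VAR} is optional.
SUBST = re.compile(r"\$\{(\?)?([A-Za-z_][A-Za-z0-9_.\-]*)\}")


def strip_comment(line: str) -> str:
    """Drop a trailing '#' or '//' comment unless it sits inside a double-quoted string."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif not in_str and (ch == "#" or line.startswith("//", i)):
            return line[:i]
    return line


def find_substitutions(text: str):
    """Return (required, optional) sets of referenced names, ignoring commented-out text."""
    required, optional = set(), set()
    for raw in text.splitlines():
        for opt, name in SUBST.findall(strip_comment(raw)):
            (optional if opt else required).add(name)
    return required, optional


def missing_required(text: str, env=None):
    """Names the collector would fail on at startup: ${VAR} with VAR unset in env."""
    env = os.environ if env is None else env
    required, _ = find_substitutions(text)
    return sorted(n for n in required if n not in env)


# Constructed fragment mirroring the collector config in the post (not the real file).
SAMPLE = """\
collector {
  port = 8000 #${COLLECTOR_PORT}
  ssl { enable = ${COLLECTOR_SSL_ENABLE} }
  cookie {
    name = "sp"
    #name = ${?COLLECTOR_COOKIE_NAME}
    fallbackDomain = ${?FALLBACK_DOMAIN}
  }
  streams { sink { region = ${COLLECTOR_STREAMS_SINK_REGION} } }
}
#   password = ${CERT_PW}
"""

if __name__ == "__main__":
    req, opt = find_substitutions(SAMPLE)
    print("required:", sorted(req), "optional:", sorted(opt))
    print("unset mandatory vars:", missing_required(SAMPLE))
```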

Hey @mike,
Thanks for pointing it out! I managed to get it to work with the instructions from the other thread!
Thanks!

2 Likes

Hi @atordai
Thanks for the update - really helpful to other users to know what worked.
Cheers,
Eddie

1 Like