Commit
medic-ci committed Apr 25, 2024
1 parent 612b6f4 commit 5c5a87d
Showing 6 changed files with 134 additions and 101 deletions.
17 changes: 10 additions & 7 deletions apps/guides/hosting/4.x/adding-tls-certificates/index.html

Large diffs are not rendered by default.

12 changes: 11 additions & 1 deletion apps/guides/hosting/4.x/index.xml
Expand Up @@ -558,7 +558,17 @@ docker cp cert.pem temp:/etc/nginx/private/.
<li>Attempt to renew your certificates once a week by adding this cronjob via <code>crontab -e</code>. Certbot will only renew them as needed:
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#0000cf;font-weight:bold">0</span> <span style="color:#0000cf;font-weight:bold">0</span> * * <span style="color:#0000cf;font-weight:bold">0</span> <span style="color:#204a87">cd</span> /home/ubuntu/cht/certbot<span style="color:#ce5c00;font-weight:bold">&&</span>docker compose up
</span></span></code></pre></div></li>
&lt;/ol></description></item><item><title>Apps: Viewing server logs in CHT 4.x</title><link>https://docs.communityhealthtoolkit.org/apps/guides/hosting/4.x/logs/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.communityhealthtoolkit.org/apps/guides/hosting/4.x/logs/</guid><description>
&lt;/ol>
&lt;h2 id="troubleshooting">Troubleshooting&lt;/h2>
&lt;h3 id="proxying">Proxying&lt;/h3>
&lt;h4 id="err_tls_cert_altname_invalid">ERR_TLS_CERT_ALTNAME_INVALID&lt;/h4>
&lt;p>When proxying to HTTPS from HTTP (for example where an ingress does TLS termination in an SNI environment and then the traffic is proxied to an HTTPS service (eg, haproxy)), not including a &lt;code>servername&lt;/code> for a request to the HTTPS server (eg, def.org) produces the following error:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#4e9a06">&amp;#39;ERR_TLS_CERT_ALTNAME_INVALID&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#4e9a06">&amp;#34;RequestError: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate&amp;#39;s altnames:
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#4e9a06">Host: abc.com. is not in the cert&amp;#39;s altnames: DNS:def.org&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>The addition of &lt;code>servername&lt;/code> resolves this error by providing routing information. See docs for &lt;code>tls.connect(options[, callback])&lt;/code>&amp;rsquo; (&lt;a href="https://nodejs.org/api/tls.html)">https://nodejs.org/api/tls.html)&lt;/a>: &amp;ldquo;Server name for the SNI (Server Name Indication) TLS extension. It is the name of the host being connected to, and must be a host name, and not an IP address.&amp;rdquo;.&lt;/p>
&lt;p>A &lt;code>servername&lt;/code> parameter may be added to all requests to the haproxy/couchdb by setting the environment variable &lt;code>ADD_SERVERNAME_TO_HTTP_AGENT&lt;/code> to &lt;code>true&lt;/code>.&lt;/p>
&lt;p>A similar change can be made for the http clients used in the application by setting &lt;code>PROXY_CHANGE_ORIGIN&lt;/code> to &lt;code>true&lt;/code>. This sets the &lt;code>changeOrigin&lt;/code> parameter of all the &lt;code>http-proxy&lt;/code> clients to &lt;code>true&lt;/code>, which &amp;ldquo;changes the origin of the host header to the target URL&amp;rdquo;. See &lt;a href="https://www.npmjs.com/package/http-proxy#options">http-proxy: options&lt;/a>.&lt;/p></description></item><item><title>Apps: Viewing server logs in CHT 4.x</title><link>https://docs.communityhealthtoolkit.org/apps/guides/hosting/4.x/logs/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.communityhealthtoolkit.org/apps/guides/hosting/4.x/logs/</guid><description>
&lt;p>CHT 4.x has the following services running via Docker and each can have its logs queried:&lt;/p>
&lt;ul>
&lt;li>nginx&lt;/li>
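Review bot: The Node.js reference in the paragraph added right after the error sample is malformed: the href is `https://nodejs.org/api/tls.html)` with the closing parenthesis inside the URL, and a stray `&rsquo;` follows `tls.connect(options[, callback])`. If this index.xml is generated, fix the source page so the link target is `https://nodejs.org/api/tls.html` and the apostrophe is dropped. Two documentation gaps in the same section: it does not say on which service `ADD_SERVERNAME_TO_HTTP_AGENT` and `PROXY_CHANGE_ORIGIN` are set, and it does not say what value is sent as `servername`. The error shown is a certificate name mismatch (abc.com against altnames DNS:def.org), so it would help to state that the name sent is the HTTPS backend's host name (def.org in the example) and that it has to appear in that backend certificate's altnames, so the reader understands the fix keeps certificate verification in place rather than working around it.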