"juju deploy juju-dashboard" using juju 3.0 only attaches to localhost?

Hi just testing out juju 3.0 and can’t get it to listen on anything other than the loopback address.

Following this guide: Roadmap & Releases and ran

juju bootstrap localhost XXX
juju switch controller
juju deploy juju-dashboard
juju integrate controller juju-dashboard
juju expose juju-dashboard

I used juju dashboard but it tells me

Dashboard for controller “XXX” is enabled at: http://localhost:31666

But I don’t want the dashboard listening only on “localhost” but also on the machine’s physical IP. Using lsof -i :31666 confirms that it is only listening on localhost.

I can’t find a flag to specify an IP or card, etc.

Everything seems to be running correctly

$ juju machines
Machine  State    Address        Inst id        Base          AZ  Message
0        started  10.20.172.175  juju-287e40-0  ubuntu@22.04      Running
1        started  10.20.172.168  juju-287e40-1  ubuntu@20.04      Running

The machine is on a 192.168.1.0/24 network so I also tried

juju expose juju-dashboard --to-cidrs 192.168.1.0/24 --show-log --verbose

with no luck.

I can open a browser to https://10.20.172.175:17070 which returns “bad request”

I can open a browser to https://10.20.172.175:17070/dashboard returns “404 not found”

Any advice would be helpful as I don’t know what I’m missing here.

Hi, in Juju 3, the dashboard is accessed via a ssh tunnel set up by the juju dashboard command. The command listens on localhost:31666 as you point out.

This is to allow the browser to connect to a http address and thus avoid the recent browser restrictions on self signed certs, whilst still having encrypted traffic to the dashboard itself.

Perhaps I’m missing something in the documentation.

You can’t just connect to “localhost” from a remote system and if that system is behind a firewall - it makes sense to port forward the web traffic, not ssh traffic.

$ juju status

gives

Unit               Workload  Agent  Machine  Public address  Ports     Message
controller/0*      active    idle   0        10.20.172.175              
juju-dashboard/0*  active    idle   1        `10.20.172.168   8080`/tcp

Since juju dashboard only allows connections to localhost I could

  • SNAT to 10.20.172.168:8080 from a remotely reachable IP address
  • Put a HAProxy (or Apache I suppose) interface on that same machine and proxy inbound data to localhost:31666
  • create a SSH bridge

Not as ideal as being able to specify the dashboard , but at least I can view the dashboard remotely easily, just noting that the 8080 traffic is unencrypted so having a HAproxy system in front of it allowed remote browser access via encrypted end-to-end traffic.

The juju dashboard command is expected to be run on the same machine where your web browser is. It opens a secure tunnel to the dashboard api endpoint and proxies a localhost connection to that endpoint. This allows a browser on the same host to connect to http localhost to reach the dashboard. The alternative is to connect directly to the actual dashboard endpoint with http but this is insecure and the browser rightly warns about it.

If you are using some sort of bastion host to run the Juju CLI and want to run the browser on a different host, we sort of assume you have the networking skills to set this up (as you have done) because it’s not a use case we cater for out of the box. The expected common use case is to have the Juju CLI installed and run locally.