Add Oathkeeper (broken SSL on login)

This commit is contained in:
Sia Dev 2020-12-09 13:50:17 +01:00
parent 0a6d51c0fe
commit 2c832c0000
6 changed files with 292 additions and 10 deletions


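--- /dev/null
+++ b/[path not shown on page — kratos/mysql docker-compose file]
@@ -0,0 +1,92 @@
+version: "3.7"
+services:
+sia:
+build:
+args:
+branch: master
+kratos-migrate:
+image: oryd/kratos:v0.5.4-alpha.1
+container_name: kratos-migrate
+environment:
+- DSN=mysql://root:${MYSQL_ROOT_PASSWORD}@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4
+volumes:
+-
+type: volume
+source: kratos-sqlite
+target: /var/lib/sqlite
+read_only: false
+-
+type: bind
+source: ./docker//kratos/config
+target: /etc/config/kratos
+command:
+-c /etc/config/kratos/kratos.yml migrate sql -e --yes
+restart: on-failure
+networks:
+shared:
+ipv4_address: 10.10.10.95
+kratos-selfservice-ui-node:
+image: oryd/kratos-selfservice-ui-node:v0.5.0-alpha.1
+container_name: kratos-selfservice-ui-node
+ports:
+- "4455:4455"
+environment:
+- PORT=4455
+- SECURITY_MODE=
+- BASE_URL=https://${DOMAIN_NAME}/secure/
+- KRATOS_BROWSER_URL=https:///siasky.xyz/secure/
+- KRATOS_PUBLIC_URL=http://kratos:4433/
+- KRATOS_ADMIN_URL=http://kratos:4434/
+networks:
+shared:
+ipv4_address: 10.10.10.96
+restart: on-failure
+kratos:
+container_name: kratos
+depends_on:
+- kratos-migrate
+image: oryd/kratos:v0.5.4-alpha.1
+ports:
+- "4433:4433" # public
+- "4434:4434" # admin
+restart: unless-stopped
+environment:
+- DSN=mysql://root:${MYSQL_ROOT_PASSWORD}@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4
+- LOG_LEVEL=trace
+command:
+serve -c /etc/config/kratos/kratos.yml
+volumes:
+-
+type: volume
+source: kratos-sqlite
+target: /var/lib/sqlite
+read_only: false
+-
+type: bind
+source: ./docker/kratos/config
+target: /etc/config/kratos
+-
+type: bind
+source: ./.kratos.yml
+target: /etc/config/kratos/kratos.yml
+networks:
+shared:
+ipv4_address: 10.10.10.97
+mysql:
+image: mysql:5.7
+container_name: mysql
+ports:
+- "3306:3306"
+environment:
+- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+networks:
+shared:
+ipv4_address: 10.10.10.98
+volumes:
+kratos-sqlite: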
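Review bot: `KRATOS_BROWSER_URL=https:///siasky.xyz/secure/` in the kratos-selfservice-ui-node environment has three slashes after the scheme, and unlike `BASE_URL` on the line above it hard-codes the host instead of using `${DOMAIN_NAME}`; `- KRATOS_BROWSER_URL=https://${DOMAIN_NAME}/secure/` fixes both. Separately, `"4434:4434"` publishes the Kratos admin API and `"3306:3306"` the MySQL root account on every host interface, although the only consumers visible here are other containers on the `shared` network; an `expose:` entry or a loopback binding such as `"127.0.0.1:4434:4434"` keeps them off the host's public interfaces. The MySQL root password is also carried in the DSN, so `LOG_LEVEL=trace` on the kratos service may end up writing it into the logs and is worth lowering outside local development. `./docker//kratos/config` in the migrate volume has a doubled slash that the kratos service's mount does not.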


@ -209,6 +209,7 @@ services:
environment:
- DSN=cockroach://root@cockroachd:26257/defaultdb?sslmode=disable&max_conns=20&max_idle_conns=4
- LOG_LEVEL=trace
- SERVE_PUBLIC_BASE_URL=http://siasky.xyz/secure/.ory/kratos/public/
command: serve -c /etc/config/kratos/kratos.yml
volumes:
- ./docker/kratos/config:/etc/config/kratos
@ -232,19 +233,36 @@ services:
container_name: kratos-selfservice-ui-node
restart: on-failure
logging: *default-logging
ports:
- "4455:4455"
environment:
- PORT=4455
- SECURITY_MODE=
- PORT=4435
- SECURITY_MODE=jwks
- BASE_URL=https://siasky.xyz/secure/
- KRATOS_BROWSER_URL=https://siasky.xyz/secure/
- KRATOS_BROWSER_URL=https://siasky.xyz/secure/.ory/kratos/public
- JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json
- KRATOS_PUBLIC_URL=http://kratos:4433/
- KRATOS_ADMIN_URL=http://kratos:4434/
networks:
shared:
ipv4_address: 10.10.10.82
oathkeeper:
image: oryd/oathkeeper:v0.38
depends_on:
- kratos
expose:
- 4455
- 4456
command:
serve proxy -c "/etc/config/oathkeeper/oathkeeper.yml"
environment:
- LOG_LEVEL=debug
volumes:
- ./docker/kratos/oathkeeper:/etc/config/oathkeeper
restart: on-failure
networks:
shared:
ipv4_address: 10.10.10.83
cockroachd:
image: cockroachdb/cockroach:v20.1.0
container_name: cockroachd
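Review bot: `SERVE_PUBLIC_BASE_URL=http://siasky.xyz/secure/.ory/kratos/public/` in the first hunk uses plain `http://` while every browser-facing URL in the UI service (`BASE_URL`, `KRATOS_BROWSER_URL`) is `https://`; as far as I know Kratos derives its redirect and return URLs from this base, so the scheme mismatch is a plausible cause of the "broken SSL on login" named in the title, and `https://` would be consistent with the rest. In the second hunk, `serve proxy -c "/etc/config/oathkeeper/oathkeeper.yml"` starts only Oathkeeper's proxy listener, but `JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json` points at the API listener on 4456; unless that endpoint is served some other way the UI cannot fetch the verification keys, and plain `serve -c "/etc/config/oathkeeper/oathkeeper.yml"` runs both. `LOG_LEVEL=debug` on oathkeeper and `LOG_LEVEL=trace` on kratos are development levels for a service that handles session cookies and a database DSN. The hostname `siasky.xyz` is now hard-coded here, in the Oathkeeper config and in the access rules; a single `${DOMAIN_NAME}` interpolation would keep them from drifting.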


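--- /dev/null
+++ b/[path not shown on page — oathkeeper access rules]
@@ -0,0 +1,62 @@
+-
+id: "ory:kratos:public"
+upstream:
+preserve_host: true
+url: "http://kratos:4433"
+strip_path: /.ory/kratos/public
+match:
+url: "http://oathkeeper:4455/.ory/kratos/public/<**>"
+methods:
+- GET
+- POST
+- PUT
+- DELETE
+- PATCH
+authenticators:
+-
+handler: noop
+authorizer:
+handler: allow
+mutators:
+- handler: noop
+-
+id: "ory:kratos-selfservice-ui-node:anonymous"
+upstream:
+preserve_host: true
+url: "http://kratos-selfservice-ui-node:4435"
+match:
+url: "http://oathkeeper:4455/<{error,recovery,verify,auth/*,**.css,**.js}{/,}>"
+methods:
+- GET
+authenticators:
+-
+handler: anonymous
+authorizer:
+handler: allow
+mutators:
+-
+handler: noop
+-
+id: "ory:kratos-selfservice-ui-node:protected"
+upstream:
+preserve_host: true
+url: "http://kratos-selfservice-ui-node:4435"
+match:
+url: "http://oathkeeper:4455/<{,debug,dashboard,settings}>"
+methods:
+- GET
+authenticators:
+-
+handler: cookie_session
+authorizer:
+handler: allow
+mutators:
+- handler: id_token
+errors:
+- handler: redirect
+config:
+#to: http://oathkeeper:4455/auth/login
+to: https://siasky.xyz/secure/auth/login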
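Review bot: The file carries no comment explaining how its three rules fit together, which a reader needs because they interact with the nginx rewrite and the UI's port: a short header comment should state that the first rule passes the Kratos public API through unauthenticated, the second serves the error/recovery/verify/auth pages and static assets to anonymous users, the third requires a Kratos session cookie for the dashboard/settings pages, and that any path matching none of them is rejected by Oathkeeper. `#to: http://oathkeeper:4455/auth/login` is dead configuration and should be dropped or turned into an explanation of why the public URL is used instead. The live redirect target hard-codes `https://siasky.xyz`, which is also hard-coded in oathkeeper.yml and the compose file, so the three can drift apart silently. Note that every `match.url` is written against `http://oathkeeper:4455/...`, which only works while nginx forwards its default upstream `Host`; if the proxy is later changed to pass the real host and scheme, these patterns must change with it.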


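--- /dev/null
+++ b/[path not shown on page — id_token JWKS file]
@@ -0,0 +1,19 @@
+{
+"keys": [
+{
+"use": "sig",
+"kty": "RSA",
+"kid": "a2aa9739-d753-4a0d-87ee-61f101050277",
+"alg": "RS256",
+"n": "zpjSl0ySsdk_YC4ZJYYV-cSznWkzndTo0lyvkYmeBkW60YHuHzXaviHqonY_DjFBdnZC0Vs_QTWmBlZvPzTp4Oni-eOetP-Ce3-B8jkGWpKFOjTLw7uwR3b3jm_mFNiz1dV_utWiweqx62Se0SyYaAXrgStU8-3P2Us7_kz5NnBVL1E7aEP40aB7nytLvPhXau-YhFmUfgykAcov0QrnNY0DH0eTcwL19UysvlKx6Uiu6mnbaFE1qx8X2m2xuLpErfiqj6wLCdCYMWdRTHiVsQMtTzSwuPuXfH7J06GTo3I1cEWN8Mb-RJxlosJA_q7hEd43yYisCO-8szX0lgCasw",
+"e": "AQAB",
+"d": "x3dfY_rna1UQTmFToBoMn6Edte47irhkra4VSNPwwaeTTvI-oN2TO51td7vo91_xD1nw-0c5FFGi4V2UfRcudBv9LD1rHt_O8EPUh7QtAUeT3_XXgjx1Xxpqu5goMZpkTyGZ-B6JzOY3L8lvWQ_Qeia1EXpvxC-oTOjJnKZeuwIPlcoNKMRU-mIYOnkRFfnUvrDm7N9UZEp3PfI3vhE9AquP1PEvz5KTUYkubsfmupqqR6FmMUm6ulGT7guhBw9A3vxIYbYGKvXLdBvn68mENrEYxXrwmu6ITMh_y208M5rC-hgEHIAIvMu1aVW6jNgyQTunsGST3UyrSbwjI0K9UQ",
+"p": "77fDvnfHRFEgyi7mh0c6fAdtMEMJ05W8NwTG_D-cSwfWipfTwJJrroWoRwEgdAg5AWGq-MNUzrubTVXoJdC2T4g1o-VRZkKKYoMvav3CvOIMzCBxBs9I_GAKr5NCSk7maksMqiCTMhmkoZ5RPuMYMY_YzxKNAbjBd9qFLfaVAqs",
+"q": "3KEmPA2XQkf7dvtpY1Xkp1IfMV_UBdmYk7J6dB5BYqzviQWdEFvWaSATJ_7qV1dw0JDZynOgipp8gvoL-RepfjtArhPz41wB3J2xmBYrBr1sJ-x5eqAvMkQk2bd5KTor44e79TRIkmkFYAIdUQ5JdVXPA13S8WUZfb_bAbwaCBk",
+"dp": "5uyy32AJkNFKchqeLsE6INMSp0RdSftbtfCfM86fZFQno5lA_qjOnO_avJPkTILDT4ZjqoKYxxJJOEXCffNCPPltGvbE5GrDXsUbP8k2-LgWNeoml7XFjIGEqcCFQoohQ1IK4DTDN6cmRh76C0e_Pbdh15D6TydJEIlsdGuu_kM",
+"dq": "aegFNYCEojFxeTzX6vIZL2RRSt8oJKK-Be__reu0EUzYMtr5-RdMhev6phFMph54LfXKRc9ZOg9MQ4cJ5klAeDKzKpyzTukkj6U20b2aa8LTvxpZec6YuTVSxxu2Ul71IGRQijTNvVIiXWLGddk409Ub6Q7JqkyQfvdwhpWnnUk",
+"qi": "P68-EwgcRy9ce_PZ75c909cU7dzCiaGcTX1psJiXmQAFBcG0msWfsyHGbllOZG27pKde78ORGJDYDNk1FqTwsogZyCP87EiBmOoqXWnMvKYfJ1DOx7x42LMAGwMD3bgQj9jgRACxFJG4n3NI6uFlFruyl_CLQzwW_rQFHshLK7Q"
+}
+]
+}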
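Review bot: This file contains the complete RSA private key (`d`, `p`, `q`, `dp`, `dq`, `qi`), which oathkeeper.yml mounts as the `id_token` signing key while the UI is configured with `SECURITY_MODE=jwks` to trust tokens that verify against it, so committing it means anyone with read access to the repository can mint identity tokens the dashboard accepts. The key should be treated as disclosed and rotated: generate the key set at deployment time outside version control (for example with `oathkeeper credentials generate --alg RS256`), mount it from a secret or an ignored path, and publish only the public members (`kty`, `kid`, `alg`, `use`, `n`, `e`) where a public key set is needed. The usual pattern is a `.gitignore` entry for the real file plus a committed example with placeholder values.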


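--- /dev/null
+++ b/[path not shown on page — oathkeeper.yml]
@@ -0,0 +1,91 @@
+log:
+level: debug
+format: json
+serve:
+proxy:
+cors:
+enabled: true
+allowed_origins:
+- "*"
+allowed_methods:
+- POST
+- GET
+- PUT
+- PATCH
+- DELETE
+allowed_headers:
+- Authorization
+- Content-Type
+exposed_headers:
+- Content-Type
+allow_credentials: true
+debug: true
+errors:
+fallback:
+- json
+handlers:
+redirect:
+enabled: true
+config:
+#to: http://oathkeeper:4455/auth/login
+to: https://siasky.xyz/secure/auth/login
+when:
+-
+error:
+- unauthorized
+- forbidden
+request:
+header:
+accept:
+- text/html
+json:
+enabled: true
+config:
+verbose: true
+access_rules:
+matching_strategy: glob
+repositories:
+- file:///etc/config/oathkeeper/access-rules.yml
+authenticators:
+anonymous:
+enabled: true
+config:
+subject: guest
+cookie_session:
+enabled: true
+config:
+check_session_url: http://kratos:4433/sessions/whoami
+preserve_path: true
+extra_from: "@this"
+subject_from: "identity.id"
+only:
+- ory_kratos_session
+noop:
+enabled: true
+authorizers:
+allow:
+enabled: true
+mutators:
+noop:
+enabled: true
+id_token:
+enabled: true
+config:
+#issuer_url: http://oathkeeper:4455/
+issuer_url: https://siasky.xyz/
+jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json
+claims: |
+{
+"session": {{ .Extra | toJson }}
+}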
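Review bot: `allowed_origins: - "*"` combined with `allow_credentials: true` is a contradictory CORS policy for an authentication proxy: depending on the CORS implementation the browser either rejects the credentialed response because of the wildcard origin or the server reflects every requesting origin, which is worse; listing the site origin, `allowed_origins: - https://siasky.xyz`, is what the rest of the configuration already assumes. `debug: true` under `serve.proxy.cors`, `log.level: debug` and `errors.handlers.json.config.verbose: true` are development settings that expose request and error detail and should be off for the public deployment. The `id_token` mutator copies the whole Kratos session (`extra_from: "@this"`) into the `session` claim, so every token carries all identity traits and grows with them; selecting only the fields the UI needs would be tighter. The commented-out `#to:` and `#issuer_url:` lines are dead configuration and should be removed or explained.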


@ -320,13 +320,13 @@ server {
location /secure {
rewrite /secure/(.*) /$1 break;
proxy_pass http://kratos-selfservice-ui-node:4455;
proxy_pass http://oathkeeper:4455;
}
location /secure/self-service {
rewrite /secure/(.*) /$1 break;
proxy_pass http://kratos:4433;
}
#location /secure/self-service {
# rewrite /secure/self-service/(.*) /$1 break;
# proxy_pass http://oathkeeper:4455;
#}
# include custom locations, specific to the server
include /etc/nginx/conf.d/server-override/*;
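Review bot: `proxy_pass http://oathkeeper:4455;` forwards the TLS-terminated request over plain HTTP, and nothing in the hunk sets `Host`, `X-Forwarded-Host` or `X-Forwarded-Proto`, so Oathkeeper and Kratos see an `http://oathkeeper:4455` request and build their own redirect and cookie attributes from it — a likely contributor to the "broken SSL on login" in the title, unless those headers are set in the part of the `server {` block that lies outside the hunk. If `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` are added here, the `match.url` patterns in the access-rules file (currently `http://oathkeeper:4455/...`) have to be rewritten against the public scheme and host, since Oathkeeper matches on the request as it receives it. `location /secure/self-service` still sends the Kratos public API straight to `kratos:4433` while the new access rule exposes the same API through Oathkeeper at `/.ory/kratos/public/`; two entry points to one API make the rule set harder to reason about, so one of them should go. The commented-out `#location /secure/self-service` block below it is dead configuration.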