Add Oathkeeper (broken SSL on login)

docker-compose.override.yml.DISABLED

@@ -0,0 +1,92 @@
+version: "3.7"
+
+services:
+  sia:
+    build:
+      args:
+        branch: master
+
+  kratos-migrate:
+    image: oryd/kratos:v0.5.4-alpha.1
+    container_name: kratos-migrate
+    environment:
+      - DSN=mysql://root:${MYSQL_ROOT_PASSWORD}@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4    
+    volumes:
+      -
+        type: volume
+        source: kratos-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      -
+        type: bind
+        source: ./docker//kratos/config
+        target: /etc/config/kratos
+    command:
+      -c /etc/config/kratos/kratos.yml migrate sql -e --yes
+    restart: on-failure
+    networks:
+      shared:
+        ipv4_address: 10.10.10.95
+
+  kratos-selfservice-ui-node:
+    image: oryd/kratos-selfservice-ui-node:v0.5.0-alpha.1
+    container_name: kratos-selfservice-ui-node
+    ports:
+      - "4455:4455"
+    environment:
+      - PORT=4455
+      - SECURITY_MODE=
+      - BASE_URL=https://${DOMAIN_NAME}/secure/
+      - KRATOS_BROWSER_URL=https:///siasky.xyz/secure/
+      - KRATOS_PUBLIC_URL=http://kratos:4433/
+      - KRATOS_ADMIN_URL=http://kratos:4434/
+    networks:
+      shared:
+        ipv4_address: 10.10.10.96
+    restart: on-failure
+
+  kratos:
+    container_name: kratos
+    depends_on:
+      - kratos-migrate
+    image: oryd/kratos:v0.5.4-alpha.1
+    ports:
+      - "4433:4433" # public
+      - "4434:4434" # admin
+    restart: unless-stopped
+    environment:
+      - DSN=mysql://root:${MYSQL_ROOT_PASSWORD}@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4
+      - LOG_LEVEL=trace
+    command:
+      serve -c /etc/config/kratos/kratos.yml
+    volumes:
+      -
+        type: volume
+        source: kratos-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      -
+        type: bind
+        source: ./docker/kratos/config
+        target: /etc/config/kratos
+      -
+        type: bind
+        source: ./.kratos.yml
+        target: /etc/config/kratos/kratos.yml
+    networks:
+      shared:
+        ipv4_address: 10.10.10.97
+
+  mysql:
+    image: mysql:5.7
+    container_name: mysql
+    ports:
+      - "3306:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+    networks:
+      shared:
+        ipv4_address: 10.10.10.98
+
+volumes:
+  kratos-sqlite:

docker-compose.yml

@@ -209,6 +209,7 @@ services:
     environment:
       - DSN=cockroach://root@cockroachd:26257/defaultdb?sslmode=disable&max_conns=20&max_idle_conns=4
       - LOG_LEVEL=trace
+      - SERVE_PUBLIC_BASE_URL=http://siasky.xyz/secure/.ory/kratos/public/
     command: serve -c /etc/config/kratos/kratos.yml
     volumes:
       - ./docker/kratos/config:/etc/config/kratos
@@ -232,19 +233,36 @@ services:
     container_name: kratos-selfservice-ui-node
     restart: on-failure
     logging: *default-logging
-    ports:
-      - "4455:4455"
     environment:
-      - PORT=4455
+      - PORT=4435
-      - SECURITY_MODE=
+      - SECURITY_MODE=jwks
       - BASE_URL=https://siasky.xyz/secure/
-      - KRATOS_BROWSER_URL=https://siasky.xyz/secure/
+      - KRATOS_BROWSER_URL=https://siasky.xyz/secure/.ory/kratos/public
+      - JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json
       - KRATOS_PUBLIC_URL=http://kratos:4433/
       - KRATOS_ADMIN_URL=http://kratos:4434/
     networks:
       shared:
         ipv4_address: 10.10.10.82
 
+  oathkeeper:
+    image: oryd/oathkeeper:v0.38
+    depends_on:
+      - kratos
+    expose:
+      - 4455
+      - 4456
+    command:
+      serve proxy -c "/etc/config/oathkeeper/oathkeeper.yml"
+    environment:
+      - LOG_LEVEL=debug
+    volumes:
+      - ./docker/kratos/oathkeeper:/etc/config/oathkeeper
+    restart: on-failure
+    networks:
+      shared:
+        ipv4_address: 10.10.10.83
+
   cockroachd:
     image: cockroachdb/cockroach:v20.1.0
     container_name: cockroachd

docker/kratos/oathkeeper/access-rules.yml

@@ -0,0 +1,62 @@
+-
+  id: "ory:kratos:public"
+  upstream:
+    preserve_host: true
+    url: "http://kratos:4433"
+    strip_path: /.ory/kratos/public
+  match:
+    url: "http://oathkeeper:4455/.ory/kratos/public/<**>"
+    methods:
+      - GET
+      - POST
+      - PUT
+      - DELETE
+      - PATCH
+  authenticators:
+    -
+      handler: noop
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: noop
+
+-
+  id: "ory:kratos-selfservice-ui-node:anonymous"
+  upstream:
+    preserve_host: true
+    url: "http://kratos-selfservice-ui-node:4435"
+  match:
+    url: "http://oathkeeper:4455/<{error,recovery,verify,auth/*,**.css,**.js}{/,}>"
+    methods:
+      - GET
+  authenticators:
+    -
+      handler: anonymous
+  authorizer:
+    handler: allow
+  mutators:
+    -
+      handler: noop
+
+-
+  id: "ory:kratos-selfservice-ui-node:protected"
+  upstream:
+    preserve_host: true
+    url: "http://kratos-selfservice-ui-node:4435"
+  match:
+    url: "http://oathkeeper:4455/<{,debug,dashboard,settings}>"
+    methods:
+      - GET
+  authenticators:
+    -
+      handler: cookie_session
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: id_token
+  errors:
+    - handler: redirect
+      config:
+        #to: http://oathkeeper:4455/auth/login
+        to: https://siasky.xyz/secure/auth/login
+

docker/kratos/oathkeeper/id_token.jwks.json

@@ -0,0 +1,19 @@
+{
+  "keys": [
+    {
+      "use": "sig",
+      "kty": "RSA",
+      "kid": "a2aa9739-d753-4a0d-87ee-61f101050277",
+      "alg": "RS256",
+      "n": "zpjSl0ySsdk_YC4ZJYYV-cSznWkzndTo0lyvkYmeBkW60YHuHzXaviHqonY_DjFBdnZC0Vs_QTWmBlZvPzTp4Oni-eOetP-Ce3-B8jkGWpKFOjTLw7uwR3b3jm_mFNiz1dV_utWiweqx62Se0SyYaAXrgStU8-3P2Us7_kz5NnBVL1E7aEP40aB7nytLvPhXau-YhFmUfgykAcov0QrnNY0DH0eTcwL19UysvlKx6Uiu6mnbaFE1qx8X2m2xuLpErfiqj6wLCdCYMWdRTHiVsQMtTzSwuPuXfH7J06GTo3I1cEWN8Mb-RJxlosJA_q7hEd43yYisCO-8szX0lgCasw",
+      "e": "AQAB",
+      "d": "x3dfY_rna1UQTmFToBoMn6Edte47irhkra4VSNPwwaeTTvI-oN2TO51td7vo91_xD1nw-0c5FFGi4V2UfRcudBv9LD1rHt_O8EPUh7QtAUeT3_XXgjx1Xxpqu5goMZpkTyGZ-B6JzOY3L8lvWQ_Qeia1EXpvxC-oTOjJnKZeuwIPlcoNKMRU-mIYOnkRFfnUvrDm7N9UZEp3PfI3vhE9AquP1PEvz5KTUYkubsfmupqqR6FmMUm6ulGT7guhBw9A3vxIYbYGKvXLdBvn68mENrEYxXrwmu6ITMh_y208M5rC-hgEHIAIvMu1aVW6jNgyQTunsGST3UyrSbwjI0K9UQ",
+      "p": "77fDvnfHRFEgyi7mh0c6fAdtMEMJ05W8NwTG_D-cSwfWipfTwJJrroWoRwEgdAg5AWGq-MNUzrubTVXoJdC2T4g1o-VRZkKKYoMvav3CvOIMzCBxBs9I_GAKr5NCSk7maksMqiCTMhmkoZ5RPuMYMY_YzxKNAbjBd9qFLfaVAqs",
+      "q": "3KEmPA2XQkf7dvtpY1Xkp1IfMV_UBdmYk7J6dB5BYqzviQWdEFvWaSATJ_7qV1dw0JDZynOgipp8gvoL-RepfjtArhPz41wB3J2xmBYrBr1sJ-x5eqAvMkQk2bd5KTor44e79TRIkmkFYAIdUQ5JdVXPA13S8WUZfb_bAbwaCBk",
+      "dp": "5uyy32AJkNFKchqeLsE6INMSp0RdSftbtfCfM86fZFQno5lA_qjOnO_avJPkTILDT4ZjqoKYxxJJOEXCffNCPPltGvbE5GrDXsUbP8k2-LgWNeoml7XFjIGEqcCFQoohQ1IK4DTDN6cmRh76C0e_Pbdh15D6TydJEIlsdGuu_kM",
+      "dq": "aegFNYCEojFxeTzX6vIZL2RRSt8oJKK-Be__reu0EUzYMtr5-RdMhev6phFMph54LfXKRc9ZOg9MQ4cJ5klAeDKzKpyzTukkj6U20b2aa8LTvxpZec6YuTVSxxu2Ul71IGRQijTNvVIiXWLGddk409Ub6Q7JqkyQfvdwhpWnnUk",
+      "qi": "P68-EwgcRy9ce_PZ75c909cU7dzCiaGcTX1psJiXmQAFBcG0msWfsyHGbllOZG27pKde78ORGJDYDNk1FqTwsogZyCP87EiBmOoqXWnMvKYfJ1DOx7x42LMAGwMD3bgQj9jgRACxFJG4n3NI6uFlFruyl_CLQzwW_rQFHshLK7Q"
+    }
+  ]
+}
+

docker/kratos/oathkeeper/oathkeeper.yml

@@ -0,0 +1,91 @@
+log:
+  level: debug
+  format: json
+
+serve:
+  proxy:
+    cors:
+      enabled: true
+      allowed_origins:
+        - "*"
+      allowed_methods:
+        - POST
+        - GET
+        - PUT
+        - PATCH
+        - DELETE
+      allowed_headers:
+        - Authorization
+        - Content-Type
+      exposed_headers:
+        - Content-Type
+      allow_credentials: true
+      debug: true
+
+errors:
+  fallback:
+    - json
+
+  handlers:
+    redirect:
+      enabled: true
+      config:
+        #to: http://oathkeeper:4455/auth/login
+        to: https://siasky.xyz/secure/auth/login
+        when:
+          -
+            error:
+              - unauthorized
+              - forbidden
+            request:
+              header:
+                accept:
+                  - text/html
+    json:
+      enabled: true
+      config:
+        verbose: true
+
+access_rules:
+  matching_strategy: glob
+  repositories:
+    - file:///etc/config/oathkeeper/access-rules.yml
+
+authenticators:
+  anonymous:
+    enabled: true
+    config:
+      subject: guest
+
+  cookie_session:
+    enabled: true
+    config:
+      check_session_url: http://kratos:4433/sessions/whoami
+      preserve_path: true
+      extra_from: "@this"
+      subject_from: "identity.id"
+      only:
+        - ory_kratos_session
+
+  noop:
+    enabled: true
+
+authorizers:
+  allow:
+    enabled: true
+
+mutators:
+  noop:
+    enabled: true
+
+  id_token:
+    enabled: true
+    config:
+      #issuer_url: http://oathkeeper:4455/
+      issuer_url: https://siasky.xyz/
+      jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json
+      claims: |
+        {
+          "session": {{ .Extra | toJson }}
+        }
+

docker/nginx/conf.d/client.conf

@@ -320,13 +320,13 @@ server {
 
 	location /secure {
 		rewrite /secure/(.*) /$1 break;
-		proxy_pass http://kratos-selfservice-ui-node:4455;
+		proxy_pass http://oathkeeper:4455;
 	}
 
-	location /secure/self-service {
+	#location /secure/self-service {
-		rewrite /secure/(.*) /$1 break;
+	#	rewrite /secure/self-service/(.*) /$1 break;
-		proxy_pass http://kratos:4433;
+	#	proxy_pass http://oathkeeper:4455;
-	}
+	#}
 
 	# include custom locations, specific to the server
 	include /etc/nginx/conf.d/server-override/*;