From 3d897cb3aba76546a1d952b6150851c70ea73920 Mon Sep 17 00:00:00 2001
From: Karol Wypchlo
Date: Wed, 16 Dec 2020 13:08:51 +0100
Subject: [PATCH] use secure subdomain

---
 docker-compose.yml | 6 +++---
 docker/kratos/config/kratos.yml | 19 +++++++++----------
 docker/kratos/oathkeeper/access-rules.yml | 2 +-
 docker/kratos/oathkeeper/oathkeeper.yml | 2 +-
 docker/nginx/conf.d/secure.conf | 10 ++++++++++
 5 files changed, 24 insertions(+), 15 deletions(-)
 create mode 100644 docker/nginx/conf.d/secure.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index a3524840..dbcf19e6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -227,7 +227,7 @@ services:
 environment:
 - DSN=cockroach://root@cockroach:26257/defaultdb?sslmode=disable&max_conns=20&max_idle_conns=4
 - LOG_LEVEL=trace
- - SERVE_PUBLIC_BASE_URL=/secure/.ory/kratos/public/
+ - SERVE_PUBLIC_BASE_URL=/.ory/kratos/public/
 - SQA_OPT_OUT=true
 command: serve -c /etc/config/kratos/kratos.yml
 volumes:
@@ -256,8 +256,8 @@ services:
 - PORT=4435
 - SECURITY_MODE=jwks
 - PROJECT_NAME=Skynet
- - BASE_URL=/secure/
- - KRATOS_BROWSER_URL=/secure/.ory/kratos/public
+ - BASE_URL=/
+ - KRATOS_BROWSER_URL=/.ory/kratos/public
 - JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json
 - KRATOS_PUBLIC_URL=http://kratos:4433/
 - KRATOS_ADMIN_URL=http://kratos:4434/
diff --git a/docker/kratos/config/kratos.yml b/docker/kratos/config/kratos.yml
index 250cbe8c..a939024b 100644
--- a/docker/kratos/config/kratos.yml
+++ b/docker/kratos/config/kratos.yml
@@ -4,7 +4,7 @@ dsn: memory
 serve:
 public:
- base_url: http://127.0.0.1/secure/
+ base_url: http://127.0.0.1/
 cors:
 enabled: true
 admin:
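Review bot: `SERVE_PUBLIC_BASE_URL=/.ory/kratos/public/` is a bare path while the same setting in docker/kratos/config/kratos.yml (`serve.public.base_url`) is an absolute `http://127.0.0.1/` in this patch; as far as I recall Kratos gives environment variables precedence over the config file, so it is worth confirming which value is actually in effect and collapsing the two into one absolute definition such as `SERVE_PUBLIC_BASE_URL=https://secure.siasky.xyz/`, because Kratos uses this base URL to build the links it emits (recovery and verification flows), not only for redirects that nginx could rewrite. Separately, the unchanged `LOG_LEVEL=trace` and `sslmode=disable` on the DSN now sit on the service that fronts the public `secure.` host; trace logging can capture request detail around credential and recovery flows, so `LOG_LEVEL=info` is the safer default once this is exposed, and `sslmode=disable` should be revisited if cockroach is ever reachable outside the compose network.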
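Review bot: `base_url: http://127.0.0.1/` is a plain-http loopback origin for a service that now fronts the public `secure.` host; Kratos uses this value to build absolute self-service URLs (for example in recovery and verification emails) and, I believe, to decide whether its cookies carry the Secure attribute outside dev mode — worth confirming for the Kratos version pinned here, since neither effect is covered by the nginx `proxy_redirect` rewrite in this patch, which only touches Location headers. Suggest `base_url: https://secure.siasky.xyz/`, the host this patch already uses as the session cookie domain, with a loopback value kept only in an environment-specific override if local testing needs it. The unchanged `cors: enabled: true` on the following lines may no longer be needed now that the UI is same-origin on the subdomain, and its `allowed_origins` is not visible here to confirm it is not wildcarded.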
@@ -21,33 +21,33 @@ selfservice:
 flows:
 error:
- ui_url: http://127.0.0.1/secure/error
+ ui_url: http://127.0.0.1/error
 settings:
- ui_url: http://127.0.0.1/secure/settings
+ ui_url: http://127.0.0.1/settings
 privileged_session_max_age: 15m
 recovery:
 enabled: true
- ui_url: http://127.0.0.1/secure/recovery
+ ui_url: http://127.0.0.1/recovery
 verification:
 enabled: true
- ui_url: http://127.0.0.1/secure/verify
+ ui_url: http://127.0.0.1/verify
 after:
 default_browser_return_url: http://127.0.0.1/
 logout:
 after:
- default_browser_return_url: http://127.0.0.1/secure/auth/login
+ default_browser_return_url: http://127.0.0.1/auth/login
 login:
- ui_url: http://127.0.0.1/secure/auth/login
+ ui_url: http://127.0.0.1/auth/login
 lifespan: 10m
 registration:
 lifespan: 10m
- ui_url: http://127.0.0.1/secure/auth/registration
+ ui_url: http://127.0.0.1/auth/registration
 after:
 password:
 hooks:
@@ -64,8 +64,7 @@ secrets:
 session:
 cookie:
- domain: siasky.xyz
- path: /secure
+ domain: secure.siasky.xyz
 hashers:
 argon2:
diff --git a/docker/kratos/oathkeeper/access-rules.yml b/docker/kratos/oathkeeper/access-rules.yml
index 0abe8619..478d9830 100644
--- a/docker/kratos/oathkeeper/access-rules.yml
+++ b/docker/kratos/oathkeeper/access-rules.yml
@@ -50,7 +50,7 @@ errors:
 - handler: redirect
 config:
- to: http://127.0.0.1/secure/auth/login
+ to: http://127.0.0.1/auth/login
 - id: "accounts"
 upstream:
diff --git a/docker/kratos/oathkeeper/oathkeeper.yml b/docker/kratos/oathkeeper/oathkeeper.yml
index f957313d..1887f8e1 100644
--- a/docker/kratos/oathkeeper/oathkeeper.yml
+++ b/docker/kratos/oathkeeper/oathkeeper.yml
@@ -30,7 +30,7 @@ errors:
 redirect:
 enabled: true
 config:
- to: http://127.0.0.1/secure/auth/login
+ to: http://127.0.0.1/auth/login
 when:
 - error:
 - unauthorized
diff --git a/docker/nginx/conf.d/secure.conf b/docker/nginx/conf.d/secure.conf
new file mode 100644
index 00000000..4656e91e
--- /dev/null
+++ b/docker/nginx/conf.d/secure.conf
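Review bot: Setting `domain: secure.siasky.xyz` explicitly produces a domain cookie that browsers also send to every `*.secure.siasky.xyz` host; if nothing else needs to read the Kratos session cookie, omitting the `domain` key entirely yields a host-only cookie scoped to exactly the login host, which is the tighter choice. Dropping `path: /secure` is consistent with the app now living at `/`. If the Kratos version pinned here supports it, adding `same_site: Lax` under `cookie:` is worth doing in the same hunk, since the self-service flows on this host are cookie-authenticated. The `secrets:` block this hunk belongs to starts outside the hunk, so whether the cookie secret is committed or injected cannot be checked from here.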
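Review bot: The unauthorized-redirect target `to: http://127.0.0.1/auth/login` is emitted to the browser as an absolute plaintext loopback URL and only becomes `https://` if nginx's `proxy_redirect` prefix match applies; any response that reaches the client unrewritten (a different front door, or a redirect target embedded in a body rather than a Location header) sends the user to a loopback http address. Suggest `to: https://secure.siasky.xyz/auth/login` here, and note the same value is duplicated in the per-rule error handler in access-rules.yml in this patch, so keep the two in sync or drop the per-rule copy.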
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name secure.*;
+
+ location / {
+ proxy_redirect http://127.0.0.1/ https://$host/;
+ proxy_pass http://oathkeeper:4455;
+ }
+}
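Review bot: `proxy_redirect http://127.0.0.1/ https://$host/;` takes the redirect host from the client-supplied Host header, and because `server_name secure.*;` matches any name beginning with `secure.`, a request carrying `Host: secure.attacker.example` is accepted by this block and every upstream redirect — including the login redirects this patch configures — is rewritten to point at the attacker's host, an open redirect sitting directly in front of the authentication flow. Pin both the name and the rewrite target to the real host (this patch already uses `secure.siasky.xyz` as the cookie domain); if several environments must share the file, a regex `server_name` enumerating the known domains is still needed, since `$host` cannot be trusted behind a wildcard. This block also only has `listen 80`, so login and session-cookie traffic is plain HTTP unless TLS is terminated somewhere not visible here; a `return 301 https://…` on port 80 plus a `listen 443 ssl` block, or a comment stating where TLS ends, belongs in this file. Nothing forwards `Host` or `X-Forwarded-*` to oathkeeper either, which is presumably why the Location rewrite is needed at all.
```nginx
server {
    # … unchanged: listen directives …
    # Pin to the real host: behind a wildcard name, $host is attacker-controlled
    server_name secure.siasky.xyz;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http://127.0.0.1/ https://secure.siasky.xyz/;
        proxy_pass http://oathkeeper:4455;
    }
}
```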