use secure subdomain

2020-12-16 13:08:51 +01:00 · 2020-12-16 13:08:51 +01:00 · 3d897cb3ab
parent b3029b43e3
commit 3d897cb3ab
5 changed files with 24 additions and 15 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -227,7 +227,7 @@ services:
    environment:
      - DSN=cockroach://root@cockroach:26257/defaultdb?sslmode=disable&max_conns=20&max_idle_conns=4
      - LOG_LEVEL=trace
-      - SERVE_PUBLIC_BASE_URL=/secure/.ory/kratos/public/
+      - SERVE_PUBLIC_BASE_URL=/.ory/kratos/public/
      - SQA_OPT_OUT=true
    command: serve -c /etc/config/kratos/kratos.yml
    volumes:
@ -256,8 +256,8 @@ services:
      - PORT=4435
      - SECURITY_MODE=jwks
      - PROJECT_NAME=Skynet
-      - BASE_URL=/secure/
-      - KRATOS_BROWSER_URL=/secure/.ory/kratos/public
+      - BASE_URL=/
+      - KRATOS_BROWSER_URL=/.ory/kratos/public
      - JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json
      - KRATOS_PUBLIC_URL=http://kratos:4433/
      - KRATOS_ADMIN_URL=http://kratos:4434/
--- a/docker/kratos/config/kratos.yml
+++ b/docker/kratos/config/kratos.yml
@ -4,7 +4,7 @@ dsn: memory

 serve:
  public:
-    base_url: http://127.0.0.1/secure/
+    base_url: http://127.0.0.1/
    cors:
      enabled: true
  admin:
@ -21,33 +21,33 @@ selfservice:

  flows:
    error:
-      ui_url: http://127.0.0.1/secure/error
+      ui_url: http://127.0.0.1/error

    settings:
-      ui_url: http://127.0.0.1/secure/settings
+      ui_url: http://127.0.0.1/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
-      ui_url: http://127.0.0.1/secure/recovery
+      ui_url: http://127.0.0.1/recovery

    verification:
      enabled: true
-      ui_url: http://127.0.0.1/secure/verify
+      ui_url: http://127.0.0.1/verify
      after:
        default_browser_return_url: http://127.0.0.1/

    logout:
      after:
-        default_browser_return_url: http://127.0.0.1/secure/auth/login
+        default_browser_return_url: http://127.0.0.1/auth/login

    login:
-      ui_url: http://127.0.0.1/secure/auth/login
+      ui_url: http://127.0.0.1/auth/login
      lifespan: 10m

    registration:
      lifespan: 10m
-      ui_url: http://127.0.0.1/secure/auth/registration
+      ui_url: http://127.0.0.1/auth/registration
      after:
        password:
          hooks:
@ -64,8 +64,7 @@ secrets:

 session:
  cookie:
-    domain: siasky.xyz
-    path: /secure
+    domain: secure.siasky.xyz

 hashers:
  argon2:
--- a/docker/kratos/oathkeeper/access-rules.yml
+++ b/docker/kratos/oathkeeper/access-rules.yml
@ -50,7 +50,7 @@
  errors:
    - handler: redirect
      config:
-        to: http://127.0.0.1/secure/auth/login
+        to: http://127.0.0.1/auth/login

 - id: "accounts"
  upstream:
--- a/docker/kratos/oathkeeper/oathkeeper.yml
+++ b/docker/kratos/oathkeeper/oathkeeper.yml
@ -30,7 +30,7 @@ errors:
    redirect:
      enabled: true
      config:
-        to: http://127.0.0.1/secure/auth/login
+        to: http://127.0.0.1/auth/login
        when:
          - error:
              - unauthorized
--- a/docker/nginx/conf.d/secure.conf
+++ b/docker/nginx/conf.d/secure.conf
@ -0,0 +1,10 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name secure.*;
+
+	location / {
+		proxy_redirect http://127.0.0.1/ https://$host/;
+		proxy_pass http://oathkeeper:4455;
+	}
+}