From 8a65e1aadf3fca83d0e11a46689b06b097b0f7e4 Mon Sep 17 00:00:00 2001 From: Karol Wypchlo Date: Tue, 15 Dec 2020 16:12:46 +0100 Subject: [PATCH] use secure subdomain --- docker-compose.yml | 6 +++--- docker/kratos/config/kratos.yml | 18 ++++++++--------- docker/kratos/oathkeeper/access-rules.yml | 24 ++++++++--------------- docker/kratos/oathkeeper/oathkeeper.yml | 6 ++---- 4 files changed, 22 insertions(+), 32 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index edb8406a..5098dabd 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -227,7 +227,7 @@ services: environment: - DSN=cockroach://root@cockroach:26257/defaultdb?sslmode=disable&max_conns=20&max_idle_conns=4 - LOG_LEVEL=trace - - SERVE_PUBLIC_BASE_URL=https://siasky.xyz/secure/.ory/kratos/public/ + - SERVE_PUBLIC_BASE_URL=https://secure.siasky.xyz/.ory/kratos/public/ - SQA_OPT_OUT=true command: serve -c /etc/config/kratos/kratos.yml volumes: @@ -256,8 +256,8 @@ services: - PORT=4435 - SECURITY_MODE=jwks - PROJECT_NAME=Skynet - - BASE_URL=https://siasky.xyz/secure/ - - KRATOS_BROWSER_URL=https://siasky.xyz/secure/.ory/kratos/public + - BASE_URL=https://secure.siasky.xyz + - KRATOS_BROWSER_URL=https://secure.siasky.xyz/.ory/kratos/public - JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json - KRATOS_PUBLIC_URL=http://kratos:4433/ - KRATOS_ADMIN_URL=http://kratos:4434/ diff --git a/docker/kratos/config/kratos.yml b/docker/kratos/config/kratos.yml index 7d3f4434..6f60d681 100644 --- a/docker/kratos/config/kratos.yml +++ b/docker/kratos/config/kratos.yml @@ -4,7 +4,7 @@ dsn: memory serve: public: - base_url: https://siasky.xyz/secure/ + base_url: https://secure.siasky.xyz cors: enabled: true admin: 
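Review bot: `SERVE_PUBLIC_BASE_URL` in the first docker-compose.yml hunk is `https://secure.siasky.xyz/.ory/kratos/public/`, while this commit sets `serve.public.base_url` in docker/kratos/config/kratos.yml to `https://secure.siasky.xyz`, so the two sources disagree on Kratos's public base URL. If the environment variable takes precedence over the file (I believe it does in Kratos, but confirm for the deployed version), the file value is dead configuration and will mislead anyone auditing redirect and cookie behaviour. Keep one source of truth, or add `# overridden by SERVE_PUBLIC_BASE_URL in docker-compose.yml` above the key in kratos.yml. The trailing slash also differs from `KRATOS_BROWSER_URL` in the second hunk. The service definitions start outside both hunks.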
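Review bot: `cors: enabled: true` under `serve.public` in docker/kratos/config/kratos.yml has no origin list in the lines shown (the next key is `admin:`), so the public API presumably falls back to the default origin policy. Now that the identity endpoints have their own origin, this is a good moment to pin it, e.g. `allowed_origins: [https://secure.siasky.xyz]` plus any portal origin that really has to call the API from a browser. The `admin:` block continues outside the hunk, so the admin listener's exposure could not be checked from here.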
@@ -21,33 +21,33 @@ selfservice: flows: error: - ui_url: https://siasky.xyz/secure/error + ui_url: https://secure.siasky.xyz/error settings: - ui_url: https://siasky.xyz/secure/settings + ui_url: https://secure.siasky.xyz/settings privileged_session_max_age: 15m recovery: enabled: true - ui_url: https://siasky.xyz/secure/recovery + ui_url: https://secure.siasky.xyz/recovery verification: enabled: true - ui_url: https://siasky.xyz/secure/verify + ui_url: https://secure.siasky.xyz/verify after: default_browser_return_url: https://siasky.xyz logout: after: - default_browser_return_url: https://siasky.xyz/secure/auth/login + default_browser_return_url: https://secure.siasky.xyz/auth/login login: - ui_url: https://siasky.xyz/secure/auth/login + ui_url: https://secure.siasky.xyz/auth/login lifespan: 10m registration: lifespan: 10m - ui_url: https://siasky.xyz/secure/auth/registration + ui_url: https://secure.siasky.xyz/auth/registration after: password: hooks: @@ -64,7 +64,7 @@ secrets: session: cookie: - domain: siasky.xyz + domain: secure.siasky.xyz hashers: argon2: diff --git a/docker/kratos/oathkeeper/access-rules.yml b/docker/kratos/oathkeeper/access-rules.yml index e6c5d395..b338fb00 100644 --- a/docker/kratos/oathkeeper/access-rules.yml +++ b/docker/kratos/oathkeeper/access-rules.yml @@ -1,5 +1,4 @@ -- - id: "ory:kratos:public" +- id: "ory:kratos:public" upstream: preserve_host: true url: "http://kratos:4433" @@ -13,15 +12,13 @@ - DELETE - PATCH authenticators: - - - handler: noop + - handler: noop authorizer: handler: allow mutators: - handler: noop -- - id: "ory:kratos-selfservice-ui-node:anonymous" +- id: "ory:kratos-selfservice-ui-node:anonymous" upstream: preserve_host: true url: "http://kratos-selfservice-ui-node:4435" 
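Review bot: The `after.default_browser_return_url` that appears to sit under `verification` still points at `https://siasky.xyz`, while every other flow URL in this hunk moved to `secure.siasky.xyz`. Since the session cookie is narrowed to `secure.siasky.xyz` later in this file, the apex page the user lands on will not receive the session, so please confirm this is intended; if it is not, use `default_browser_return_url: https://secure.siasky.xyz`. If it is intended, a comment such as `# returns to the portal on purpose; no session cookie is sent there` would answer the question for the next reviewer. Any return-URL allow-list lies outside the hunk and would need the new host as well.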
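Review bot: `domain: secure.siasky.xyz` under `session.cookie` still emits a Domain attribute, which browsers match against that host and every subdomain beneath it; a host-only cookie is the narrowest scope. If Kratos omits the attribute when `session.cookie.domain` is unset (worth confirming for the deployed version), removing the key is stricter than renaming it. Separately, sessions issued before this change carry the apex domain and will keep being sent to `secure.siasky.xyz` until they expire, so during rollout a browser can present two session cookies with the same name. Plan to invalidate the existing sessions as part of the deploy.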
@@ -30,16 +27,13 @@ methods: - GET authenticators: - - - handler: anonymous + - handler: anonymous authorizer: handler: allow mutators: - - - handler: noop + - handler: noop -- - id: "ory:kratos-selfservice-ui-node:protected" +- id: "ory:kratos-selfservice-ui-node:protected" upstream: preserve_host: true url: "http://kratos-selfservice-ui-node:4435" @@ -48,8 +42,7 @@ methods: - GET authenticators: - - - handler: cookie_session + - handler: cookie_session authorizer: handler: allow mutators: @@ -58,5 +51,4 @@ - handler: redirect config: #to: http://oathkeeper:4455/auth/login - to: https://siasky.xyz/secure/auth/login - + to: https://secure.siasky.xyz/auth/login diff --git a/docker/kratos/oathkeeper/oathkeeper.yml b/docker/kratos/oathkeeper/oathkeeper.yml index e31ef77c..196b0909 100644 --- a/docker/kratos/oathkeeper/oathkeeper.yml +++ b/docker/kratos/oathkeeper/oathkeeper.yml @@ -31,10 +31,9 @@ errors: enabled: true config: #to: http://oathkeeper:4455/auth/login - to: https://siasky.xyz/secure/auth/login + to: https://secure.siasky.xyz/auth/login when: - - - error: + - error: - unauthorized - forbidden request: @@ -88,4 +87,3 @@ mutators: { "session": {{ .Extra | toJson }} } -
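Review bot: The rules' `match.url` patterns in docker/kratos/oathkeeper/access-rules.yml are not part of any hunk in this file, so they still carry whatever host and path they had before the move. If they pin the old `siasky.xyz/secure/` prefix, requests to `secure.siasky.xyz` will match no rule; if they are loose enough to match both hosts, the old path keeps reaching the `ory:kratos:public` rule, which uses `handler: noop`. Please confirm the patterns and scope them to the new host only. The stale `#to: http://oathkeeper:4455/auth/login` comment above the changed `to:` line can be dropped in the same pass.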
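Review bot: The login target `https://secure.siasky.xyz/auth/login` is now hard-coded in docker/kratos/oathkeeper/oathkeeper.yml and again in access-rules.yml, so the next host change has to touch both or the two redirects will diverge. If the per-rule `redirect` handler inherits the global config when its own `config` is omitted (confirm against the Oathkeeper version in use), keep the URL only here. Also, `forbidden` under `when` sends an already authenticated but unauthorized user to the login page; confirm that cannot loop. The `request:` matcher continues outside the hunk.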