I am experimenting with a two-service docker-compose recipe, largely based on
the following GitHub project:
https://github.com/rongfengliang/keycloak-openresty-openidc
After streamlining, my configuration looks something like the following fork
commit:
https://github.com/Tythos/keycloak-openresty-openidc
My current issue is, the authorization endpoint ("../openid-connect/auth") uses
the internal origin ("http://keycloak-svc:"). Obviously, if users are
redirected to this URL, their browsers will need to cite the external origin
("http://localhost:"). I thought the PROXY_ADDRESS_FORWARDING variable for the
Keycloak service would fix this, but I'm wondering if I need to do something
like a rewrite on-the-fly in the nginx/openresty configuration.
To replicate, from project root::
docker-compose build
docker-compose up --force-recreate --remove-orphans
Then browse to "http://localhost:8090" to start the OIDC flow. You can
circumvent the origin issue by, once you encounter the aforementioned origin
issue, by replacing "keycloak-svc" with "localhost", which will forward you to
the correct login interface. Once there, though, you will need to add a user
to proceed. To add a user, browse to "http://localhost:8080" in a separate tab
and follow these steps before returning to the original tab and entering the
credentials:
Under Users > Add user:
username = "testuser"
email = "{{whatever}}"
email verified = ON
Groups > add "restybox-group"
After user created:
Go to "Credentials" tab
Set to "mypassword"
Temporary = OFF
Authorization Servers such as Keycloak have a base / internet URL when running behind a reverse proxy. You don't need to do anything dynamic in the reverse proxy - have a look at the frontend URL configuration.
Out of interest I just answered a similar question here, that may help you to understand the general pattern. Aim for good URLs (not localhost) and a discovery endpoint that returns intermet URLs rather than internal URLs.
Related
I came into a situation today. Please share your expertise 🙏
I have a project (my-app.com) and one of the features is to generate a status page consisting of different endpoints.
Current Workflow
User login into the system
User creates a status page for one of his sites (e.g.google) and adds different endpoints and components to be included on that page.
System generates a link for a given status page.
For Example. my-app.com/status-page/google
But the user may want to see this page in his custom domain.
For Example. status.google.com
Since this is a custom domain, we need on-demand TLS functionality. For this feature, I used Caddy and is working fine. Caddy is running on our subdomain status.myserver.com and user's custom domain status.google.com has a CNAME to our subdomain status.myserver.com
Besides on-demand TLS, I am also required to do reverse proxy as
shown below.
For Example. status.google.com ->(CNAME)-> status.myserver.com ->(REVERSE_PROXY)-> my-app.com/status-page/google
But Caddy supports only protocol, host, and port format for reverse proxy like my-app.com but my requirement is to support reverse proxy for custom page my-app.com/status-page/google. How can I achieve this? Is there a better alternative to Caddy or a workaround with Caddy?
You're right, since you can't use a path in a reverse-proxy upstream URL, you'd have to do rewrite the request to include the path first, before initiating the reverse-proxy.
Additionally, upstream addresses cannot contain paths or query strings, as that would imply simultaneous rewriting the request while proxying, which behavior is not defined or supported. You may use the rewrite directive should you need this.
So you should be able to use an internal caddy rewrite to add the /status-page/google path to every request. Then you can simply use my-app.com as your Caddy reverse-proxy upstream. This could look like this:
https:// {
rewrite * /status-page/google{path}?{query}
reverse_proxy http://my-app.com
}
You can find out more about all possible Caddy reverse_proxy upstream addresses you can use here: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#upstream-addresses
However, since you probably can't hard-code the name of the status page (/status-page/google) in your Caddyfile, you could set up a script (e.g. at /status-page) which takes a look at the requested URL, looks up the domain (e.g. status.google.com) in your database, and automatically outputs the correct status-page.
After configuring my database and running my Wiki.js instance using nodejs, I was prompted to "install" Wiki.js on localhost:3000. However, there is this input bar asking for the public URL wiki.example.com:
I am trying wiki.js out on my own computer, which has nothing to do with public URLs. In the future, I plan to use nginx to reverse proxy received request to two different ports on my server, which also does not require public URL exposing to the service (proxied by nginx already).
Therefore I am curious: Why does wiki.js need public URL when installing? What do I need to configure when testing Wiki.js on my computer? What do I need to configure in nginx reverse proxy and what to fill here in the public URL input bar?
TL;DR if you're on localhost and testing it doesn't matter what URL you put. Also note that this setting can be easily changed after installation from admin area.
I was deploying wiki.js in our company and first I was setting it up on throwaway domain before switching to target domain, and I was confused by this as well.
I've put target URL during installation and it seemed at first like this setting is unused - I was able to use wiki normally. Later I found out that it is in fact used in few places like for example when user requests password reset, the reset link will be generated against this URL.
Note that while using reverse proxy allows you to easily change on which domain name is wiki.js served, if the wiki is public for users, the system WILL have to know this public URL, for reasons like password reset mentioned above.
The public url may appear in emails sent to events. In this case, the system needs to know where it is available. This is even more important based on what you describe, because hiding behind different proxies will no longer be able to identify the availability of your own url.
I have a few apps running in a aws instance with Dokku. I'm using virtual hostname, and together with some DNS configuration of my registered domain, I have the following for one of them: mydomain.com is a CNAME record pointing to the aws instance address, and Dokku+nginx take care of redirecting to the correct app/process.
The path for all API calls is /parse, as I'm using the open source Parse Server. The final server url is mydomain.com/parse.
What I want to achieve, ideally, is the following: api.mydomain.com gets redirected to mydomain.com/parse, api.mydomain.com/someFunction to mydomain.com/parse/someFunction and so on.
When researching to see how this may be possible, I found that this can be done easily with nginx, like explained here in this answer.
I can even change manually the nginx config file, but I'm afraid that it will be overwritten in future changes. How can this ideally be achieved with nginx on Dokku?
What I'd really like to do is set up an azure site called site.com. Then have hundreds of subdomains such as foo.site.com, bar.site.com, baz.site.com etc. My asp.net mvc application will pull out the subdomain as this will be used as an identifier.
Next I'd like to have other domains CNamed to the subdomains. Such as hello.othersite.com -> foo.site.com, so that the browser still shows hello.othersite.com but I'd be able to get the foo subdomain out of the request.
I don't want to have to configure any of this because there are going to be lots of subdomains, essentially one per account.
Is this actually possible?
I've tried a few tests but I'm not 100% sure how to proceed. Would I just:
Setup site.com to accept *.site.com
CNAME hello.othersite.com to foo.site.com (do I want masking, forwarding etc?)
Does the incoming http request contain any information about the subdomain (foo) that
it's CNAMED to?
I hope this isn't too vague and hand wavey but some confirmation of its plausibility would be a great help.
It is not just Azure, but the whole web.
I don't think it is possible to get out of the HTTP request for hello.othersite.com that it actually mapped in the DNS to foo.site.com. And this is because your actual HTTP request will look something like
GET /index.html HTTP/1.1
(other headers)
host: hello.othersite.com
Your web server, whatever it is, has no idea that hello.othersites.com is mapped via CNAME to foo.site.com. The request you receive is for hello.othersite.com.
If you do forwarding, the users will never stay on hello.othersite.com but will be redirected to foo.site.com. I guess this is not what you want.
Direct domain masking is usually done via iFrame, which would also not recommend.
I would do the following, as nothing else comes to mind at the moment:
Setup the site to accept *.site.com and *.othersite.com
Add Wildcard CNAME map to my Azure cloud service, i.e. *.site.com -> CNAME -> my.cloudapp.net. Same for both custom domains I want to have.
Perform necessary checks in my app to figure out domain mappings <-> user accounts.
HI,
I have issue in using Windows live API
Iam using asp.net, am not able to use the callback url on local
The signin link is working only if i provide live url, but i cant able to use local host.
Please help
It may help someone else also -
Please add following entry in hosts file (located at [%system drive%]\Windows\System32\drivers\etc)
127.0.0.1 www.example.com
#[Please replace example domain with your actual one]
Windows live server expects your return url to have http:// in it but chrome does not add it and IE do add it, I realized this after wasting sometime.
This should get you through testing api on your local machine.
Go and setup a dynamic dns and a name for your computer and make your tests this way.
For example you can setup on DynDns.com a name for your dynamic ip, and then setup your router with that name to automatic assign it (or do it manual from the pages), and then you can use this name, and not the localhost. Do not forget to open the port to your router so the other side can make requests.
Also on /windows/system32/drivers/etc/host you can also setup the same name to see your local host and make your tests and callbacks.
Your problem is that the callback address needs to be the same as the address you used to sign up with.
(In relation to your callback), from the documentation:
The domain name portion of the URL (for example, www.contoso.com) must
be the same as the one that you specified when you created your
application with Live Connect. The URL must use URL escape codes, such
as %20 for spaces, %3A for colons, and %2F for forward slashes.
So, based on what you have said, you are using localhost (which you can't). As #Aristos suggested, add an entry to /windows/system32/drivers/etc/host to the domain you have registered (eg www.contoso.com).
Use www.contoso.com instead of localhost to test.