KeychainMDIP / kc

Reference implementation of the Multi Dimensional Identity Protocol (MDIP)
MIT License

Feature Request: Gatekeeper BaseURL Variable. #300

Open alexfornuto opened 2 weeks ago

alexfornuto commented 2 weeks ago

Request: Provide an environment variable like GATEKEEPER_URL which would be prepended to all internal resource calls for the Gatekeeper web UI.

Reason: The configuration of reverse proxies to manage deployments of Keychain alongside apps using it on a single host could be simplified to a single domain and server block.

As an example: consider a single VM running multiple containers/services, with a single domain associated with its IP address. There's the Gatekeeper, Keymaster, etc, and a 3rd party web service. Access to Keymaster is configured separately for internal access only, but the web service and Gatekeeper are to be exposed publicly on port 443. An nginx server block would include something like this:

    ...

    server_name example.com;

    location / {
        proxy_pass http://localhost:3000;
        #ADDITIONAL OPTIONS
    }

    # proxy_pass with no URI part forwards the request URI unchanged, so the
    # upstream on :4224 receives /gatekeeper/... and must serve under that prefix
    location /gatekeeper {
        proxy_pass http://localhost:4224;
        #ADDITIONAL OPTIONS
    }

Currently, a configuration like this fails, as the Gatekeeper web UI cannot find its resources under that subdirectory.

Prior Art: Docusaurus handles this situation with the baseUrl key in its configuration file, as does Hugo.
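The request above asks for a prefix that the web UI prepends to every internal resource reference. The following is an added example of such a resolver, not code from the KeychainMDIP/kc project: GATEKEEPER_URL is the variable name proposed in the issue, while the function names and the sample resource list are assumptions for illustration. It normalises the prefix, and it rejects absolute URLs and parent-directory segments so that every resolved path stays underneath the prefix the reverse proxy routes to the service.

```javascript
// Added example (not part of the KeychainMDIP/kc project): a base-URL-aware
// resource resolver of the kind the feature request describes.

const ABSOLUTE_URL = /^[a-z][a-z0-9+.-]*:/i;

// Normalise the configured prefix: "" or "/" means "serve from the root";
// "gatekeeper", "/gatekeeper" and "/gatekeeper/" all become "/gatekeeper".
function normalizeBase(raw) {
  const base = (raw ?? "").trim();
  if (base === "" || base === "/") return "";
  if (ABSOLUTE_URL.test(base) || base.startsWith("//")) {
    throw new Error("base URL must be a path prefix, not an absolute URL");
  }
  return "/" + base.replace(/^\/+|\/+$/g, "");
}

// Join a UI-internal resource path onto the prefix. Absolute URLs are refused
// and ".." segments are refused, so the result can never point outside the
// prefix that the reverse proxy maps to this service.
function resolveResource(rawBase, resource) {
  const base = normalizeBase(rawBase);
  if (ABSOLUTE_URL.test(resource) || resource.startsWith("//")) {
    throw new Error("resource must be a relative path");
  }
  const segments = resource.split("/").filter((s) => s !== "" && s !== ".");
  if (segments.includes("..")) {
    throw new Error("resource path must not escape the base URL");
  }
  return base + "/" + segments.join("/");
}

// Rewrite every internal reference the UI emits.
function resolveAll(rawBase, resources) {
  return resources.map((r) => resolveResource(rawBase, r));
}

// Constructed sample of the kind of references a UI bundle contains.
const SAMPLE_RESOURCES = ["/static/app.js", "api/v1/did", "./favicon.ico"];

// Usage: read the prefix from the environment (assumed variable name from the
// issue); an unset variable keeps the current root-relative behaviour.
const configuredBase =
  typeof process !== "undefined" ? process.env.GATEKEEPER_URL : undefined;
console.log(resolveAll(configuredBase, SAMPLE_RESOURCES));
```

With GATEKEEPER_URL=/gatekeeper the sample list resolves to /gatekeeper/static/app.js, /gatekeeper/api/v1/did and /gatekeeper/favicon.ico, which is what the /gatekeeper location block in the nginx example above would route back to the service.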

macterra commented 1 week ago

@Flaxscrip how did you get https://mdip.yourself.dev/ to work?

Flaxscrip commented 1 week ago

This is my nginx config exposing:

  1. the /did query path for public MDIP DID queries
  2. the / path for public MDIP Keymaster Wallet services

Note: The nginx server is on mdip-node and points to gatekeeper services on a separate mdip-gatekeeper host.

Note 2: Access rights are currently public (allow all). This could be restricted and offered under conditions.

    # proxy_pass with a URI part: the matched /api/v1/did prefix is replaced by
    # that URI before the request reaches the upstream
    location /api/v1/did {
        proxy_pass http://mdip-gatekeeper:4224/api/v1/did;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        allow all;
    }
    # proxy_pass without a URI part: the request URI is forwarded unchanged
    location / {
        proxy_pass http://mdip-gatekeeper:4224;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        allow all;
    }

Flaxscrip commented 1 week ago

We can also create multiple endpoints for multiple wallets. Since the keys are kept browser-side and segregated in the browser storage by URL, a user can use 2 different URLs to manage 2 wallets in the same browser.

Example:

https://wallet1.mdip.yourself.dev
https://wallet2.mdip.yourself.dev

    server_name mdip.yourself.dev wallet1.mdip.yourself.dev wallet2.mdip.yourself.dev;

Flaxscrip commented 1 week ago

The best practices will be documented as a work-product of https://github.com/KeychainMDIP/kc/issues/307

Flaxscrip commented 1 week ago

Also using nginx, we can create a baseURL for the wallet (https://mdip.yourself.dev/wallet). The Keymaster WebUI seems to handle the baseURL proxy well without any additional variables required.

    # proxy_pass without a URI part: the upstream receives /wallet/... unchanged
    location /wallet {
        proxy_pass http://mdip-gatekeeper:4224;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        allow all;
    }

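
The two comments above rely on how the browser partitions wallet keys kept client-side: Web Storage (localStorage) is scoped to the origin, that is scheme, host and port, not to the full URL. Two subdomains such as wallet1.mdip.yourself.dev and wallet2.mdip.yourself.dev therefore get separate storage, whereas two paths on one host such as https://mdip.yourself.dev/ and https://mdip.yourself.dev/wallet share a single bucket. The following added example, not code from the KeychainMDIP/kc project, models that partitioning; the hostnames are the ones from the comments, and the storage class and function names are assumptions for illustration.

```javascript
// Added example (not part of the KeychainMDIP/kc project): a model of
// origin-scoped browser storage, used to check which wallet URLs isolate keys.

// The key the browser uses to pick a Web Storage bucket: the origin only.
function storageScope(url) {
  return new URL(url).origin;
}

// Minimal model of localStorage: one key/value bucket per origin.
class OriginScopedStorage {
  constructor() {
    this.buckets = new Map();
  }
  bucket(url) {
    const origin = storageScope(url);
    if (!this.buckets.has(origin)) this.buckets.set(origin, new Map());
    return this.buckets.get(origin);
  }
  setItem(url, key, value) {
    this.bucket(url).set(key, value);
  }
  getItem(url, key) {
    return this.bucket(url).get(key) ?? null;
  }
}

// Report whether a wallet written via urlA is readable via urlB, i.e. whether
// the two deployments would see the same browser-side keys.
function walletsShareStorage(urlA, urlB) {
  const storage = new OriginScopedStorage();
  storage.setItem(urlA, "wallet", "constructed-wallet-A"); // constructed value
  return storage.getItem(urlB, "wallet") !== null;
}

// Subdomain per wallet: isolated. Path per wallet on one host: shared.
console.log(walletsShareStorage("https://wallet1.mdip.yourself.dev", "https://wallet2.mdip.yourself.dev"));
console.log(walletsShareStorage("https://mdip.yourself.dev/", "https://mdip.yourself.dev/wallet"));
```

A separate hostname per wallet is therefore the configuration that actually isolates two wallets in one browser; a path prefix such as /wallet is a routing convenience on the proxy side but does not add a storage boundary.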
Flaxscrip commented 1 week ago

Although it is currently offline, I have a sample nginx configuration and OAuth server that requires the user to pass an OAuth authentication before being allowed to access the Keymaster Wallet. This was used for the "custodial" Keymaster Wallets.