Wirecloud / docker-wirecloud

🐳 Docker Official Image packaging for WireCloud https://conwet.fi.upm.es/wirecloud

Wirecloud and Keyrock #45

Closed SamuelTJackson closed 4 years ago

SamuelTJackson commented 4 years ago

Hey, I can't log in to WireCloud with Keyrock. WireCloud settings:

wirecloud:
    restart: always
    image: fiware/wirecloud
    container_name: wirecloud
    depends_on:
        - postgres
        - elasticsearch
        - memcached
    environment:
        - DEBUG=True   # Django debug mode; leave it off outside development
        - VIRTUAL_HOST=wirecloud.mydomain.de
        - VIRTUAL_PORT=8000
        - LETSENCRYPT_HOST=wirecloud.mydomain.de
        - LETSENCRYPT_EMAIL=test@test.de
        - DEFAULT_THEME=wirecloud.defaulttheme
        - DB_HOST=postgres
        - DB_PASSWORD=wirepass   # Change this password!
        - FORWARDED_ALLOW_IPS=*   # gunicorn trusts X-Forwarded-* headers from any address; narrow this to the proxy
        - ELASTICSEARCH2_URL=http://elasticsearch:9200/
        - MEMCACHED_LOCATION=memcached:11211
        # Uncomment the following environment variables to enable IDM integration
        - FIWARE_IDM_PUBLIC_URL=https://keyrock.mydomain.de
        - FIWARE_IDM_SERVER=https://keyrock.mydomain.de
        - SOCIAL_AUTH_FIWARE_KEY=0955b004-a6b0-459c-bae9-36d16cda654g
        - SOCIAL_AUTH_FIWARE_SECRET=634fa7ad-940e-4fc9-abcf-a6091ca72e4e
    volumes:
        - ./wirecloud-data:/opt/wirecloud_instance/data
        - ./wirecloud-static:/var/www/static
Keyrock settings:

keyrock:
    image: fiware/idm
    container_name: fiware-keyrock
    user: "996:995"
    depends_on:
        - keyrock-db
        - authzforce
    expose:
        - "3005"
    environment:
        - IDM_DB_HOST=keyrock-db
        - IDM_DB_PASS_FILE=/run/secrets/keyrock_db_password
        - IDM_DB_USER=root
        - IDM_HOST=http://localhost:3005
        - IDM_PORT=3005
        - IDM_HTTPS_ENABLED=false
        - IDM_ADMIN_USER=test
        - IDM_ADMIN_EMAIL=test@test.de
        - IDM_ADMIN_PASS=1234   # Change this password!
        - IDM_PDP_LEVEL=advanced
        - IDM_AUTHZFORCE_ENABLED=true
        - IDM_AUTHZFORCE_HOST=authzforce
        - IDM_AUTHZFORCE_PORT=8080
        - VIRTUAL_HOST=keyrock.mydomain.de
        - VIRTUAL_PORT=3005
        - LETSENCRYPT_HOST=keyrock.mydomain.de
        - LETSENCRYPT_EMAIL=test@test.de
    secrets:
        - keyrock_db_password

I created an application in Keyrock:

(screenshot of the Keyrock application settings)

WireCloud and Keyrock are working fine. They are both behind a TLS-terminating reverse proxy. Now I try to log in to WireCloud. I click login and get redirected to Keyrock. Keyrock asks me whether I want to allow or deny access (I'm already logged in). I click allow. The following URL gets called:

https://wirecloud.mydomain.de/complete/fiware/?code=4f7a0a53070f1fd587270f1b4968d7e7bb5e40ad&state=DBRNiDOBc4OdzHBayh8vrznT1fthFSr5

It loads for some seconds and then I get a 502 Bad Gateway. WireCloud logs:

[2019-11-12 15:49:06 +0000] [1] [INFO] Starting gunicorn 19.3.0
[2019-11-12 15:49:06 +0000] [1] [INFO] Listening at: http://0.0.0.0:8000 (1)
[2019-11-12 15:49:06 +0000] [1] [INFO] Using worker: sync
[2019-11-12 15:49:06 +0000] [57] [INFO] Booting worker with pid: 57
[2019-11-12 15:49:06 +0000] [59] [INFO] Booting worker with pid: 59
[2019-11-12 15:50:07 +0000] [1] [CRITICAL] WORKER TIMEOUT (pid:57)
[2019-11-12 09:50:07 -0600] [57] [INFO] Worker exiting (pid: 57)
[2019-11-12 15:50:07 +0000] [188] [INFO] Booting worker with pid: 188

reverse proxy log:

keyrock.mydomain.de 10.10.100.10 - - [12/Nov/2019:16:07:00 +0000] "POST /oauth2/enable_app?client_id=0955b004-a6b0-459c-bae9-36d16cda654e&redirect_uri=https://wirecloud.mydomain.de/complete/fiware/&state=DBRNiDOBc4OdzHBayh8vrznT1fthFSr5&response_type=code HTTP/2.0" 302 328 "https://keyrock.mydomain.de/oauth2/authorize?client_id=0955b004-a6b0-459c-bae9-36d16cda654e&redirect_uri=https://wirecloud.mydomain.de/complete/fiware/&state=DBRNiDOBc4OdzHBayh8vrznT1fthFSr5&response_type=code" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
2019/11/12 16:07:30 [error] 565#565: *3080 upstream prematurely closed connection while reading response header from upstream, client: 10.10.100.10, server: wirecloud.mydomain.de, request: "GET /complete/fiware/?code=22a1188950f5b23d54ba3f6e4ffe0d26a0bc5194&state=DBRNiDOBc4OdzHBayh8vrznT1fthFSr5 HTTP/2.0", upstream: "http://172.24.0.13:8000/complete/fiware/?code=22a1188950f5b23d54ba3f6e4ffe0d26a0bc5194&state=DBRNiDOBc4OdzHBayh8vrznT1fthFSr5", host: "wirecloud.mydomain.de", referrer: "https://keyrock.mydomain.de/oauth2/authorize?client_id=0955b004-a6b0-459c-bae9-36d16cda654e&redirect_uri=https://wirecloud.mydomain.de/complete/fiware/&state=DBRNiDOBc4OdzHBayh8vrznT1fthFSr5&response_type=code"
wirecloud.mydomain.de 10.10.100.10 - - [12/Nov/2019:16:07:30 +0000] "GET /complete/fiware/?code=22a1188950f5b23d54ba3f6e4ffe0d26a0bc5194&state=DBRNiDOBc4OdzHBayh8vrznT1fthFSr5 HTTP/2.0" 502 559 "https://keyrock.mydomain.de/oauth2/authorize?client_id=0955b004-a6b0-459c-bae9-36d16cda654e&redirect_uri=https://wirecloud.mydomain.de/complete/fiware/&state=DBRNiDOBc4OdzHBayh8vrznT1fthFSr5&response_type=code" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"

I don't see my mistake. Hope you guys can help.

SamuelTJackson commented 4 years ago

You are not allowed to use the public domain for FIWARE_IDM_SERVER. I had to use the Docker-internal IP (http://keyrock:5003). I don't understand why.
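A worked illustration of why the two settings differ, added here as an example; it is not code from WireCloud, Keyrock or this issue. FIWARE_IDM_PUBLIC_URL only ever ends up in redirects that the user's browser follows, so it has to be the public hostname. FIWARE_IDM_SERVER is the address WireCloud's own worker contacts when it exchanges the `code` from the `/complete/fiware/` callback for a token, and that request leaves from inside the compose network. The logs above are consistent with that token request never completing: the worker is killed after gunicorn's timeout, nginx reports the upstream closing, and the browser sees a 502. That is what happens when the public name is not reachable from inside the container. The script drives the three steps against a constructed local stand-in for Keyrock's token endpoint so it runs offline: it checks the `state` parameter (the CSRF binding between redirect and callback), performs the token exchange with a bounded timeout, and contrasts a server URL that answers with one that never does. The client id and secret are the ones posted in the issue; the shape of the token request (HTTP Basic client credentials plus a form body, as in the Keyrock documentation), the fake token values and the local servers are assumptions.

```python
# Added example, not code from WireCloud, Keyrock or this issue: the
# authorization-code flow behind the failing /complete/fiware/ request, run
# against a constructed local stand-in for Keyrock's /oauth2/token endpoint.
import base64
import json
import secrets
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CLIENT_ID = "0955b004-a6b0-459c-bae9-36d16cda654e"      # client_id seen in the proxy log
CLIENT_SECRET = "634fa7ad-940e-4fc9-abcf-a6091ca72e4e"  # secret from the posted compose file
REDIRECT_URI = "https://wirecloud.mydomain.de/complete/fiware/"
IDM_PUBLIC_URL = "https://keyrock.mydomain.de"  # FIWARE_IDM_PUBLIC_URL: the browser follows this


def build_authorize_url(public_url, client_id, redirect_uri, state):
    """Step 1: redirect the browser. The browser resolves this host, so use the public name."""
    query = urllib.parse.urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                                    "state": state, "response_type": "code"})
    return f"{public_url}/oauth2/authorize?{query}"


def parse_callback(query_string, expected_state):
    """Step 2: accept the callback only if `state` is the value issued for this
    session; otherwise an attacker could splice their code into the login (CSRF)."""
    params = urllib.parse.parse_qs(query_string)
    code, state = params.get("code", [None])[0], params.get("state", [None])[0]
    if code is None or state is None:
        raise ValueError("callback is missing code or state")
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: rejecting callback")
    return code


def exchange_code(server_url, client_id, client_secret, code, redirect_uri, timeout=5.0):
    """Step 3: the server-to-server call made from inside the container (the request that
    hung in the issue). The timeout turns an unreachable server into an error, not a killed worker."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": redirect_uri}).encode()
    req = urllib.request.Request(f"{server_url}/oauth2/token", data=body, method="POST",
                                 headers={"Authorization": f"Basic {creds}",
                                          "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"token endpoint rejected the request: HTTP {exc.code}") from exc
    except OSError as exc:  # URLError on connect, socket.timeout on read: both are OSError
        raise RuntimeError(f"token endpoint {server_url} unreachable: {exc}") from exc


class FakeKeyrockToken(BaseHTTPRequestHandler):
    """Constructed stand-in for /oauth2/token; delay > 0 imitates a route that accepts TCP but never answers."""
    delay = 0.0

    def do_POST(self):
        time.sleep(self.delay)
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        expected = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        ok = self.path == "/oauth2/token" and self.headers.get("Authorization") == expected and "code" in form
        data = json.dumps({"access_token": "tok-" + form["code"][0][:8]} if ok else {"error": "invalid_client"}).encode()
        try:
            self.send_response(200 if ok else 401)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        except OSError:
            pass  # the client already gave up (the timeout case)

    def log_message(self, *args):
        pass


def serve_fake_keyrock(delay=0.0):
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    FakeKeyrockToken.delay = delay
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeKeyrockToken)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_flow(server_url, timeout=5.0):
    """Drive steps 1-3 with server_url in the FIWARE_IDM_SERVER role; returns the token JSON."""
    state = secrets.token_urlsafe(24)
    build_authorize_url(IDM_PUBLIC_URL, CLIENT_ID, REDIRECT_URI, state)  # what the browser is sent to
    # Keyrock then sends the browser back to REDIRECT_URI carrying a code and our state:
    callback = urllib.parse.urlencode({"code": secrets.token_hex(20), "state": state})
    return exchange_code(server_url, CLIENT_ID, CLIENT_SECRET, parse_callback(callback, state),
                         REDIRECT_URI, timeout)


def demo():
    """Reachable server URL: a token comes back. One that never answers: fails fast."""
    good, good_url = serve_fake_keyrock()
    token = run_flow(good_url)["access_token"]
    good.shutdown()
    hung, hung_url = serve_fake_keyrock(delay=3.0)
    try:
        run_flow(hung_url, timeout=0.5)
        failed_fast = False
    except RuntimeError as exc:
        failed_fast = "unreachable" in str(exc)
    hung.shutdown()
    return token, failed_fast
```

Running `demo()` returns a fake token for the server that answers and `True` for the one that does not, because the bounded timeout surfaces the problem in half a second instead of after gunicorn's worker timeout. The same diagnostic applies to a real deployment: from inside the wirecloud container, a request to `FIWARE_IDM_SERVER` plus `/oauth2/token` must get an HTTP response (even a 401 for bad credentials proves reachability); if it hangs, the setting points at an address the container cannot reach, which is what using the public hostname did here.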