Closed mate-h closed 3 years ago
Single sign on (SSO) pros
SSO cons
I made some progress yesterday and it seems that the domain `localhost` will not allow for cookies on `code.localhost` or any subdomain. So I decided to use the `sorosbot.local` domain for local development to mitigate this issue.
Globally the application will redirect to `https://$HOST/signin?next=...` where `$HOST` is either `sorosbot.com` or `localhost.dev` depending on the environment. When the user completes the sign-in challenge, the application will forward to the URL specified in the `next` GET parameter, see chart above.
All static files that the sign-in page has to access need to be explicitly whitelisted in the nginx configuration at `sorosbot.com/nginx/vhost.d/localhost.dev` and `sorosbot.com/nginx/vhost.d/sorosbot.com`.
Note: not applicable to sorosbot.com production environment
Assuming that `newservice` is added on `subdomain.localhost.dev`:

Append the new service configuration to `docker-compose.yml`. If the service is served over https internally, the certificate path config for the service needs to be added in `docker/config.dev.yml` and `docker/config.prod.yml`. The following snippet will extend from these files:

```yaml
# compose `extends` must be indented under the service entry, otherwise the keys are parsed as top-level
extends:
  file: ./docker/config.${CERT_TARGET}.yml
  service: newservice
```

where `$CERT_TARGET` is either `prod` or `dev`.
The `localhost.dev` certificate DNS entries need to be updated with `DNS.5 = subdomain.$NAME` at `sorosbot.com/nginx/bin/cert.sh:42`.

Regenerate the certificate with

```shell
/bin/bash -c ./nginx/bin/cert.sh
docker exec nginx-proxy nginx -s reload
```
The new subdomain needs to be added to `nginx/etc/hosts` and `/etc/hosts` of the local system.

```shell
# Append (">>" / "tee -a") rather than ">": a single ">" would truncate the hosts file,
# and with "sudo echo ... > /etc/hosts" the redirection runs unprivileged anyway.
echo "127.0.0.1 subdomain.localhost.dev" >> ./nginx/etc/hosts
echo "127.0.0.1 subdomain.localhost.dev" | sudo tee -a /etc/hosts
```
Still TODO: remove sign in challenge from freqtrade UI and portainer, leave user management as is
Latest sign-in attempt error on sorosbot.com:

```text
request to https://api/session failed, reason:
Hostname/IP does not match certificate's altnames:
Host: sorosbot.com. is not cert's CN: letsencrypt-nginx-proxy-companion
```
Solution https://github.com/nginx-proxy/acme-companion/blob/main/docs/Standalone-certificates.md
Removed this snippet:

```javascript
const fs = require("fs");
const https = require("https");

// Collect CA certificates the internal services may present; a missing file
// is ignored so the same code runs in both dev and prod containers.
const ca = [];
// TODO: depending on environment
try {
  ca.push(fs.readFileSync("/etc/nginx/certs/default.crt"));
  ca.push(fs.readFileSync("/etc/nginx/certs/root.pem"));
} catch {
  // dev certs not present in this environment
}
try {
  ca.push(fs.readFileSync("/etc/nginx/certs/sorosbot.com.chain.pem"));
  ca.push(fs.readFileSync("/etc/nginx/certs/sorosbot.com.crt"));
} catch {
  // prod certs not present in this environment
}
// Trust this bundle for every request made through the global https agent
https.globalAgent.options.ca = ca;
```
Added this despite recommendations not to, it's internal DNS so it should be fine either way

```javascript
// Disables certificate and hostname verification for every request sent
// through the global https agent in this process
https.globalAgent.options.rejectUnauthorized = false;
```
When redoing the HTTP Let's Encrypt SSL challenge, remove the proxy from Cloudflare DNS, otherwise the challenge fails. Next renewal time is: Thu Jul 22 10:14:40 UTC 2021
Sign-in flow

- move Firebase login API from SvelteKit to Fastify
- set cookie cross-subdomain for all containers
- environment-specific sign-in flow
- include ssh username in custom claims of the Firebase user