Hide all internal services behind one url

[rikukissa]

Benefits:

• One of the points brought up in pen testing by Gofore
  • One more layer of obfuscation
• Easier deployment of mobile testing environments and other environment
• Number of required SSL certificates

Services to consider:

• Minio
• Config, Gateway, Country config, Webhooks

We will be leaving all the webapps(login, client, kibana, metabase, minio-console) as is.

These are URLs that we sending to client from countryconfig currently:

  API_GATEWAY_URL: 'http://localhost:7070/'
  CONFIG_API_URL: 'http://localhost:2021'
  LOGIN_URL: 'http://localhost:3020'
  AUTH_URL: 'http://localhost:7070/auth/'
  COUNTRY_CONFIG_URL: 'http://localhost:3040'

As part of this ticket we would like to trim this down to this:

  API_GATEWAY_URL: 'http://localhost:7070/'
  LOGIN_URL: 'http://localhost:3020'

The LOGIN_URL still needs to stay because it's a totally separate webapp. While all the API's will be served from API_GATEWAY_URL

Auth

• [ ] We are currently proxying all the /auth/* calls from gateway to the auth microservice. But there's a downside to this that every endpoint defined in the auth microservice are exposed to the internet via gateway so there's no way of creating an internal endpoint. So the first task is to identify all the endpoints in auth that we want publicly available and proxy them individually from gateway behind /api/auth/
• [ ] Handle JWT verification for the /api/auth/*endpoints where applicable and remove any such checks from inside the auth microservice.
• [ ] Find usages of AUTH_URL in client & login apps and replace them with API_GATEWAY_URL/api/auth
• [ ] Remove AUTH_URL from being sent to clinet/login from countryconfig
• [ ] Remove any traefik configurations that exposes auth to the public internet

Config

• [ ] Proxy all public config endpoints from gateway behind /api/config
• [ ] Handle JWT verification for the /api/config/*endpoints where applicable and remove any such checks from inside the config microservice.
• [ ] Find usages of CONFIG_API_URL in client & login apps and replace them with API_GATEWAY_URL/api/config
• [ ] Remove CONFIG_API_URL from being sent to clinet/login from countryconfig
• [ ] Remove any traefik configurations that exposes config to the public internet

CountryConfig

From clinet/login's perspective, it doesn't need to know whether it's communicating with config or countryconfig microservice. So we will be proxy all relevant countryconfig public endpoints behind /api/config/

• [ ] Proxy all public countryconfig endpoints from gateway behind /api/config
• [ ] Handle JWT verification for the /api/config/*endpoints where applicable and remove any such checks from inside the countryconfig microservice.
• [ ] Find usages of COUNTRY_CONFIG_URL in client & login apps and replace them with API_GATEWAY_URL/api/config
• [ ] Remove COUNTRY_CONFIG_URL from being sent to clinet/login from countryconfig
• [ ] Remove any traefik configurations that exposes countryconfig to the public internet
• [ ] Remove any traefik configurations that hides internal endpoints from being exposed to the public internet

Webhooks

• [ ] Proxy all public webhooks endpoints from gateway behind /api/webhooks
• [ ] Handle JWT verification for the /api/webhooks/*endpoints where applicable and remove any such checks from inside the webhooks microservice.
• [ ] Remove any traefik configurations that exposes webhooks to the public internet

Minio

We will be proxying all /api/documents/* endpoints from gateway to the minio service

• [ ] Create a proxy in gateway that forwards all requests received at /api/documents/* to the minio service. It should not be protected with JWT
• [ ] Change presignedURL creation accordingly
• [ ] Make sure minio-console can communicate with minio
• [ ] Change cache URL pattern in client service worker. It's a hardcoded value as the URL isn't available to us during build time
• [ ] Remove any traefik configurations that exposes minio to the public internet

Client & Gateway

• [ ] The final part of this ticket is to remove GATEWAY_API_URL too. We will do that via NGINX proxy_pass to redirect all /api calls to gateway:7070/api on the server & for local development use https://vitejs.dev/config/server-options#server-proxy to achieve the same

[rikukissa]

Related https://github.com/opencrvs/opencrvs-core/issues/6869

[rikukissa]

Related https://github.com/opencrvs/opencrvs-core/issues/6692

[rikukissa]

This task need to be prioritised as we frequently have mission-critical data exposed from different services. For example, the certificates are available without authorisation.

https://countryconfig.farajaland-qa.opencrvs.org/certificates

[rikukissa]

There's another auth related endpoint exposed. In some places it would also be easier from implementation point of view if we could have as many of these services hidden as we can