Integrating Roundcube with docker-mailserver - docker

I have tried to set up docker-mailserver on my server; after that I integrated it with Mozilla Thunderbird and it worked.
Then I tried to use Roundcube as the mail client, but it gives an error, with a log like this:
Jul 13 05:24:28 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.18.0.1, lip=172.18.0.2, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<YSq2c/rGtLusEgAB>
Here is my docker-compose.yml for Roundcube:
version: '2'
services:
  roundcubemail:
    image: roundcube/roundcubemail:latest
    container_name: roundcubemail
    volumes:
      - ./www:/var/www/html
    networks:
      - database-network
      - proxy
    environment:
      - ROUNDCUBEMAIL_DB_TYPE=mysql
      - ROUNDCUBEMAIL_DB_HOST=${DB_HOST}
      - ROUNDCUBEMAIL_DB_PORT=${DB_PORT}
      - ROUNDCUBEMAIL_DB_NAME=${DB_DATABASE}
      - ROUNDCUBEMAIL_DB_USER=${DB_USERNAME}
      - ROUNDCUBEMAIL_DB_PASSWORD=${DB_PASSWORD}
      - ROUNDCUBEMAIL_SKIN=elastic
      - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://${APP_HOST}
      - ROUNDCUBEMAIL_DEFAULT_PORT=993
      - ROUNDCUBEMAIL_SMTP_SERVER=ssl://${APP_HOST}
      - ROUNDCUBEMAIL_SMTP_PORT=465
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.roundcubemail.entrypoints=http"
      - "traefik.http.routers.roundcubemail.rule=Host(`${APP_HOST}`)"
      - "traefik.http.middlewares.roundcubemail-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.roundcubemail.middlewares=roundcubemail-https-redirect"
      - "traefik.http.routers.roundcubemail-secure.entrypoints=https"
      - "traefik.http.routers.roundcubemail-secure.rule=Host(`${APP_HOST}`)"
      - "traefik.http.routers.roundcubemail-secure.tls=true"
      - "traefik.http.routers.roundcubemail-secure.tls.certresolver=http"
      - "traefik.http.routers.roundcubemail-secure.service=roundcubemail"
      - "traefik.http.services.roundcubemail.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
networks:
  database-network:
    external: true
  proxy:
    external: true

Configure your Roundcube to accept self-signed certificates, because by default it does not. You will have to make the ca.crt available to the Roundcube server (enable the cafile parameter) or disable peer verification (and leave the cafile parameter commented). Edit the $config['imap_conn_options'] variable:
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        // 'verify_depth' => 3,
        // 'cafile' => '/etc/openssl/certs/ca.crt',
    ),
);
Solution confirmed here: https://www.roundcubeforum.net/index.php?topic=25321.0
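The answer above turns peer verification off, which also silences the "unknown ca" alert when the CA file is simply wrong. As an added check that is not part of the answer or of Roundcube, the script below opens the IMAP port with the strict context Roundcube would use with verify_peer left on and reports whether the server certificate verifies against a given CA file; the host name and CA path are placeholders.

```python
import socket
import ssl
import sys


def make_imap_context(cafile=None):
    """Strict client context: chain verified against `cafile` (or the
    system store when None) and the hostname checked, i.e. what Roundcube
    enforces when verify_peer stays true and cafile points at the mail
    server's CA certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default; stated explicitly
    ctx.check_hostname = True            # already the default; stated explicitly
    return ctx


def check_imap_tls(host, port=993, cafile=None, timeout=5.0):
    """Open an implicit-TLS IMAP connection and classify the outcome:
    ('ok', {subject, issuer}) when the certificate verifies,
    ('unverified', reason) when the client rejects it (the case Dovecot
    logs as 'tlsv1 alert unknown ca'), ('error', detail) otherwise."""
    ctx = make_imap_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return ("ok", {"subject": cert.get("subject"),
                               "issuer": cert.get("issuer")})
    except ssl.SSLCertVerificationError as err:   # must precede SSLError
        return ("unverified", err.verify_message)
    except (ssl.SSLError, OSError) as err:
        return ("error", str(err))


if __name__ == "__main__":
    # usage: python check_imap_tls.py <host> [<ca.crt>]  (placeholders below)
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_imap_tls(target, cafile=ca))
```

Point cafile at the CA that signed docker-mailserver's certificate (or at the Let's Encrypt chain once the mail server uses a real certificate); an "unverified" result with verify_peer => true is exactly what produces the Dovecot log line in the question.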

Related

Traefik 2: access to .well-known acme folder, What do you think?

I had a problem with my mail server: it was not working properly when I added the mailbox to Outlook. It warned me that I use the wrong certificate; on closer inspection it showed the default certificate of the mail Docker image's creator, even though the webmail is protected with SSL from Traefik.
After researching I managed to come up with this. It is a combination of one guy's docker-compose (I cannot find the link to his post) and my previous attempt to host the ACME challenge on my Flask website, which was overwritten by default by Nginx Proxy Manager, so I abandoned it.
But now, working with Traefik, which provides much more flexibility, I was able to do it:
This is one page on my Flask website, which returns files from within the .well-known folder; that folder is mapped into each Docker container that needs access to the Let's Encrypt certification process behind the reverse proxy.
import json
import os

from flask import Flask, Response, render_template

app = Flask(__name__)
# config (providing config.acmechall_folder) and _auto_values (template
# variables) come from the rest of the poster's application.


@app.route('/.well-known/acme-challenge/<acmechalleng>')
def acme(acmechalleng):
    try:
        # acme_folder is the path to the folder where challenges are stored,
        # for example: acmechall_folder = os.path.abspath('acmefiles/')
        acme_folder = config.acmechall_folder
        extr = {}
        # File names that must never be served (the index file itself);
        # a tuple rather than a string, so the membership test is exact
        ignore_files = ('.paths.json',)
        try:
            with open(os.path.join(acme_folder, '.paths.json')) as fh:
                items = json.load(fh)
        except Exception:
            items = {}
        for root, dirs, files in os.walk(acme_folder):
            for f in files:
                # filter out files we do not want to show, i.e. the paths file
                if f not in ignore_files:
                    full_path = os.path.join(root, f)
                    path = full_path.split(acme_folder, 1)[1]
                    path = path.replace("\\", "/")
                    # strip the leading '/' to get the path relative to acme_folder
                    extr.update({path[1:]: 0})
        if items != extr:
            with open(os.path.join(acme_folder, '.paths.json'), 'w', encoding='utf-8') as fh:
                json.dump(extr, fh, ensure_ascii=False, indent=4)
        # Only files listed in .paths.json are allowed to be read
        with open(os.path.join(acme_folder, '.paths.json')) as fh:
            items = json.load(fh)
        existing = list(items.keys())
        if acmechalleng in existing:
            with open(os.path.join(acme_folder, acmechalleng), "rb") as fh:
                content = fh.readlines()
            return Response(content)
        else:
            return render_template('404.html', **_auto_values), 404
    except Exception:
        return render_template('404.html', **_auto_values), 404
Poste.io mail server Docker file, with access to the .well-known challenges for Let's Encrypt:
version: '3'
networks:
  traefikauth_net:
    external: true
services:
  mailserver:
    image: analogic/poste.io
    container_name: mailserver
    hostname: mail.mydomain.com
    networks:
      - traefikauth_net
    restart: unless-stopped
    ports:
      - "25:25"
      - "587:587"
      - "993:993"
    environment:
      - HOSTNAME=poste.mydomain.com
      - TZ=Europe/London
      - LETSENCRYPT_EMAIL=admin@mydomain.com
      - LETSENCRYPT_HOST=mydomain.com
      - VIRTUAL_HOST=poste.mydomain.com
      - HTTPS=OFF
      - DISABLE_CLAMAV=TRUE
      - DISABLE_RSPAMD=TRUE
    volumes:
      - /opt/traefik/.well-known:/opt/www/.well-known/acme-challenge
      - /opt/mailserver:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.poste-letsencrypt.rule=HostRegexp(`mydomain.com`,`{subdomain:[a-z]*}.mydomain.com`) && PathPrefix(`/.well-known/`)"
      - "traefik.http.routers.poste-letsencrypt.entrypoints=http"
      - "traefik.http.routers.poste-letsencrypt.service=mail"
      - "traefik.http.services.poste-letsencrypt.loadbalancer.server.port=80"
      - "traefik.http.routers.mail.rule=Host(`poste.mydomain.com`)"
      - "traefik.http.routers.mail.entrypoints=https"
      - "traefik.http.routers.mail.tls.certresolver=cloudflare"
      - "traefik.http.routers.mail.service=mail"
      - "traefik.http.services.mail.loadbalancer.server.port=80"
The main website, on "mydomain.com", also needs Traefik labels:
    volumes:
      - /opt/traefik/.well-known:/var/www/wellknown
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.flask-letsencrypt.entrypoints=http"
      - "traefik.http.routers.flask-letsencrypt.rule=HostRegexp(`mydomain.com`) && PathPrefix(`/.well-known/`)"
      - "traefik.http.services.flask-letsencrypt.loadbalancer.server.port=80"
      - "traefik.http.routers.flask-letsencrypt.service=myflask"
      - "traefik.http.routers.myflask.entrypoints=https"
      - "traefik.http.routers.myflask.rule=Host(`mydomain.com`)"
      - "traefik.http.routers.myflask.service=myflask"
      - "traefik.http.routers.myflask.tls=true"
      - "traefik.http.routers.myflask.tls.certresolver=cloudflare"
      - "traefik.http.services.myflask.loadbalancer.server.port=80"
I also have a normal certResolver for all the other domains, which is in the main Traefik file, traefik.yml, as follows:
certificatesResolvers:
  cloudflare:
    acme:
      email: admin@mydomain.com
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
Traefik 2 docker-compose:
version: '3'
services:
  traefik:
    image: traefik
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.yml:/traefik.yml:ro
      - /opt/traefik/conf:/additionalsettings
      - /opt/traefik/folderacme:/letsencrypt
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.api.rule=Host(`traefik.mydomain.com`)'
      - 'traefik.http.routers.api.entrypoints=https'
      - 'traefik.http.routers.api.service=api@internal'
      - 'traefik.http.routers.api.tls=true'
      - 'traefik.http.routers.api.middlewares=authelia@docker'
      - "traefik.http.routers.api.tls.certresolver=cloudflare"
      - "traefik.http.routers.api.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.api.tls.domains[0].sans=*.mydomain.com"
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://logmein.mydomain.com/"
      - "traefik.http.middlewares.authelia.forwardauth.trustforwardheader=true"
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
      - 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'
      - 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    environment:
      - CF_API_EMAIL=<cloudflare api email>
      - CF_API_KEY=<cloudflare api key for certresolver>
    ports:
      - 80:80
      - 443:443
    command:
      - '--api'
      - '--providers.docker=true'
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.http=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      - '--entrypoints.https=true'
      - '--entrypoints.https.address=:443'
What do you think? I believe that the Python code could be much smaller, especially the part that stores the paths in JSON, but I reuse that from my other project, where I needed more than the path to the file. This way I believe nobody should be able to access other files, only those in the ACME folder.
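The handler in the post relies on an index file and on Flask's string matching to keep requests inside the challenge folder. As an added example (not the poster's code), the version below drops the index file and instead allowlists the token's character set, resolves the real path (following symlinks) and checks it is still under the base directory; ACME_CHALLENGE_DIR and the temp-dir self-check are constructed for the demo.

```python
import os
import string
import tempfile

try:
    from flask import Flask, abort, send_from_directory
except ImportError:          # the path check itself needs only the stdlib
    Flask = None

# Hypothetical setting; the poster reads config.acmechall_folder instead
ACME_DIR = os.path.realpath(os.environ.get("ACME_CHALLENGE_DIR", "acmefiles"))
TOKEN_CHARS = set(string.ascii_letters + string.digits + "-_")   # base64url


def resolve_challenge(base_dir, token):
    """Return the absolute path of the challenge file for `token`, or None.
    Three independent guards: the token must look like an ACME http-01
    token (base64url characters only), the resolved path with symlinks
    followed must stay inside base_dir, and it must be a regular file."""
    base_dir = os.path.realpath(base_dir)
    if not token or len(token) > 128:
        return None
    if any(ch not in TOKEN_CHARS for ch in token):
        return None      # rejects '/', '..', '.paths.json', '\\', NUL, ...
    path = os.path.realpath(os.path.join(base_dir, token))
    if os.path.commonpath([base_dir, path]) != base_dir:
        return None      # a symlink planted in the folder pointing outside
    if not os.path.isfile(path):
        return None
    return path


if Flask is not None:
    app = Flask(__name__)

    @app.route("/.well-known/acme-challenge/<token>")
    def acme(token):
        # Flask's default converter already excludes '/', but the function
        # does not depend on that.
        path = resolve_challenge(ACME_DIR, token)
        if path is None:
            abort(404)
        return send_from_directory(ACME_DIR, os.path.basename(path),
                                   mimetype="text/plain")


def demo():
    """Constructed self-check: a temp challenge dir with one valid token,
    a file outside it, and a symlink inside pointing at that outside file."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "acme")
    os.mkdir(base)
    with open(os.path.join(base, "tok_AbC-123"), "w") as fh:
        fh.write("tok_AbC-123.thumbprint")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("private")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "leak"))
    return {
        "valid": resolve_challenge(base, "tok_AbC-123") is not None,
        "traversal": resolve_challenge(base, "../secret.txt"),
        "index_file": resolve_challenge(base, ".paths.json"),
        "symlink": resolve_challenge(base, "leak"),
        "missing": resolve_challenge(base, "nope"),
    }
```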

Keycloak returns 'Invalid parameter: redirect_uri'

[Edit-1] Added scope to the oauth2 configuration, added the grafana service, removed oauth-keycloak-signin. The configuration is referred from this link.
[UPDATE] I am able to log in at the Keycloak page, but it couldn't route me to the Grafana service. Looking at the OAuth2 logs, something weird: the access token generated by Keycloak was validated against GitHub, not against Keycloak :))) -> This was caused by the missing OAuth2 validate_url config.
Solution:
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185/oauth2/auth'
Log of OAuth2 Proxy
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | 123.28.110.207 - 411d7575-fb97-42ca-87ed-d57cad683b31 - - [2021/09/30 02:04:53] grafana.my-domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fgrafana.my-domain.com%2F" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 419 0.000
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | [2021/09/30 02:05:00] [internal_util.go:74] token validation request failed: status 400 - {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc#staging | [2021/09/30 02:05:00] [internal_util.go:69] 400 GET https://keycloak.my-domain.com/auth/realms/staging/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYa1NjbzduRjlaTUpiWDRXVU5mTlhJS2FwOG9ZMHZ1THVZZU1SUk9EQ1J3In0.eyJleHAiOjE2MzI5Njc4MDAsImlhdCI6MTYzMjk2NzUwMCwiYXV0aF90aW1lIjoxNjMyOTY3NDk5LCJqdGkiOiI4NGJjZjdiNC0yN2YzLTQ4NDktYjUzNi05OTNkNTczNzA5OWYiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLnN0YWdpbmcucHJlY2lzaW9uYWcub3JnL2F1dGgvcmVhbG1zL3N0YWdpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzk1NjE1YWUtN2VkNi00MWI3LWE5YWUtMjBkZmZhMTc1NjBhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYXV0aGVudGljYXRpb24iLCJzZXNzaW9uX3N0YXRlIjoiZTVjM2FkMDMtNzhmNi00ZmE4LThhOTgtZTdkYjk1YjZiNmEzIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtc3RhZ2luZyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW5... {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | 123.28.110.207 - 39bea317-002b-4366-858c-01aa6f6901b6 - dathuynh@my-domain.com [2021/09/30 02:05:00] [AuthSuccess] Authenticated via OAuth2: Session{email:dathuynh@my-domain.com user: PreferredUsername: token:true groups:[/pader]}
I am setting up Keycloak and oauth2-proxy for authentication in my system. The system is running in Docker Swarm mode and using the Traefik reverse proxy. I followed this guide to set up the oauth2 container: https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/#keycloak-auth-provider
I created a new client in the 'development' realm, with the Valid Redirect URI https://oauth-keycloak.my-domain.com/oauth2/callback (it is the OAuth URL), and used Traefik forward auth to route the request to Keycloak if it is unauthenticated.
I get "Invalid parameter: redirect_uri" in 2 cases:
I access Grafana and the request is routed to Keycloak.
I try to access this link from the OAuth config: https://oauth-keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth.
I have searched and tried some suggestions, but they did not work for me. Hope you guys can help; I would really appreciate it.
Here is my Docker Swarm configuration:
  keycloak:
    image: quay.io/keycloak/keycloak:15.0.2
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.keycloak.rule=Host(`keycloak.my-domain.com`)"
        - "traefik.http.routers.keycloak.entrypoints=websecure"
        - "traefik.http.routers.keycloak.tls=true"
        - "traefik.http.routers.keycloak.tls.certresolver=leresolver"
        # Set up service
        - "traefik.http.routers.keycloak.service=keycloak-svc"
        - "traefik.http.services.keycloak-svc.loadbalancer.server.port=8080"
    environment:
      - "DB_VENDOR=POSTGRES"
      - "DB_ADDR=postgis"
      - "DB_DATABASE=${POSTGRES_DB}"
      - "DB_USER=${POSTGRES_USER}"
      - "DB_PASSWORD=${POSTGRES_PASSWORD}"
      - "KEYCLOAK_USER="
      - "KEYCLOAK_PASSWORD="
      - "PROXY_ADDRESS_FORWARDING=true"
      - "KEYCLOAK_LOGLEVEL=DEBUG" # DEBUG, ERROR, INFO
  grafana:
    image: grafana/grafana
    deploy:
      resources:
        limits:
          memory: 256M
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.grafana.rule=Host(`grafana.my-domain.com`)"
        - "traefik.http.routers.grafana.entrypoints=websecure"
        - "traefik.http.routers.grafana.tls=true"
        - "traefik.http.routers.grafana.tls.certresolver=leresolver"
        # Basic HTTP authentication
        - "traefik.http.routers.grafana.middlewares=oauth-keycloak"
        # Set up service
        - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
        - "traefik.http.routers.grafana.service=grafana-svc"
    environment:
      - GF_SECURITY_ADMIN_USER=my-username
      - GF_SECURITY_ADMIN_PASSWORD=my-pasword
      - GF_USERS_ALLOW_SIGN_UP=true
    volumes:
      - "/home/app/grafana:/var/lib/grafana"
  oauth-keycloak:
    image: quay.io/oauth2-proxy/oauth2-proxy
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.oauth-keycloak.rule=Host(`oauth-keycloak.my-domain.com`) || PathPrefix(`/oauth2`)"
        - "traefik.http.routers.oauth-keycloak.entrypoints=websecure"
        - "traefik.http.routers.oauth-keycloak.tls=true"
        - "traefik.http.routers.oauth-keycloak.tls.certresolver=leresolver"
        # Set up service
        - "traefik.http.routers.oauth-keycloak.service=oauth-keycloak-svc"
        - "traefik.http.services.oauth-keycloak-svc.loadbalancer.server.port=4185"
        # Set up middlewares
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185'
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.trustForwardHeader=true'
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.authResponseHeaders=X-Forwarded-User'
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.service=oauth-keycloak-svc"
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.status=401-403"
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.query=/oauth2/sign_in"
    environment:
      OAUTH2_PROXY_CLIENT_ID: 'development'
      OAUTH2_PROXY_CLIENT_SECRET: ''
      OAUTH2_PROXY_PROVIDER: 'keycloak'
      OAUTH2_PROXY_SCOPE: 'profile email address phone'
      OAUTH2_PROXY_LOGIN_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth'
      OAUTH2_PROXY_REDEEM_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/token'
      OAUTH2_PROXY_PROFILE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
      OAUTH2_PROXY_VALIDATE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
      OAUTH2_PROXY_COOKIE_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4185'
      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
      OAUTH2_PROXY_COOKIE_SECURE: 'false'
      OAUTH2_PROXY_COOKIE_SECRET: '0Y18nYVtNLzKQroYQpi0jw=='
      OAUTH2_PROXY_EMAIL_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_REVERSE_PROXY: 'true'
      OAUTH2_PROXY_WHITELIST_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: 'true'
You configured a valid redirect URI for https://oauth-keycloak.my-domain.com/oauth2/callback as you said. In case of accessing grafana your redirect uri should be https://grafana.my-domain.com/oauth2/callback instead. You will need to add this to the list of valid redirect URIs as well.

Ghost Docker SMTP setup

I created a Ghost instance on my VPS with the official docker-compose file of the Ghost CMS, and I modified it to use a Mailgun SMTP account as follows:
version: '3.1'
services:
  mariadb:
    image: 'docker.io/bitnami/mariadb:10.3-debian-10'
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
      - MARIADB_USER=bn_ghost
      - MARIADB_DATABASE=bitnami_ghost
    volumes:
      - 'mariadb_data:/bitnami'
  ghost:
    image: 'ghost:3-alpine'
    environment:
      MARIADB_HOST: mariadb
      MARIADB_PORT_NUMBER: 3306
      GHOST_DATABASE_USER: bn_ghost
      GHOST_DATABASE_NAME: bitnami_ghost
      GHOST_HOST: localhost
      mail__transport: SMTP
      mail__options__service: Mailgun
      mail__auth__user: ${MY_MAIL_USER}
      mail__auth__pass: ${MY_MAIL_PASS}
      mail__from: ${MY_FROM_ADDRESS}
    ports:
      - '80:2368'
    volumes:
      - 'ghost_data:/bitnami'
    depends_on:
      - mariadb
volumes:
  mariadb_data:
    driver: local
  ghost_data:
    driver: local
But when I try to invite authors to the site, it gives me the following error:
Failed to send 1 invitation: dulara@thinksmart.lk. Please check your email configuration, see https://ghost.org/docs/concepts/config/#mail for instructions
I am certain that my SMTP credentials are correct.
I logged in to the Ghost container's bash shell and checked its files there; its mail section is empty.
I still can't find what my mistake is. I am not sure about the variable names, but I took them from the official documentation.
My example:
url=https://www.exemple.com/
# admin__url=XXX // Remove it (For my side, the redirection is failed)
database__client=mysql
database__connection__host=...
database__connection__port=3306
database__connection__database=ghost
database__connection__user=ghost
database__connection__password=XXX
privacy__useRpcPing=false
mail__transport=SMTP
mail__options__host=smtp.exemple.com
mail__options__port=587
# mail__options__service=Exemple // Remove it
mail__options__auth__user=sys@exemple.com
mail__options__auth__pass=XXX
# mail__options__secureConnection=true // Remove it
mail__from=Exemple Corp. <sys@exemple.com>
In your case change:
mail__auth__user => mail__options__auth__user
mail__auth__pass => mail__options__auth__pass
And delete: mail__options__service
(https://github.com/metabase/metabase/issues/4272#issuecomment-566928334)
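Why the rename matters: Ghost's configuration loader treats a double underscore in an environment variable name as one level of nesting, so the credentials have to land under mail.options.auth, which is the object the SMTP transport reads. The snippet below is an added illustration (not Ghost's own loader) with constructed placeholder values; it expands both the poster's keys and the corrected keys and shows where the auth object ends up in each case.

```python
SEP = "__"


def nest_env(env, sep=SEP):
    """Expand FLAT__ENV__KEYS into nested dicts, modelling the nesting rule
    Ghost applies to environment variables: each '__' descends one level,
    so mail__options__auth__user sets config.mail.options.auth.user."""
    tree = {}
    for key, value in env.items():
        parts = key.split(sep)
        node = tree
        for part in parts[:-1]:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                raise ValueError(f"{key}: '{part}' already holds a scalar")
            node = child
        node[parts[-1]] = value
    return tree


def smtp_auth(env):
    """The auth object the SMTP transport would see (mail.options.auth),
    or None when the credentials never reached that location."""
    mail = nest_env(env).get("mail", {})
    return mail.get("options", {}).get("auth")


# Constructed inputs: the poster's keys versus the answer's corrected keys
POSTED = {
    "mail__transport": "SMTP",
    "mail__options__service": "Mailgun",
    "mail__auth__user": "postmaster@example.invalid",
    "mail__auth__pass": "secret",
    "mail__from": "Ghost <noreply@example.invalid>",
}
FIXED = {
    "mail__transport": "SMTP",
    "mail__options__host": "smtp.example.invalid",
    "mail__options__port": "587",
    "mail__options__auth__user": "postmaster@example.invalid",
    "mail__options__auth__pass": "secret",
    "mail__from": "Ghost <noreply@example.invalid>",
}

if __name__ == "__main__":
    print("posted ->", smtp_auth(POSTED))   # None: auth sits at mail.auth
    print("fixed  ->", smtp_auth(FIXED))    # {'user': ..., 'pass': ...}
```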

WSO2is Error after change Keystore - System error while Authenticating/Authorizing User : Error when handling event : PRE_AUTHENTICATION

I am running WSO2 IS version 5.8.0 in Docker Swarm; I scripted a compose file for this, mapping the files deployment.toml and wso2carbon.jks and a directory in servers.
After changing the keystore I receive this error on admin login:
System error while Authenticating/Authorizing User : Error when handling event : PRE_AUTHENTICATION
Removing the mapping, the SSL cert is not valid, but I can log in.
PS: I use Traefik to redirect to the container.
The stack deploy file:
  #IS#
  is-hml:
    image: wso2/wso2is:5.8.0
    ports:
      - 4763:4763
      - 4443:9443
    volumes:
      #- /docker/release-hml/wso2/full-identity-server-volume:/home/wso2carbon/wso2is-5.8.0
      - /docker/release-hml/wso2/identity-server:/home/wso2carbon/wso2-config-volume
    extra_hosts:
      - "wso2-hml.valecard.com.br:127.0.0.1"
    networks:
      traefik_traefik:
        aliases:
          - is-hml
    configs:
      #- source: deployment.toml
      #  target: /home/wso2carbon/wso2is-5.8.0/repository/conf/deployment.toml
      #
      - source: wso2carbon.jks
        target: /home/wso2carbon/wso2is-5.8.0/repository/resources/security/wso2carbon.jks
      #- source: catalina-server.xml
      #  target: /home/wso2carbon/wso2is-5.8.0/repository/conf/tomcat/catalina-server.xml
      - source: carbon.xml
        target: /home/wso2carbon/wso2is-5.8.0/repository/conf/carbon.xml
    #environment:
    #  - "CATALINA_OPTS=-Xmx2g -Xms2g -XX:MaxPermSize=1024m"
    #  - "JVM_OPTS=-Xmx2g -Xms2g -XX:MaxPermSize=1024m"
    #  - "JAVA_OPTS=-Xmx2g -Xms2g"
    deploy:
      #endpoint_mode: dnsrr
      resources:
        limits:
          cpus: '2'
          memory: '4096M'
      replicas: 1
      labels:
        - "traefik.docker.network=traefik_traefik"
        - "traefik.backend=is-hml"
        - "traefik.port=4443"
        - "traefik.frontend.entryPoints=http,https"
        - "traefik.frontend.rule=Host:wso2-hml.valecard.com.br"
configs:
  deployment.toml:
    file: ./wso2-config/deployment.toml
  catalina-server.xml:
    file: ./wso2-config/catalina-server.xml
  wso2carbon.jks:
    file: ../../certs/wso2carbon-valecard.jks
  carbon.xml:
    file: ./wso2-config/carbon.xml
networks:
  traefik_traefik:
    external: true
The password is the same one from the deployment.toml.
Thanks.

docker-compose and express-gateway show bag gateway locally

I want to run my express-gateway locally on my PC and have two services accessible through my gateway, but I always get the same problem, "bad gateway". I tested with another public API and it works fine. How can I run this locally without this problem? It always shows "bad gateway".
My docker-compose.yml:
version: "3.4"
services:
  express-gateway:
    image: gateway:latest
    build:
      context: ./
      dockerfile: Dockerfile
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.express-gateway.rule=Host(`eg.127.0.0.1.nip.io`)"
      - "traefik.http.routers.express-gateway.entrypoints=web"
      - "traefik.http.services.express-gateway.loadbalancer.server.port=9090"
    volumes:
      - ./gateway.config.yml:/usr/src/app/config/gateway.config.yml
  ingress-controller:
    image: traefik:v2.0
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - 80:80
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
This is the configuration of my express-gateway, my gateway.config.yml:
http:
  port: 9090
admin:
  port: 9876
  host: 0.0.0.0
apiEndpoints:
  events:
    host: "*"
    paths: ["/api/events*", "/swagger*"]
    methods: ["GET", "PATCH"]
  eventsCreate:
    host: "*"
    paths: "/api/events*"
    methods: ["POST", "PUT", "OPTIONS"]
  auth:
    host: "*"
    paths: "/api/auth*"
    methods: ["POST", "GET", "OPTIONS"]
serviceEndpoints:
  auth:
    url: "http://127.0.0.1:59868"
  events:
    url: "http://127.0.0.1:5000"
policies:
  - basic-auth
  - cors
  - expression
  - key-auth
  - log
  - oauth2
  - proxy
  - rate-limit
  - jwt
  - request-transformer
pipelines:
  authPipeline:
    apiEndpoints:
      - auth
    policies:
      - cors:
      - log:
          action:
            message: "auth ${req.method}"
      - proxy:
          action:
            serviceEndpoint: auth
            changeOrigin: true
  eventsPipeline:
    apiEndpoints:
      - events
    policies:
      - cors:
      - log:
          action:
            message: "events ${req.method}"
      - proxy:
          action:
            serviceEndpoint: events
            changeOrigin: true
  eventsCreatePipeline:
    apiEndpoints:
      - eventsCreate
    policies:
      - cors:
      - log:
          action:
            message: "events ${req.method}"
      - jwt:
          action:
            secretOrPublicKey: "MORTADELAIsMyPassion321"
            checkCredentialExistence: false
      - proxy:
          action:
            serviceEndpoint: events
            changeOrigin: true
Bad Gateway is usually an error raised by the Proxy policy — in such case you should be able to check the log and see the specifics, and then go from there.