this set-cookie was blocked because its domain with docker and nginx - docker

First time using docker and nginx reverse proxy.
Setup
Dockerized front with Vuejs behind localhost:4200
Dockerized back with Symfony behind a dockerized nginx on localhost:80
Trouble
Every time I add a cookie to the response, the Set-Cookie gets ignored by the front.
Telling me:
This Set-Cookie was blocked because its Domain attribute was invalid with regards to the current host url.
What I tried
Add different domain to the cookie config.
Add a new header within nginx.
As I said, I'm new with this setup, can't figure out if the problem comes from nginx or the cookie config.
Edit: It actually works fine with postman.
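
The Domain rule behind the browser message quoted in the question, as an added example that is not part of the original post. It follows the RFC 6265 section 5.3 check rather than any browser's own code and omits the public-suffix step; the function names, hosts and Set-Cookie values are constructed for illustration.

```javascript
// Added example: RFC 6265 Domain-attribute check (public-suffix step omitted).
// requestHost is the hostname only (no port); all inputs below are constructed.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Section 5.2.3: lowercase the value and drop one leading dot.
function canonicalDomainAttr(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith(".") ? v.slice(1) : v;
}

// Section 5.1.3 domain-match: identical strings, or the host ends with
// "." + domain and the host is a name rather than an IP literal.
function domainMatches(host, domain) {
  if (host === domain) return true;
  const isIp = IPV4.test(host) || host.includes(":"); // IPv4 or IPv6 literal
  return !isIp && host.endsWith("." + domain);
}

// Returns "host-only", "domain" or "blocked" for a Set-Cookie seen on requestHost.
function classifySetCookie(requestHost, setCookieHeader) {
  const host = requestHost.toLowerCase();
  const attr = setCookieHeader.split(";").slice(1)
    .map((part) => part.trim())
    .filter((part) => /^domain=/i.test(part))
    .pop(); // the last Domain attribute is the one that counts
  if (attr === undefined) return "host-only";
  const domain = canonicalDomainAttr(attr.slice("domain=".length));
  if (domain === "") return "host-only"; // an empty value is ignored here
  return domainMatches(host, domain) ? "domain" : "blocked";
}

// Constructed cases for a page whose API calls go to http://localhost:80.
const samples = [
  ["localhost", "sid=abc; Path=/; HttpOnly"],          // no Domain attribute
  ["localhost", "sid=abc; Domain=localhost:80"],       // port inside Domain
  ["localhost", "sid=abc; Domain=api.example.test"],   // unrelated domain
  ["app.example.test", "sid=abc; Domain=.example.test"],
  ["192.0.2.10", "sid=abc; Domain=2.10"],              // IP hosts never suffix-match
];
for (const [host, header] of samples) {
  console.log(host, "|", header, "->", classifySetCookie(host, header));
}
```

Cookies are scoped by host, not by port, so a Domain value has to domain-match the hostname the browser sent the request to; leaving Domain out produces a host-only cookie for that hostname.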

Related

Cookies are not set on Vue.js and probably caused by CORS

I am creating an application using Vue.js with Vite for client-side and express.js for the server-side on docker. The server side sends the cookie as a response to Axios request front client, and I can see Set-cookie in the response-header. However, this cookie is not set to the browser. I opened the Application tab and checked the cookie, but nothing was there.
Client URL: http://localhost:3000/
Server URL: http://localhost:15173/
Both of them are running on separate Docker containers.
Environment is
Front: vue3 with vite
Serverside: nodejs with express.js
connection: Using axios
Probably, this is caused by CORS, but I don't know how to deal with that. I'm trying to solve this question fixing proxy, but so far no luck.
If anyone can help me out, that would be great. Thank you!
I tried vite.config proxy setting, but it didn't solve the situation.

How to properly setup Keycloak redirects behind reverse proxy with SpringSecurity

I have a Spring based application, which uses keycloak-spring-security-adapter to handle the Keycloak specific stuff. This server is deployed on same machine as the Keycloak server, and both of them are running behind Nginx reverse proxy.
The Spring app has in its keycloak.json configuration the correct proxy-url. The Keycloak server has the frontendUrl set to the correct proxy-url. When testing on localhost without the reverse proxy everything works as expected.
The issue is when deployed with the reverse-proxy in front. The Spring application runs the OIDC service discovery during startup. But to do this, it uses the public URL. This fails, because on the backend side, the reverse proxy is not in DNS record.
How to setup the keycloak-spring-security-adapter in such a way, that for the backend requests it uses local URL. But for the logins that are done through the JSP pages in the browser, it uses the proxied URL?

Cannot access Keycloak account-console in Kubernetes (403)

I have found a strange behavior in Keycloak when deployed in Kubernetes, that I can't wrap my head around.
Use-case:
login as admin:admin (created by default)
click on Manage account
(manage account dialog screenshot)
I have compared how the (same) image (quay.io/keycloak/keycloak:17.0.0) behaves if it runs on Docker or in Kubernetes (K3S).
If I run it from Docker, the account console loads. In other terms, I get a success (204) for the request
GET /realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=account-console
From the same image deployed in Kubernetes, the same request fails with error 403. However, on this same application, I get a success (204) for the request
GET /realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console
Since I can call security-admin-console, this does not look like an issue with the Kubernetes Ingress gateway nor with anything related to routing.
I've then thought about a Keycloak access-control configuration issue, but in both cases I use the default image without any change. I cross-checked to be sure, it appears that the admin user and the account-console client are configured exactly in the same way in both the docker and k8s applications.
I have no more idea about what could be the problem, do you have any suggestion?
Try to set ssl_required = NONE in realm table in Keycloak database to your realm (master)
So we found that it was the nginx ingress controller causing a lot of issues. While we were able to get it working with nginx, via X-Forwarded-Proto etc., it was a bit complicated and convoluted. Moving to haproxy instead resolved this problem. As well, make sure you are interfacing with the ingress controller over https or that may cause issues with keycloak.
annotations:
  kubernetes.io/ingress.class: haproxy
  ...

Same domain hosting of both static landing page and Rails app on sub-uri with Dokku

I currently have the following scenario on one of my VPSs:
https://example.com - Landing page hosted on root of domain
https://example.com/app - Nginx proxying /app to my Rails app on same VPS (served by Puma)
Need to migrate both to a new server as Dokku apps and that should result in two apps: one for the static landing page and one to the Rails app. Is that even possible? If yes, any tips?
Thanks!
Got it working by setting a reverse proxy on the landing page app's nginx config file, pointing to the main app:
Disable VHOST support on main app, since it won't be reachable outside or by a domain name. This will create a local listening container on a high numbered port
Add a proxy.conf file to /home/dokku/landing-page/nginx.conf.d/
Set up a reverse proxy on a 'location /app/' block inside that file. Set the upstream to the main app's IP and PORT (from the first item).
That's the main steps. Had to tweak forwarded headers a bit to get SSL working fine, but it works fine!

nginx inside a docker container doesn't add access-control-allow-origin header as per the conf file

tl;dr - how to add a specific header in nginx response explicitly when running nginx inside a docker container?
I have deployed ELK stack inside a docker container on a RHEL 7.1 using sebp/elk:latest image. I also want to render my own scatterplots that I have developed, apart from Kibana graphs. I am rendering those pages through a separate nginx webserver I install and run in the same docker image. This is because Kibana 4 (in the sebp image) doesn't give a freedom to choose another web server like Kibana 3, and I can't possibly edit URLs/ Pages rendered by Kibana 4 as it is using its own inbuilt non-nginx webserver as far as I could understand. Now, the issue is, when I deploy my scatterplots to nginx root location and retrieve from browser, I get below error.
XMLHttpRequest cannot load http:///_search?size=500&. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://IP-of-my-server' is therefore not allowed access.
I had faced this issue while running ELK without docker but this link has helped me - http://enable-cors.org/server_nginx.html
Now it doesn't seem to work, I am pushing the conf from my host to container while building the docker image and when a container is spun up from the image I could login and see nginx is running and my nginx.conf is being used but when I analyse actual response, no such header is added to the response even though it should be as I have added it in nginx.
Nginx 1.4 is being used. There is no issue of port mapping and I am not running any nginx on the host, as some of you might suspect if those pages are really being rendered by nginx of the container or the host.
Please help if you have faced this issue and resolved. Does the header get added into response if you are running webserver from inside the container or there is bug in docker or add_header is not supported in my nginx version?
When I open a session of chrome with disabled web security, I get my scatterplots in chrome perfectly.
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security
So scatterplot code or something else definitely doesn't have any issue. It's only with the header being absent in the response even though I explicitly try to add it through conf.
Thanks in advance, sorry for a bit long post.
Just realized issue was with elasticsearch response and not in nginx conf. If you see carefully that header is not present in response from :9200, so there is a module named "http" and you can edit its properties in elasticsearch.yml file.
Below link helped, had to allow that header through its APIs.
https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html
