Fix local-environment ports (#3136)
* Change Dex port in local-environment from 4190 to 5556
Port 4190 is blocked by standards-compliant browsers (e.g. Firefox), as per https://fetch.spec.whatwg.org/#port-blocking.
Port 5556 is used by Dex in its example config files: 745e1114f3/examples/config-dev.yaml (L50)
* Fix upstream in local-environment/oauth2-proxy.cfg
http://httpbin.localtest.me:8080 is only exposed to the host, not to httpbin Docker network.
Causes Bad Gateway before.
* Do not expose unauthenticated httpbin service in local-environment
This defeats the point of having oauth2-proxy.
It has already been misleading by causing the bug fixed in cafc6af48fc38f6fe4395fb0c7e2638bc84e6091.
It serves as a bad example: users might accidentally expose the service they're trying to protect in the first place.
* Remove unnecessary httpbin.localtest.me alias from local-environment
This commit is contained in:
Simmo Saan
GitHub
parent
5e7f14bdcb
commit
3ac834dbcf
|
|
@ -1,7 +1,7 @@
|
||||||
# This configuration is intended to be used with the docker-compose testing
|
# This configuration is intended to be used with the docker-compose testing
|
||||||
# environment.
|
# environment.
|
||||||
# This should configure Dex to run on port 4190 and provides a static login
|
# This should configure Dex to run on port 5556 and provides a static login
|
||||||
issuer: http://dex.localtest.me:4190/dex
|
issuer: http://dex.localtest.me:5556/dex
|
||||||
storage:
|
storage:
|
||||||
type: etcd
|
type: etcd
|
||||||
config:
|
config:
|
||||||
|
|
@ -9,7 +9,7 @@ storage:
|
||||||
- http://etcd:2379
|
- http://etcd:2379
|
||||||
namespace: dex/
|
namespace: dex/
|
||||||
web:
|
web:
|
||||||
http: 0.0.0.0:4190
|
http: 0.0.0.0:5556
|
||||||
oauth2:
|
oauth2:
|
||||||
skipApprovalScreen: true
|
skipApprovalScreen: true
|
||||||
expiry:
|
expiry:
|
||||||
|
|
|
||||||
|
|
@ -34,12 +34,9 @@ services:
|
||||||
container_name: httpbin
|
container_name: httpbin
|
||||||
image: kennethreitz/httpbin:latest
|
image: kennethreitz/httpbin:latest
|
||||||
hostname: httpbin
|
hostname: httpbin
|
||||||
ports:
|
ports: []
|
||||||
- 8080:80
|
|
||||||
networks:
|
networks:
|
||||||
httpbin:
|
httpbin: {}
|
||||||
aliases:
|
|
||||||
- httpbin.localtest.me
|
|
||||||
|
|
||||||
gitea:
|
gitea:
|
||||||
image: gitea/gitea:1.24.3
|
image: gitea/gitea:1.24.3
|
||||||
|
|
|
||||||
|
|
@ -34,12 +34,9 @@ services:
|
||||||
container_name: httpbin
|
container_name: httpbin
|
||||||
image: kennethreitz/httpbin:latest
|
image: kennethreitz/httpbin:latest
|
||||||
hostname: httpbin
|
hostname: httpbin
|
||||||
ports:
|
ports: []
|
||||||
- 8080:80/tcp
|
|
||||||
networks:
|
networks:
|
||||||
httpbin:
|
httpbin: {}
|
||||||
aliases:
|
|
||||||
- httpbin.localtest.me
|
|
||||||
|
|
||||||
keycloak:
|
keycloak:
|
||||||
container_name: keycloak
|
container_name: keycloak
|
||||||
|
|
|
||||||
|
|
@ -62,7 +62,7 @@ services:
|
||||||
- "./dex.yaml:/dex.yaml"
|
- "./dex.yaml:/dex.yaml"
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
ports:
|
ports:
|
||||||
- 4190:4190/tcp
|
- 5556:4181/tcp
|
||||||
networks:
|
networks:
|
||||||
dex:
|
dex:
|
||||||
aliases:
|
aliases:
|
||||||
|
|
@ -73,12 +73,9 @@ services:
|
||||||
httpbin:
|
httpbin:
|
||||||
container_name: httpbin
|
container_name: httpbin
|
||||||
image: kennethreitz/httpbin
|
image: kennethreitz/httpbin
|
||||||
ports:
|
ports: []
|
||||||
- 8080:80/tcp
|
|
||||||
networks:
|
networks:
|
||||||
httpbin:
|
httpbin: {}
|
||||||
aliases:
|
|
||||||
- httpbin.localtest.me
|
|
||||||
etcd:
|
etcd:
|
||||||
container_name: etcd
|
container_name: etcd
|
||||||
image: gcr.io/etcd-development/etcd:v3.6.2
|
image: gcr.io/etcd-development/etcd:v3.6.2
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ services:
|
||||||
- "./dex.yaml:/dex.yaml"
|
- "./dex.yaml:/dex.yaml"
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
ports:
|
ports:
|
||||||
- 4190:4190/tcp
|
- 5556:4181/tcp
|
||||||
networks:
|
networks:
|
||||||
dex:
|
dex:
|
||||||
aliases:
|
aliases:
|
||||||
|
|
@ -47,12 +47,9 @@ services:
|
||||||
httpbin:
|
httpbin:
|
||||||
container_name: httpbin
|
container_name: httpbin
|
||||||
image: kennethreitz/httpbin
|
image: kennethreitz/httpbin
|
||||||
ports:
|
ports: []
|
||||||
- 8080:80/tcp
|
|
||||||
networks:
|
networks:
|
||||||
httpbin:
|
httpbin: {}
|
||||||
aliases:
|
|
||||||
- httpbin.localtest.me
|
|
||||||
etcd:
|
etcd:
|
||||||
container_name: etcd
|
container_name: etcd
|
||||||
image: gcr.io/etcd-development/etcd:v3.6.2
|
image: gcr.io/etcd-development/etcd:v3.6.2
|
||||||
|
|
|
||||||
|
|
@ -20,4 +20,4 @@ providers:
|
||||||
clientSecret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
|
clientSecret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
|
||||||
clientID: oauth2-proxy
|
clientID: oauth2-proxy
|
||||||
oidcConfig:
|
oidcConfig:
|
||||||
issuerURL: http://dex.localhost:4190/dex
|
issuerURL: http://dex.localhost:5556/dex
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,7 @@ cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
|
||||||
email_domains="example.com"
|
email_domains="example.com"
|
||||||
cookie_secure="false"
|
cookie_secure="false"
|
||||||
upstreams="http://httpbin"
|
upstreams="http://httpbin"
|
||||||
cookie_domains=["oauth2-proxy.localtest.me:4080", "httpbin.localtest.me:8080", "keycloak.localtest.me:9080"] # Required so cookie can be read on all subdomains.
|
cookie_domains=["oauth2-proxy.localtest.me:4080", "keycloak.localtest.me:9080"] # Required so cookie can be read on all subdomains.
|
||||||
whitelist_domains=[".localtest.me"] # Required to allow redirection back to original requested target.
|
whitelist_domains=[".localtest.me"] # Required to allow redirection back to original requested target.
|
||||||
|
|
||||||
# keycloak provider
|
# keycloak provider
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@ http_address="0.0.0.0:4180"
|
||||||
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
|
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
|
||||||
provider="oidc"
|
provider="oidc"
|
||||||
email_domains="example.com"
|
email_domains="example.com"
|
||||||
oidc_issuer_url="http://dex.localtest.me:4190/dex"
|
oidc_issuer_url="http://dex.localtest.me:5556/dex"
|
||||||
client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
|
client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
|
||||||
client_id="oauth2-proxy"
|
client_id="oauth2-proxy"
|
||||||
cookie_secure="false"
|
cookie_secure="false"
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@ http_address="0.0.0.0:4180"
|
||||||
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
|
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
|
||||||
provider="oidc"
|
provider="oidc"
|
||||||
email_domains=["example.com"]
|
email_domains=["example.com"]
|
||||||
oidc_issuer_url="http://dex.localhost:4190/dex"
|
oidc_issuer_url="http://dex.localhost:5556/dex"
|
||||||
client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
|
client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
|
||||||
client_id="oauth2-proxy"
|
client_id="oauth2-proxy"
|
||||||
cookie_secure="false"
|
cookie_secure="false"
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@ http_address="0.0.0.0:4180"
|
||||||
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
|
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
|
||||||
email_domains="example.com"
|
email_domains="example.com"
|
||||||
cookie_secure="false"
|
cookie_secure="false"
|
||||||
upstreams="http://httpbin.localtest.me:8080"
|
upstreams="http://httpbin"
|
||||||
cookie_domains=[".localtest.me"] # Required so cookie can be read on all subdomains.
|
cookie_domains=[".localtest.me"] # Required so cookie can be read on all subdomains.
|
||||||
whitelist_domains=[".localtest.me"] # Required to allow redirection back to original requested target.
|
whitelist_domains=[".localtest.me"] # Required to allow redirection back to original requested target.
|
||||||
|
|
||||||
|
|
@ -11,6 +11,6 @@ client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
|
||||||
client_id="oauth2-proxy"
|
client_id="oauth2-proxy"
|
||||||
redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
|
redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
|
||||||
|
|
||||||
oidc_issuer_url="http://dex.localtest.me:4190/dex"
|
oidc_issuer_url="http://dex.localtest.me:5556/dex"
|
||||||
provider="oidc"
|
provider="oidc"
|
||||||
provider_display_name="Dex"
|
provider_display_name="Dex"
|
||||||
|
|
|
||||||
|
|
@ -85,5 +85,5 @@ The docker compose setups expose the services with a dynamic reverse DNS resolve
|
||||||
|
|
||||||
- OAuth2-Proxy: http://oauth2-proxy.localtest.me:4180
|
- OAuth2-Proxy: http://oauth2-proxy.localtest.me:4180
|
||||||
- Upstream: http://httpbin.localtest.me:8080
|
- Upstream: http://httpbin.localtest.me:8080
|
||||||
- Dex: http://dex.localtest.me:4190
|
- Dex: http://dex.localtest.me:5556
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -85,5 +85,5 @@ The docker compose setups expose the services with a dynamic reverse DNS resolve
|
||||||
|
|
||||||
- OAuth2-Proxy: http://oauth2-proxy.localtest.me:4180
|
- OAuth2-Proxy: http://oauth2-proxy.localtest.me:4180
|
||||||
- Upstream: http://httpbin.localtest.me:8080
|
- Upstream: http://httpbin.localtest.me:8080
|
||||||
- Dex: http://dex.localtest.me:4190
|
- Dex: http://dex.localtest.me:5556
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue