Hi there, I'm using Docker Compose for Oathkeeper, nginx and Hello API. I have set up a hydra, kratos and keto on another domain (as example https://oauth.mydomain.com). My problem is when I try to run docker compose (oathkeeper, nginx and hello api) on the virtual machine. The same docker compose works fine and I have no clue what is missing in the config. Maybe someone has the answer. This is my nginx.conf

events {

worker_connections  512;

}

http {

server {

listen 80;

server_name <http://mydomain.com|mydomain.com>;

if ($host = <http://mydomain.com|mydomain.com>) {

return 301 https://$host$request_uri;

}

}

server {

listen 443 ssl;

server_name <http://mydomain.com|mydomain.com>;

location / {

auth_request     /auth;

auth_request_set $auth_status $upstream_status;

proxy_set_header Authorization $http_authorization;

proxy_pass <http://hello:8090>$request_uri;

}

location = /auth {

internal;

proxy_pass              <http://oathkeeper:4456/decisions>;

proxy_method            $request_method;

proxy_http_version      1.1;

proxy_connect_timeout   2s;

proxy_pass_request_body off;

proxy_set_header Authorization $http_authorization;

proxy_set_header        Content-Length "";

proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header        X-Original-URI $request_uri;

proxy_set_header        X-Forwarded-Host $host:$server_port;

proxy_set_header        X-Forwarded-Proto $scheme;

proxy_set_header        X-Forwarded-Uri $request_uri;

}

}

}

And this my oathkeeper/access-rules.yml

- id: "api:protected"

upstream:

preserve_host: true

url: "<http://hello:8090>"

match:

url: "<https://mydomain.com:443/hello>"

methods:

- GET

- POST

authenticators:

- handler: oauth2_introspection

config:

introspection_url: <https://oauth.mydomain.com/admin/oauth2/introspect>

authorizer:

handler: remote_json

config:

remote: <https://oauth.mydomain.com/relation-tuples/check>

payload: |

{

"subject_id": "{{ print .Subject }}",

"relation": "edit",

"namespace": "backoffice",

"object": "rules"

}

mutators:

- handler: noop

errors:

And I got the following error after send a curl in my domain:

curl -H "Authorization: Bearer ory_at_uYx-oNddo1Jqorvhw0G3OrbnNAO5V1mHAk1Uuel09GE.TZTqRAkrziBlwcNivjvttxvx0c8rMNBXH26FoqYSRT8"  <https://mydomain.com/hello>

api-oathkeeper-oathkeeper-1  | {"http_request":{"headers":{"accept":"*/*","authorization":["Bearer ory_at_uYx-oNddo1Jqorvhw0G3OrbnNAO5V1mHAk1Uuel09GE.TZTqRAkrziBlwcNivjvttxvx0c8rMNBXH26FoqYSRT8"],"connection":"close","user-agent":"curl/7.81.0","x-forwarded-for":"x.x.x.x","x-forwarded-host":"<http://mydomain.com:443|mydomain.com:443>","x-forwarded-proto":"https","x-forwarded-uri":"/hello","x-original-uri":"/hello"},"host":"oathkeeper:4456","method":"GET","path":"/decisions","query":null,"remote":"x.x.x.x:49410","scheme":"http"},"level":"info","msg":"started handling request","time":"2023-08-29T15:30:07.650750335Z"}

api-oathkeeper-oathkeeper-1  | {"audience":"application","granted":true,"http_host":"oathkeeper:4456","http_method":"GET","http_url":"<https://mydomain.com:443/hello>","http_user_agent":"curl/7.81.0","level":"info","msg":"Access request granted","service_name":"ORY Oathkeeper","service_version":"v0.40.6","time":"2023-08-29T15:30:07.664971178Z"}

api-oathkeeper-oathkeeper-1  | {"http_request":{"headers":{"accept":"*/*","authorization":["Bearer ory_at_uYx-oNddo1Jqorvhw0G3OrbnNAO5V1mHAk1Uuel09GE.TZTqRAkrziBlwcNivjvttxvx0c8rMNBXH26FoqYSRT8"],"connection":"close","user-agent":"curl/7.81.0","x-forwarded-for":"x.x.x.x","x-forwarded-host":"<http://mydomain.com:443|mydomain.com:443>","x-forwarded-proto":"https","x-forwarded-uri":"/hello","x-original-uri":"/hello"},"host":"oathkeeper:4456","method":"GET","path":"/hello","query":null,"remote":"x.x.x.x:49410","scheme":"http"},"http_response":{"headers":{"accept":"*/*","authorization":["Bearer ory_at_uYx-oNddo1Jqorvhw0G3OrbnNAO5V1mHAk1Uuel09GE.TZTqRAkrziBlwcNivjvttxvx0c8rMNBXH26FoqYSRT8"],"connection":"close","user-agent":"curl/7.81.0","x-forwarded-for":"x.x.x.x","x-forwarded-host":"mydomain:443","x-forwarded-proto":"https","x-forwarded-uri":"/hello","x-original-uri":"/hello"},"size":0,"status":200,"text_status":"OK","took":14349551},"level":"info","msg":"completed handling request","time":"2023-08-29T15:30:07.665030121Z"}

api-oathkeeper-nginx-1       | 2023/08/29 15:30:07 [error] 22#22: *10 no resolver defined to resolve hello while sending to client, client: x.x.x.x, server: <http://mydomain.com|mydomain.com>, request: "GET /hello HTTP/1.1", host: "<http://mydomain.com|mydomain.com>"

api-oathkeeper-nginx-1       | 192.168.100.41 - - [29/Aug/2023:15:30:07 +0000] "GET /hello HTTP/1.1" 502 157 "-" "curl/7.81.0"

I'm pretty sure the rest of the integration is working, because when I run docker compose locally, the token and keto permission validation are successful.

curl -H "Authorization: Bearer ory_at_W3usT7KyoobcZ4tbdUToqndCUEq-MTnQ5rxMnWU7AYo.SNFxlzRvhOv3r8SaOP17q5ikJH5oli28VHA1xbs9J9I"  <http://127.0.0.1:8080/hello>

Hello :wave:

Does anyone know what I'm missing? Thanks in advance! Excellent product!