# ory-selfhosting
r
I run kratos on a sub though, but I can paste my dev config. One sec
```yaml
serve:
  public:
    base_url: http://auth.runway.127.0.0.1.nip.io/
    cors:
      enabled: true
      allowed_origins:
        - http://*.runway.127.0.0.1.nip.io
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
  admin:
    base_url: http://auth-admin.runway.127.0.0.1.nip.io/
```
A bit wonky
Slack and code
@plain-lunch-50969
The URL is used for redirects etc. Maybe you need to match rules in your ingress though.
p
Putting code between triple ticks will format better.
Thanks for the config.
triple backticks
I would think I'd get something that's not a 404 if I hit a valid endpoint though. For
curl -k -H 'Accept: application/json' https://[FQDN]/auth/self-service/login/api
I think I'd at least get a JSON object.
r
Yeah, I used triple
Do you use the sdk?
Or an sdk rather?
p
I am, but now just testing the connection as I keep getting 404s.
Likely something misconfigured somewhere...
r
Is the ingress set up to listen to domain/auth?
p
It is.
When I do that curl I see the kratos logs fire. Yet they still give 404.
```
time=2022-07-29T04:41:39Z level=info msg=started handling request http_request=map[headers:map[accept:application/json user-agent:curl/7.82.0 x-forwarded-for:127.0.0.1 x-forwarded-host:launch.mergetb.example.net x-forwarded-port:443 x-forwarded-proto:https x-forwarded-scheme:https x-real-ip:127.0.0.1 x-request-id:393fe495f7f51695d1e10dafb109e67f x-scheme:https] host:launch.mergetb.example.net method:GET path:/auth/self-service/login/browser query:<nil> remote:10.244.0.1:50868 scheme:http]
time=2022-07-29T04:41:39Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json user-agent:curl/7.82.0 x-forwarded-for:127.0.0.1 x-forwarded-host:launch.mergetb.example.net x-forwarded-port:443 x-forwarded-proto:https x-forwarded-scheme:https x-real-ip:127.0.0.1 x-request-id:393fe495f7f51695d1e10dafb109e67f x-scheme:https] host:launch.mergetb.example.net method:GET path:/auth/self-service/login/browser query:<nil> remote:10.244.0.1:50868 scheme:http] http_response=map[headers:map[content-type:text/plain; charset=utf-8 set-cookie:[csrf_token_09c1eb59a362dd1a2accba844e413e7bc266e5ad2c7405c89264851d0b49d4ec=mj4L+vnj2uyX6rImc+jwYiPS/K1RqWmFrUv+2eSzXis=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax] vary:Cookie x-content-type-options:nosniff] size:19 status:404 text_status:Not Found took:503.63µs]
```
r
I haven't tried it on a subdomain and your baseUrl is set to what exactly?
Sorry, not subdomain but path
p
```
Name:             launch-merge-launch
Namespace:        merge
Address:          192.168.126.10
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  launch-tls terminates launch.mergetb.example.net
Rules:
  Host                        Path  Backends
  ----                        ----  --------
  launch.mergetb.example.net
                              /        launch-merge-launch:8080 (10.244.0.77:8080)
                              /auth/   merge-auth-kratos-public:80 (10.244.0.78:4433)
Annotations:                  meta.helm.sh/release-name: launch
                              meta.helm.sh/release-namespace: merge
Events:                       <none>
```
r
Go in the pod and see what it responds to… http://0.0.0.0:port/auth
p
404s
```
/home/ory $ wget http://0.0.0.0:4433/auth/hello
Connecting to 0.0.0.0:4433 (0.0.0.0:4433)
wget: server returned error: HTTP/1.1 404 Not Found
/home/ory $ wget http://0.0.0.0:4433/auth
Connecting to 0.0.0.0:4433 (0.0.0.0:4433)
wget: server returned error: HTTP/1.1 404 Not Found
/home/ory $ wget http://0.0.0.0:4433
Connecting to 0.0.0.0:4433 (0.0.0.0:4433)
wget: server returned error: HTTP/1.1 404 Not Found
/home/ory $
```
r
try `curl http://0.0.0.0:4433/self-service/login/browser`
it should give you a redirect to your `login_url?flow=etc`
then you know if `/auth` even works
p
Strange.
```
/home/ory $ wget http://0.0.0.0:4433/self-service/login/browser
Connecting to 0.0.0.0:4433 (0.0.0.0:4433)
Connecting to launch.mergetb.example.net (192.168.126.10:443)
ssl_client: launch.mergetb.example.net: certificate verification failed: self signed certificate
wget: error getting response: Connection reset by peer
/home/ory $ wget --no-check-certificate http://0.0.0.0:4433/self-service/login/browser
Connecting to 0.0.0.0:4433 (0.0.0.0:4433)
Connecting to launch.mergetb.example.net (192.168.126.10:443)
```
Starts the flow and goes to `selfservice.allowed_return_urls` I think...
r
can you paste your config? I think you may have to just strip /auth before you forward to the pod
p
Which config? Kratos?
r
then it probably works
yeah
p
Trying that now.
That does help.
So the ui_urls in the config are meant to point to where kratos talks to the GUI.
r
yeah
i am not entirely sure if there is a "this is how kratos works behind a reverse proxy"
p
I've been changing a bunch of things. This must have slipped in.
r
change everything and less and less works, i know these days 😄
p
Then the GUI should use the `/auth` to talk to kratos?
r
yeah, i guess
i mean, what speaks against a sub domain?
p
If that k8s ingress path talks to the kratos public service, which it does.
Although kratos must be getting confused with the `/auth/` at the start of the API endpoint. I'll need to rewrite that I guess.
Ok. That worked. So for anyone playing along at home, here's what worked. I set the `/auth` path on the ingress but told nginx to remove the `/auth` from the API endpoint when routing it. This made kratos happy.
```yaml
ingress:
  public:
    enabled: true
    className: nginx
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /$1
    hosts:
      - host: kratos.public.local.com
        paths:
          - path: /auth/(.*)
            pathType: ImplementationSpecific
```
(this is from the values.yaml in the kratos helm chart)
ty Till for all the help.
r
no worries, happy weekend
p
Same to you.