<@U011D3UQKNY> do you happen to have any bright id...
# ory-selfhosting
l
@magnificent-energy-493 do you happen to have any bright ideas as to what I am missing?
m
Hm not sure without going in and taking a look myself. So you moved your existing Ory Kratos installation from one server to another and that broke something in 2FA? Can you maybe explain what you were trying to achieve and how your setup looks roughly?
l
Also moved from haproxy in front of oathkeeper to nginx in front of oathkeeper. I'll do a writeup in the evening (GMT+3)
👍 1
Alright, so:
1) Everything worked fine so far.
2) Kratos was reinstalled on a new machine from scratch, version upgraded from v1.0.0 to the current latest.
3) Kratos database was copied over and migrations were applied. Kratos config and identity schema were also copied.
4) Haproxy for company proxy stuff in front of oathkeeper was replaced with an nginx proxy in front of oathkeeper.
5) Setup is now nginx -> oathkeeper -> kratos machine, hydra machine, selfservice node rewritten based on the ui-node example. I am willing to share this for debug if needed as a zip.
6) What I have determined is that after login and 2FA, the redirect to dashboard fails, because, what it seems like, the ory client's part of getting the flows in the ui node app does a request to /sessions/whoami and does not provide the credentials. If I copy the whoami URL into the browser, I successfully get my identity returned to me. This leads me to believe that something in the nginx proxy config is foobar and it is not 2FA, as I originally assumed.

Proxy config is as follows:
```
server {
        server_name whatever.doesntmatter.ee;

        location / {
                allow INSERT_DMZ_NETWORK_IP/24;
                allow 10.10.10.0/24;
                deny all;

                proxy_pass http://konto_backend;
                proxy_pass_header Content-Type;
                proxy_pass_header Access-Control-Allow-Origin;
                proxy_ssl_verify off;
                proxy_redirect off;

                proxy_set_header Host whatever.doesntmatter.ee;
                proxy_set_header Cookie $http_cookie;
                proxy_set_header Authorization $http_authorization;
                proxy_set_header X-ID-Token $http_x_id_token;
                proxy_set_header X-CSRF-Token $http_x_csrf_token;

                proxy_http_version 1.1;
                proxy_pass_header Set-Cookie;
                proxy_set_header Connection "";

                proxy_set_header X-Forwarded-Proto http;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $host;

                add_header 'Access-Control-Allow-Origin' '*';

                proxy_pass_request_headers on;
                proxy_pass_request_body on;
        }
}
```
I figured it out a few weeks ago!