# talk-oathkeeper
j
Hi, So I've configured oathkeeper with cookie session but now I am facing the issue that when session is available it redirects to only url of my app but I want to fetch all urls of my app. Pls advise
d
Hello. Could you show your access-rules.yml?
j
Please check [ { "id": "allow-anonymous-with-header-mutator", "version": "v0.36.0-beta.4", "upstream": { "url": "http://localhost/powerview/" }, "match": { "url": "http://localhost:4455/", "methods": [ "GET" ] }, "authenticators": [ { "handler": "cookie_session", } ], "authorizer": { "handler": "allow" }, "mutators": [ { "handler": "noop" } ], "errors": [ { "handler": "redirect", "config": { "to": "http://localhost/powerview/login3.aspx" } } ] }, ]
Hi @damp-sunset-69236, Did you check ?
d
Hello.
```
"url": "http://localhost:4455/",
```
You need to have either
```
"url": "http://localhost:4455/<**>",
```
for glob pattern matching or
```
"url": "http://localhost:4455/<.*>",
```
for regex
👍 1
Your configuration works fine for only one URL, http://localhost:4455. To make it work you need to use regex or glob patterns.
👍 1
j
Hi @damp-sunset-69236 I have tried with glob pattern and now I have a query that my match url is http but my upstream url is https so how to match http with https ?
d
Hello @jolly-pencil-87491. Could you provide access-rules config please?
j
pls check [ { "id": "allow-anonymous-with-header-mutator", "version": "v0.36.0-beta.4", "upstream": { "url": "https://econergy.powerview.io:14907/" }, "match": { "url": "http://localhost:4455/designer-viewer/<.*>", "methods": [ "GET" ] }, "authenticators": [ { "handler": "cookie_session", } ], "authorizer": { "handler": "allow" }, "mutators": [ { "handler": "noop" } ], "errors": [ { "handler": "redirect", "config": { "to": "https://econergy.powerview.io/powerview/login3.aspx" } } ] }, ]
Hi @damp-sunset-69236, Any update ?
d
Do you want to use https for localhost? I think that you need to change your url for
```
https://econergy.powerview.io/designer-viewer
```
Do you use any ingress controllers such as nginx/envoy/traefik? Do I understand correctly that you’re preparing for production?
j
Actually what I want is that whenever I click on http://localhost:4455/designer-viewer/ then it will redirect to https://econergy.powerview.io:14907/ but it shows that page not found. Further I set this app in IIS
d
Redirect or proxy it from upstream?
j
Yeah proxy it from upstream
d
It shows you a 404 error because it proxies to https://econergy.powerview.io:14907/designer-viewer. You need to add strip_prefix to your access rule to fix it
```
"upstream": {
      "url": "https://econergy.powerview.io:14907/",
      "strip_path": "/designer-viewer"
    },
```
j
I will check it and update you accordingly Thanks for the support
Hi @damp-sunset-69236 So I've added this strip path but now it is not fetching files like js or css. It shows only blank page
d
Could you please send a developer console screenshot? But anyway, it looks like something is missing for access rules
j
Pls check
d
Yep. I see what’s wrong here. You have
```
"url": "http://localhost:4455/designer-viewer/<.*>",
```
http://localhost:4455/designer-viewer URL configured for oathkeeper, however your static files do not match this rule.
You can add another rule for oathkeeper for static files
```
url: http://localhost:4455/<**>
```
Do you have any plans to use ingress controller such as nginx, traefik, envoy? @jolly-pencil-87491
j
Right now there is no plan to use ingress controller.
Hi, Still not working Pls check rules [ { "id": "allow-anonymous-with-header-mutator", "version": "v0.36.0-beta.4", "upstream": { "url": "https://econergy.powerview.io:14907/" }, "match": { "url": "http://localhost:4455/designer-viewer/<.*>", "url": "http://localhost:4455/<**>", "methods": [ "GET" ] }, "authenticators": [ { "handler": "cookie_session", } ], "authorizer": { "handler": "allow" }, "mutators": [ { "handler": "noop" } ], "errors": [ { "handler": "redirect", "config": { "to": "https://econergy.powerview.io/powerview/login3.aspx" } } ] }, ]
d
You need to write an additional rule for that URL
j
can you please help me how to do it ?
d
Try this
```
[
  {
    "id": "allow-designer-viewer-anonymous",
    "version": "v0.36.0-beta.4",
    "upstream": {
      "url": "https://econergy.powerview.io:14907/",
      "strip_path": "/designer-viewer"
    },
    "match": {
      "url": "http://localhost:4455/designer-viewer/<.*>",
      "methods": [
        "GET"
      ]
    },
    "authenticators": [
      {
        "handler": "cookie_session",
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "noop"
      }
    ],
    "errors": [
      {
        "handler": "redirect",
        "config": {
          "to": "https://econergy.powerview.io/powerview/login3.aspx"
        }
      }
    ]
  },
  {
    "id": "allow-root-anonymous",
    "version": "v0.36.0-beta.4",
    "upstream": {
      "url": "https://econergy.powerview.io:14907/"
    },
    "match": {
      "url": "http://localhost:4455/<**>",
      "methods": [
        "GET"
      ]
    },
    "authenticators": [
      {
        "handler": "cookie_session",
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "noop"
      }
    ],
    "errors": [
      {
        "handler": "redirect",
        "config": {
          "to": "https://econergy.powerview.io/powerview/login3.aspx"
        }
      }
    ]
  },
]
```
j
Thank you for your response. I am getting the following error {"error":{"code":500,"status":"Internal Server Error","message":"error parsing regexp: invalid nested repetition operator in `^**$`"}}
d
Change from this to
```
"url": "http://localhost:4455/<**>",
```
this
```
"url": "http://localhost:4455/<.*>",
```
Oh. I think that you’ll have a conflict in that case
j
Now got the following error
```
{
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "message": "Expected exactly one rule but found multiple rules"
  }
}
```
d
Another rule that might work for you
```
[
  {
    "id": "allow-root-anonymous",
    "version": "v0.36.0-beta.4",
    "upstream": {
      "url": "https://econergy.powerview.io:14907/",
      "strip_path": "/designer-viewer"
    },
    "match": {
      "url": "http://localhost:4455/<.*>",
      "methods": [
        "GET"
      ]
    },
    "authenticators": [
      {
        "handler": "cookie_session",
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "noop"
      }
    ],
    "errors": [
      {
        "handler": "redirect",
        "config": {
          "to": "https://econergy.powerview.io/powerview/login3.aspx"
        }
      }
    ]
  },
]
```
j
Now got this error
```
{
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "message": "error parsing regexp: invalid nested repetition operator in `^**$`"
  }
}
```
d
I fixed it.
j
What is the solution ?
d
The previous example that I sent 🙂
j
Yeah I tried it but got this error
```
{
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "message": "error parsing regexp: invalid nested repetition operator in `^**$`"
  }
}
```
d
please change the pattern from this
```
"url": "http://localhost:4455/<**>",
```
to this
```
"url": "http://localhost:4455/<.*>",
```
👍 1
j
Hi, Thank you again for your response. It is working with one url but it gives error with different urls and saying that found multiple rules
d
What’s your case? 🙂
j
[ { "id": "allow-root-anonymous", "version": "v0.36.0-beta.4", "upstream": { "url": "https://econergy.powerview.io:14907/", "strip_path": "/designer-viewer" }, "match": { "url": "http://localhost:4455/1/<.*>", "methods": [ "GET" ] }, "authenticators": [ { "handler": "cookie_session", } ], "authorizer": { "handler": "allow" }, "mutators": [ { "handler": "noop" } ], "errors": [ { "handler": "redirect", "config": { "to": "https://econergy.powerview.io/powerview/login3.aspx" } } ] }, { "id": "allow-secondrule", "version": "v0.36.0-beta.4", "upstream": { "url": "https://econergy.powerview.io:14906/", "strip_path": "/3" }, "match": { "url": "http://localhost:4455/3/<.*>", "methods": [ "GET" ] }, "authenticators": [ { "handler": "cookie_session", } ], "authorizer": { "handler": "allow" }, "mutators": [ { "handler": "noop" } ], "errors": [ { "handler": "redirect", "config": { "to": "https://econergy.powerview.io/powerview/login3.aspx" } } ] } ]
I want to match with multiple urls
d
Could you tell more about your URL structure?
j
Actually I want to put my both urls behind this oathkeeper. 1 url is https://econergy.powerview.io:14907/ 2 url is https://econergy.powerview.io:14906/ But when I click on 2nd rule's matching url then it shows that expect single rule and found multiple
d
How do you want to expose them to the public internet?
j
Right now when I click on http://localhost:4455/1/ then I am getting to my desired page but when I click on http://localhost:4455/3/ then I am getting an error that found multiple rules. My task is simple that I want to get to my both url whenever I click on any of the above two urls
d
Could you please give some examples following this structure
1. localhost:4455/1 should proxy traffic to https://econergy.powerview.io:14907/ for anonymous users
2. localhost:4455/2 should proxy traffic to https://econergy.powerview.io:14906/ for authenticated users
j
Both for authenticated users. I am able to get in https://econergy.powerview.io:14907/ but as I click on localhost:4455/2 to get in https://econergy.powerview.io:14906/ then I am getting the error that multiple rules find
In simple words I actually want to do multiple matchings with multiple upstream
Hi @damp-sunset-69236 I have almost completed my task. Just need to figure out this multiple matching with multiple upstream thing. Please also support in this regard 🙂
d
Hello. Let me describe the theoretical part of a solution because it couldn’t work. You need to have a setup for your microservices or isolate URLs here. For instance, you have the following idea to route traffic: http://localhost:4455/design proxies traffic to https://econergy.powerview.io:14907/. In that case, you need that econergy has support of serving files using this URL (static files, content, something else). Usually, people use baseURL or something similar for that purpose. It works like this: econergy exposes everything on /design/. You configure a simple rule for oathkeeper (you have plenty of examples in this thread). Everything should work fine using this setup. The same thing you need to do with another service.
👍 1
and for second service you need an additional rule that uses different upstream.
👍 1