
loud-keyboard-84117

03/03/2022, 12:52 PM
Hi #hydra, since Hydra runs on 2 ports, one for admin and one for public, how do I bind both behind two different subdomains? I read somewhere that we can hide them using SRV records, but is this the right way for Hydra? Also, has anyone worked with Let's Encrypt to generate SSL for a Hydra server? Please let me know how to do that, as it asks for a webserver root or something and then verifies the domain ownership.

damp-sunset-69236

03/03/2022, 2:24 PM
You can set up a reverse proxy in front of Hydra and configure routes, e.g. example.com/write and example.com/read, and proxy the network traffic using one single domain.
Good ingress webservers with reverse proxy support: 1. Nginx 2. Envoy 3. Traefik 4. Istio. It depends on your infrastructure for the production environment.

loud-keyboard-84117

03/03/2022, 2:29 PM
Thanks a lot @User. Found this good article using the above keywords, which covers what I had been facing 🙌 https://medium.com/@jose.t.weeks/ory-hydra-in-the-cloud-with-nginx-reverse-proxy-23002fb4a0e3

damp-sunset-69236

03/03/2022, 2:30 PM
Nice. Feel free to ask questions. I can assist you with that configuration. What hosting provider do you want to use?
There are cost-effective options if you use Google Cloud, Amazon Web Services or Azure. They have load balancers and you can use them too.

loud-keyboard-84117

03/03/2022, 2:33 PM
Using AWS EC2, trying to get it up and running with a free Let's Encrypt SSL (until testing is done). Hydra and Kratos servers are on the same EC2 instance. I'll be deploying a Next.js based login and consent app with Kratos on Lambda, I guess.

damp-sunset-69236

03/03/2022, 2:35 PM
The article above solves your case. It’s good to start with this guide.
You can consider using Elastic Load Balancer when you have more network load on your VPS.

loud-keyboard-84117

03/03/2022, 2:38 PM
Yes, definitely. Once I get a working version deployed, I'll be tweaking it a bit and then finally will be working on stability.

damp-sunset-69236

03/03/2022, 2:39 PM
You can host the generated version of your Next.js application on S3 if you have no backend for it.

loud-keyboard-84117

03/03/2022, 2:41 PM
I'm thinking of having the Hydra admin API calls in the server logic; let's see how it goes.

damp-sunset-69236

03/03/2022, 2:41 PM
But Lambda is good anyway. I'm a huge fan of Lambda for my projects 🙂

loud-keyboard-84117

03/03/2022, 2:48 PM
Yup, definitely, let's see if it works out for me.
Revisiting this after a long time 😅 I've set up a reverse proxy using nginx. Both Kratos and Hydra are running on the same instance but are mapped like 9000 -> /oauth-admin, 9001 -> /oauth-public, and a similar pattern for the Kratos admin and public APIs. I've set up SSL using Let's Encrypt. The OAuth client is on 127.0.0.1:8080 and redirects the user to the Hydra OAuth endpoint. Now, I'm getting these 2 errors.
error=map[message:neither remote address nor any x-forwarded-for values match CIDR ranges [127.0.0.1/32]: [172.19.0.1], ranges, check)]
and
error=map[message:can not serve request over insecure http]
To tackle the 2nd one, I'm using an https connection on 127.0.0.1:8080, but I don't know about the 1st one. My nginx rules are:
# Note: $thescheme is not a built-in nginx variable; it must be defined by a
# map block elsewhere in the config, otherwise nginx fails to start with
# "unknown variable". The built-in $scheme can be used instead.
location /auth-admin {
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_pass       http://127.0.0.1:9000/;
}

location /auth-public {
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_pass       http://127.0.0.1:9001/;
}

location /idp-admin {
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_pass       http://127.0.0.1:4433/;
}

location /idp-public {
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_pass       http://127.0.0.1:4434/;
}
@User, can you help me figure out what might be the issue here?

damp-sunset-69236

04/08/2022, 6:26 AM
Hello. Looks like you need to change the settings for Hydra. You can check the configuration reference and set up
allow_termination_from:
  - 127.0.0.1/32
and add the internal network range of your load balancers.

loud-keyboard-84117

04/08/2022, 8:11 AM
This exists in the env:
SERVE_TLS_ALLOW_TERMINATION_FROM_0=127.0.0.1/32

damp-sunset-69236

04/08/2022, 8:37 AM
Yep, but you have additional network configuration in your cluster and you need to add the IP addresses of your load balancers, e.g.
172.19.0.1
It's an example I found in your logs.
In your configuration you allow termination only from the localhost network, while you need to set up the network ranges of your cluster.

loud-keyboard-84117

04/08/2022, 11:13 PM
How did I miss this! Thanks a lot for pointing out 🙌
Now, it's redirecting me to
/oauth2/auth?response_type=code&redirect_uri=http%
instead of
/auth-public/oauth2/auth?response_type=code&redirect_uri=http%
Trying to figure out what config I can override.
Seems like the redirect was from the disk cache 🤐