# talk-hydra
l
Hi #hydra, since Hydra runs on 2 ports, one for admin and one for public, how do I bind both behind two different subdomains? I read somewhere that we can hide them using SRV records, but is this the right way for Hydra? Also, has anyone worked with Let's Encrypt to generate SSL for a Hydra server? Please let me know how to do that, as it asks for a webserver root or something and then verifies the domain ownership.
d
You can set up a reverse proxy in front of Hydra and configure routes, e.g. example.com/write and example.com/read, and proxy the network traffic through one single domain.
Good ingress webservers with reverse proxy support:
1. Nginx
2. Envoy
3. Traefik
4. Istio
It depends on your infrastructure for the production environment.
l
Thanks a lot @User. Found this good article using the above keywords, which covers what I had been facing 🙌 https://medium.com/@jose.t.weeks/ory-hydra-in-the-cloud-with-nginx-reverse-proxy-23002fb4a0e3
d
Nice. Feel free to ask questions. I can assist you with that configuration. What hosting provider do you want to use?
There are cost-effective options if you use Google Cloud, Amazon Web Services or Azure. They have load balancers and you can use those too.
l
Using AWS EC2, trying to get it up and running with a free Let's Encrypt SSL (until testing is done). Hydra and Kratos servers are on the same EC2 instance. I'll be deploying the Next.js-based login and consent app with Kratos on Lambda, I guess.
d
The article above solves your case. It's good to start with this guide.
You can consider using an Elastic Load Balancer when you have more network load on your VPS.
l
Yes, definitely. Once I get a working version deployed, I'll tweak it a bit and then finally work on stability.
d
You can host the generated version of your Next.js application on S3 if it has no backend.
l
I'm thinking of making the Hydra admin API calls from the server logic; let's see how it goes.
d
But Lambda is good anyway. I'm a huge fan of Lambda for my projects 🙂
l
Yup, definitely. Let's see if it works out for me.
Revisiting this after a long time 😅 I've set up a reverse proxy using nginx. Both Kratos and Hydra are running on the same instance, mapped like 9000 -> /oauth-admin, 9001 -> /oauth-public, and a similar pattern for the Kratos admin and public APIs. I've set up SSL using Let's Encrypt. The OAuth client is on 127.0.0.1:8080 and redirects the user to the Hydra OAuth endpoint. Now I'm getting these 2 errors.
error=map[message:neither remote address nor any x-forwarded-for values match CIDR ranges [127.0.0.1/32]: [172.19.0.1], ranges, check)]
and
error=map[message:can not serve request over insecure http]
To tackle the 2nd one, I'm using an HTTPS connection on 127.0.0.1:8080, but I'm unsure about the 1st one. My nginx rules are:
```nginx
# Hydra admin API (private; in production restrict who can reach this location)
location /auth-admin {
    # $scheme is the nginx variable; "$thescheme" is not defined and would send an empty header
    proxy_set_header X-Forwarded-Proto $scheme;
    # Hydra checks the remote address or any X-Forwarded-For value against allow_termination_from
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header Host              $host;
    proxy_pass       http://127.0.0.1:9000/;
}

# Hydra public API
location /auth-public {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header Host              $host;
    proxy_pass       http://127.0.0.1:9001/;
}

# Kratos: the defaults are 4433 for the public API and 4434 for the admin API,
# so verify these two mappings match your Kratos configuration
location /idp-admin {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header Host              $host;
    proxy_pass       http://127.0.0.1:4433/;
}

location /idp-public {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header Host              $host;
    proxy_pass       http://127.0.0.1:4434/;
}
```
@User, can you help me figure out what the issue might be here?
d
Hello. Looks like you need to change the settings for Hydra. You can check the configuration reference and set up
```yaml
serve:
  tls:
    allow_termination_from:
      - 127.0.0.1/32
```
and add the internal network range of your load balancers.
l
This exists in the env:
SERVE_TLS_ALLOW_TERMINATION_FROM_0=127.0.0.1/32
d
Yep, but you have additional network configuration in your cluster and you need to add the IP addresses of your load balancers, e.g. `172.19.0.1`. That's the address I found in your logs.
In your configuration you allow termination only from the localhost network, while you need to set up the network ranges of your cluster.
l
How did I miss this! Thanks a lot for pointing it out 🙌
Now it's redirecting me to
/oauth2/auth?response_type=code&redirect_uri=http%
instead of
/auth-public/oauth2/auth?response_type=code&redirect_uri=http%
Trying to figure out which config I can override.
Seems like the redirect was from the disk cache 🤐