feature: allow for using URI paths instead of subdomains #179

Closed
SinisterSpatula opened this issue Nov 1, 2022 · 6 comments

@SinisterSpatula

A clear and concise description of what you want the system to do.

Currently it seems to be set up for using multiple subdomains, but I would prefer URI paths like:

home.mydomain.com/auth
home.mydomain.com/portal
home.mydomain.com/uniqueApp1
home.mydomain.com/uniqueApp2

I was able to work around the issue by setting things up in my Caddyfile to operate this way, but had to add a few redirects to make it work:

```
home.mydomain.com/ {
        # serve public website here, or just redirect to login
        import tls_config
        redir / /auth
}

home.mydomain.com/login* {
        import tls_config
        redir * /auth/login
}

home.mydomain.com/auth* {
        import tls_config
        route {
                authenticate with myportal
        }
}
```

@greenpau
Owner

greenpau commented Nov 1, 2022

@SinisterSpatula, did you have a chance to review configs in here? https://github.com/authp/authp.github.io/tree/main/assets/conf

@greenpau
Owner

greenpau commented Nov 1, 2022

Here is a config for a reverse proxy:

```
(aclConfig) {
	crypto key verify {env.JWT_SHARED_KEY}
	acl rule {
		comment allow admins and users
		match role authp/admin authp/user
		allow stop log info
	}
	acl rule {
		comment default deny
		match any
		deny log warn
	}
}

{
	admin off
	http_port 8080
	https_port 8443
	auto_https disable_redirects
	debug

	order authenticate before respond
	order authorize before basicauth
	order trace before redir

	security {
		local identity store localdb {
			realm local
			path /data/caddy/auth/users.json
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			cookie lifetime 7200
			cookie strip domain
			enable identity store localdb
			ui {
				links {
					"My App" "/app/" icon "las la-desktop"
					"Swagger UI" "/swagger/" icon "las la-desktop"
					"PostgREST API" "/api/" icon "las la-desktop"
					"pgAdmin UI" "/pgadmin4/" icon "las la-desktop"
					"My Identity" "/auth/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin local
				ui link "Settings" "/auth/settings" icon "las la-cog"
			}
		}

		authorization policy appPolicy {
			set auth url /auth
			import aclConfig
		}

		authorization policy apiPolicy {
			# do not redirect to /auth, return 403 instead.
			disable auth redirect
			import aclConfig
			# allow basic auth
			with basic auth portal myportal realm local
			# allow api key auth
			with api key auth portal myportal realm local
		}
	}
}

:8080 {
	redir https://{host}:8443{uri} 302
}

:8443 {
	tls internal {
		on_demand
	}
	header {
		Access-Control-Allow-Origin "*"
		Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT, DELETE"
		Access-Control-Allow-Headers "*"
		Access-Control-Allow-Credentials true
	}
	route /auth* {
		authenticate with myportal
	}
	route /app* {
		# React SPA.
		authorize with appPolicy
		uri strip_prefix /app
		root * /var/www/html
		try_files {path} {file} /index.html
		file_server
	}
	route /api* {
		# Reverse proxy to Fastify API.
		authorize with apiPolicy
		# uri strip_prefix /api
		reverse_proxy http://fastify:3000
	}
	route /postgrest* {
		# Reverse proxy to PostgREST API.
		authorize with apiPolicy
		uri strip_prefix /postgrest
		reverse_proxy http://postgrest-api:3000
	}
	route /swagger* {
		# Reverse proxy to Swagger UI.
		authorize with apiPolicy
		uri strip_prefix /swagger
		reverse_proxy http://swagger:8080
	}
	route /pgadmin4* {
		# Reverse proxy to pgAdmin UI.
		authorize with appPolicy
		reverse_proxy http://pgadmin {
			header_up X-Script-Name "/pgadmin4"
		}
	}
	route {
		redir https://{hostport}/app/ 302
	}
}
```

@SinisterSpatula
Author

Oh I did not see this, thank you very much, it's VERY helpful. :) I'm really grateful for the work you put into this system, it is exactly what I was hoping for!

@greenpau
Owner

greenpau commented Nov 1, 2022

> I'm really grateful for the work you put into this system, it is exactly what I was hoping for!

@SinisterSpatula thank you for the kind words 😃

@SinisterSpatula
Author

Just wanted to share info for others that wanted to do a similar thing: it seems there are some issues with reverse proxy on one subdomain with many paths, and it's likely much better and easier to use subdomains. Further reading here: https://caddy.community/t/the-subfolder-problem-or-why-cant-i-reverse-proxy-my-app-into-a-subfolder/8575
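An added example, not part of the thread and not the project's code: a simplified model of how the path-based `route` blocks in the config above decide which policy guards a request and what path the upstream sees. `SITE` is a constructed, trimmed copy of the `:8443` block; the matching model (prefix glob, first match, bare `route` as catch-all) and the request paths are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the :8443 site block from the config above.
SITE = """
route /auth* {
	authenticate with myportal
}
route /api* {
	authorize with apiPolicy
	# uri strip_prefix /api
	reverse_proxy http://fastify:3000
}
route /swagger* {
	authorize with apiPolicy
	uri strip_prefix /swagger
	reverse_proxy http://swagger:8080
}
route {
	redir https://{hostport}/app/ 302
}
"""

def parse_routes(text):
    """Extract (matcher, guard, strip_prefix) from each top-level route block."""
    routes = []
    for m in re.finditer(r"^route[ \t]*(\S*?)[ \t]*\{\n(.*?)\n\}", text, re.S | re.M):
        matcher, body = m.groups()
        guard = re.search(r"^\s*((?:authorize|authenticate) with \S+)", body, re.M)
        strip = re.search(r"^\s*uri strip_prefix (\S+)", body, re.M)  # skips commented lines
        routes.append((matcher, guard and guard.group(1), strip and strip.group(1)))
    return routes

def resolve(routes, path):
    """First route whose prefix glob matches; the bare `route` block matches everything."""
    for matcher, guard, strip in routes:
        if path.startswith(matcher.rstrip("*")):
            fwd = path
            if strip and path.startswith(strip):
                fwd = path[len(strip):] or "/"  # path as forwarded to the upstream
            return matcher or "(catch-all)", guard, fwd

ROUTES = parse_routes(SITE)
# Routes that carry neither `authorize with` nor `authenticate with`.
UNGUARDED = [m or "(catch-all)" for m, g, _ in ROUTES if g is None]

if __name__ == "__main__":
    # Constructed request paths; the last is a root-relative asset link.
    for p in ["/api/users", "/apiary", "/swagger/index.html", "/static/swagger-ui.css"]:
        print(p, "->", resolve(ROUTES, p))
    print("routes with no authorize/authenticate:", UNGUARDED)
```

In this model `/apiary` is handled by the `/api*` route, and a root-relative link such as `/static/swagger-ui.css` emitted by an app that does not know its prefix matches no named route, so it lands in the catch-all redirect to `/app/`, which is the subfolder problem the linked thread describes.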

@greenpau
Owner

@SinisterSpatula, I am looking to add testimonial sections to https://authcrunch.com. Could you please write one and send it to me at greenpau@outlook.com?
