forked from baron/baron-sso
Merge pull request 'dev/ory-hydra2' (#150) from dev/ory-hydra2 into main
Reviewed-on: ai-team/baron-sso#150
This commit is contained in:
@@ -226,7 +226,7 @@ func main() {
|
|||||||
auditHandler := handler.NewAuditHandler(auditRepo)
|
auditHandler := handler.NewAuditHandler(auditRepo)
|
||||||
authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo)
|
authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo)
|
||||||
adminHandler := handler.NewAdminHandler()
|
adminHandler := handler.NewAdminHandler()
|
||||||
devHandler := handler.NewDevHandler()
|
devHandler := handler.NewDevHandler(redisService)
|
||||||
tenantHandler := handler.NewTenantHandler(db)
|
tenantHandler := handler.NewTenantHandler(db)
|
||||||
kratosAdminService := service.NewKratosAdminService()
|
kratosAdminService := service.NewKratosAdminService()
|
||||||
oryAdminProvider := service.NewOryProvider()
|
oryAdminProvider := service.NewOryProvider()
|
||||||
|
|||||||
@@ -12,11 +12,13 @@ import (
|
|||||||
|
|
||||||
type DevHandler struct {
|
type DevHandler struct {
|
||||||
Hydra *service.HydraAdminService
|
Hydra *service.HydraAdminService
|
||||||
|
Redis *service.RedisService
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewDevHandler() *DevHandler {
|
func NewDevHandler(redis *service.RedisService) *DevHandler {
|
||||||
return &DevHandler{
|
return &DevHandler{
|
||||||
Hydra: service.NewHydraAdminService(),
|
Hydra: service.NewHydraAdminService(),
|
||||||
|
Redis: redis,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -102,7 +104,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
|
|||||||
|
|
||||||
items := make([]clientSummary, 0, len(clients))
|
items := make([]clientSummary, 0, len(clients))
|
||||||
for _, client := range clients {
|
for _, client := range clients {
|
||||||
items = append(items, mapClientSummary(client))
|
items = append(items, h.mapClientSummary(client))
|
||||||
}
|
}
|
||||||
|
|
||||||
return c.JSON(clientListResponse{
|
return c.JSON(clientListResponse{
|
||||||
@@ -126,7 +128,7 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
|
|||||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||||
}
|
}
|
||||||
|
|
||||||
summary := mapClientSummary(*client)
|
summary := h.mapClientSummary(*client)
|
||||||
return c.JSON(clientDetailResponse{
|
return c.JSON(clientDetailResponse{
|
||||||
Client: summary,
|
Client: summary,
|
||||||
Endpoints: clientEndpoints{
|
Endpoints: clientEndpoints{
|
||||||
@@ -165,7 +167,7 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
|
|||||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||||
}
|
}
|
||||||
|
|
||||||
summary := mapClientSummary(*updated)
|
summary := h.mapClientSummary(*updated)
|
||||||
return c.JSON(clientDetailResponse{
|
return c.JSON(clientDetailResponse{
|
||||||
Client: summary,
|
Client: summary,
|
||||||
Endpoints: clientEndpoints{
|
Endpoints: clientEndpoints{
|
||||||
@@ -251,9 +253,14 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
|
|||||||
}
|
}
|
||||||
created.Metadata["client_secret"] = created.ClientSecret
|
created.Metadata["client_secret"] = created.ClientSecret
|
||||||
_, _ = h.Hydra.UpdateClient(c.Context(), created.ClientID, *created)
|
_, _ = h.Hydra.UpdateClient(c.Context(), created.ClientID, *created)
|
||||||
|
|
||||||
|
// Also store in Redis if available
|
||||||
|
if h.Redis != nil {
|
||||||
|
_ = h.Redis.Set("client_secret:"+created.ClientID, created.ClientSecret, 0)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
summary := mapClientSummary(*created)
|
summary := h.mapClientSummary(*created)
|
||||||
return c.Status(fiber.StatusCreated).JSON(clientDetailResponse{
|
return c.Status(fiber.StatusCreated).JSON(clientDetailResponse{
|
||||||
Client: summary,
|
Client: summary,
|
||||||
Endpoints: clientEndpoints{
|
Endpoints: clientEndpoints{
|
||||||
@@ -341,7 +348,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
|
|||||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||||
}
|
}
|
||||||
|
|
||||||
summary := mapClientSummary(*updatedClient)
|
summary := h.mapClientSummary(*updatedClient)
|
||||||
return c.JSON(clientDetailResponse{
|
return c.JSON(clientDetailResponse{
|
||||||
Client: summary,
|
Client: summary,
|
||||||
Endpoints: clientEndpoints{
|
Endpoints: clientEndpoints{
|
||||||
@@ -367,6 +374,11 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
|
|||||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Clean up Redis
|
||||||
|
if h.Redis != nil {
|
||||||
|
_ = h.Redis.Delete("client_secret:" + clientID)
|
||||||
|
}
|
||||||
|
|
||||||
return c.SendStatus(fiber.StatusNoContent)
|
return c.SendStatus(fiber.StatusNoContent)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -416,7 +428,7 @@ func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error {
|
|||||||
return c.SendStatus(fiber.StatusNoContent)
|
return c.SendStatus(fiber.StatusNoContent)
|
||||||
}
|
}
|
||||||
|
|
||||||
func mapClientSummary(client service.HydraClient) clientSummary {
|
func (h *DevHandler) mapClientSummary(client service.HydraClient) clientSummary {
|
||||||
status := "active"
|
status := "active"
|
||||||
if client.Metadata != nil {
|
if client.Metadata != nil {
|
||||||
if value, ok := client.Metadata["status"].(string); ok && strings.ToLower(value) == "inactive" {
|
if value, ok := client.Metadata["status"].(string); ok && strings.ToLower(value) == "inactive" {
|
||||||
@@ -436,6 +448,20 @@ func mapClientSummary(client service.HydraClient) clientSummary {
|
|||||||
|
|
||||||
scopes := strings.Fields(client.Scope)
|
scopes := strings.Fields(client.Scope)
|
||||||
|
|
||||||
|
clientSecret := client.ClientSecret
|
||||||
|
// 1. Check Metadata (Legacy/Fallback)
|
||||||
|
if clientSecret == "" && client.Metadata != nil {
|
||||||
|
if val, ok := client.Metadata["client_secret"].(string); ok {
|
||||||
|
clientSecret = val
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// 2. Check Redis (New)
|
||||||
|
if clientSecret == "" && h.Redis != nil {
|
||||||
|
if val, err := h.Redis.Get("client_secret:" + client.ClientID); err == nil && val != "" {
|
||||||
|
clientSecret = val
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return clientSummary{
|
return clientSummary{
|
||||||
ID: client.ClientID,
|
ID: client.ClientID,
|
||||||
Name: name,
|
Name: name,
|
||||||
@@ -443,7 +469,7 @@ func mapClientSummary(client service.HydraClient) clientSummary {
|
|||||||
Status: status,
|
Status: status,
|
||||||
RedirectURIs: client.RedirectURIs,
|
RedirectURIs: client.RedirectURIs,
|
||||||
Scopes: scopes,
|
Scopes: scopes,
|
||||||
ClientSecret: client.ClientSecret,
|
ClientSecret: clientSecret,
|
||||||
Metadata: client.Metadata,
|
Metadata: client.Metadata,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -160,6 +160,7 @@ services:
|
|||||||
- "4457:4455" # Proxy
|
- "4457:4455" # Proxy
|
||||||
environment:
|
environment:
|
||||||
- APP_ENV=${APP_ENV:-development}
|
- APP_ENV=${APP_ENV:-development}
|
||||||
|
- LOG_LEVEL=debug
|
||||||
volumes:
|
volumes:
|
||||||
- ./docker/ory/oathkeeper:/etc/config/oathkeeper
|
- ./docker/ory/oathkeeper:/etc/config/oathkeeper
|
||||||
- ./docker/ory/oathkeeper/logs:/var/log/oathkeeper
|
- ./docker/ory/oathkeeper/logs:/var/log/oathkeeper
|
||||||
|
|||||||
@@ -4,7 +4,6 @@ import ClientConsentsPage from "../features/clients/ClientConsentsPage";
|
|||||||
import ClientDetailsPage from "../features/clients/ClientDetailsPage";
|
import ClientDetailsPage from "../features/clients/ClientDetailsPage";
|
||||||
import ClientGeneralPage from "../features/clients/ClientGeneralPage";
|
import ClientGeneralPage from "../features/clients/ClientGeneralPage";
|
||||||
import ClientsPage from "../features/clients/ClientsPage";
|
import ClientsPage from "../features/clients/ClientsPage";
|
||||||
import { ClientFederationPage } from "../features/clients/routes/ClientFederationPage";
|
|
||||||
|
|
||||||
export const router = createBrowserRouter(
|
export const router = createBrowserRouter(
|
||||||
[
|
[
|
||||||
@@ -18,7 +17,6 @@ export const router = createBrowserRouter(
|
|||||||
{ path: "clients/:id", element: <ClientDetailsPage /> },
|
{ path: "clients/:id", element: <ClientDetailsPage /> },
|
||||||
{ path: "clients/:id/consents", element: <ClientConsentsPage /> },
|
{ path: "clients/:id/consents", element: <ClientConsentsPage /> },
|
||||||
{ path: "clients/:id/settings", element: <ClientGeneralPage /> },
|
{ path: "clients/:id/settings", element: <ClientGeneralPage /> },
|
||||||
{ path: "clients/:id/federation", element: <ClientFederationPage /> },
|
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
|
|||||||
@@ -120,12 +120,6 @@ function ClientConsentsPage() {
|
|||||||
>
|
>
|
||||||
Settings
|
Settings
|
||||||
</Link>
|
</Link>
|
||||||
<Link
|
|
||||||
to={`/clients/${clientId}/federation`}
|
|
||||||
className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground"
|
|
||||||
>
|
|
||||||
Federation
|
|
||||||
</Link>
|
|
||||||
</div>
|
</div>
|
||||||
</header>
|
</header>
|
||||||
|
|
||||||
|
|||||||
@@ -130,12 +130,6 @@ function ClientDetailsPage() {
|
|||||||
>
|
>
|
||||||
Settings
|
Settings
|
||||||
</Link>
|
</Link>
|
||||||
<Link
|
|
||||||
to={`/clients/${clientId}/federation`}
|
|
||||||
className="pb-3 text-sm font-bold text-muted-foreground hover:text-foreground"
|
|
||||||
>
|
|
||||||
Federation
|
|
||||||
</Link>
|
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
|||||||
@@ -154,7 +154,6 @@ function ClientGeneralPage() {
|
|||||||
<Link to={`/clients/${clientId}`} className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground">Connection</Link>
|
<Link to={`/clients/${clientId}`} className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground">Connection</Link>
|
||||||
<Link to={`/clients/${clientId}/consents`} className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground">Consent & Users</Link>
|
<Link to={`/clients/${clientId}/consents`} className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground">Consent & Users</Link>
|
||||||
<span className="whitespace-nowrap border-b-2 border-primary pb-1 text-primary">Settings</span>
|
<span className="whitespace-nowrap border-b-2 border-primary pb-1 text-primary">Settings</span>
|
||||||
<Link to={`/clients/${clientId}/federation`} className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground">Federation</Link>
|
|
||||||
</>
|
</>
|
||||||
)}
|
)}
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
@@ -31,7 +31,12 @@ services:
|
|||||||
ports:
|
ports:
|
||||||
- "${BACKEND_PORT:-3000}:3000"
|
- "${BACKEND_PORT:-3000}:3000"
|
||||||
depends_on:
|
depends_on:
|
||||||
- infra_check
|
postgres:
|
||||||
|
condition: service_healthy
|
||||||
|
redis:
|
||||||
|
condition: service_started
|
||||||
|
clickhouse:
|
||||||
|
condition: service_started
|
||||||
networks:
|
networks:
|
||||||
- baron_net
|
- baron_net
|
||||||
- ory-net
|
- ory-net
|
||||||
|
|||||||
@@ -24,7 +24,12 @@ if [ ! -f "$RULES_FILE" ]; then
|
|||||||
echo "[oathkeeper] rules file not found: $RULES_FILE"
|
echo "[oathkeeper] rules file not found: $RULES_FILE"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
cp "$RULES_FILE" "$RULES_ACTIVE"
|
|
||||||
|
# Remove existing active rules file to prevent overwrite issues (File exists/Permission denied)
|
||||||
|
if [ -f "$RULES_ACTIVE" ]; then
|
||||||
|
rm -f "$RULES_ACTIVE" || echo "[oathkeeper] Warning: Failed to remove existing rules.active.json"
|
||||||
|
fi
|
||||||
|
cp -f "$RULES_FILE" "$RULES_ACTIVE" || echo "[oathkeeper] Warning: Failed to copy rules file. Using existing if present."
|
||||||
|
|
||||||
LOG_DIR="/var/log/oathkeeper"
|
LOG_DIR="/var/log/oathkeeper"
|
||||||
LOG_FILE="${LOG_DIR}/access.log"
|
LOG_FILE="${LOG_DIR}/access.log"
|
||||||
|
|||||||
0
docker/ory/oathkeeper/oathkeeper.yml
Normal file → Executable file
0
docker/ory/oathkeeper/oathkeeper.yml
Normal file → Executable file
100
docker/ory/oathkeeper/rules.active.json
Normal file → Executable file
100
docker/ory/oathkeeper/rules.active.json
Normal file → Executable file
@@ -1,92 +1,114 @@
|
|||||||
[
|
[
|
||||||
{
|
{
|
||||||
"id": "public-health",
|
"id": "public-health",
|
||||||
"description": "공개 헬스체크",
|
"description": "공개 헬스체크 (STAGE 도메인)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/health",
|
"url": "<.*>://sso-test.hmac.kr/health",
|
||||||
"methods": ["GET"]
|
"methods": ["GET"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "public-preflight",
|
"id": "public-preflight",
|
||||||
"description": "CORS preflight",
|
"description": "CORS preflight (STAGE 도메인)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/api/v1/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
|
||||||
"methods": ["OPTIONS"]
|
"methods": ["OPTIONS"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "public-auth",
|
"id": "public-auth",
|
||||||
"description": "인증/회원가입 등 공개 엔드포인트",
|
"description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/api/v1/auth/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
|
||||||
"methods": ["GET", "POST", "OPTIONS"]
|
"methods": ["GET", "POST", "OPTIONS"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-command",
|
"id": "backend-command",
|
||||||
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
|
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/api/v1/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
|
||||||
"methods": ["POST", "PUT", "PATCH", "DELETE"]
|
"methods": ["POST", "PUT", "PATCH", "DELETE"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-query",
|
"id": "backend-query",
|
||||||
"description": "Backend Query (admin/dev 포함)",
|
"description": "Backend Query (admin/dev 포함)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/api/v1/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
|
||||||
"methods": ["GET"]
|
"methods": ["GET"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
},
|
||||||
]
|
{
|
||||||
|
"id": "hydra-well-known",
|
||||||
|
"description": "Hydra OIDC Discovery & JWKS",
|
||||||
|
"match": {
|
||||||
|
"url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
|
||||||
|
"methods": ["GET", "OPTIONS"]
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"url": "http://hydra:4444"
|
||||||
|
},
|
||||||
|
"authenticators": [{ "handler": "noop" }],
|
||||||
|
"authorizer": { "handler": "allow" },
|
||||||
|
"mutators": [{ "handler": "noop" }]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "hydra-oauth2",
|
||||||
|
"description": "Hydra OAuth2 Endpoints",
|
||||||
|
"match": {
|
||||||
|
"url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
|
||||||
|
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"url": "http://hydra:4444"
|
||||||
|
},
|
||||||
|
"authenticators": [{ "handler": "noop" }],
|
||||||
|
"authorizer": { "handler": "allow" },
|
||||||
|
"mutators": [{ "handler": "noop" }]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "hydra-userinfo",
|
||||||
|
"description": "Hydra Userinfo",
|
||||||
|
"match": {
|
||||||
|
"url": "<.*>://sso-test.hmac.kr/userinfo",
|
||||||
|
"methods": ["GET", "POST", "OPTIONS"]
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"url": "http://hydra:4444"
|
||||||
|
},
|
||||||
|
"authenticators": [{ "handler": "noop" }],
|
||||||
|
"authorizer": { "handler": "allow" },
|
||||||
|
"mutators": [{ "handler": "noop" }]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
48
docker/ory/oathkeeper/rules.draft.json
Normal file → Executable file
48
docker/ory/oathkeeper/rules.draft.json
Normal file → Executable file
@@ -9,13 +9,9 @@
|
|||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "public-auth",
|
"id": "public-auth",
|
||||||
@@ -27,13 +23,9 @@
|
|||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-command",
|
"id": "backend-command",
|
||||||
@@ -45,13 +37,9 @@
|
|||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-query",
|
"id": "backend-query",
|
||||||
@@ -63,13 +51,9 @@
|
|||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "kratos-public",
|
"id": "kratos-public",
|
||||||
@@ -82,13 +66,9 @@
|
|||||||
"url": "http://kratos:4433",
|
"url": "http://kratos:4433",
|
||||||
"strip_path": "/kratos"
|
"strip_path": "/kratos"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "hydra-public",
|
"id": "hydra-public",
|
||||||
@@ -101,12 +81,8 @@
|
|||||||
"url": "http://hydra:4444",
|
"url": "http://hydra:4444",
|
||||||
"strip_path": "/hydra"
|
"strip_path": "/hydra"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|||||||
100
docker/ory/oathkeeper/rules.json
Normal file → Executable file
100
docker/ory/oathkeeper/rules.json
Normal file → Executable file
@@ -1,92 +1,114 @@
|
|||||||
[
|
[
|
||||||
{
|
{
|
||||||
"id": "public-health",
|
"id": "public-health",
|
||||||
"description": "공개 헬스체크",
|
"description": "공개 헬스체크 (STAGE 도메인)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/health",
|
"url": "<.*>://sso-test.hmac.kr/health",
|
||||||
"methods": ["GET"]
|
"methods": ["GET"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "public-preflight",
|
"id": "public-preflight",
|
||||||
"description": "CORS preflight",
|
"description": "CORS preflight (STAGE 도메인)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/api/v1/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
|
||||||
"methods": ["OPTIONS"]
|
"methods": ["OPTIONS"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "public-auth",
|
"id": "public-auth",
|
||||||
"description": "인증/회원가입 등 공개 엔드포인트",
|
"description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/api/v1/auth/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
|
||||||
"methods": ["GET", "POST", "OPTIONS"]
|
"methods": ["GET", "POST", "OPTIONS"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-command",
|
"id": "backend-command",
|
||||||
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
|
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/api/v1/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
|
||||||
"methods": ["POST", "PUT", "PATCH", "DELETE"]
|
"methods": ["POST", "PUT", "PATCH", "DELETE"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-query",
|
"id": "backend-query",
|
||||||
"description": "Backend Query (admin/dev 포함)",
|
"description": "Backend Query (admin/dev 포함)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "http://<.*>/api/v1/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
|
||||||
"methods": ["GET"]
|
"methods": ["GET"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
},
|
||||||
]
|
{
|
||||||
|
"id": "hydra-well-known",
|
||||||
|
"description": "Hydra OIDC Discovery & JWKS",
|
||||||
|
"match": {
|
||||||
|
"url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
|
||||||
|
"methods": ["GET", "OPTIONS"]
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"url": "http://hydra:4444"
|
||||||
|
},
|
||||||
|
"authenticators": [{ "handler": "noop" }],
|
||||||
|
"authorizer": { "handler": "allow" },
|
||||||
|
"mutators": [{ "handler": "noop" }]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "hydra-oauth2",
|
||||||
|
"description": "Hydra OAuth2 Endpoints",
|
||||||
|
"match": {
|
||||||
|
"url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
|
||||||
|
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"url": "http://hydra:4444"
|
||||||
|
},
|
||||||
|
"authenticators": [{ "handler": "noop" }],
|
||||||
|
"authorizer": { "handler": "allow" },
|
||||||
|
"mutators": [{ "handler": "noop" }]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "hydra-userinfo",
|
||||||
|
"description": "Hydra Userinfo",
|
||||||
|
"match": {
|
||||||
|
"url": "<.*>://sso-test.hmac.kr/userinfo",
|
||||||
|
"methods": ["GET", "POST", "OPTIONS"]
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"url": "http://hydra:4444"
|
||||||
|
},
|
||||||
|
"authenticators": [{ "handler": "noop" }],
|
||||||
|
"authorizer": { "handler": "allow" },
|
||||||
|
"mutators": [{ "handler": "noop" }]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
40
docker/ory/oathkeeper/rules.prod.json
Normal file → Executable file
40
docker/ory/oathkeeper/rules.prod.json
Normal file → Executable file
@@ -9,13 +9,9 @@
|
|||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "public-preflight",
|
"id": "public-preflight",
|
||||||
@@ -27,13 +23,9 @@
|
|||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "public-auth",
|
"id": "public-auth",
|
||||||
@@ -45,13 +37,9 @@
|
|||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-command",
|
"id": "backend-command",
|
||||||
@@ -63,13 +51,9 @@
|
|||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-query",
|
"id": "backend-query",
|
||||||
@@ -81,12 +65,8 @@
|
|||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|||||||
94
docker/ory/oathkeeper/rules.stage.json
Normal file → Executable file
94
docker/ory/oathkeeper/rules.stage.json
Normal file → Executable file
@@ -3,90 +3,112 @@
|
|||||||
"id": "public-health",
|
"id": "public-health",
|
||||||
"description": "공개 헬스체크 (STAGE 도메인)",
|
"description": "공개 헬스체크 (STAGE 도메인)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "https://sso.hmac.kr/health",
|
"url": "<.*>://sso-test.hmac.kr/health",
|
||||||
"methods": ["GET"]
|
"methods": ["GET"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "public-preflight",
|
"id": "public-preflight",
|
||||||
"description": "CORS preflight (STAGE 도메인)",
|
"description": "CORS preflight (STAGE 도메인)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "https://sso.hmac.kr/api/v1/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
|
||||||
"methods": ["OPTIONS"]
|
"methods": ["OPTIONS"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "public-auth",
|
"id": "public-auth",
|
||||||
"description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
|
"description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "https://sso.hmac.kr/api/v1/auth/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
|
||||||
"methods": ["GET", "POST", "OPTIONS"]
|
"methods": ["GET", "POST", "OPTIONS"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "noop" }],
|
||||||
{ "handler": "noop" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "allow" },
|
"authorizer": { "handler": "allow" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-command",
|
"id": "backend-command",
|
||||||
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
|
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "https://sso.hmac.kr/api/v1/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
|
||||||
"methods": ["POST", "PUT", "PATCH", "DELETE"]
|
"methods": ["POST", "PUT", "PATCH", "DELETE"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "backend-query",
|
"id": "backend-query",
|
||||||
"description": "Backend Query (admin/dev 포함)",
|
"description": "Backend Query (admin/dev 포함)",
|
||||||
"match": {
|
"match": {
|
||||||
"url": "https://sso.hmac.kr/api/v1/<.*>",
|
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
|
||||||
"methods": ["GET"]
|
"methods": ["GET"]
|
||||||
},
|
},
|
||||||
"upstream": {
|
"upstream": {
|
||||||
"url": "http://baron_backend:3000"
|
"url": "http://baron_backend:3000"
|
||||||
},
|
},
|
||||||
"authenticators": [
|
"authenticators": [{ "handler": "cookie_session" }],
|
||||||
{ "handler": "cookie_session" }
|
|
||||||
],
|
|
||||||
"authorizer": { "handler": "remote_json" },
|
"authorizer": { "handler": "remote_json" },
|
||||||
"mutators": [
|
"mutators": [{ "handler": "noop" }]
|
||||||
{ "handler": "noop" }
|
},
|
||||||
]
|
{
|
||||||
|
"id": "hydra-well-known",
|
||||||
|
"description": "Hydra OIDC Discovery & JWKS",
|
||||||
|
"match": {
|
||||||
|
"url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
|
||||||
|
"methods": ["GET", "OPTIONS"]
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"url": "http://hydra:4444"
|
||||||
|
},
|
||||||
|
"authenticators": [{ "handler": "noop" }],
|
||||||
|
"authorizer": { "handler": "allow" },
|
||||||
|
"mutators": [{ "handler": "noop" }]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "hydra-oauth2",
|
||||||
|
"description": "Hydra OAuth2 Endpoints",
|
||||||
|
"match": {
|
||||||
|
"url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
|
||||||
|
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"url": "http://hydra:4444"
|
||||||
|
},
|
||||||
|
"authenticators": [{ "handler": "noop" }],
|
||||||
|
"authorizer": { "handler": "allow" },
|
||||||
|
"mutators": [{ "handler": "noop" }]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "hydra-userinfo",
|
||||||
|
"description": "Hydra Userinfo",
|
||||||
|
"match": {
|
||||||
|
"url": "<.*>://sso-test.hmac.kr/userinfo",
|
||||||
|
"methods": ["GET", "POST", "OPTIONS"]
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"url": "http://hydra:4444"
|
||||||
|
},
|
||||||
|
"authenticators": [{ "handler": "noop" }],
|
||||||
|
"authorizer": { "handler": "allow" },
|
||||||
|
"mutators": [{ "handler": "noop" }]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
@@ -26,10 +26,39 @@ server {
|
|||||||
error_log /dev/stderr warn;
|
error_log /dev/stderr warn;
|
||||||
access_log /var/log/nginx/access.log json_combined;
|
access_log /var/log/nginx/access.log json_combined;
|
||||||
|
|
||||||
# --- UserFront 정적 파일 ---
|
# --- Backend API Proxy ---
|
||||||
|
location /api {
|
||||||
|
proxy_pass http://baron_backend:3000;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
|
# --- Ory Stack Proxy (via Oathkeeper) ---
|
||||||
|
# Kratos Public API
|
||||||
|
location /auth {
|
||||||
|
proxy_pass http://oathkeeper:4455;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Hydra Public API (Rewrite /oidc/... to /...)
|
||||||
|
location /oidc {
|
||||||
|
rewrite ^/oidc/(.*)$ /$1 break;
|
||||||
|
proxy_pass http://oathkeeper:4455;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
|
# --- UserFront Static Files ---
|
||||||
location / {
|
location / {
|
||||||
root /usr/share/nginx/html;
|
root /usr/share/nginx/html;
|
||||||
index index.html;
|
index index.html;
|
||||||
try_files $uri $uri/ /index.html;
|
try_files $uri $uri/ /index.html;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Reference in New Issue
Block a user