

Run identity provider on docker with a reverse proxy
Added support for Docker. The identity provider will run over HTTP behind a reverse proxy (Traefik by default) that performs TLS termination.
Nfactor26 committed Dec 1, 2021
1 parent 5f71258 commit 9052b15
Showing 19 changed files with 457 additions and 30 deletions.
Empty file.
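--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,25 @@
+**/.classpath
+**/.dockerignore
+**/.env
+**/.git
+**/.gitignore
+**/.project
+**/.settings
+**/.toolstarget
+**/.vs
+**/.vscode
+**/*.*proj.user
+**/*.dbmdl
+**/*.jfm
+**/azds.yaml
+**/bin
+**/charts
+**/docker-compose*
+**/Dockerfile*
+**/node_modules
+**/npm-debug.log
+**/obj
+**/secrets.dev.yaml
+**/values.dev.yaml
+LICENSE
+README.md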
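--- a/.traefik/config.yml
+++ b/.traefik/config.yml
@@ -0,0 +1,20 @@
+#Traefik router https://doc.traefik.io/traefik/routing/routers/
+http:
+routers:
+traefik:
+rule: "Host(`traefik.docker.localhost`)"
+service: "api@internal"
+tls:
+domains:
+- main: "docker.localhost"
+sans:
+- "*.docker.localhost"
+- main: "domain.local"
+sans:
+- "*.domain.local"
+
+#Traefik TLS https://doc.traefik.io/traefik/https/tls/
+tls:
+certificates:
+- certFile: "/etc/certs/pixel-cert.pem"
+keyFile: "/etc/certs/pixel-key.pem"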
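Review bot: The `traefik` router at the top of this file sends `traefik.docker.localhost` to `api@internal` with no middleware, so the dashboard and API answer to anyone who can resolve that host; `.traefik/traefik.yml` in the same commit also sets `api.insecure: true` and `docker-compose.override.yml` publishes `8080:8080`, which exposes the same API unauthenticated on every host interface as well. Since a dedicated router already exists, `insecure` can be set to `false` and the port mapping dropped, and the router given an auth middleware, e.g. `middlewares: ["dashboard-auth"]` backed by a `basicAuth` entry under `http.middlewares` whose credentials come from outside the repository. The same applies to the `mongo-express` router in the compose file, which fronts a database admin UI the same way.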
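--- a/.traefik/traefik.yml
+++ b/.traefik/traefik.yml
@@ -0,0 +1,41 @@
+global:
+sendAnonymousUsage: false
+
+api:
+dashboard: true
+insecure: true
+
+# we define docker based and file based provider.
+providers:
+docker:
+endpoint: "unix:///var/run/docker.sock"
+watch: true
+exposedByDefault: false
+useBindPortIP: false
+httpClientTimeout: 30
+network: pixel-network
+
+file:
+filename: /etc/traefik/config.yml
+watch: true
+
+log:
+level: INFO
+format: common
+
+accessLog: {}
+
+tracing:
+jaeger: {}
+
+entryPoints:
+http:
+address: ":80"
+http:
+# redirect any request on http to https
+redirections:
+entryPoint:
+to: https
+scheme: https
+https:
+address: ":443"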
18 changes: 16 additions & 2 deletions Pixel.Identity.sln
@@ -1,14 +1,16 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.6.30114.105
# Visual Studio Version 17
VisualStudioVersion = 17.1.31911.260
MinimumVisualStudioVersion = 10.0.40219.1
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Pixel.Identity.Provider", "src\Server\Pixel.Identity.Provider.csproj", "{F779E136-A2F5-41FA-B4AB-02C9DE9C8CCB}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Pixel.Identity.UI.Client", "src\Client\Pixel.Identity.UI.Client.csproj", "{F7E50B7A-C3EB-4DD6-9B19-67020C1F9C97}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Pixel.Identity.Shared", "src\Shared\Pixel.Identity.Shared.csproj", "{A549C971-2306-45A0-BDCD-D210523FFBB3}"
EndProject
Project("{E53339B2-1760-4266-BCC7-CA923CBCF16C}") = "docker-compose", "docker-compose.dcproj", "{8F59DA83-60F4-485A-B8C7-B17936EC00A2}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Expand Down Expand Up @@ -55,6 +57,18 @@ Global
{A549C971-2306-45A0-BDCD-D210523FFBB3}.Release|x64.Build.0 = Release|Any CPU
{A549C971-2306-45A0-BDCD-D210523FFBB3}.Release|x86.ActiveCfg = Release|Any CPU
{A549C971-2306-45A0-BDCD-D210523FFBB3}.Release|x86.Build.0 = Release|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Debug|Any CPU.Build.0 = Debug|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Debug|x64.ActiveCfg = Debug|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Debug|x64.Build.0 = Debug|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Debug|x86.ActiveCfg = Debug|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Debug|x86.Build.0 = Debug|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Release|Any CPU.ActiveCfg = Release|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Release|Any CPU.Build.0 = Release|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Release|x64.ActiveCfg = Release|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Release|x64.Build.0 = Release|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Release|x86.ActiveCfg = Release|Any CPU
{8F59DA83-60F4-485A-B8C7-B17936EC00A2}.Release|x86.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
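--- a/docker-compose.dcproj
+++ b/docker-compose.dcproj
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" Sdk="Microsoft.Docker.Sdk">
+<PropertyGroup Label="Globals">
+<ProjectVersion>2.1</ProjectVersion>
+<DockerTargetOS>Linux</DockerTargetOS>
+<ProjectGuid>8f59da83-60f4-485a-b8c7-b17936ec00a2</ProjectGuid>
+<DockerLaunchAction>LaunchBrowser</DockerLaunchAction>
+<DockerServiceUrl>{Scheme}://localhost:{ServicePort}</DockerServiceUrl>
+<DockerServiceName>pixel.identity.provider</DockerServiceName>
+</PropertyGroup>
+<ItemGroup>
+<None Include="docker-compose.override.yml">
+<DependentUpon>docker-compose.yml</DependentUpon>
+</None>
+<None Include="docker-compose.yml" />
+<None Include=".dockerignore" />
+</ItemGroup>
+</Project>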
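--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -0,0 +1,120 @@
+version: '3.4'
+
+services:
+
+reverse-proxy:
+# The official v2 Traefik docker image
+image: traefik:v2.5.4
+container_name: pixel_identity_traefik
+restart: unless-stopped
+security_opt:
+- no-new-privileges:true
+# Enables the web UI and tells Traefik to listen to docker
+# command: --api.insecure=true --providers.docker --log.level=DEBUG
+labels:
+- "traefik.enable=true"
+# Use "traefik" router configuration defined into the dynamic config file: ./traefik/config.yml
+- "traefik.http.routers.traefik=true"
+#- "traefik.http.routers.reverse-proxy.middlewares=header-middleware@docker"
+#- "traefik.http.middlewares.header-middleware.headers.accesscontrolallowmethods=*"
+#- "traefik.http.middlewares.header-middleware.headers.accessControlAllowHeaders=*"
+#- "traefik.http.middlewares.header-middleware.headers.accessControlAllowCredentials=true"
+#- "traefik.http.middlewares.header-middleware.headers.accesscontrolalloworiginlist=https://identity.docker.localhost"
+ports:
+# The HTTP port
+- "80:80"
+# The Https port
+- "443:443"
+# The Web UI (enabled by --api.insecure=true)
+- "8080:8080"
+volumes:
+# So that Traefik can listen to the Docker events
+- /var/run/docker.sock:/var/run/docker.sock:ro
+# Map the static conf into the container
+- ./.traefik/traefik.yml:/etc/traefik/traefik.yml:ro
+# Map the dynamic conf into the container
+- ./.traefik/config.yml:/etc/traefik/config.yml:ro
+# Map the certificats into the container
+- ./.certificates:/etc/certs:ro
+networks:
+- pixel-network
+profiles:
+- proxy
+
+mongo:
+image: mongo:latest
+container_name: pixel_identity_mongo
+command: --auth
+restart: always
+volumes:
+- mongo-pixel-identiy-store:/data/db
+networks:
+- pixel-network
+environment:
+MONGO_INITDB_ROOT_USERNAME: mongoadmin
+MONGO_INITDB_ROOT_PASSWORD: mongopass
+#ports:
+# - 27017:27017
+#labels:
+# - "traefik.enable=true"
+# - "traefik.http.routers.pixel-identity.rule=Host(`mongo.docker.localhost`)"
+profiles:
+- mongo
+
+mongo-express:
+image: mongo-express:latest
+container_name: pixel_identity_mongo_dashboard
+restart: always
+environment:
+ME_CONFIG_MONGODB_ADMINUSERNAME: mongoadmin
+ME_CONFIG_MONGODB_ADMINPASSWORD: mongopass
+ME_CONFIG_MONGODB_URL: mongodb://mongoadmin:mongopass@mongo:27017/
+depends_on:
+- mongo
+labels:
+- "traefik.enable=true"
+- "traefik.http.routers.mongo-express.rule=Host(`mongo.docker.localhost`)"
+- "traefik.http.routers.mongo-express.tls=true"
+profiles:
+- mongo
+networks:
+- pixel-network
+
+pixel-identity:
+container_name: pixel_identity_provider
+environment:
+- ASPNETCORE_ENVIRONMENT=Development
+- ASPNETCORE_URLS=http://+
+- MongoDbSettings:ConnectionString=mongodb://mongoadmin:mongopass@mongo:27017/
+- IdentityHost=identity.docker.localhost
+- AllowedOrigins=https://identity.docker.localhost;http://identity.docker.localhost
+# Certificate settings when using https
+#- Kestrel:Certificates:Default:Path=/etc/certs/pixel-identity-cert.pem
+#- Kestrel:Certificates:Default:KeyPath=/etc/certs/pixel-identity-key.pem
+#depends_on:
+# - mongo
+#ports:
+# - "5050:80"
+# - "5051:443"
+volumes:
+#- ./.certificates:/etc/certs:ro
+- ${APPDATA}/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro
+- ${APPDATA}/ASP.NET/Https:/root/.aspnet/https:ro
+labels:
+- "traefik.enable=true"
+- "traefik.http.routers.pixel-identity.rule=Host(`identity.docker.localhost`)"
+- "traefik.http.routers.pixel-identity.tls=true"
+#- "traefik.http.middlewares.header-middleware.headers.accesscontrolmaxage=100"
+#- "traefik.http.middlewares.header-middleware.headers.addvaryheader=true"
+#- "traefik.http.routers.pixel-identity.middlewares=test-redirectscheme"
+#- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+#- "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+networks:
+- pixel-network
+
+volumes:
+mongo-pixel-identiy-store:
+
+networks:
+pixel-network:
+external: true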
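Review bot: The MongoDB root credentials `mongoadmin`/`mongopass` are committed in plaintext in four places (the `mongo` environment, both `mongo-express` variables and `MongoDbSettings:ConnectionString` on `pixel-identity`), and `mongo-express` is then routed through the proxy on `mongo.docker.localhost`, so the database admin UI is reachable with values anyone can read from the repository. Take them from the environment instead, e.g. `MONGO_INITDB_ROOT_PASSWORD: ${MONGO_ROOT_PASSWORD:?set in .env}` and `- MongoDbSettings:ConnectionString=mongodb://${MONGO_ROOT_USERNAME}:${MONGO_ROOT_PASSWORD}@mongo:27017/`, keeping the values in a `.env` file that the new `.dockerignore` already excludes from build contexts. The Docker socket mount on `reverse-proxy` is `:ro`, but that only makes the socket node read-only; the API behind it still grants the proxy container full control of the daemon, so a socket proxy that allows only the read endpoints Traefik needs would narrow that. `mongo:latest` and `mongo-express:latest` are unpinned while `traefik:v2.5.4` is pinned, so the stack is not reproducible.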
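--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,9 @@
+version: '3.4'
+
+services:
+
+pixel-identity:
+image: ${DOCKER_REGISTRY-}pixelidentityprovider
+build:
+context: .
+dockerfile: src/Server/Dockerfile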
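--- a/launchSettings.json
+++ b/launchSettings.json
@@ -0,0 +1,16 @@
+{
+"profiles": {
+"Docker Compose": {
+"commandName": "DockerCompose",
+"composeLaunchAction": "LaunchBrowser",
+"composeLaunchServiceName": "pixel-identity",
+"composeLaunchUrl": "{Scheme}://identity.dashboard.local",
+"commandVersion": "1.0",
+"serviceActions": {
+"mongo": "StartWithoutDebugging",
+"pixel-identity": "StartDebugging",
+"reverse-proxy": "StartWithoutDebugging"
+}
+}
+}
+}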
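Review bot: `composeLaunchUrl` points at `identity.dashboard.local`, but nothing else in this commit routes that host: the `pixel-identity` router label in `docker-compose.override.yml` matches `identity.docker.localhost`, and `.traefik/config.yml` only lists `docker.localhost` and `domain.local` domains. Unless that name is resolved and routed somewhere outside this commit, the browser Visual Studio opens will be answered by Traefik's default 404; `"composeLaunchUrl": "{Scheme}://identity.docker.localhost"` would match the configured router.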
10 changes: 6 additions & 4 deletions src/Client/Program.cs
@@ -1,6 +1,7 @@
using FluentValidation;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using MudBlazor;
using MudBlazor.Services;
Expand Down Expand Up @@ -56,19 +57,20 @@ public static async Task Main(string[] args)
builder.Services.AddOidcAuthentication(options =>
{
options.ProviderOptions.ClientId = "pixel-identity-ui";
options.ProviderOptions.Authority = "https://localhost:44382/";
options.ProviderOptions.ResponseType = "code";
//options.ProviderOptions.DefaultScopes.Add("pixel_identity_api");
options.ProviderOptions.Authority = builder.HostEnvironment.BaseAddress;
options.ProviderOptions.ResponseType = "code";
//options.ProviderOptions.DefaultScopes.Add("pixel_identity_ui");

// Note: response_mode=fragment is the best option for a SPA. Unfortunately, the Blazor WASM
// authentication stack is impacted by a bug that prevents it from correctly extracting
// authorization error responses (e.g error=access_denied responses) from the URL fragment.
// For more information about this bug, visit https://github.com/dotnet/aspnetcore/issues/28344.
//
options.ProviderOptions.ResponseMode = "query";
options.AuthenticationPaths.RemoteRegisterPath = "https://localhost:44382/Identity/Account/Register";
options.AuthenticationPaths.RemoteRegisterPath = $"{builder.HostEnvironment.BaseAddress}/Identity/Account/Register";
});


builder.Services.AddApiAuthorization();
builder.Services.AddMudServices(config =>
{
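Review bot: `RemoteRegisterPath` is now `$"{builder.HostEnvironment.BaseAddress}/Identity/Account/Register"`, and `BaseAddress` normally carries a trailing slash (the hardcoded value it replaces, `https://localhost:44382/`, did too), so the resulting URL contains `//Identity/...` after the host. Combining the parts as URIs avoids depending on that: `options.AuthenticationPaths.RemoteRegisterPath = new Uri(new Uri(builder.HostEnvironment.BaseAddress), "Identity/Account/Register").ToString();`. `Authority` is set from the same `BaseAddress`, which is fine as long as the provider is always served from the app's own origin; a short comment saying so, e.g. `// the UI is hosted by the identity provider itself, so the authority is our own origin`, would spare the next reader the question. The enclosing `Main` starts before this hunk.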
13 changes: 7 additions & 6 deletions src/Client/wwwroot/appsettings.json
@@ -1,14 +1,15 @@
{
"PixelIdentityUI": {
"Authority": "https://localhost:5001",
"ClientId": "Pixel.Identity.UI",
"Authority": "http://localhost:44382",
"ClientId": "pixel-identity-ui",
"DefaultScopes": [
"openid",
"profile",
"email"
"email"
],
"RedirectUri": "https://localhost:5001/authentication/login-callback",
"PostLogoutRedirectUri": "https://localhost:5001/authentication/logout-callback",
"ResponseType": "code"
"RedirectUri": "http://localhost:44382/authentication/login-callback",
"PostLogoutRedirectUri": "http://localhost:44382/authentication/logout-callback",
"ResponseType": "code",
"ResponseMode": "query"
}
}
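Review bot: `Authority`, `RedirectUri` and `PostLogoutRedirectUri` move from `https://localhost:5001` to plain `http://localhost:44382`, so if this `PixelIdentityUI` section is bound to the OIDC options anywhere, the authorization code returned on the redirect (in the URL, given `"ResponseMode": "query"`) travels over cleartext HTTP. The `Program.cs` change in the same commit derives the authority from `HostEnvironment.BaseAddress` instead of reading this section, so it may no longer be consumed at all; either way the two sources should agree, and if this block is dead it is better removed than left as a second, diverging configuration.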
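--- a/src/Server/Dockerfile
+++ b/src/Server/Dockerfile
@@ -0,0 +1,24 @@
+#See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
+
+FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
+WORKDIR /app
+EXPOSE 80
+#EXPOSE 443
+
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+WORKDIR /src
+COPY ["src/Server/Pixel.Identity.Provider.csproj", "src/Server/"]
+COPY ["src/Client/Pixel.Identity.UI.Client.csproj", "src/Client/"]
+COPY ["src/Shared/Pixel.Identity.Shared.csproj", "src/Shared/"]
+RUN dotnet restore "src/Server/Pixel.Identity.Provider.csproj"
+COPY . .
+WORKDIR "/src/src/Server"
+RUN dotnet build "Pixel.Identity.Provider.csproj" -c Release -o /app/build
+
+FROM build AS publish
+RUN dotnet publish "Pixel.Identity.Provider.csproj" -c Release -o /app/publish
+
+FROM base AS final
+WORKDIR /app
+COPY --from=publish /app/publish .
+ENTRYPOINT ["dotnet", "Pixel.Identity.Provider.dll"]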
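Review bot: `COPY . .` in the `build` stage copies the whole build context (`context: .` in `docker-compose.yml`), and the new `.dockerignore` does not exclude `.certificates`, the directory `docker-compose.override.yml` mounts into Traefik as `/etc/certs` holding `pixel-key.pem`, nor `.traefik`; if that directory is present the TLS private key lands in the `build` and `publish` layers and the build cache, even though `final` only copies `/app/publish`. Adding `**/.certificates` and `**/.traefik` to `.dockerignore` keeps it out. There is also no `USER` instruction, so the provider appears to run as root in the final image; a non-root user is the usual hardening, though the compose file's user-secrets mounts under `/root/...` would have to move with it.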
