-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to make vouch to secure https? #64
Comments
I've put vouch proxy behind the same nginx instance serving the protected
sites. The proxy pass directive of /validate uses the upstream config.
See the nginx docs for 'upstream' and 'internal':
https://nginx.org/en/docs/http/ngx_http_upstream_module.html
https://nginx.org/en/docs/http/ngx_http_core_module.html#internal
If you have a cert issued from letsencrypt it's pretty straight forward to
get that running.
…On Sun, Feb 3, 2019, 6:18 AM jayb1122 ***@***.*** wrote:
Unless I didn't see it, the README doesn't talk about how to enable secure
https. If I wanted to provide my own certs, where would I put them? Btw,
the latest NGINX complains about non-secure connections - suspect those are
from using the vouch server section (running with Chrome, F12 and
monitoring Network traffic). Great app! This was the only complete openid
client solution I found that actually works in a production environment.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#64>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABNK67RBZZbuz1px3-bw3Afw4HlEcGSsks5vJu-0gaJpZM4agIPm>
.
|
Were you able to get nginx configured with https in front of Vouch Proxy? |
Not yet. Not sure how to get my certs into the scratch-built container or where to place them. Maybe during Docker image build or perhaps using config file? Maybe I'm overthinking this...
On Tuesday, February 5, 2019, 3:52:21 AM MST, Benjamin Foote <[email protected]> wrote:
Were you able to get nginx configured with https in front of Vouch Proxy?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
Is there a reason you can't use the same nginx reverse proxy? I'd like to
better understand your use case.
…On Tue, Feb 5, 2019, 7:04 AM jayb1122 ***@***.*** wrote:
Not yet. Not sure how to get my certs into the scratch-built container or
where to place them. Maybe during Docker image build or perhaps using
config file? Maybe I'm overthinking this...
On Tuesday, February 5, 2019, 3:52:21 AM MST, Benjamin Foote <
***@***.***> wrote:
Were you able to get nginx configured with https in front of Vouch Proxy?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#64 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABNK66je-hcsDbOwZKchl8AwH3aJEj8kks5vKZ2LgaJpZM4agIPm>
.
|
Hope this helps... Here are my nginx and vouch-proxy config.yml settings. Both are running as services in a docker swarm.
Does this look correct for the case of deploying a vouch-proxy with a secure front-end? Thanks!
Vouch-Proxy config.yml
|
That looks generally correct though personally I'd use both |
here's an example I like...
|
@jayb1122 did you have an opportunity to try this out? |
Thanks! With your help, I've deployed vouch proxy into a production swarm. |
I'm so glad to hear it!
…On Mon, Feb 25, 2019, 9:36 PM jayb1122 ***@***.***> wrote:
Thanks! With your help, I've deployed vouch proxy into a production swarm.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#64 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABNK68x_XHFNt7lP13l__2rJbNUtHdpgks5vRAoFgaJpZM4agIPm>
.
|
This would rely on the upstream (vouch.yourdomain.com) being secure, no? |
I aware of the config examples utilising a reverse proxy such an nginx and
have implemented it like that for now. However, I was interested in this
example since I have divided my services into lxc containers including
vouch and nginx. I was only curious to the security of this setup as I only
knew the loopback to be secure for on device ip communication.
…On Thu, 25 Jul 2024, 18:28 Benjamin Foote, ***@***.***> wrote:
@Xavantex <https://github.com/Xavantex> this is a very old thread. Please
look at the /config examples and #332
<#332> for how to secure VP
—
Reply to this email directly, view it on GitHub
<#64 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHA6V3IJCPHFRFF4LFU7LDDZOERUBAVCNFSM6AAAAABLONOLVGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJQHA4TGOJQGA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Unless I didn't see it, the README doesn't talk about how to enable secure https. If I wanted to provide my own certs, where would I put them? Btw, the latest NGINX complains about non-secure connections - suspect those are from using the vouch server section (running with Chrome, F12 and monitoring Network traffic). Great app! This was the only complete openid client solution I found that actually works in a production environment.
The text was updated successfully, but these errors were encountered: