chore: experimental do not use auth subpath

clepski · clepski · commit a0e2fbc8821e · 2024-09-16T14:17:28.000+02:00
diff --git a/compas/docker-compose-postgresql.yml b/compas/docker-compose-postgresql.yml
@@ -33,10 +33,10 @@ services:
       compas: true
     ports:
       - "8089:8080"
-      - "8080:8080"
+     # - "8080:8080"
     environment:
-      - KC_HOSTNAME=${COMPAS_HOSTNAME}
-      - KC_HTTP_RELATIVE_PATH=auth
+      - KC_HOSTNAME=http://${COMPAS_HOSTNAME}
+      # - KC_HTTP_RELATIVE_PATH=auth
       - KC_HTTP_ENABLED=true
       - KC_PROXY_HEADERS=xforwarded
     volumes:
diff --git a/compas/reverse-proxy/authenticate.include b/compas/reverse-proxy/authenticate.include
@@ -1,11 +1,11 @@
 access_by_lua_block {
   local opts = {
     redirect_uri = "http://##COMPAS_HOSTNAME##/redirect_uri",
-    discovery = "http://keycloak:8080/auth/realms/compas/.well-known/openid-configuration",
+    discovery = "http://keycloak:8080/realms/compas/.well-known/openid-configuration",
     client_id = "openscd",
     redirect_uri_scheme = "http",
     logout_path = "/logout",
-    redirect_after_logout_uri = "http://##COMPAS_HOSTNAME##/auth/realms/compas/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F##COMPAS_HOSTNAME##%2F",
+    redirect_after_logout_uri = "http://##COMPAS_HOSTNAME##/realms/compas/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F##COMPAS_HOSTNAME##%2F",
     redirect_after_logout_with_id_token_hint = false,
     session_contents = {id_token=true, access_token=true},
     renew_access_token_on_expiry = true,
diff --git a/compas/reverse-proxy/nginx.conf b/compas/reverse-proxy/nginx.conf
@@ -63,6 +63,34 @@ http {
        proxy_redirect off;
      }
 
+      # Forwarding to KeyCloak container 2.
+     location /realms/ {
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+
+       proxy_pass http://keycloak:8080/realms/;
+
+       proxy_set_header Host $http_host;
+       proxy_cache_bypass $http_upgrade;
+       proxy_redirect off;
+     }
+
+      # Forwarding to KeyCloak container resources.
+     location /resources/ {
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+
+       proxy_pass http://keycloak:8080/resources/;
+
+       proxy_set_header Host $http_host;
+       proxy_cache_bypass $http_upgrade;
+       proxy_redirect off;
+     }
+
      # Forwarding to the SCL Validator Service container (websockets).
      location /compas-scl-data-service/scl-ws/ {
        include /etc/nginx/include/authenticate.include;
