Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow deployment on path other than / #253

Closed
innermatrix opened this issue Apr 28, 2020 · 4 comments
Closed

Allow deployment on path other than / #253

innermatrix opened this issue Apr 28, 2020 · 4 comments
Labels
enhancement help wanted

Comments

@innermatrix
Copy link
Contributor

I am deploying an app that is using vouch proxy for authentication, and the app has to be reachable form behind a firewall that restricts outbound ports. Therefore the usual approach of "run app on foo.example.com, run vouch on foo.example.com:9090" doesn't work, because :9090 is blocked by the firewall. The failing sequence is:

  1. UA requests foo.example.com
  2. nginx subrequests to foo.example.com/validate
  3. nginx proxy-passes /validate to foo.example.com:9090/validate
  4. foo.example.com:9090/validate finds user is not logged in and returns 401 from the subrequest
  5. nginx redirects to foo.example.com:9090/login
  6. UA fails to load :9090/login

Now, I could at this point add a location /login proxy pass to :9090/login, and change the redirect in step 5 to go to /login, which would let the UA reach the vouch login endpoint without going directly to :9090.

However, in some error scenarios :9090/login (regardless of how it's accessed) returns an error page (generated from index.tmpl) that has absolute references to /static. So, in order to make /login proxy-pass really work I also have to add a /static proxy-pass. Oh, but wait, is it possible that my app already uses /static? Yes. It is.

What I would really like to do is put a proxy-pass from foo.example.com/vouch to foo.example.com:9090 and be done with it (and then I can use /vouch/login and /vouch/auth for external endpoints), but that only works if vouch uses relative references to its static resources in its error pages. So, please make that work 🙂
@fbartels
Copy link

Why not use a dedicated domain for vouch?

@innermatrix
Copy link
Contributor Author

Adds more work every time I deploy the app on a new domain, when it could be fixed once for everyone forever in vouch.

Imagine that I am creating an app that allows users to deploy it on a custom BYO domain. The usual steps for this are "register your domain and create a DNS record to point your domain to your instance of the app". But now if the app uses vouch I have to ask people to create an additional DNS record?

Or imagine that I rolled my own solution to this previously and in the next version of my app I want to switch to using vouch. So now when my users upgrade from v1 to v2, they have to… add a DNS record?

None of that should be necessary.

@bnfinet
Copy link
Member

bnfinet commented Apr 28, 2020

@airbornemint thanks, PRs welcome

@bnfinet
Copy link
Member

bnfinet commented Jan 25, 2022

fixed in v0.33.0, see #373

@bnfinet bnfinet closed this as completed Jan 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fbartels @bnfinet @innermatrix