ory oathkeeper configuration on deployment #850
-
Hi. Oathkeeper config:
Please help me with this. I do not even know what the problem is, and I am running the project in a Docker environment.
Replies: 4 comments 1 reply
-
access rules from slack:
Can you run me through the steps to reproduce, maybe? I could not find an immediate problem. I will also ask around.
-
Yeah, sure.
As you know, the first 3 steps are the default rules of the Kratos project.
The rules that I added for my project had no problem running, because I tested everything with httpbin.org and got some responses, but it turns out I cannot redirect to some other websites such as Microsoft or google.com. Whenever I enter a matching URL such as http://iap.ir:4455/app2/ it redirects to the website, but some websites return a 503 response and some of them a 404. I thought it might have something to do with the CORS config. Let me send you the Oathkeeper config in case there is anything wrong with it.
```yaml
log:
  level: debug
  format: json
serve:
  proxy:
    cors:
      enabled: true
      allowed_origins:
        - '*'
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - HEAD
        - DELETE
        - CONNECT
        - TRACE
      allowed_headers:
        - Authorization
        - Content-Type
      exposed_headers:
        - Content-Type
        - Authorization
      allow_credentials: true
      debug: true
errors:
  fallback:
    - json
  handlers:
    redirect:
      enabled: true
      config:
        to: https://iap.ir:4455/auth/login
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
    json:
      enabled: true
      config:
        verbose: true
access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/accessrules.yml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      extra_from: '***@***.***'   # value redacted in the original post
      subject_from: identity.id
      only:
        - ory_kratos_session
  noop:
    enabled: true
authorizers:
  allow:
    enabled: true
  remote_json:
    enabled: true
    config:
      remote: http://apollo:5000/api/accessrules/authorization
      forward_response_headers_to_upstream: []
      # one JSON object; the posted version had a doubled quote before "url"
      payload: '{ "subject": "{{ print .Subject }}", "url": "{{ print .MatchContext.URL }}" }'
mutators:
  noop:
    enabled: true
  id_token:
    enabled: true
    config:
      issuer_url: https://iap.ir:4455/
      jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json
      claims: "{\n \"session\": {{ .Extra | toJson }}\n}\n"
```
I even set the environment variables for the CORS configuration, but nothing has changed.
```yaml
oathkeeper:
  image: registry.hamim.co/iap/apollo/access-proxy:latest
  depends_on:
    - kratos
  ports:
    - "4455:4455"
    - "4456:4456"
  command:
    serve proxy -c "/etc/config/oathkeeper/oathkeeper.yml"
  environment:
    - LOG_LEVEL=debug
    - SERVE_PROXY_CORS_ALLOWED_ORIGINS=*
    - CORS_ALLOWED_ORIGINS=*
    - CORS_ALLOWED_HEADERS=Authorization,Accept,Accept-Language,Content-Language,Content-Type,Origin
    - CORS_ENABLED=true
    - CORS_DEBUG=true
  restart: on-failure
  networks:
    - intranet
  volumes:
    - ./static:/etc/config/oathkeeper
```
Let me send you my response page from Google whenever I type that URL.
[Screenshot from 2021-10-12 08-49-24.png attached]
I checked the remote JSON authorization and it works perfectly fine.
If there is anything you need, I would be happy to give you more info on my config.
Thanks again.
On Mon, Oct 11, 2021 at 8:18 PM Vincent <***@***.***> wrote:

access rules from slack:

```yaml
- id: ory:kratos:public
  upstream:
    preserve_host: true
    url: http://kratos:4433
    strip_path: /.ory/kratos/public
  match:
    url: http://<{oathkeeper,iap.ir:4455}>/.ory/kratos/public/<**>
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop
- id: ory:kratos-selfservice-ui-node:anonymous
  upstream:
    preserve_host: true
    url: http://kratos-selfservice-ui-node:4435
  match:
    url: http://<{oathkeeper,iap.ir:4455}>/<{error,recovery,verify,auth/*,**.css,**.js}{/,}>
    methods:
      - GET
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: noop
- id: ory:kratos-selfservice-ui-node:protected
  upstream:
    preserve_host: true
    url: http://kratos-selfservice-ui-node:4435
  match:
    url: http://iap.ir:4455/<{,debug,dashboard,settings}>
    methods:
      - GET
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: id_token
  errors:
    - handler: redirect
      config:
        to: http://iap.ir:4455/auth/login
- id: 46857558-b8d5-451c-8214-d35d16cd351d/4d6161c6-d404-4273-9eab-f753cde8ba29
  upstream:
    preserve_host: true
    url: https://google.com
  match:
    url: http://httpbin.iap.ir:4455/<**>
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: remote_json
    config:
      remote: http://apollo:5000/api/accessrules/authorization
      payload: '{"subject": "{{ print .Subject }}", "url": "{{ print .MatchContext.URL }}"}'
  mutators:
    - handler: id_token
  errors:
    - handler: redirect
      config:
        to: http://iap.ir:4455/auth/login
- id: bebb81b9-8cf6-4bb9-bb6c-2e4539cf1e89/4581fd53-b3c4-4094-a7ea-445a6c99f954
  upstream:
    preserve_host: true
    strip_path: /app2
    url: https://google.com
  match:
    url: http://iap.ir:4455/app2/<**>
    methods:
      - POST
      - GET
      - PUT
      - PATCH
      - HEAD
      - DELETE
      - CONNECT
      - TRACE
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: remote_json
    config:
      remote: http://apollo:5000/api/accessrules/authorization
      payload: '{"subject": "{{ print .Subject }}", "url": "{{ print .MatchContext.URL }}"}'
  mutators:
    - handler: noop
  errors:
    - handler: redirect
      config:
        to: http://iap.ir:4455/auth/login
```
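The rules above only behave as intended if exactly one of them claims each request, and with `matching_strategy: glob` that depends on how `*`, `**` and `{a,b}` are interpreted. The following is an added example, not code from this thread or from Oathkeeper itself: a small model of Oathkeeper's glob rule lookup, run against the five rules posted above. It assumes what Oathkeeper's glob strategy does: text outside `<...>` is literal, text inside is a gobwas-style glob compiled with `.` and `/` as separators (so `*` stops at either, `**` crosses both), and a request is rejected both when no rule matches and when more than one rule matches. The rule ids and match URLs are copied from the thread; the sample requests are constructed.

```python
import re

# Oathkeeper compiles its globs with '.' and '/' as separator characters:
# '*' and '?' stop at a separator, '**' crosses them.  This is an assumption
# of the example, taken from Oathkeeper's documented glob strategy.
SEPARATORS = "./"

# Constructed sample: the five access rules posted in this thread, reduced to
# (id, match.url, match.methods).
RULES = [
    ("ory:kratos:public",
     "http://<{oathkeeper,iap.ir:4455}>/.ory/kratos/public/<**>",
     ["GET", "POST", "PUT", "DELETE", "PATCH"]),
    ("ory:kratos-selfservice-ui-node:anonymous",
     "http://<{oathkeeper,iap.ir:4455}>/<{error,recovery,verify,auth/*,**.css,**.js}{/,}>",
     ["GET"]),
    ("ory:kratos-selfservice-ui-node:protected",
     "http://iap.ir:4455/<{,debug,dashboard,settings}>",
     ["GET"]),
    ("46857558-b8d5-451c-8214-d35d16cd351d/4d6161c6-d404-4273-9eab-f753cde8ba29",
     "http://httpbin.iap.ir:4455/<**>",
     ["GET", "POST", "PUT", "DELETE", "PATCH"]),
    ("bebb81b9-8cf6-4bb9-bb6c-2e4539cf1e89/4581fd53-b3c4-4094-a7ea-445a6c99f954",
     "http://iap.ir:4455/app2/<**>",
     ["POST", "GET", "PUT", "PATCH", "HEAD", "DELETE", "CONNECT", "TRACE"]),
]


def glob_to_regex(pattern):
    """Translate one gobwas-style glob into a regex fragment."""
    sep = re.escape(SEPARATORS)
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*" and pattern.startswith("**", i):
            out.append(".*")                 # ** crosses separators
            i += 2
        elif c == "*":
            out.append(f"[^{sep}]*")         # * stops at '.' or '/'
            i += 1
        elif c == "?":
            out.append(f"[^{sep}]")
            i += 1
        elif c == "{":                       # alternation, branches may be empty
            j, depth, start, parts = i + 1, 1, i + 1, []
            while j < n and depth:
                if pattern[j] == "{":
                    depth += 1
                elif pattern[j] == "}":
                    depth -= 1
                elif pattern[j] == "," and depth == 1:
                    parts.append(pattern[start:j])
                    start = j + 1
                j += 1
            if depth:
                raise ValueError(f"unbalanced '{{' in {pattern!r}")
            parts.append(pattern[start:j - 1])
            out.append("(?:" + "|".join(glob_to_regex(p) for p in parts) + ")")
            i = j
        elif c == "[":                       # character class, '!' negates
            j = pattern.find("]", i + 1)
            if j < 0:
                raise ValueError(f"unbalanced '[' in {pattern!r}")
            cls = pattern[i + 1:j]
            out.append("[" + ("^" + cls[1:] if cls.startswith("!") else cls) + "]")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def compile_match_url(match_url):
    """Glob strategy: text outside <...> is literal, text inside is a glob."""
    out, i = [], 0
    while i < len(match_url):
        lt = match_url.find("<", i)
        if lt < 0:
            out.append(re.escape(match_url[i:]))
            break
        gt = match_url.find(">", lt)
        if gt < 0:
            raise ValueError(f"unbalanced '<' in {match_url!r}")
        out.append(re.escape(match_url[i:lt]))
        out.append(glob_to_regex(match_url[lt + 1:gt]))
        i = gt + 1
    return re.compile("^" + "".join(out) + "$")


def match_rules(rules, method, url):
    """Ids of every rule whose method list and URL glob both match."""
    return [rid for rid, pat, methods in rules
            if method.upper() in methods and compile_match_url(pat).match(url)]


def decide(rules, method, url):
    """Mirror Oathkeeper's lookup: exactly one rule must match the request."""
    hits = match_rules(rules, method, url)
    if not hits:
        return ("no_rule", hits)      # Oathkeeper answers 404 here
    if len(hits) > 1:
        return ("ambiguous", hits)    # "expected exactly one rule but found multiple"
    return ("ok", hits)


if __name__ == "__main__":
    for method, url in [("GET", "http://iap.ir:4455/app2/"),
                        ("GET", "http://iap.ir:4455/app2/style.css"),
                        ("GET", "http://iap.ir:4455/auth/login.html"),
                        ("POST", "http://iap.ir:4455/auth/login")]:
        print(method, url, "->", decide(RULES, method, url))
```

Two things the model shows about the posted rules: `http://iap.ir:4455/app2/style.css` is claimed both by the anonymous rule (through `**.css`, since `**` crosses `/`) and by the app2 rule, which is a "more than one rule" error rather than a proxied request; and `auth/*` does not match `auth/login.html`, because a single `*` stops at `.`. A POST to `/auth/login` matches no rule at all, since that rule only lists GET.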
-
Hey @rezakazemi928 @Demonsthere, if you have a minute, can you take a quick look? Maybe there is something obvious I am missing here.
-
@vinckr, I cannot thank you enough.
I solved the first problem by disabling the mutator option.
However, I would appreciate it if you could tell me whether you find anything wrong with my config.
One more question: does Oathkeeper support every cipher suite? I have one application with the following cipher suite:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 256-bit key, TLS 1.2
Would anything go wrong if I use Oathkeeper as a reverse proxy in front of it?