
This gist was created after struggling to set up IdentityServer4 in Docker.

The idea is to create local certificates for development and set up the development environment around them. In this example the reverse proxy (nginx) runs outside Docker.

(Diagram: network setup)

The certificate-generation steps are taken from the guide "How to create an HTTPS certificate".

Certificate authority (CA)

Generate RootCA.pem, RootCA.key & RootCA.crt:

openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=RU/CN=Example-Root-CA"
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt

Note that Example-Root-CA is an example, you can customize the name.

Domain name certificate

Let's say you have two domains fake1.local and fake2.local that are hosted on your local machine for development (using the hosts file to point them to 127.0.0.1).

First, create a file domains.ext that lists all your local domains:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = *.local.dev

Generate localhost.key, localhost.csr, and localhost.crt:

openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt

Note that the country / state / city / name in the first command can be customized.
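The CA and domain-certificate steps above as one script, followed by the checks worth running before RootCA.crt is installed in any trust store (that the leaf chains to the root, that the SAN list really covers the hostnames used later in the hosts file, and that the leaf is not itself a CA). This is an added example, not part of the gist; it assumes openssl is on the PATH and takes an optional working directory as its first argument (both assumptions).

```shell
#!/bin/sh
# Added example, not from the gist: reproduce the CA and leaf-certificate
# steps in a scratch directory, then verify the result before the CA is
# installed anywhere. Assumes `openssl` on PATH; WORKDIR may be passed as $1.
set -eu
WORKDIR="${1:-$(mktemp -d)}"

gen_certs() (
  cd "$WORKDIR"
  # Root CA, same parameters as the gist (the CN is an example name)
  openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 \
    -keyout RootCA.key -out RootCA.pem -subj "/C=RU/CN=Example-Root-CA" 2>/dev/null
  openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
  # Extension file: not a CA, with SANs for localhost and *.local.dev
  cat > domains.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = *.local.dev
EOF
  # Leaf key + CSR, then sign the CSR with the root CA applying domains.ext
  openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr \
    -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local" 2>/dev/null
  openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key \
    -CAcreateserial -extfile domains.ext -out localhost.crt 2>/dev/null
)

# Does the leaf chain to RootCA? This is what a browser or container checks
# once RootCA.crt is in its trust store.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/RootCA.pem" "$WORKDIR/localhost.crt" >/dev/null 2>&1
}

# Is a given hostname covered by the SAN list? OpenSSL applies the wildcard
# rules browsers use: *.local.dev matches identity-server.local.dev but not
# local.dev or a.b.local.dev.
covers_host() {
  openssl verify -CAfile "$WORKDIR/RootCA.pem" -verify_hostname "$1" \
    "$WORKDIR/localhost.crt" >/dev/null 2>&1
}

# The leaf must carry basicConstraints CA:FALSE so it cannot sign further certs.
leaf_is_not_ca() {
  ! openssl x509 -in "$WORKDIR/localhost.crt" -noout -text | grep -q 'CA:TRUE'
}
```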

Trust the local CA

At this point, the site would load with a warning about self-signed certificates. In order to get a green lock, your new local CA has to be added to the trusted Root Certificate Authorities.

Windows 10: Chrome, IE11 & Edge

Windows 10 recognizes .crt files, so you can right-click on RootCA.crt > Install to open the import dialog.

Make sure to select "Trusted Root Certification Authorities" and confirm.

You should now get a green lock in Chrome, IE11 and Edge.

Setting up local machine

For example, our protected container is https://localhost:5001 => https://identity-server.local.dev. Other APIs: https://localhost:65101 => api2.local.dev and https://localhost:65102 => http://api1.local.dev. Edit the C:\Windows\System32\drivers\etc\hosts file accordingly:

127.0.0.1 identity-server.local.dev api1.local.dev api2.local.dev

Setting up NGINX

Set up the certificates and increase the proxy buffers (see IdentityServer/IdentityServer4#1670) in the nginx http block:

http {
	proxy_buffer_size          128k;
	proxy_buffers              4 256k;
	proxy_busy_buffers_size    256k;

	ssl_certificate ..\etc\localhost.crt;
	ssl_certificate_key ..\etc\localhost.key;

	server {...}
}

Redirect 443 requests to identity-server

server {
	listen     443 ssl;
	server_name "";

	return 301 $scheme://identity-server.local.dev$request_uri;
}

Proxy identity server

server {
	listen	443 ssl;

	server_name  identity-server.local.dev;

	location / {
		proxy_pass https://localhost:5001;

		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection keep-alive;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_cache_bypass $http_upgrade;
	}
}

Proxy api1 and api2

server {
	listen	443 ssl;

	server_name  api1.local.dev;

	location / {
		proxy_pass http://localhost:65101;
	}
}

server {
	listen	443 ssl;

	server_name  api2.local.dev;

	location / {
		proxy_pass http://localhost:65102;
	}
}

Add routes in containers to protected site

Connect to the Docker container and run the following, where 192.168.0.3 is the address of your machine on the local network:

echo 192.168.0.3 identity-server.local.dev >> /etc/hosts

or add this setting to the service in docker-compose:

extra_hosts:
   - "identity-server.local.dev:192.168.0.3"

Add certificates to containers

You can use the COPY command in the Dockerfile to place the CA certificate in the container and then update the certificate store with RUN. Place these lines right after 'FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS base':

COPY ./certs/RootCA.crt /usr/local/share/ca-certificates/RootCA.crt
RUN update-ca-certificates

After that, restart your .NET app.
