This gist was created after struggling to set up IdentityServer4 in Docker.
The idea is to create local certificates for development and to set up the development environment. In this example the reverse proxy (nginx) runs outside Docker.
The certificate generation steps are taken from "How to create an HTTPS certificate".
Generate `RootCA.pem`, `RootCA.key` & `RootCA.crt`:

```sh
openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=RU/CN=Example-Root-CA"
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
```
Note that `Example-Root-CA` is an example; you can customize the name.

Let's say you have two domains `fake1.local` and `fake2.local` that are hosted on your local machine for development (using the `hosts` file to point them to `127.0.0.1`).

First, create a file `domains.ext` that lists all your local domains:

```ini
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = *.local.dev
```
Generate `localhost.key`, `localhost.csr`, and `localhost.crt`:

```sh
openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt
```
Note that the country / state / city / name in the first command can be customized.
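A quick check that the generated material is actually what the proxy and the browser need, as an added example that is not part of the original gist: it reruns the same OpenSSL commands in a scratch directory, then validates the chain and the wildcard SAN with `openssl verify`, including a negative check that a name outside the SAN list is rejected. It assumes `openssl` 1.1 or newer on `PATH` (for `-verify_hostname`); the subject fields are the gist's own placeholders.

```sh
#!/bin/sh
# Added example (not from the original gist): generate the root CA and the leaf certificate
# exactly as the gist does, then verify the result the way a TLS client would.
# Assumes `openssl` 1.1+ on PATH. Everything happens inside the directory passed as $1.
make_and_verify_local_certs() {
  work="$1"
  (
    cd "$work" || exit 1

    # Same extension file as the gist: a leaf certificate (CA:FALSE) with a wildcard SAN.
    cat > domains.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = *.local.dev
EOF

    # 1. Self-signed root CA. RootCA.key never leaves the host; only RootCA.crt is distributed.
    openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 \
      -keyout RootCA.key -out RootCA.pem -subj "/C=RU/CN=Example-Root-CA" 2>/dev/null || exit 1
    openssl x509 -outform pem -in RootCA.pem -out RootCA.crt || exit 1

    # 2. Leaf key + CSR, then sign the CSR with the root and attach the SAN extensions.
    openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr \
      -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local" 2>/dev/null || exit 1
    openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key \
      -CAcreateserial -extfile domains.ext -out localhost.crt 2>/dev/null || exit 1

    # 3. Chain check: the leaf must validate against our root.
    openssl verify -CAfile RootCA.crt localhost.crt >/dev/null || exit 1

    # 4. Hostname check: the SAN list must cover every name nginx serves ...
    for host in identity-server.local.dev api1.local.dev api2.local.dev localhost; do
      openssl verify -CAfile RootCA.crt -verify_hostname "$host" localhost.crt >/dev/null || exit 1
    done

    # ... and must NOT cover a name outside it (a wildcard matches exactly one label).
    if openssl verify -CAfile RootCA.crt -verify_hostname deep.sub.local.dev localhost.crt >/dev/null 2>&1; then
      exit 1
    fi

    # 5. The leaf must not itself be usable to sign further certificates.
    openssl x509 -in localhost.crt -noout -text | grep -q 'CA:FALSE' || exit 1
  )
}

# Usage: make_and_verify_local_certs "$(mktemp -d)" && echo "certificates OK"
```

Run it once after editing `domains.ext`: if you add a host name to nginx later and forget to add it to `alt_names`, the loop in step 4 fails before you spend time chasing a browser warning.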
At this point, the site would load with a warning about self-signed certificates. In order to get a green lock, your new local CA has to be added to the trusted Root Certification Authorities.

Windows 10 recognizes `.crt` files, so you can right-click on `RootCA.crt` > Install to open the import dialog. Make sure to select "Trusted Root Certification Authorities" and confirm.

You should now get a green lock in Chrome, IE11 and Edge.
For example, our protected container is `https://localhost:5001` => `https://identity-server.local.dev`. Other APIs: `https://localhost:65101` => `api2.local.dev` and `https://localhost:65102` => `http://api1.local.dev`. Edit the `C:\Windows\System32\drivers\etc\hosts` file accordingly:

```
127.0.0.1 identity-server.local.dev api1.local.dev api2.local.dev
```
Set up the certificates and increase the proxy buffers (see IdentityServer/IdentityServer4#1670) for nginx:

```nginx
http {
    # larger buffers than the defaults, otherwise nginx rejects the big response headers IdentityServer4 sends
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    ssl_certificate ..\etc\localhost.crt;
    ssl_certificate_key ..\etc\localhost.key;
    server {...}
}
```
Redirect requests on 443 for any other host name to identity-server:

```nginx
server {
    listen 443 ssl;
    server_name "";
    return 301 $scheme://identity-server.local.dev$request_uri;
}
```
Proxy the identity server:

```nginx
server {
    listen 443 ssl;
    server_name identity-server.local.dev;
    location / {
        proxy_pass https://localhost:5001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
```
Proxy api1 and api2:

```nginx
server {
    listen 443 ssl;
    server_name api1.local.dev;
    location / {
        proxy_pass http://localhost:65101;
    }
}
server {
    listen 443 ssl;
    server_name api2.local.dev;
    location / {
        proxy_pass http://localhost:65102;
    }
}
```
Connect to the Docker container and run the following, where `192.168.0.3` is the address of your machine in the local network:

```sh
echo 192.168.0.3 identity-server.local.dev >> /etc/hosts
```

or use `extra_hosts` in docker-compose:

```yaml
extra_hosts:
  - "identity-server.local.dev:192.168.0.3"
```
You could use the `COPY` command in the Dockerfile to place the CA certificate into the container and update the certificate store with `RUN`. Only the public `RootCA.crt` goes into the image; the `RootCA.key` stays on the host. Place these lines right after `FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS base`:

```dockerfile
COPY ./certs/RootCA.crt /usr/local/share/ca-certificates/RootCA.crt
RUN update-ca-certificates
```

After that, restart your .NET app.