Add a page that describes secure servers and JwtProxy as backend for it
1 parent 7eebeae, commit 00c77d5
Showing 2 changed files with 99 additions and 0 deletions.
@@ -0,0 +1,37 @@ | ||
--- | ||
title: "Secure Servers" | ||
keywords: workspace, runtime, recipe, kubernetes, openshift, stack, servers, server, secure server | ||
tags: [workspace, runtime, docker, kubernetes] | ||
sidebar: user_sidebar | ||
permalink: secure-servers.html | ||
folder: workspace-admin | ||
--- | ||
|
||
Now that you have made yourself familiar with [secure servers](servers.html#secure-server) concept, let’s take a closer look at enabling this functionality and implementation details. | ||
|
||
## How to enable secure servers functionality? | ||
|
||
This functionality is in beta phase now and it is disabled by default. | ||
It is needed to set `CHE_SERVER_SECURE__EXPOSER` environment variable to `jwtproxy` to enable secure servers with JwtProxy as proxy backend. | ||
Note that it is supported by Kubernetes and OpenShift infrastructures but not Docker. | ||
|
||
## How to access to secure server | ||
|
||
To request secure server it is needed to provide machine token. Machine token may be fetched from workspace runtime. | ||
|
||
There are three possible ways to specify token in request to secure server: | ||
- specify token in `Authorization` request header. Note that `Bearer` prefix should be specified as token type; | ||
- specify token in `access_token` cookie. This option can be configured and is disabled by default. | ||
- specify it in `token` query parameter. This way is not recommended to be used since token will be present in URL. But there can be limited cases when it’s not possible to use `Authorization` header or cookies. An example of such exceptional case can be: OAuth authentification initialization. | ||
|
||
## Cookies Authentication | ||
Because of authentication with cookies, CSRF attack is possible and it is a reason why it is disabled by default for servers. | ||
Authentication with cookies may be enabled manually for the particular server if server doesn't have any methods that processes modifying GET, POST requests which accepts html form supported content types or it server has additional protection from CSRF attack. | ||
|
||
## JwtProxy | ||
|
||
Now [JwtProxy](https://github.com/eclipse/che-jwtproxy) is the only supported backend for secure servers. It proxies all requests to secure servers an verify incoming requests. | ||
|
||
To make cookies authentication easier JwtProxy has authentication endpoint that may be used for automatically putting machine token into cookies. The following diagram shows how it works | ||
|
||
{% include image.html file="diagrams/servers-cookies-auth.svg" %} |
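Review bot: the "Cookies Authentication" section says cookie authentication "may be enabled manually for the particular server" but never names the server attribute or configuration key that enables it, so a reader cannot act on the section; name the setting here and state the two conditions as an explicit checklist (no state-changing GET/POST handlers that accept HTML-form content types, or a server-side CSRF defence in place), since the current sentence "Authentication with cookies may be enabled manually for the particular server if server doesn't have any methods that processes modifying GET, POST requests..." is a single run-on that is hard to apply. In the same spirit, the `token` query parameter bullet should say why it is discouraged beyond "token will be present in URL": URLs end up in browser history, proxy and server access logs, and `Referer` headers, so a machine token passed that way can leak to third parties. Smaller points: the front matter `tags` list includes `docker` while the body states the feature is not supported on Docker, which will mislead tag-based navigation; "It proxies all requests to secure servers an verify incoming requests" should read "and verifies"; "authentification" should be "authentication"; "or it server has additional protection" should be "or its server has additional protection"; and the heading "How to access to secure server" drops the extra "to".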