#help

sdktr

03/24/2023, 9:00 PM
How can Cerbos be made aware of it running behind a frontend proxy running tls/https offload? So cerbos is running on http, but the clients use https schema to access the api

Charith (Cerbos)

03/25/2023, 8:30 AM
Why do you need to make Cerbos aware that it's running behind a proxy? If you're thinking of audit logs, they record the x-forwarded-for header and you can configure Cerbos to record any other custom headers that identify the client as well. https://docs.cerbos.dev/cerbos/latest/configuration/audit.html

sdktr

03/26/2023, 11:22 AM
The links that are used in the /api playground are tied to the scheme that cerbos thinks it’s running on. So in our case these fields target http://cerbos.domain/api/bla.

Charith (Cerbos)

03/27/2023, 8:27 AM
Oh you mean the Swagger API docs? I am afraid there's no way to change the scheme on that. It's meant to be used as a local development aid so we haven't considered adding any options to make it accessible over proxies and such.

sdktr

03/27/2023, 8:29 AM
Having a full-featured playground in there (with the policies in cerbos preloaded but changeable for testing) would be helpful

Charith (Cerbos)

03/27/2023, 8:36 AM
Noted. That's a common request and we have it in our list of things to do.

Jesum Yip

03/29/2023, 12:36 PM
FYI I use Istio to do tls termination and cerbos runs on http inside my gke cluster. I also use istio to disable the swagger docs. Alternatively, you could also get istio to write a routing rule to redirect the user to the Cerbos public web page for api documentation, i.e. https://docs.cerbos.dev/cerbos/latest/api/index.html
Most ingress gateways in k8s can do the above.
@Charith (Cerbos) if you ever implement a playground, please make it optional during installation.

Charith (Cerbos)

03/29/2023, 12:58 PM
Absolutely. We are keen to keep the Cerbos contact area small so any optional features will always ship disabled by default.