Skip to content

Security Authorization

The API image runs the .NET Core app directly inside the /app folder. The same image takes care of compiling the code. It is also prepared to be cached, so some steps could be skipped if has not been changes from previous builds.

Building the image

The image must be built from the /Source folder. The Dockerfile is inside the Projects/Sequel.Security.Authorization/docker folder. Building the image does not require any parameters, but the appsettings.json file will not be included in the image, this must be included either by creating a new image or using a volume or secret.

docker image build -f Projects/Sequel.Security.Authorization/docker/Dockerfile -t security/authorization .

There is also a SECURITY_VERSION build argument that is useful for CD pipelines to specify which is the version that is building.

Use BuildKit to build images

It is recommended to use BuildKit instead the classic build system to improve build times of the image and take advantage of advanced cache system that brings this new system.

Preparing the app settings

As mentioned before, the image does not include an appsettings.json file, so it will always fail to run if no one is provided. The are three ways to add the settings into the container:

  1. Create a new image which adds the file inside /app (not recommended)
  2. Create a volume that maps the file into the container (-v argument in docker)
  3. Create a secret in Swarm or Kubernetes and put it in /app/appsettings.json

There are also some settings that must be set taking into account the deployment environment:

  • The InitializeSSL must be always set to false, failing to do so, will cause some troubles in Authorization.
  • The TrustForwardedHeaders should be set to true if Authorization will be behind a reverse proxy/load balancer.
  • The EnableContainerEndpoint in HealthCheckSettings must be set to true, if not, the container will be marked as unhealthy.
  • The DoubleEncodingRevert in RewriterSettings must be set to true (it is outside IIS, it must be set to true)
  • The Logging context must point to the right SQL Server instance, using the right.hostname, and must use SQL Server Authentication login method (provide User Id and Password).
  • Ensure internal and external URLs for the API, Authentication and Authorization services are OK.
  • Check the RabbitMQ host to ensure it is accessible too.
  • Check the health check (example command curl -i -H "HealthCheck-ApiKey: cdb327e2-4f20-4a55-b44a-d3b948b84356" localhost/securityapi/health)

Access to hosts services from Docker

See the Security API section for more information about this.

SQL Server on Windows

See the Security API section for more information about this.

Running the image

Once the appsettings.json file is ready, you may start a container and check everything is fine. Authentication requires API and Authentication to be running too. Below there is an example running a container and using a bind mount to provide the appsettings.json file:

docker container run --rm -it -v /deployments/sec/appsettings.authorization.json:/app/appsettings.json -p 8002:80 security/authorization

Running behind Reverse Proxies

Usually, in a reverse proxy environment, the published services will have path prefixes to have several services run under the same domain. To avoid any issues with URLs in Security Authorization, it is recommended to fill the PATH_PREFIX environment variable in the container and disable any path prefix strip in the reverse proxy, Security Authorization will do the rest.