
Running Mercure on https with Symfony certificate

Open stephanvierkant opened this issue 4 years ago • 2 comments

As of Chrome 88, cookies must be SameSite=Lax/Strict or SameSite=None; Secure. That means running a Mercure server on http isn't possible when running a Symfony dev server on https. I've tried upgrading to Mercure v0.11 with HTTPS, but that uses a self-signed certificate that isn't trusted by Chrome. I tried to use the "allow-insecure-localhost" flag in Chrome, but that flag has been removed in Chrome 88. I found a workaround by setting temporary-unexpire-flags-m87. That works only temporarily and isn't a great developer experience either.

It would be great if we can use the Symfony certificate for Mercure as well, like we can with Webpack Encore's dev server.

stephanvierkant avatar Feb 04 '21 10:02 stephanvierkant

I use this docker-compose.yml and copy the symfony certificates to caddy.

version: '3'

services:
  caddy:
    image: dunglas/mercure:v0.13.0
    ports:
      - "3000:80"
      - "3001:443"
    volumes:
      # copy the ~/.symfony/certs/rootCA.pem to scripts/mercure/data/caddy/pki/authorities/local/intermediate.crt
      # do the same with the key file, and again for the caddy root.crt and root.key files.
      - ./scripts/mercure/Caddyfile.docker:/etc/caddy/Caddyfile
      - ./scripts/mercure/data:/data
      - ./scripts/mercure/config:/config
    environment:
      SERVER_NAME: "127.0.0.1:443"
      MERCURE_PUBLISHER_JWT_KEY: <myKey>
      MERCURE_SUBSCRIBER_JWT_KEY: <myKey>
      MERCURE_EXTRA_DIRECTIVES: |
        cors_origins https://127.0.0.1
        publish_origins https://127.0.0.1
        ui
      GLOBAL_OPTIONS: |
        local_certs
        default_sni 127.0.0.1

and the custom Caddyfile.docker

# Learn how to configure the Mercure.rocks Hub on https://mercure.rocks/docs/hub/config
{
    {$GLOBAL_OPTIONS}
}

{$SERVER_NAME:localhost}
tls internal
log

#cors
header Access-Control-Allow-Origin https://127.0.0.1:8000
header Access-Control-Allow-Credentials true

route {
    redir / /.well-known/mercure/ui/
    encode zstd gzip

    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt://mercure.db}
        # Publisher JWT key
        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
        # Subscriber JWT key
        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
    }

    respond /healthz 200
    respond "Not Found" 404
}

finnef avatar Aug 25 '23 09:08 finnef
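A small helper for the copy step described in the volume comments of the docker-compose.yml above, added here as an example (it is not from the issue, the bundle or the Mercure project). It assumes the Symfony CLI stores the CA private key next to rootCA.pem as rootCA-key.pem (the comment does not name the key file) and that the destination is the data/caddy/pki/authorities/local directory the comment points at; before copying it checks that the certificate and key actually belong together, so a mismatched pair never ends up in Caddy's PKI directory.

```shell
#!/bin/sh
# Added example (not from the issue or the Mercure project): install the Symfony CLI
# development CA into Caddy's local PKI directory as the comment above describes.
# Assumption: the CA certificate is rootCA.pem and its private key rootCA-key.pem.

# install_symfony_ca SRC_DIR DEST_DIR
# Copies SRC_DIR/rootCA.pem to root.crt and intermediate.crt, and the key to
# root.key and intermediate.key, under DEST_DIR. Returns non-zero if a file is
# missing or if openssl is available and reports that cert and key do not match.
install_symfony_ca() {
    src="$1"
    dest="$2"
    cert="$src/rootCA.pem"
    key="$src/rootCA-key.pem"

    [ -f "$cert" ] || { echo "missing CA certificate: $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "missing CA private key: $key" >&2; return 1; }

    # Refuse a cert/key pair whose public keys differ (check only when openssl exists).
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "certificate and key do not match: $cert / $key" >&2
            return 1
        fi
    fi

    mkdir -p "$dest" || return 1
    # Caddy reads root.* and intermediate.*; the comment uses the same pair for both.
    for name in root intermediate; do
        cp "$cert" "$dest/$name.crt" || return 1
        cp "$key" "$dest/$name.key" || return 1
        chmod 600 "$dest/$name.key" || return 1   # private key readable by owner only
    done
    return 0
}
```

Run it as `install_symfony_ca ~/.symfony/certs ./scripts/mercure/data/caddy/pki/authorities/local` before starting the container; the bind mount on /data then gives Caddy the files.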