symfony/mercure-bundle

Running Mercure on https with Symfony certificate

Opened this issue · 1 comments

stephanvierkant commented

As of Chrome 88, cookies must be SiteSite=Lax/Strict or SiteSite=none; Secure. That means running a Mercure server on http isn't possible when running a Symfony dev server on https. I've tried upgrading to Mercure v0.11 with HTTPS, but that uses a self-signed certificate that isn't trusted by Chrome. I tried to use the "allow-insecure-localhost" flag in Chrome, but that flag has been removed in Chrome 88. I found a workaround by setting temporary-unexpire-flags-m87. That works only temporarily and isn't a great developer experience either.

It would be great if we can use the Symfony certificate for Mercure as well, like we can with Webpack Encore's dev server.

finnef commented

I use this docker-compose.yml
and copy the symfony certificates to caddy.

version: '3'

services:
  caddy:
    image: dunglas/mercure:v0.13.0
    ports:
      - "3000:80"
      - "3001:443"
    volumes:
      # copy the ~/.symfony/certs/rootCA.pem to scripts/mercure/data/caddy/pki/authorities/local/intermediate.crt
      # do the same with the key file, and again for the caddy root.crt and root.key files.
      - ./scripts/mercure/Caddyfile.docker:/etc/caddy/Caddyfile
      - ./scripts/mercure/data:/data
      - ./scripts/mercure/config:/config
    environment:
      SERVER_NAME: "127.0.0.1:443"
      MERCURE_PUBLISHER_JWT_KEY: <myKey>
      MERCURE_SUBSCRIBER_JWT_KEY: <myKey>
      MERCURE_EXTRA_DIRECTIVES: |
        cors_origins https://127.0.0.1
        publish_origins https://127.0.0.1
        ui
      GLOBAL_OPTIONS: |
        local_certs
        default_sni 127.0.0.1

and the custom Caddyfile.docker


# Learn how to configure the Mercure.rocks Hub on https://mercure.rocks/docs/hub/config
{
    {$GLOBAL_OPTIONS}
}

{$SERVER_NAME:localhost}
tls internal
log

#cors
header Access-Control-Allow-Origin https://127.0.0.1:8000
header Access-Control-Allow-Credentials true

route {
    redir / /.well-known/mercure/ui/
    encode zstd gzip

    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt://mercure.db}
        # Publisher JWT key
        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
        # Subscriber JWT key
        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
   }

    respond /healthz 200
    respond "Not Found" 404
}