Datawiza Access-Proxy WordPress Integration

Background

We have WordPress running in Docker on port 8081 (http://{your_WordPress_url}:8081), with a docker-compose.yml like the following:

version: '3.1'
services:
  wordpress:
    image: wordpress
    depends_on:
      - db
    ports:
      - 8081:80
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: exampleuser
      WORDPRESS_DB_PASSWORD: examplepass
      WORDPRESS_DB_NAME: exampledb
    volumes:
      - wordpress:/var/www/html

  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_DATABASE: exampledb
      MYSQL_USER: exampleuser
      MYSQL_PASSWORD: examplepass
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - db:/var/lib/mysql

volumes:
  wordpress:
  db:

Now we want to deploy Datawiza Access-Proxy (DAP) for WordPress.

Deploy

1. Config in Datawiza Cloud Management Console (DCMC)

First, create a deployment for WordPress in DCMC; follow the instruction on how to configure a deployment in DCMC. In this tutorial we use Okta as the IdP.

2. Deploy in host

After creating the deployment in DCMC, we deploy DAP with a docker-compose file. Upstream Servers can be set either to http://wordpress:80 (WordPress on the same compose network as DAP) or to http://{your_WordPress_url}:8081 (WordPress reachable through its published port):

If we set Upstream Servers to http://wordpress:80, the docker-compose.yml file looks like this:

version: '3.1'
services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "8081:8081"
    environment:
      PROVISIONING_KEY: replace-it-with-your-provisioning-key
      PROVISIONING_SECRET: replace-it-with-your-provisioning-secret

  wordpress:
    image: wordpress
    depends_on:
      - db
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: exampleuser
      WORDPRESS_DB_PASSWORD: examplepass
      WORDPRESS_DB_NAME: exampledb
    volumes:
      - wordpress:/var/www/html

  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_DATABASE: exampledb
      MYSQL_USER: exampleuser
      MYSQL_PASSWORD: examplepass
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - db:/var/lib/mysql

volumes:
  wordpress:
  db:

WordPress has to be recreated without its ports mapping so that host port 8081 is free for DAP.

Run docker-compose -f docker-compose.yml up -d to start the services. Visiting http://{your_WordPress_url}:8081 now redirects to the Okta login page.

If we set Upstream Servers to http://{your_WordPress_url}:8081, the docker-compose.yml file looks like this:

version: '3.1'
services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "9772:9772"
    environment:
      PROVISIONING_KEY: replace-it-with-your-provisioning-key
      PROVISIONING_SECRET: replace-it-with-your-provisioning-secret

Run docker-compose -f docker-compose.yml up -d to start the service.
We also need to change the WordPress configuration:

wordpress configuration

The WordPress Address (URL) and Site Address (URL) need to be changed to http://localhost:9772.
Visiting http://{your_WordPress_url}:9772 now redirects to the Okta login page.

3. Delegate the Authentication to DAP (Optional)

After logging in to Okta, the following page is shown:

wordpress page

If you go to http://{your_WordPress_url}:{port}/wp-admin/, you will be redirected to the WordPress login page.

wordpress page

With the WordPress plugin Datawiza Proxy Auth Plugin - SSO, authentication can be delegated to DAP as follows:

Add New Attribute

In the Profile tab we see four basic attributes. We need to add role, since the plugin reads email and role from the JWT.

DCMC profile

Add Mapping

In the Mappings tab you will see the default mappings; add a mapping for role as well.

DCMC mappings

Add New Attribute Pass

Add email and role in Attribute Pass for the plugin; email is required and role is optional.

DCMC attribute pass

If the attributes are not configured correctly, an error notification is shown:

Proxy Auth Plugin expects email attribute to identify user, but it does not exist in JWT token. Please check your reverse proxy configuration

wordpress error notification

Install the plugin in WordPress:

wordpress plugin configuration

Search for datawiza and click Install Now:

wordpress plugin configuration

Activate it:

wordpress plugin configuration

In Settings > Datawiza Proxy Auth, enter your private secret and save the changes.
If you use the plugin with DAP, the private secret is the PROVISIONING_SECRET from your docker-compose file.

wordpress plugin configuration

If the secret is wrong, you will see this error notification:

Proxy Auth Plugin cannot verify JWT token. Please double check your JWT token's private secret is configured correctly

wordpress error notification

Then click logout; you will be redirected to the Okta login page:

wordpress configuration

Log in again with Okta and the headline is shown.

wordpress configuration

Assign a role to the user in Okta (Optional). First add the role attribute:
In Users > Profile Editor, select the profile:

okta profile

Add Attribute

Assign the role to the user:

okta add attr

In Users > People, select the user:

okta select people

In the Profile tab, edit role:

okta edit profile

NOTES:

  • If the admin does not assign a role to the user, the user's role defaults to subscriber.
  • If the user's role is updated in Okta, the plugin updates the role in WordPress accordingly.
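
As an added illustration (not the plugin's or Datawiza's own code), the following Python script models the checks the plugin steps above describe: the token signature must verify against the shared private secret (the PROVISIONING_SECRET), the email claim must be present, and a missing role falls back to subscriber. The two error texts are the ones the plugin shows. It assumes the token is an HS256-signed JWT signed with that secret; the claim names email and role come from the page, while the function names and sample values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder: with DAP the plugin's private secret is the
# PROVISIONING_SECRET from docker-compose.yml.
SAMPLE_SECRET = "replace-it-with-your-provisioning-secret"

# Role used when the JWT carries no role claim (see NOTES above).
DEFAULT_ROLE = "subscriber"

# Error texts exactly as the plugin shows them.
ERR_BAD_SECRET = ("Proxy Auth Plugin cannot verify JWT token. Please double check "
                  "your JWT token's private secret is configured correctly")
ERR_NO_EMAIL = ("Proxy Auth Plugin expects email attribute to identify user, but it "
                "does not exist in JWT token. Please check your reverse proxy configuration")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: str) -> str:
    """Build an HS256 JWT; stands in for the token DAP attaches to each request
    (HS256 with the shared secret is an assumption of this demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_proxy_jwt(token: str, secret: str, now=None) -> dict:
    """Validate the proxy token the way the plugin is described to.

    Returns {"ok": True, "email": ..., "role": ...} on success,
    or {"ok": False, "error": <message>} on failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "error": "malformed JWT"}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return {"ok": False, "error": "malformed JWT"}
    # Pin the algorithm: a token claiming alg=none (or any other alg) must not pass.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return {"ok": False, "error": "unexpected JWT algorithm"}
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison, and verify before trusting any claim.
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "error": ERR_BAD_SECRET}
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return {"ok": False, "error": "malformed JWT payload"}
    if not isinstance(claims, dict):
        return {"ok": False, "error": "malformed JWT payload"}
    exp = claims.get("exp")
    current = now if now is not None else time.time()
    if exp is not None and current >= exp:
        return {"ok": False, "error": "JWT expired"}
    email = claims.get("email")
    if not email:
        return {"ok": False, "error": ERR_NO_EMAIL}
    role = claims.get("role") or DEFAULT_ROLE
    return {"ok": True, "email": email, "role": role}


if __name__ == "__main__":
    # Constructed sample tokens exercising the three situations from the text.
    good = make_jwt({"email": "alice@example.com", "role": "editor"}, SAMPLE_SECRET)
    no_role = make_jwt({"email": "bob@example.com"}, SAMPLE_SECRET)
    no_email = make_jwt({"role": "editor"}, SAMPLE_SECRET)
    print(verify_proxy_jwt(good, SAMPLE_SECRET))
    print(verify_proxy_jwt(no_role, SAMPLE_SECRET))
    print(verify_proxy_jwt(no_email, SAMPLE_SECRET))
    print(verify_proxy_jwt(good, "some-other-secret"))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a token that merely names email and role without a valid signature is rejected with the wrong-secret message, exactly the case the plugin reports when the private secret in Settings does not match PROVISIONING_SECRET.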

4. Secure your WordPress with HTTPS (Optional)

If you need DAP itself to terminate HTTPS, refer to here for how to configure DAP.

Otherwise, if you already have a load balancer in front of WordPress that terminates HTTPS, and DAP sits between the load balancer and WordPress, you need to:

  1. Set Public Domain to https://your-domain.

  2. Set Listen Port to the port your load balancer forwards to after terminating HTTPS. In the example below, the load balancer terminates HTTPS for requests to https://localhost and forwards the decrypted traffic to DAP on port 80; DAP then forwards it to the Upstream Server http://host.docker.internal.

  https config

  3. Keep the SSL button off.

  https config