Feat/enable https

.env.example

@@ -1,13 +1,48 @@
 AUTH_TYPE = waltid
 WALTID_VERIFIER_URL=https://verifier2.demo.oceanenterprise.io
 OCEAN_NODE_URL=https://ocean-node-vm1.oceanenterprise.io
+
+#Success/error URLS
 WALTID_SUCCESS_REDIRECT_URL=https://example.com/success?id=$id
 WALTID_ERROR_REDIRECT_URL=https://example.com/error?id=$id
+
+#Redirects to policy server proxy
 WALTID_VERIFY_RESPONSE_REDIRECT_URL=https://psproxy1.demo.oceanenterprise.io/verify/$id
 WALTID_VERIFY_PRESENTATION_DEFINITION_URL=https://psproxy1.demo.oceanenterprise.io/pd/$id
+
+#Default policies applicable to all certificate requests
 DEFAULT_VP_POLICIES=expired,signature,revoked-status-list,not-before
 DEFAULT_VC_POLICIES=expired,signature,revoked-status-list,not-before
+
+#Logging. 1 - active; 0 - inactive
 ENABLE_LOGS=1
+
+# Operating mode: Policy Server or Policy Server Proxy. Can't be both of them at the same time
 MODE_PROXY=0
 MODE_PS=1
-PORT=3000
+
+PORT=3000
+
+# Optional: if set, POST / requires X-API-Key to match this value.
+#POLICY_SERVER_API_KEY=api_key_example`
+
+# Optional: if set, maintenance endpoints require this X-API-Key.
+#ADMIN_API_KEY=admin_apy_key_example
+
+# Comma-separated list of allowed Ocean Node addresses in `0x` + 40 hex format.
+# If this is empty or unset, node access-list authorization is disabled.
+#POLICY_SERVER_NODE_ACCESS_LIST=0x1111111111111111111111111111111111111111,0x2222222222222222222222222222222222222222
+
+#URL from where the list of allowed node addresses in read
+#POLICY_SERVER_NODE_ACCESS_LIST_URL=https://example.com/trustedNodes
+
+# Comma-separated list of allowed consumer addresses in `0x` + 40 hex format.
+# If this is empty or unset, consumer access-list authorization is disabled.
+#POLICY_SERVER_CONSUMER_ACCESS_LIST=0x7777777777777777777777777777777777777777,0x8888888888888888888888888888888888888888
+
+#URL from where the list of allowed consumer addresses in read
+#POLICY_SERVER_CONSUMER_ACCESS_LIST_URL=https://example.com/trustedConsumers
+
+# Certificate and private key locations. If these variables are set, policy server will run HTTPS 
+#HTTP_CERT_PATH=/etc/ssl/certs/cert.pem
+#HTTP_KEY_PATH=/etc/ssl/certs/key.pem

README.md

@@ -21,6 +21,10 @@ DEFAULT_VC_POLICIES=expired,signature,revoked-status-list,not-before
 ENABLE_LOGS=1
 MODE_PROXY=1
 MODE_PS=1
+PORT=3000
+# Optional: enable HTTPS directly in policy-server when both cert and key are set.
+HTTP_CERT_PATH=/usr/src/app/certs/cert.pem
+HTTP_KEY_PATH=/usr/src/app/certs/key.pem
 # Optional: if set, POST / requires X-API-Key to match this value
 POLICY_SERVER_API_KEY=API_KEY_EXAMPLE
 # Optional: if set, admin maintenance endpoints require this X-API-Key
@@ -1458,6 +1462,9 @@ LOCAL_PORT=8100
 CONTAINER_PORT=8100
 
 PORT=8100
+# Optional direct HTTPS. Reverse proxy TLS offload remains supported without these.
+HTTP_CERT_PATH=/usr/src/app/certs/cert.pem
+HTTP_KEY_PATH=/usr/src/app/certs/key.pem
 AUTH_TYPE=waltid
 OCEAN_NODE_URL=http://ocean-node-vm1.oceanenterprise.io:8000
 WALTID_VERIFIER_URL=https://verifier.demo.walt.id

certs/cert.pem

@@ -0,0 +1 @@
+your certificate here

certs/key.pem

@@ -0,0 +1 @@
+your private key here

docker-compose/.env.example

@@ -1,13 +1,48 @@
-AUTH_TYPE=waltid
+AUTH_TYPE = waltid
 WALTID_VERIFIER_URL=https://verifier2.demo.oceanenterprise.io
 OCEAN_NODE_URL=https://ocean-node-vm1.oceanenterprise.io
-WALTID_SUCCESS_REDIRECT_URL=https://example.com/success?id=$$id
-WALTID_ERROR_REDIRECT_URL=https://example.com/error?id=$$id
-WALTID_VERIFY_RESPONSE_REDIRECT_URL=https://psproxy1.demo.oceanenterprise.io/verify/$$id
-WALTID_VERIFY_PRESENTATION_DEFINITION_URL=https://psproxy1.demo.oceanenterprise.io/pd/$$id
+
+#Success/error URLS
+WALTID_SUCCESS_REDIRECT_URL=https://example.com/success?id=$id
+WALTID_ERROR_REDIRECT_URL=https://example.com/error?id=$id
+
+#Redirects to policy server proxy
+WALTID_VERIFY_RESPONSE_REDIRECT_URL=https://psproxy1.demo.oceanenterprise.io/verify/$id
+WALTID_VERIFY_PRESENTATION_DEFINITION_URL=https://psproxy1.demo.oceanenterprise.io/pd/$id
+
+#Default policies applicable to all certificate requests
 DEFAULT_VP_POLICIES=expired,signature,revoked-status-list,not-before
 DEFAULT_VC_POLICIES=expired,signature,revoked-status-list,not-before
+
+#Logging. 1 - active; 0 - inactive
 ENABLE_LOGS=1
+
+# Operating mode: Policy Server or Policy Server Proxy. Can't be both of them at the same time
 MODE_PROXY=0
 MODE_PS=1
+
 PORT=3000
+
+# Optional: if set, POST / requires X-API-Key to match this value.
+#POLICY_SERVER_API_KEY=api_key_example`
+
+# Optional: if set, maintenance endpoints require this X-API-Key.
+#ADMIN_API_KEY=admin_apy_key_example
+
+# Comma-separated list of allowed Ocean Node addresses in `0x` + 40 hex format.
+# If this is empty or unset, node access-list authorization is disabled.
+#POLICY_SERVER_NODE_ACCESS_LIST=0x1111111111111111111111111111111111111111,0x2222222222222222222222222222222222222222
+
+#URL from where the list of allowed node addresses in read
+#POLICY_SERVER_NODE_ACCESS_LIST_URL=https://example.com/trustedNodes
+
+# Comma-separated list of allowed consumer addresses in `0x` + 40 hex format.
+# If this is empty or unset, consumer access-list authorization is disabled.
+#POLICY_SERVER_CONSUMER_ACCESS_LIST=0x7777777777777777777777777777777777777777,0x8888888888888888888888888888888888888888
+
+#URL from where the list of allowed consumer addresses in read
+#POLICY_SERVER_CONSUMER_ACCESS_LIST_URL=https://example.com/trustedConsumers
+
+# Certificate and private key locations. If these variables are set, policy server will run HTTPS 
+#HTTP_CERT_PATH=/etc/ssl/certs/cert.pem
+#HTTP_KEY_PATH=/etc/ssl/certs/key.pem

docker-compose/docker-compose.yml

@@ -7,4 +7,6 @@ services:
     env_file:
       - .env
     ports:
-      - "8001:3000"
+      - "8001:3000"
+    volumes:
+      - ../certs:/etc/ssl/certs:ro