ansible-role-inception/templates/nginx.default.conf.j2

proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
js_var $auth_token;
js_var $pep_credentials;
js_var $remote_user_js;
underscores_in_headers on;

upstream _inception-server {
  ip_hash;
  server {{ inception_project_docker_service_name }}:{{ inception_project_server_port }};
}

map $http_authorization $source_auth {
  default "";
}

server {
  listen *:{{ pep_port }};
  server_name {{ inception_project_docker_service_name }};
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log{% if nginx_pep_debug_enabled %} debug{% endif %};

{% if inception_project_pep_allow_iframe %}
  proxy_hide_header X-Frame-Options;
  add_header X-Frame-Options "";
{% endif %}
  proxy_buffering off; # Required for HTTP-based CLI to work over SSL
  # Required for new HTTP-based CLI
  proxy_request_buffering off;

  client_max_body_size {{ nginx_pep_max_body_size }};
  client_body_timeout {{ nginx_pep_body_timeout }};

{% if inception_project_websockets_enabled == 'true' %}
  location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header Authorization "Bearer $auth_token";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_set_header remote_user "$remote_user_js";
    proxy_pass http://_inception-server;
  }
{% endif %}

  location / {
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_redirect https://{{ inception_project_server_endpoint }}/ /;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Connection ""; # Clear for keepalive
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_max_temp_file_size   0;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    proxy_temp_file_write_size 64k;
    proxy_set_header Authorization "Bearer $auth_token";
    proxy_set_header remote_user "$remote_user_js";
    proxy_pass http://_inception-server;
  }

  location /_d4sauth {
    js_content pep.enforce;
  }

  location @backend {
    proxy_http_version 1.1;
    proxy_redirect https://{{ inception_project_server_endpoint }}/ /;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Connection ""; # Clear for keepalive
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_max_temp_file_size   0;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    proxy_temp_file_write_size 64k;
    proxy_set_header Authorization "Bearer $auth_token";
    proxy_set_header remote_user "$remote_user_js";
    proxy_pass http://_inception-server;
    rewrite ^/_d4sauth / last;
  }

  location /gcube_user_info {
        internal;
        gunzip on;
        proxy_method      GET;
        proxy_http_version 1.1;
        resolver 146.48.122.10;
        proxy_pass        https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token;
    }
  location /jwt_verify_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect";

    proxy_ignore_headers  Cache-Control Expires Set-Cookie;
    gunzip on;

    proxy_cache           token_responses; # Enable caching
    proxy_cache_key       $source_auth;    # Cache for each source authentication
    proxy_cache_lock      on;              # Duplicate tokens must wait
    proxy_cache_valid     200 10s;         # How long to use each response
  }

  location /jwt_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
    gunzip on;
  }

  location /permission_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_set_header  Authorization "Bearer $auth_token";
    proxy_pass        "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
    gunzip on;
  }
}
the nginx configuration skips the call to pep.js. 2021-11-04 10:54:41 +01:00			`proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;`
			`js_var $auth_token;`
			`js_var $pep_credentials;`
var remote_user -> remote_user_js 2021-11-04 18:30:20 +01:00			`js_var $remote_user_js;`
the nginx configuration skips the call to pep.js. 2021-11-04 10:54:41 +01:00			`underscores_in_headers on;`

Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00			`upstream _inception-server {`
			`ip_hash;`
Fix the nginx configuration. 2021-11-03 17:56:07 +01:00			`server {{ inception_project_docker_service_name }}:{{ inception_project_server_port }};`
Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00			`}`

			`map $http_authorization $source_auth {`
			`default "";`
			`}`

			`server {`
			`listen *:{{ pep_port }};`
			`server_name {{ inception_project_docker_service_name }};`
the nginx configuration skips the call to pep.js. 2021-11-04 10:54:41 +01:00			`access_log /var/log/nginx/access.log;`
Fix a typo 2021-11-04 17:04:30 +01:00			`error_log /var/log/nginx/error.log{% if nginx_pep_debug_enabled %} debug{% endif %};`
Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00
Try to be iframe friendly. 2021-11-04 14:23:53 +01:00			`{% if inception_project_pep_allow_iframe %}`
			`proxy_hide_header X-Frame-Options;`
			`add_header X-Frame-Options "";`
			`{% endif %}`
			`proxy_buffering off; # Required for HTTP-based CLI to work over SSL`
			`# Required for new HTTP-based CLI`
			`proxy_request_buffering off;`

client_max_body_size in the nginx configuration. 2021-11-09 13:44:26 +01:00			`client_max_body_size {{ nginx_pep_max_body_size }};`
			`client_body_timeout {{ nginx_pep_body_timeout }};`

Add a new location for the websocket. 2022-04-29 18:40:15 +02:00			`{% if inception_project_websockets_enabled == 'true' %}`
Fix the ws URL. 2022-04-29 18:49:54 +02:00			`location /ws {`
Add a new location for the websocket. 2022-04-29 18:40:15 +02:00			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "Upgrade";`
			`proxy_set_header Host $host;`
			`proxy_set_header Authorization "Bearer $auth_token";`
Try to impose https. 2022-05-02 19:09:45 +02:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`# proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Proto "https";`
Add a new location for the websocket. 2022-04-29 18:40:15 +02:00			`proxy_set_header remote_user "$remote_user_js";`
			`proxy_pass http://_inception-server;`
			`}`
			`{% endif %}`

Alternative auth entry point. 2021-11-04 17:48:52 +01:00			`location / {`
Add a new location for the websocket. 2022-04-29 18:40:15 +02:00			`proxy_http_version 1.1;`
Every location must set the proxy header. 2021-11-04 11:44:21 +01:00			`proxy_set_header Host $host;`
Another attempt to fix the mixed content problem. 2022-04-29 19:08:34 +02:00			`proxy_redirect https://{{ inception_project_server_endpoint }}/ /;`
Every location must set the proxy header. 2021-11-04 11:44:21 +01:00			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Connection ""; # Clear for keepalive`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
Try to impose https. 2022-05-02 19:09:45 +02:00			`# proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Proto "https";`
Add a new location for the websocket. 2022-04-29 18:40:15 +02:00			`proxy_max_temp_file_size 0;`
			`proxy_connect_timeout 180;`
			`proxy_send_timeout 180;`
			`proxy_read_timeout 180;`
			`proxy_temp_file_write_size 64k;`
Set the remote_user in / again. 2021-11-04 18:48:58 +01:00			`proxy_set_header Authorization "Bearer $auth_token";`
			`proxy_set_header remote_user "$remote_user_js";`
Exclude some URLs from authz. 2021-11-04 11:36:49 +01:00			`proxy_pass http://_inception-server;`
			`}`

Alternative auth entry point. 2021-11-04 17:48:52 +01:00			`location /_d4sauth {`
Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00			`js_content pep.enforce;`
			`}`

			`location @backend {`
Fix the nginx headers, again. 2022-04-29 19:00:07 +02:00			`proxy_http_version 1.1;`
Another attempt to fix the mixed content problem. 2022-04-29 19:08:34 +02:00			`proxy_redirect https://{{ inception_project_server_endpoint }}/ /;`
Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Connection ""; # Clear for keepalive`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
Try to impose https. 2022-05-02 19:09:45 +02:00			`# proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Proto "https";`
Fix the nginx headers, again. 2022-04-29 19:00:07 +02:00			`proxy_max_temp_file_size 0;`
			`proxy_connect_timeout 180;`
			`proxy_send_timeout 180;`
			`proxy_read_timeout 180;`
			`proxy_temp_file_write_size 64k;`
Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00			`proxy_set_header Authorization "Bearer $auth_token";`
var remote_user -> remote_user_js 2021-11-04 18:30:20 +01:00			`proxy_set_header remote_user "$remote_user_js";`
Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00			`proxy_pass http://_inception-server;`
Simplify the rewrite URL. 2021-11-04 17:59:43 +01:00			`rewrite ^/_d4sauth / last;`
Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00			`}`

the nginx configuration skips the call to pep.js. 2021-11-04 10:54:41 +01:00			`location /gcube_user_info {`
Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00			`internal;`
			`gunzip on;`
			`proxy_method GET;`
			`proxy_http_version 1.1;`
			`resolver 146.48.122.10;`
			`proxy_pass https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token;`
			`}`
			`location /jwt_verify_request {`
			`internal;`
			`proxy_method POST;`
			`proxy_http_version 1.1;`
			`proxy_set_header Authorization $pep_credentials;`
			`proxy_set_header Content-Type "application/x-www-form-urlencoded";`
Fix the variable that defines the IAM host. 2021-11-03 17:59:07 +01:00			`proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect";`
Add PEP support via NGINX + JS. 2021-11-02 19:47:36 +01:00
			`proxy_ignore_headers Cache-Control Expires Set-Cookie;`
			`gunzip on;`

			`proxy_cache token_responses; # Enable caching`
			`proxy_cache_key $source_auth; # Cache for each source authentication`
			`proxy_cache_lock on; # Duplicate tokens must wait`
			`proxy_cache_valid 200 10s; # How long to use each response`
			`}`

			`location /jwt_request {`
			`internal;`
			`proxy_method POST;`
			`proxy_http_version 1.1;`
			`proxy_set_header Authorization $pep_credentials;`
			`proxy_set_header Content-Type "application/x-www-form-urlencoded";`
			`proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";`
			`gunzip on;`
			`}`

			`location /permission_request {`
			`internal;`
			`proxy_method POST;`
			`proxy_http_version 1.1;`
			`proxy_set_header Content-Type "application/x-www-form-urlencoded";`
			`proxy_set_header Authorization "Bearer $auth_token";`
			`proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";`
			`gunzip on;`
			`}`
			`}`