2021-11-04 10:54:41 +01:00
|
|
|
proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
|
|
|
|
js_var $auth_token;
|
|
|
|
js_var $pep_credentials;
|
2021-11-04 18:30:20 +01:00
|
|
|
js_var $remote_user_js;
|
2021-11-04 10:54:41 +01:00
|
|
|
underscores_in_headers on;
|
|
|
|
|
2021-11-02 19:47:36 +01:00
|
|
|
upstream _inception-server {
|
|
|
|
ip_hash;
|
2021-11-03 17:56:07 +01:00
|
|
|
server {{ inception_project_docker_service_name }}:{{ inception_project_server_port }};
|
2021-11-02 19:47:36 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
map $http_authorization $source_auth {
|
|
|
|
default "";
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
listen *:{{ pep_port }};
|
|
|
|
server_name {{ inception_project_docker_service_name }};
|
2021-11-04 10:54:41 +01:00
|
|
|
access_log /var/log/nginx/access.log;
|
2021-11-04 17:04:30 +01:00
|
|
|
error_log /var/log/nginx/error.log{% if nginx_pep_debug_enabled %} debug{% endif %};
|
2021-11-02 19:47:36 +01:00
|
|
|
|
2021-11-04 14:23:53 +01:00
|
|
|
{% if inception_project_pep_allow_iframe %}
|
|
|
|
proxy_hide_header X-Frame-Options;
|
|
|
|
add_header X-Frame-Options "";
|
|
|
|
{% endif %}
|
|
|
|
proxy_buffering off; # Required for HTTP-based CLI to work over SSL
|
|
|
|
# Required for new HTTP-based CLI
|
|
|
|
proxy_request_buffering off;
|
|
|
|
|
2021-11-09 13:44:26 +01:00
|
|
|
client_max_body_size {{ nginx_pep_max_body_size }};
|
|
|
|
client_body_timeout {{ nginx_pep_body_timeout }};
|
|
|
|
|
2022-04-29 18:40:15 +02:00
|
|
|
{% if inception_project_websockets_enabled == 'true' %}
|
|
|
|
location /inception/ws {
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
proxy_set_header Connection "Upgrade";
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
|
|
proxy_set_header remote_user "$remote_user_js";
|
|
|
|
proxy_pass http://_inception-server;
|
|
|
|
}
|
|
|
|
{% endif %}
|
|
|
|
|
2021-11-04 17:48:52 +01:00
|
|
|
location / {
|
2022-04-29 18:40:15 +02:00
|
|
|
proxy_http_version 1.1;
|
2021-11-04 11:44:21 +01:00
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header Connection ""; # Clear for keepalive
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
2022-04-29 18:18:12 +02:00
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
2022-04-29 18:40:15 +02:00
|
|
|
proxy_max_temp_file_size 0;
|
|
|
|
proxy_connect_timeout 180;
|
|
|
|
proxy_send_timeout 180;
|
|
|
|
proxy_read_timeout 180;
|
|
|
|
proxy_temp_file_write_size 64k;
|
2021-11-04 18:48:58 +01:00
|
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
|
|
proxy_set_header remote_user "$remote_user_js";
|
2021-11-04 11:36:49 +01:00
|
|
|
proxy_pass http://_inception-server;
|
|
|
|
}
|
|
|
|
|
2021-11-04 17:48:52 +01:00
|
|
|
location /_d4sauth {
|
2021-11-02 19:47:36 +01:00
|
|
|
js_content pep.enforce;
|
|
|
|
}
|
|
|
|
|
|
|
|
location @backend {
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header Connection ""; # Clear for keepalive
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
|
|
proxy_set_header X-Forwarded-Server $host;
|
|
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
2021-11-04 18:44:53 +01:00
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
2021-11-02 19:47:36 +01:00
|
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
2021-11-04 18:30:20 +01:00
|
|
|
proxy_set_header remote_user "$remote_user_js";
|
2021-11-02 19:47:36 +01:00
|
|
|
proxy_pass http://_inception-server;
|
2021-11-04 17:59:43 +01:00
|
|
|
rewrite ^/_d4sauth / last;
|
2021-11-02 19:47:36 +01:00
|
|
|
}
|
|
|
|
|
2021-11-04 10:54:41 +01:00
|
|
|
location /gcube_user_info {
|
2021-11-02 19:47:36 +01:00
|
|
|
internal;
|
|
|
|
gunzip on;
|
|
|
|
proxy_method GET;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
resolver 146.48.122.10;
|
|
|
|
proxy_pass https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token;
|
|
|
|
}
|
|
|
|
location /jwt_verify_request {
|
|
|
|
internal;
|
|
|
|
proxy_method POST;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Authorization $pep_credentials;
|
|
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
2021-11-03 17:59:07 +01:00
|
|
|
proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect";
|
2021-11-02 19:47:36 +01:00
|
|
|
|
|
|
|
proxy_ignore_headers Cache-Control Expires Set-Cookie;
|
|
|
|
gunzip on;
|
|
|
|
|
|
|
|
proxy_cache token_responses; # Enable caching
|
|
|
|
proxy_cache_key $source_auth; # Cache for each source authentication
|
|
|
|
proxy_cache_lock on; # Duplicate tokens must wait
|
|
|
|
proxy_cache_valid 200 10s; # How long to use each response
|
|
|
|
}
|
|
|
|
|
|
|
|
location /jwt_request {
|
|
|
|
internal;
|
|
|
|
proxy_method POST;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Authorization $pep_credentials;
|
|
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
|
|
proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
|
|
|
|
gunzip on;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /permission_request {
|
|
|
|
internal;
|
|
|
|
proxy_method POST;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
|
|
proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
|
|
|
|
gunzip on;
|
|
|
|
}
|
|
|
|
}
|