ansible-role-inception/templates/nginx.default.conf.j2

127 lines
4.3 KiB
Plaintext
Raw Normal View History

proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
js_var $auth_token;
js_var $pep_credentials;
2021-11-04 18:30:20 +01:00
js_var $remote_user_js;
underscores_in_headers on;
2021-11-02 19:47:36 +01:00
upstream _inception-server {
ip_hash;
2021-11-03 17:56:07 +01:00
server {{ inception_project_docker_service_name }}:{{ inception_project_server_port }};
2021-11-02 19:47:36 +01:00
}
map $http_authorization $source_auth {
default "";
}
server {
listen *:{{ pep_port }};
server_name {{ inception_project_docker_service_name }};
access_log /var/log/nginx/access.log;
2021-11-04 17:04:30 +01:00
error_log /var/log/nginx/error.log{% if nginx_pep_debug_enabled %} debug{% endif %};
2021-11-02 19:47:36 +01:00
2021-11-04 14:23:53 +01:00
{% if inception_project_pep_allow_iframe %}
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "";
{% endif %}
proxy_buffering off; # Required for HTTP-based CLI to work over SSL
# Required for new HTTP-based CLI
proxy_request_buffering off;
client_max_body_size {{ nginx_pep_max_body_size }};
client_body_timeout {{ nginx_pep_body_timeout }};
2022-04-29 18:40:15 +02:00
{% if inception_project_websockets_enabled == 'true' %}
location /inception/ws {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header Authorization "Bearer $auth_token";
proxy_set_header remote_user "$remote_user_js";
proxy_pass http://_inception-server;
}
{% endif %}
2021-11-04 17:48:52 +01:00
location / {
2022-04-29 18:40:15 +02:00
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Connection ""; # Clear for keepalive
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
2022-04-29 18:40:15 +02:00
proxy_max_temp_file_size 0;
proxy_connect_timeout 180;
proxy_send_timeout 180;
proxy_read_timeout 180;
proxy_temp_file_write_size 64k;
2021-11-04 18:48:58 +01:00
proxy_set_header Authorization "Bearer $auth_token";
proxy_set_header remote_user "$remote_user_js";
2021-11-04 11:36:49 +01:00
proxy_pass http://_inception-server;
}
2021-11-04 17:48:52 +01:00
location /_d4sauth {
2021-11-02 19:47:36 +01:00
js_content pep.enforce;
}
location @backend {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Connection ""; # Clear for keepalive
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
2021-11-04 18:44:53 +01:00
proxy_set_header X-Forwarded-Proto $scheme;
2021-11-02 19:47:36 +01:00
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Authorization "Bearer $auth_token";
2021-11-04 18:30:20 +01:00
proxy_set_header remote_user "$remote_user_js";
2021-11-02 19:47:36 +01:00
proxy_pass http://_inception-server;
2021-11-04 17:59:43 +01:00
rewrite ^/_d4sauth / last;
2021-11-02 19:47:36 +01:00
}
location /gcube_user_info {
2021-11-02 19:47:36 +01:00
internal;
gunzip on;
proxy_method GET;
proxy_http_version 1.1;
resolver 146.48.122.10;
proxy_pass https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token;
}
location /jwt_verify_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect";
2021-11-02 19:47:36 +01:00
proxy_ignore_headers Cache-Control Expires Set-Cookie;
gunzip on;
proxy_cache token_responses; # Enable caching
proxy_cache_key $source_auth; # Cache for each source authentication
proxy_cache_lock on; # Duplicate tokens must wait
proxy_cache_valid 200 10s; # How long to use each response
}
location /jwt_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
gunzip on;
}
location /permission_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization "Bearer $auth_token";
proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
gunzip on;
}
}