proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m; js_var $auth_token; js_var $pep_credentials; js_var $remote_user_js; underscores_in_headers on; upstream _inception-server { ip_hash; server {{ inception_project_docker_service_name }}:{{ inception_project_server_port }}; } map $http_authorization $source_auth { default ""; } server { listen *:{{ pep_port }}; server_name {{ inception_project_docker_service_name }}; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log{% if nginx_pep_debug_enabled %} debug{% endif %}; {% if inception_project_pep_allow_iframe %} proxy_hide_header X-Frame-Options; add_header X-Frame-Options ""; {% endif %} proxy_buffering off; # Required for HTTP-based CLI to work over SSL # Required for new HTTP-based CLI proxy_request_buffering off; client_max_body_size {{ nginx_pep_max_body_size }}; client_body_timeout {{ nginx_pep_body_timeout }}; {% if inception_project_websockets_enabled == 'true' %} location /ws { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; proxy_set_header Authorization "Bearer $auth_token"; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto "https"; proxy_set_header remote_user "$remote_user_js"; proxy_pass http://_inception-server; } {% endif %} location / { proxy_http_version 1.1; proxy_set_header Host $host; proxy_redirect https://{{ inception_project_server_endpoint }}/ /; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Connection ""; # Clear for keepalive proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto "https"; proxy_max_temp_file_size 0; proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; proxy_temp_file_write_size 64k; proxy_set_header Authorization "Bearer $auth_token"; proxy_set_header remote_user "$remote_user_js"; proxy_pass http://_inception-server; } location /_d4sauth { js_content pep.enforce; } location @backend { proxy_http_version 1.1; proxy_redirect https://{{ inception_project_server_endpoint }}/ /; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Connection ""; # Clear for keepalive proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto "https"; proxy_max_temp_file_size 0; proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; proxy_temp_file_write_size 64k; proxy_set_header Authorization "Bearer $auth_token"; proxy_set_header remote_user "$remote_user_js"; proxy_pass http://_inception-server; rewrite ^/_d4sauth / last; } location /gcube_user_info { internal; gunzip on; proxy_method GET; proxy_http_version 1.1; resolver 146.48.122.10; proxy_pass https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token; } location /jwt_verify_request { internal; proxy_method POST; proxy_http_version 1.1; proxy_set_header Authorization $pep_credentials; proxy_set_header Content-Type "application/x-www-form-urlencoded"; proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect"; proxy_ignore_headers Cache-Control Expires Set-Cookie; gunzip on; proxy_cache token_responses; # Enable caching proxy_cache_key $source_auth; # Cache for each source authentication proxy_cache_lock on; # Duplicate tokens must wait proxy_cache_valid 200 10s; # How long to use each response } location /jwt_request { internal; proxy_method POST; proxy_http_version 1.1; proxy_set_header Authorization $pep_credentials; proxy_set_header Content-Type "application/x-www-form-urlencoded"; proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token"; gunzip on; } location /permission_request { internal; proxy_method POST; proxy_http_version 1.1; proxy_set_header Content-Type "application/x-www-form-urlencoded"; proxy_set_header Authorization "Bearer $auth_token"; proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token"; gunzip on; } }