ansible-role-inception/templates/nginx.default.conf.j2

proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
js_var $auth_token;
js_var $pep_credentials;
js_var $remote_user_js;
underscores_in_headers on;

upstream _inception-server {
  ip_hash;
  server {{ inception_project_docker_service_name }}:{{ inception_project_server_port }};
}

map $http_authorization $source_auth {
  default "";
}

server {
  listen *:{{ pep_port }};
  server_name {{ inception_project_docker_service_name }};
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log{% if nginx_pep_debug_enabled %} debug{% endif %};

{% if inception_project_pep_allow_iframe %}
  proxy_hide_header X-Frame-Options;
  add_header X-Frame-Options "";
{% endif %}
  proxy_buffering off; # Required for HTTP-based CLI to work over SSL
  # Required for new HTTP-based CLI
  proxy_request_buffering off;

  client_max_body_size {{ nginx_pep_max_body_size }};
  client_body_timeout {{ nginx_pep_body_timeout }};

{% if inception_project_websockets_enabled == 'true' %}
  location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header Authorization "Bearer $auth_token";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_set_header remote_user "$remote_user_js";
    proxy_pass http://_inception-server;
  }
{% endif %}

  location / {
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_redirect https://{{ inception_project_server_endpoint }}/ /;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Connection ""; # Clear for keepalive
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_max_temp_file_size   0;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    proxy_temp_file_write_size 64k;
    proxy_set_header Authorization "Bearer $auth_token";
    proxy_set_header remote_user "$remote_user_js";
    proxy_pass http://_inception-server;
  }

  location /_d4sauth {
    js_content pep.enforce;
  }

  location @backend {
    proxy_http_version 1.1;
    proxy_redirect https://{{ inception_project_server_endpoint }}/ /;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Connection ""; # Clear for keepalive
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_max_temp_file_size   0;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    proxy_temp_file_write_size 64k;
    proxy_set_header Authorization "Bearer $auth_token";
    proxy_set_header remote_user "$remote_user_js";
    proxy_pass http://_inception-server;
    rewrite ^/_d4sauth / last;
  }

  location /gcube_user_info {
        internal;
        gunzip on;
        proxy_method      GET;
        proxy_http_version 1.1;
        resolver 146.48.122.10;
        proxy_pass        https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token;
    }
  location /jwt_verify_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect";

    proxy_ignore_headers  Cache-Control Expires Set-Cookie;
    gunzip on;

    proxy_cache           token_responses; # Enable caching
    proxy_cache_key       $source_auth;    # Cache for each source authentication
    proxy_cache_lock      on;              # Duplicate tokens must wait
    proxy_cache_valid     200 10s;         # How long to use each response
  }

  location /jwt_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
    gunzip on;
  }

  location /permission_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_set_header  Authorization "Bearer $auth_token";
    proxy_pass        "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
    gunzip on;
  }
}