ansible-role-inception/templates/nginx.default.conf.j2

95 lines
3.2 KiB
Django/Jinja

upstream _inception-server {
ip_hash;
server {{ inception_project_docker_service_name }}:{{ inception_project_server_port }};
}
map $http_authorization $source_auth {
default "";
}
js_var $auth_token;
js_var $pep_credentials;
server {
listen *:{{ pep_port }};
server_name {{ inception_project_docker_service_name }};
{% if inception_project_websockets_enabled == 'true' %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
location / {
js_content pep.enforce;
proxy_request_buffering off;
proxy_buffering off; # Required for HTTP-based CLI to work over SSL
proxy_set_header Connection ""; # Clear for keepalive
proxy_set_header Host $host;
proxy_pass http://_inception-server;
}
location @backend {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Required for new HTTP-based CLI
proxy_request_buffering off;
proxy_buffering off; # Required for HTTP-based CLI to work over SSL
proxy_set_header Connection ""; # Clear for keepalive
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Authorization "Bearer $auth_token";
proxy_set_header remote_user "$remote_user";
proxy_pass http://_inception-server;
}
location /gcube_user_info {
internal;
gunzip on;
proxy_method GET;
proxy_http_version 1.1;
resolver 146.48.122.10;
proxy_pass https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token;
}
location /jwt_verify_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect";
proxy_ignore_headers Cache-Control Expires Set-Cookie;
gunzip on;
proxy_cache token_responses; # Enable caching
proxy_cache_key $source_auth; # Cache for each source authentication
proxy_cache_lock on; # Duplicate tokens must wait
proxy_cache_valid 200 10s; # How long to use each response
}
location /jwt_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
gunzip on;
}
location /permission_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization "Bearer $auth_token";
proxy_pass "{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token";
gunzip on;
}
}