95 lines
3.1 KiB
Plaintext
95 lines
3.1 KiB
Plaintext
# backend service
|
|
upstream service {
|
|
ip_hash;
|
|
server ${DOCKER_FULL_STACK_SERVICE_NAME}:${DOCKER_SERVICE_PORT};
|
|
}
|
|
|
|
|
|
# variables computed by njs and which may possibly be passed among locations
|
|
js_var $auth_token;
|
|
js_var $account_record;
|
|
js_var $pep_credentials;
|
|
|
|
# proxy_cache_path /tmp levels=1:2 keys_zone=social_cache:10m max_size=10g inactive=60m use_temp_path=off;
|
|
|
|
|
|
server {
|
|
|
|
listen *:80;
|
|
listen [::]:80;
|
|
|
|
server_name ${SERVICE_HOST};
|
|
|
|
subrequest_output_buffer_size ${SUBREQUEST_OUTPUT_BUFFER_SIZE};
|
|
|
|
location /health {
|
|
add_header Content-Length 0;
|
|
add_header Content-Type "text/plain";
|
|
return 200;
|
|
}
|
|
|
|
location / {
|
|
proxy_read_timeout 300;
|
|
proxy_send_timeout 300;
|
|
js_content pep.enforce;
|
|
}
|
|
|
|
# internal location that redirects to backend will only be called from PEP JS code when all checks are passed
|
|
location /_backend {
|
|
internal;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-NginX-Proxy true;
|
|
proxy_cache_bypass $http_upgrade;
|
|
# proxy_redirect off;
|
|
proxy_pass http://service$request_uri;
|
|
}
|
|
|
|
|
|
# internal location that redirects to Keycloak in order to verify a token's validity. This will be called only from PEP JS code
|
|
location /jwt_verify_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization $pep_credentials;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_pass "https://${KEYCLOACK_SERVER}/auth/realms/d4science/protocol/openid-connect/token/introspect";
|
|
|
|
proxy_ignore_headers Cache-Control Expires Set-Cookie;
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that redirects to Keycloak in order to exchange Basic auth credentials with token. This will be called only from PEP JS code
|
|
location /jwt_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization $pep_credentials;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_pass "https://${KEYCLOACK_SERVER}/auth/realms/d4science/protocol/openid-connect/token";
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that redirects to Keycloak in order to perform a specific authorization request. This will be called only from PEP JS code
|
|
location /permission_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
proxy_pass "https://${KEYCLOACK_SERVER}/auth/realms/d4science/protocol/openid-connect/token";
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that sends a record to accounting service. This will be called only from PEP JS code if requested.
|
|
location /accounting {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
proxy_set_header Content-Type "application/json";
|
|
proxy_pass "${ACCOUNTING_SERVICE_BASEURL}/record";
|
|
}
|
|
}
|