pep/src/_nginx.default.conf

# Websockets
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Prometheus metrics
# upstream prometheus {
#   ip_hash;
#   server {{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_as_docker_service_name }}:{{ shinyproxy_prometheus_port }};
# }

# backend service
upstream service {
  ip_hash;
  server shinyproxy_bluecloud_erl_shinyproxy_bluecloud_erl:8000;
}


# variables computed by njs and which may possibly be passed among locations
js_var $auth_token;
js_var $account_record;
js_var $pep_credentials;

proxy_cache_path /tmp levels=1:2 keys_zone=social_cache:10m max_size=10g inactive=60m use_temp_path=off;


server {

  listen *:80;
  listen [::]:80;

  server_name shinyproxy-ecologicalrestorationlab-pep.d4science.org;

  subrequest_output_buffer_size 8192k;

  proxy_hide_header X-Frame-Options;
  add_header X-Frame-Options "";
  proxy_hide_header Content-Security-Policy;
  add_header Content-Security-Policy "";

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;

  location /health {
    add_header Content-Length 0;
    add_header Content-Type "text/plain";
	return 200;
  }

  # location /login {
  #   proxy_set_header Host $http_host;
  #   proxy_set_header X-Real-IP $remote_addr;
  #   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  #   proxy_set_header X-NginX-Proxy true;
  #   proxy_pass https://shinyproxy-ecologicalrestorationlab.d4science.org/;
  # }

  proxy_http_version 1.1;
  proxy_set_header Connection "";
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Host "$remote_addr";
  proxy_set_header X-Forwarded-Server $host;
  proxy_set_header nginx-request-uri $request_uri;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_buffering on;
  proxy_buffer_size 8k;
  proxy_buffers 4 8k;
  proxy_busy_buffers_size 16k;
  proxy_temp_file_write_size 16k;
  proxy_redirect off;
  proxy_connect_timeout 30s;
  proxy_read_timeout 2400s;
  proxy_send_timeout 120s;

  location ~ /app/ {
    proxy_read_timeout 300;
    proxy_send_timeout 300;
    js_content pep.enforce_legacy;
  }

  

  location /gcube_user_info {
     internal;
     gunzip on;
     proxy_method      GET;
     proxy_http_version 1.1;
     proxy_set_header  gcube-token "$auth_token";
     proxy_pass        https://api.d4science.org/rest/2/people/profile;
  
     proxy_cache social_cache;
     proxy_cache_key $auth_token;
  }

  # location /login {
  #   proxy_set_header Host $http_host;
  #   proxy_set_header X-Real-IP $remote_addr;
  #   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  #   proxy_set_header X-NginX-Proxy true;
  #   proxy_cache_bypass $http_upgrade;
  #   resolver 127.0.0.11;
  #   proxy_pass  http://service/;
  # }
  
  location / {
    access_log /var/log/nginx/proxy.access.log;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_cache_bypass $http_upgrade;
    # resolver 127.0.0.11;
    proxy_pass  http://service$request_uri;
  }


# internal location that redirects to backend will only be called from PEP JS code when all checks are passed
  location /_backend {
    internal;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_cache_bypass $http_upgrade;
  # proxy_redirect off;
    proxy_pass http://service$request_uri;
  }

  
  # internal location that redirects to Keycloak in order to verify a token's validity. This will be called only from PEP JS code
  location /jwt_verify_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token/introspect";
    
    proxy_ignore_headers  Cache-Control Expires Set-Cookie;
    gunzip on;
  }
  
  # internal location that redirects to Keycloak in order to exchange Basic auth credentials with token. This will be called only from PEP JS code
  location /jwt_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
    gunzip on;
  }
  
  # internal location that redirects to Keycloak in order to perform a specific authorization request. This will be called only from PEP JS code
  location /permission_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_set_header  Authorization "Bearer $auth_token";
    proxy_pass        "https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
    gunzip on;
  }

  # internal location that sends a record to accounting service. This will be called only from PEP JS code if requested.
  location /accounting {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization "Bearer $auth_token";
    proxy_set_header  Content-Type "application/json";
    proxy_pass        "https://accounting-service.d4science.org/accounting-service/record";
  }

  location /_accounting_legacy {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  gcube-token "$auth_token";
    proxy_set_header  Content-Type "application/json";
    proxy_pass        https://accounting-service.d4science.org/accounting-service/record;
  }


}