188 lines
5.8 KiB
Plaintext
188 lines
5.8 KiB
Plaintext
# Websockets
|
|
map $http_upgrade $connection_upgrade {
|
|
default upgrade;
|
|
'' close;
|
|
}
|
|
|
|
# Prometheus metrics
|
|
# upstream prometheus {
|
|
# ip_hash;
|
|
# server {{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_as_docker_service_name }}:{{ shinyproxy_prometheus_port }};
|
|
# }
|
|
|
|
# backend service
|
|
upstream service {
|
|
ip_hash;
|
|
server shinyproxy_bluecloud_erl_shinyproxy_bluecloud_erl:8000;
|
|
}
|
|
|
|
|
|
# variables computed by njs and which may possibly be passed among locations
|
|
js_var $auth_token;
|
|
js_var $account_record;
|
|
js_var $pep_credentials;
|
|
|
|
proxy_cache_path /tmp levels=1:2 keys_zone=social_cache:10m max_size=10g inactive=60m use_temp_path=off;
|
|
|
|
|
|
server {
|
|
|
|
listen *:80;
|
|
listen [::]:80;
|
|
|
|
server_name shinyproxy-ecologicalrestorationlab-pep.d4science.org;
|
|
|
|
subrequest_output_buffer_size 8192k;
|
|
|
|
proxy_hide_header X-Frame-Options;
|
|
add_header X-Frame-Options "";
|
|
proxy_hide_header Content-Security-Policy;
|
|
add_header Content-Security-Policy "";
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
|
|
location /health {
|
|
add_header Content-Length 0;
|
|
add_header Content-Type "text/plain";
|
|
return 200;
|
|
}
|
|
|
|
# location /login {
|
|
# proxy_set_header Host $http_host;
|
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
# proxy_set_header X-NginX-Proxy true;
|
|
# proxy_pass https://shinyproxy-ecologicalrestorationlab.d4science.org/;
|
|
# }
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-Host "$remote_addr";
|
|
proxy_set_header X-Forwarded-Server $host;
|
|
proxy_set_header nginx-request-uri $request_uri;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_buffering on;
|
|
proxy_buffer_size 8k;
|
|
proxy_buffers 4 8k;
|
|
proxy_busy_buffers_size 16k;
|
|
proxy_temp_file_write_size 16k;
|
|
proxy_redirect off;
|
|
proxy_connect_timeout 30s;
|
|
proxy_read_timeout 2400s;
|
|
proxy_send_timeout 120s;
|
|
|
|
location ~ /app/ {
|
|
proxy_read_timeout 300;
|
|
proxy_send_timeout 300;
|
|
js_content pep.enforce_legacy;
|
|
}
|
|
|
|
|
|
|
|
location /gcube_user_info {
|
|
internal;
|
|
gunzip on;
|
|
proxy_method GET;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header gcube-token "$auth_token";
|
|
proxy_pass https://api.d4science.org/rest/2/people/profile;
|
|
|
|
proxy_cache social_cache;
|
|
proxy_cache_key $auth_token;
|
|
}
|
|
|
|
# location /login {
|
|
# proxy_set_header Host $http_host;
|
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
# proxy_set_header X-NginX-Proxy true;
|
|
# proxy_cache_bypass $http_upgrade;
|
|
# resolver 127.0.0.11;
|
|
# proxy_pass http://service/;
|
|
# }
|
|
|
|
location / {
|
|
access_log /var/log/nginx/proxy.access.log;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-NginX-Proxy true;
|
|
proxy_cache_bypass $http_upgrade;
|
|
# resolver 127.0.0.11;
|
|
proxy_pass http://service$request_uri;
|
|
}
|
|
|
|
|
|
# internal location that redirects to backend will only be called from PEP JS code when all checks are passed
|
|
location /_backend {
|
|
internal;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-NginX-Proxy true;
|
|
proxy_cache_bypass $http_upgrade;
|
|
# proxy_redirect off;
|
|
proxy_pass http://service$request_uri;
|
|
}
|
|
|
|
|
|
# internal location that redirects to Keycloak in order to verify a token's validity. This will be called only from PEP JS code
|
|
location /jwt_verify_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization $pep_credentials;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_pass "https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token/introspect";
|
|
|
|
proxy_ignore_headers Cache-Control Expires Set-Cookie;
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that redirects to Keycloak in order to exchange Basic auth credentials with token. This will be called only from PEP JS code
|
|
location /jwt_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization $pep_credentials;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_pass "https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that redirects to Keycloak in order to perform a specific authorization request. This will be called only from PEP JS code
|
|
location /permission_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
proxy_pass "https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that sends a record to accounting service. This will be called only from PEP JS code if requested.
|
|
location /accounting {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
proxy_set_header Content-Type "application/json";
|
|
proxy_pass "https://accounting-service.d4science.org/accounting-service/record";
|
|
}
|
|
|
|
location /_accounting_legacy {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header gcube-token "$auth_token";
|
|
proxy_set_header Content-Type "application/json";
|
|
proxy_pass https://accounting-service.d4science.org/accounting-service/record;
|
|
}
|
|
|
|
|
|
}
|