171 lines
5.1 KiB
Plaintext
171 lines
5.1 KiB
Plaintext
# Websockets
|
|
map $http_upgrade $connection_upgrade {
|
|
default upgrade;
|
|
'' close;
|
|
}
|
|
|
|
# Prometheus metrics
|
|
upstream prometheus {
|
|
ip_hash;
|
|
server {{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_as_docker_service_name }}:{{ shinyproxy_prometheus_port }};
|
|
}
|
|
|
|
# backend service
|
|
upstream service {
|
|
ip_hash;
|
|
server ${DOCKER_FULL_STACK_SERVICE_NAME}:${DOCKER_SERVICE_PORT};
|
|
}
|
|
|
|
|
|
# variables computed by njs and which may possibly be passed among locations
|
|
js_var $auth_token;
|
|
js_var $account_record;
|
|
js_var $pep_credentials;
|
|
|
|
proxy_cache_path /tmp levels=1:2 keys_zone=social_cache:10m max_size=10g inactive=60m use_temp_path=off;
|
|
|
|
|
|
server {
|
|
|
|
listen *:80;
|
|
listen [::]:80;
|
|
|
|
server_name ${SERVICE_HOST};
|
|
|
|
subrequest_output_buffer_size ${SUBREQUEST_OUTPUT_BUFFER_SIZE};
|
|
|
|
proxy_hide_header X-Frame-Options;
|
|
add_header X-Frame-Options "";
|
|
proxy_hide_header Content-Security-Policy;
|
|
add_header Content-Security-Policy "";
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
location /health {
|
|
add_header Content-Length 0;
|
|
add_header Content-Type "text/plain";
|
|
return 200;
|
|
}
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-Host "$remote_addr";
|
|
proxy_set_header X-Forwarded-Server $host;
|
|
proxy_set_header nginx-request-uri $request_uri;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_buffering on;
|
|
proxy_buffer_size 8k;
|
|
proxy_buffers 4 8k;
|
|
proxy_busy_buffers_size 16k;
|
|
proxy_temp_file_write_size 16k;
|
|
proxy_redirect off;
|
|
proxy_connect_timeout 30s;
|
|
proxy_read_timeout 2400s;
|
|
proxy_send_timeout 120s;
|
|
|
|
|
|
location ~ /app/ {
|
|
proxy_read_timeout 300;
|
|
proxy_send_timeout 300;
|
|
js_content pep.enforce_legacy;
|
|
}
|
|
|
|
|
|
|
|
location /gcube_user_info {
|
|
internal;
|
|
gunzip on;
|
|
proxy_method GET;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header gcube-token "$auth_token";
|
|
proxy_pass https://api.d4science.org/rest/2/people/profile;
|
|
|
|
proxy_cache social_cache;
|
|
proxy_cache_key $auth_token;
|
|
}
|
|
|
|
|
|
location / {
|
|
access_log /var/log/nginx/proxy.access.log;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-NginX-Proxy true;
|
|
proxy_cache_bypass $http_upgrade;
|
|
# resolver 127.0.0.11;
|
|
proxy_pass http://service$request_uri;
|
|
}
|
|
|
|
|
|
# internal location that redirects to backend will only be called from PEP JS code when all checks are passed
|
|
location /_backend {
|
|
internal;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-NginX-Proxy true;
|
|
proxy_cache_bypass $http_upgrade;
|
|
# proxy_redirect off;
|
|
proxy_pass http://service$request_uri;
|
|
}
|
|
|
|
|
|
# internal location that redirects to Keycloak in order to verify a token's validity. This will be called only from PEP JS code
|
|
location /jwt_verify_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization $pep_credentials;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_pass "https://${KEYCLOACK_SERVER}/auth/realms/d4science/protocol/openid-connect/token/introspect";
|
|
|
|
proxy_ignore_headers Cache-Control Expires Set-Cookie;
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that redirects to Keycloak in order to exchange Basic auth credentials with token. This will be called only from PEP JS code
|
|
location /jwt_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization $pep_credentials;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_pass "https://${KEYCLOACK_SERVER}/auth/realms/d4science/protocol/openid-connect/token";
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that redirects to Keycloak in order to perform a specific authorization request. This will be called only from PEP JS code
|
|
location /permission_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
proxy_pass "https://${KEYCLOACK_SERVER}/auth/realms/d4science/protocol/openid-connect/token";
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that sends a record to accounting service. This will be called only from PEP JS code if requested.
|
|
location /accounting {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
proxy_set_header Content-Type "application/json";
|
|
proxy_pass "${ACCOUNTING_SERVICE_BASEURL}/record";
|
|
}
|
|
|
|
location /_accounting_legacy {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header gcube-token "$auth_token";
|
|
proxy_set_header Content-Type "application/json";
|
|
proxy_pass ${ACCOUNTING_SERVICE_BASEURL}/record;
|
|
}
|
|
|
|
|
|
}
|