# Upstream group for the Conductor server API. The host name is filled in from
# the conductor_service template variable; traffic to it is plain HTTP on 8080.
upstream _conductor-server {
    # Keep requests from one client address on the same upstream peer.
    ip_hash;
    server {{ conductor_service }}:8080;
}
# Upstream group for the Conductor UI. The host name is filled in from the
# conductor_ui_service template variable; traffic to it is plain HTTP on 5000.
upstream _conductor-ui {
    # Keep requests from one client address on the same upstream peer.
    ip_hash;
    server {{ conductor_ui_service }}:5000;
}
# Declares $source_auth, keyed on the request's Authorization header. The only
# entry is the default, so the map itself always yields the empty string.
# NOTE(review): $source_auth is used as the proxy_cache_key of the token
# introspection subrequest; it presumably gets a per-token value assigned by
# the njs PEP code before that subrequest runs - confirm, because an empty key
# would make every token share one cached introspection answer.
map $http_authorization $source_auth {
    default "";
}
# Variables declared for the njs code. In this file they are only read:
# $auth_token as the Bearer value of /permission_request, and $pep_credentials
# as the Authorization header of /jwt_verify_request and /jwt_request.
# Both hold secrets, so they should not be written to access or error logs.
js_var $auth_token;
js_var $pep_credentials;
# Virtual host for the Conductor API. Requests under /api/ are handed to the
# njs policy enforcement point (pep.enforce); the internal locations below are
# the subrequest targets it uses to talk to the IAM.
server {
    # NOTE(review): both listeners are plain HTTP. The PEP works on the
    # Authorization header, so presumably TLS is terminated by a proxy in
    # front of this host - confirm.
    listen *:80;
    listen [::]:80;
    server_name {{ conductor_server_name }};

{% if conductor_server_name != conductor_ui_server_name %}
    # Rendered only when API and UI can live on separate vhosts (as in a
    # local-site deployment): "/" is then forwarded too, so the swagger docs
    # are reachable. This location proxies straight to the Conductor server
    # and is not routed through pep.enforce.
    location / {
        proxy_set_header Host $host;
        proxy_pass http://_conductor-server;
    }
{% endif %}

    # Health endpoint: forwarded to the Conductor server as is, without the PEP.
    location /health {
        proxy_set_header Host $host;
        proxy_pass http://_conductor-server;
    }

    # Every API call is answered by the njs handler pep.enforce.
    # Presumably it authorizes the request and then redirects internally to
    # @backend - confirm in the njs source.
    location /api/ {
        js_content pep.enforce;
    }

    # Named location: not matched against client URIs, only reachable through
    # an internal redirect. Forwards the request to the Conductor server with
    # the usual reverse-proxy headers.
    location @backend {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever the
        # client sent in X-Forwarded-For, so only the last entry is set here.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Original-URI $request_uri;
        proxy_pass http://_conductor-server;
    }

    # Token introspection against the IAM, authenticated with $pep_credentials.
    # "internal" keeps clients from requesting this location directly.
    # NOTE(review): if the iam_host template variable is an https URL, nginx
    # does not verify the upstream certificate unless proxy_ssl_verify is
    # enabled together with proxy_ssl_trusted_certificate. This applies to all
    # three IAM locations, which carry client credentials and tokens.
    location /jwt_verify_request {
        internal;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Authorization $pep_credentials;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_pass "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token/introspect";

        # Do not let the IAM's own caching headers or cookies decide whether
        # the response is cached; proxy_cache_valid below governs that.
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
        # Decompress gzip-encoded upstream responses.
        gunzip on;

        # Store responses in the token_responses cache zone (the zone is not
        # defined in this file).
        proxy_cache token_responses;
        # One cache entry per source authentication.
        # NOTE(review): this is only safe if $source_auth is unique per
        # presented token when the subrequest is issued - confirm.
        proxy_cache_key $source_auth;
        # Concurrent lookups for the same key wait for the first one.
        proxy_cache_lock on;
        # A 200 answer is reused for 10 seconds, so a token revoked at the IAM
        # may still be accepted for up to that long.
        proxy_cache_valid 200 10s;
    }

    # Token request to the IAM token endpoint, authenticated with
    # $pep_credentials. Internal only.
    location /jwt_request {
        internal;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Authorization $pep_credentials;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_pass "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token";
        # Decompress gzip-encoded upstream responses.
        gunzip on;
    }

    # Request to the same IAM token endpoint, but authenticated with the
    # bearer token held in $auth_token. Internal only.
    location /permission_request {
        internal;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_set_header Authorization "Bearer $auth_token";
        proxy_pass "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token";
        # Decompress gzip-encoded upstream responses.
        gunzip on;
    }
}
# Virtual host for the Conductor UI. It is the default_server on port 80, so
# requests whose Host header matches no other server_name also end up here.
# NOTE(review): nothing in this block authenticates the caller; if the UI must
# not be publicly reachable, access control has to be provided elsewhere.
server {
    listen *:80 default_server;
    listen [::]:80 default_server;
    server_name {{ conductor_ui_server_name }};

    # Everything is proxied to the UI upstream with the usual reverse-proxy
    # headers.
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever the
        # client sent in X-Forwarded-For, so only the last entry is set here.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://_conductor-ui;
    }
}