2022-01-05 17:39:07 +01:00
|
|
|
upstream d4s-cdn {
|
2021-12-15 15:22:30 +01:00
|
|
|
ip_hash;
|
2022-01-05 17:39:07 +01:00
|
|
|
server d4s-cdn:8984;
|
2021-12-15 15:22:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
js_var $auth_token;
|
|
|
|
js_var $pep_credentials;
|
|
|
|
js_var $user;
|
|
|
|
js_var $user_display;
|
|
|
|
|
|
|
|
map $http_authorization $source_auth {
|
|
|
|
default "";
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
|
|
|
|
listen *:80;
|
|
|
|
listen [::]:80;
|
2022-01-05 17:39:07 +01:00
|
|
|
server_name d4s-cdn-pep;
|
2021-12-15 15:22:30 +01:00
|
|
|
|
|
|
|
subrequest_output_buffer_size 200k;
|
|
|
|
|
2022-01-05 17:39:07 +01:00
|
|
|
location /config/d4s-cdn/1 {
|
|
|
|
proxy_pass http://d4s-cdn;
|
2021-12-15 15:22:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
location / {
|
|
|
|
js_content pep.enforce;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /resources/ {
|
2022-01-05 17:39:07 +01:00
|
|
|
proxy_pass http://d4s-cdn;
|
2021-12-15 15:22:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
location @backend {
|
|
|
|
add_header Access-Control-Allow-Origin *;
|
|
|
|
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
|
|
|
|
add_header Access-Control-Allow-Headers "Content-Type, Authorization, Accept, Origin";
|
|
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
|
|
proxy_set_header X-User "$user";
|
|
|
|
proxy_set_header X-User-display "$user_display";
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
|
|
proxy_set_header X-Forwarded-Server $host;
|
|
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
proxy_set_header X-Original-URI $request_uri;
|
2022-01-05 17:39:07 +01:00
|
|
|
proxy_pass http://d4s-cdn;
|
2021-12-15 15:22:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
location /jwt_verify_request {
|
|
|
|
internal;
|
|
|
|
gunzip on;
|
|
|
|
proxy_method POST;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Authorization $pep_credentials;
|
|
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
|
|
proxy_pass https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token/introspect;
|
|
|
|
|
|
|
|
proxy_cache token_responses; # Enable caching
|
|
|
|
proxy_cache_key $source_auth; # Cache for each source authentication
|
|
|
|
proxy_cache_lock on; # Duplicate tokens must wait
|
|
|
|
proxy_cache_valid 200 10s; # How long to use each response
|
|
|
|
proxy_ignore_headers Cache-Control Expires Set-Cookie;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /jwt_request {
|
|
|
|
internal;
|
|
|
|
gunzip on;
|
|
|
|
proxy_method POST;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Authorization $pep_credentials;
|
|
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
|
|
proxy_pass https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /permission_request {
|
|
|
|
internal;
|
|
|
|
gunzip on;
|
|
|
|
proxy_method POST;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
|
|
proxy_pass https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token;
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|