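# Policy Enforcement Point (PEP) front-end for the PHP app.
#
# Layout:
#   * http-level state shared by the njs module (pep.enforce): the token-response
#     cache, the two js_var variables the script writes, and the map that derives
#     the introspection cache key.
#   * a plain-HTTP server that only serves ACME challenges and redirects to HTTPS.
#   * the HTTPS server: static/PHP app plus the internal locations that
#     pep.enforce calls via subrequest (token introspection, token request,
#     UMA permission request, gcube profile lookup).
#
# This is an Ansible/Jinja2 template: {{ php_app_servername }}, {{ keycloak_auth_server }}
# and haproxy_ips are rendered at deploy time.

# Small on-disk cache for Keycloak introspection responses (see /jwt_verify_request).
proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;

# Set by pep.enforce (njs); both default to "" until the script assigns them.
#   $auth_token      - the end-user access token being enforced / forwarded
#   $pep_credentials - the Authorization header value the PEP uses against Keycloak
js_var $auth_token;
js_var $pep_credentials;

subrequest_output_buffer_size 200k;
underscores_in_headers on;

# Bearer token carried in the client's Authorization header, "" when absent.
# It is the per-token part of the introspection cache key: the original map
# returned "" for every request, so all introspection responses shared ONE cache
# entry and, within the 10s validity window, the (cached) result for token A
# could be served for any other token B.
map $http_authorization $source_auth {
    default "";
    "~*^bearer (.*)$" $1;
}

# "1" when neither the client's bearer header nor $auth_token is known, so the
# cache key would be empty. Such responses must never be cached or served from
# cache - an empty key is shared by every request in that state.
map "$source_auth$auth_token" $introspect_nocache {
    "" 1;
    default 0;
}

server {
    listen 80;
    server_name {{ php_app_servername }} ;

    # Block dotfiles (.git, .env, ...) but leave /.well-known for ACME.
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }

    include /etc/nginx/snippets/letsencrypt-proxy.conf;

    access_log /var/log/nginx/{{ php_app_servername }}_access.log;
    error_log /var/log/nginx/{{ php_app_servername }}_error.log;
    server_tokens off;

    # Everything else goes to HTTPS.
    location / {
        return 301 https://{{ php_app_servername }}$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name {{ php_app_servername }} ;

    access_log /var/log/nginx/{{ php_app_servername }}_ssl_access.log;
    error_log /var/log/nginx/{{ php_app_servername }}_ssl_error.log;

    root /var/www/html;
    index index.php;

    {% if haproxy_ips is defined %}
    # We are behind haproxy: trust X-Forwarded-For only from the listed
    # load-balancer addresses, so $remote_addr becomes the real client IP.
    {% for ip in haproxy_ips %}
    set_real_ip_from {{ ip }};
    {% endfor %}
    real_ip_header X-Forwarded-For;
    {% endif %}

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/html/errors;
    }

    error_page 401 /401.html;
    location = /401.html {
        root /var/www/html/errors;
    }

    error_page 403 /403.html;
    location = /403.html {
        root /var/www/html/errors;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /var/www/html/errors;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Block dotfiles (.git, .env, ...) but leave /.well-known for ACME.
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }

    # Never expose the SQL directory shipped with the app tree.
    location /sql {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }

    client_max_body_size 100M;
    client_body_timeout 240s;

    include /etc/nginx/snippets/nginx-server-ssl.conf;
    server_tokens off;

    # Front controller for the user area: unknown paths are routed to its index.php.
    location /utente/ {
        if (!-e $request_filename) {
            rewrite ^(.+)$ /utente/index.php last;
        }
    }

    # Static resources of the operator area: longer prefix than /operatore/, so
    # they are served directly and NOT passed through pep.enforce.
    location /operatore/res/ {
        root /var/www/html;
    }

    # Operator area: access is decided by the njs handler pep.enforce.
    #
    # NOTE(review): URIs ending in .php match the regex location "~ \.php$"
    # before this prefix, and the rewrite below also lands there, so
    # pep.enforce only runs for existing non-.php paths under /operatore/
    # (e.g. the directory itself). A direct request to /operatore/index.php
    # reaches PHP with an empty $auth_token; the PHP side must treat an empty
    # bearer token as unauthenticated - confirm.
    location /operatore/ {
        js_content pep.enforce;
        if (!-e $request_filename) {
            rewrite ^(.+)$ /operatore/index.php last;
        }
    }

    # Named location, presumably the internalRedirect target of pep.enforce.
    # It has no proxy_pass, so the request is served by the static handler
    # (root + index -> index.php) and the proxy_set_header lines are inert;
    # the token reaches PHP via the fastcgi_param below instead - confirm
    # against pep.enforce.
    location @backend {
        proxy_set_header Authorization "Bearer $auth_token";
        proxy_set_header remote-user "$remote_user";
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php_app.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Client IP as seen by nginx. Behind haproxy the realip module above
        # has already replaced it with the last trusted X-Forwarded-For hop.
        # The previous value, $http_x_forwarded_for, was the raw, client-
        # supplied header (spoofable, and possibly a comma-separated list).
        fastcgi_param REMOTE_ADDR $remote_addr;

        # Token chosen by pep.enforce ("Bearer " alone when it did not run).
        fastcgi_param HTTP_Authorization "Bearer $auth_token";

        # NOTE(review): $remote_user is the user name parsed from the client's
        # own Basic Authorization header, not something pep.enforce sets. If
        # the PHP app uses HTTP_remote-user as an authenticated identity it is
        # attacker-controlled - confirm, and derive it from a js_var instead.
        fastcgi_param HTTP_remote-user $remote_user;

        include fastcgi_params;
    }

    # --- internal endpoints used by pep.enforce via subrequest ---------------
    # Each upstream is reached over HTTPS; nginx does not verify upstream
    # certificates by default, and these calls carry the PEP client credentials
    # and user tokens, so verification is enabled per location. The CA bundle
    # path is the Debian/Ubuntu one (matching /run/php); adjust for other distros.

    # gcube profile lookup. The token travels in the query string, i.e. it will
    # appear in the upstream's access logs; that is the API's interface.
    location /gcube_user_info {
        internal;
        gunzip on;
        proxy_method GET;
        proxy_http_version 1.1;
        resolver 146.48.122.10;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_pass https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token;
    }

    # Keycloak token introspection, cached briefly per token.
    location /jwt_verify_request {
        internal;
        gunzip on;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Authorization $pep_credentials;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_pass https://{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect;

        proxy_cache token_responses;                        # Enable caching
        # One entry per token: the client's bearer header plus whatever
        # pep.enforce put in $auth_token. Never the bare constant "" (see
        # $introspect_nocache): that would let one token's introspection
        # result answer for every other token for up to 10s.
        proxy_cache_key "$source_auth|$auth_token";
        proxy_no_cache $introspect_nocache;
        proxy_cache_bypass $introspect_nocache;
        proxy_cache_lock on;                                # Duplicate tokens must wait
        proxy_cache_valid 200 10s;                          # How long to use each response
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
    }

    # Keycloak token endpoint (client credentials / exchange), never cached.
    location /jwt_request {
        internal;
        gunzip on;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Authorization $pep_credentials;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_pass https://{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token;
    }

    # UMA permission request on behalf of the user token, never cached.
    location /permission_request {
        internal;
        gunzip on;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_set_header Authorization "Bearer $auth_token";
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_pass https://{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token;
    }
}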