d4s-nginx-pep-examples/sergencovid-19/nginx_virtualhost.conf.j2


# Cache zone used by the token-introspection subrequest (/jwt_verify_request
# below): 1 MiB of keys, at most 2 MiB of cached responses on disk.
proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
# Variables writable from the njs PEP module (presumably set by pep.enforce):
# the end-user token that is forwarded upstream as "Bearer $auth_token", and
# the Authorization value the PEP itself presents to the Keycloak token
# endpoints.
js_var $auth_token;
js_var $pep_credentials;
# Introspection / user-info responses are read through subrequests; a larger
# buffer avoids truncating bigger JSON bodies (exact need not shown here).
subrequest_output_buffer_size 200k;
# Accept request headers whose names contain underscores (nginx drops them by
# default); needed for headers such as the ones set in @backend / the PHP
# location below.
underscores_in_headers on;
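# Cache key for the introspection subrequest (/jwt_verify_request). It must
# identify the credential being introspected: the previous mapping returned
# the constant "" for every request, so all introspection results shared one
# cache entry and, while caching applied, one client's result could have been
# served for another client's token for up to 10s. Key on the client's
# Authorization header instead. NOTE(review): if pep.enforce takes the token
# from somewhere other than the Authorization header (cookie, query string),
# key on that value instead -- an empty key must never reach the cache.
map $http_authorization $source_auth {
    default $http_authorization;
}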
# Plain-HTTP vhost: answers ACME challenges (via the included snippet) and
# redirects everything else to HTTPS on the canonical host name.
server {
    listen 80;
    server_name {{ php_app_servername }} ;
    # Hide dot-files and dot-directories (.git, .env, ...) except /.well-known,
    # which Let's Encrypt needs. `return 404` runs in the rewrite phase, before
    # `deny all` is evaluated, so clients see 404 rather than 403.
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }
    # Presumably defines the /.well-known/acme-challenge location.
    include /etc/nginx/snippets/letsencrypt-proxy.conf;
    access_log /var/log/nginx/{{ php_app_servername }}_access.log;
    error_log /var/log/nginx/{{ php_app_servername }}_error.log;
    server_tokens off;
    # Permanent redirect to the HTTPS vhost, keeping path and query string.
    # The host is fixed to the configured server name rather than $host so a
    # client-supplied Host header cannot steer the redirect.
    location / {
        return 301 https://{{ php_app_servername }}$request_uri;
    }
}
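# HTTPS vhost: PHP application under /var/www/html, with the njs PEP
# (pep.enforce) in front of /operatore/ and the Keycloak / D4Science token
# endpoints reachable only through internal subrequests.
server {
    # NOTE: the `http2` listen parameter is deprecated since nginx 1.25.1 in
    # favour of a separate `http2 on;` directive; keep as-is for older nginx.
    listen 443 ssl http2;
    server_name {{ php_app_servername }} ;
    access_log /var/log/nginx/{{ php_app_servername }}_ssl_access.log;
    error_log /var/log/nginx/{{ php_app_servername }}_ssl_error.log;
    root /var/www/html;
    index index.php;
{% if haproxy_ips is defined %}
    # We are behind haproxy: trust X-Forwarded-For only when it comes from
    # the haproxy addresses, so $remote_addr (and everything derived from it,
    # including REMOTE_ADDR passed to PHP below) is the real client address.
{% for ip in haproxy_ips %}
    set_real_ip_from {{ ip }};
{% endfor %}
    real_ip_header X-Forwarded-For;
{% endif %}
    # Custom error documents. They are marked `internal` so they are only ever
    # served through error_page (internal redirects are still allowed), never
    # by fetching /401.html etc. directly.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        internal;
        root /var/www/html/errors;
    }
    error_page 401 /401.html;
    location = /401.html {
        internal;
        root /var/www/html/errors;
    }
    error_page 403 /403.html;
    location = /403.html {
        internal;
        root /var/www/html/errors;
    }
    error_page 404 /404.html;
    location = /404.html {
        internal;
        root /var/www/html/errors;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Hide dot-files and dot-directories except /.well-known. `return 404`
    # runs in the rewrite phase, before `deny all`, so clients see 404.
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }
    # Never expose the SQL directory (prefix match, so /sql* as well).
    location /sql {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }
    client_max_body_size 100M;
    client_body_timeout 240s;
    include /etc/nginx/snippets/nginx-server-ssl.conf;
    server_tokens off;
    # Public (no PEP) front controller: anything that is not an existing file
    # or directory is routed to /utente/index.php.
    location /utente/ {
        if (!-e $request_filename){
            rewrite ^(.+)$ /utente/index.php last;
        }
    }
    # Static resources of the operator UI, served without the PEP check.
    location /operatore/res/ {
        root /var/www/html;
    }
    # Operator UI, guarded by the njs PEP.
    # NOTE(review): the regex location `~ \.php$` below wins over this prefix
    # location, so a direct request for /operatore/index.php -- and the target
    # of the `rewrite ... last` below, which runs in the rewrite phase before
    # js_content -- reaches PHP-FPM without passing through pep.enforce, as
    # far as this file shows. Confirm against pep.js how protected PHP
    # requests are meant to be enforced.
    location /operatore/ {
        js_content pep.enforce;
        if (!-e $request_filename){
            rewrite ^(.+)$ /operatore/index.php last;
        }
    }
    # Named location with no content handler (no proxy_pass / fastcgi_pass);
    # the proxy_set_header lines only take effect if a proxy_pass is added.
    # NOTE(review): if pep.enforce internally redirects here, nginx would
    # serve the request as static files from root -- confirm the intent.
    location @backend {
        proxy_set_header Authorization "Bearer $auth_token";
        proxy_set_header remote-user "$remote_user";
    }
    # PHP-FPM. `try_files $uri =404` refuses URIs that do not exist as files,
    # which closes the classic cgi.fix_pathinfo trick (/upload.jpg/x.php).
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php_app.sock;
        fastcgi_index index.php;
        # Standard parameters first, explicit overrides after them. With the
        # include last, parameters defined in both places were sent twice and
        # which copy PHP-FPM honoured depended on the FastCGI server.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Use $remote_addr, not the raw X-Forwarded-For header: that header is
        # client-controlled, so any caller could spoof REMOTE_ADDR (and it was
        # empty when not behind haproxy). When haproxy_ips is set, the real_ip
        # module above has already replaced $remote_addr with the address
        # reported by haproxy.
        fastcgi_param REMOTE_ADDR $remote_addr;
        # Forward the PEP token and user to the application.
        # NOTE(review): $auth_token is empty on paths pep.enforce did not
        # handle, so PHP then receives the literal "Bearer " -- confirm the
        # app tolerates that. $remote_user is only populated by auth_basic
        # unless pep.js sets it; the hyphenated name is passed to PHP as-is.
        fastcgi_param HTTP_Authorization "Bearer $auth_token";
        fastcgi_param HTTP_remote-user $remote_user;
    }
    # The upstream calls below go over TLS, but nginx does NOT verify upstream
    # certificates by default (proxy_ssl_verify off). Without verification a
    # spoofed IdP/API could capture user tokens and the PEP credentials, so
    # every proxied location pins the system CA bundle and sends SNI.
    # (Debian/Ubuntu bundle path; adjust to the host's CA store.)
    # User profile lookup at the D4Science API, authenticated with the user's
    # gcube token.
    location /gcube_user_info {
        internal;
        gunzip on;
        proxy_method GET;
        proxy_http_version 1.1;
        # Required because the proxy_pass URL contains a variable and is
        # resolved at request time. Plain DNS is unauthenticated, one more
        # reason certificate verification must be on here.
        resolver 146.48.122.10;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # NOTE(review): the token travels in the query string and will appear
        # in the API's access logs; presumably the API requires this form.
        proxy_pass https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token;
    }
    # Token introspection at Keycloak, authenticated with the PEP's own
    # credentials. Responses are cached briefly so repeated requests with the
    # same token do not hit Keycloak each time.
    location /jwt_verify_request {
        internal;
        gunzip on;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Authorization $pep_credentials;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_pass https://{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect;
        proxy_cache token_responses; # Enable caching
        # The key must be unique per introspected token: a constant or empty
        # key makes every introspection share one entry, so one token's result
        # could be served for another within the 10s window. As a safety net,
        # skip the cache entirely whenever the key is empty.
        # NOTE(review): as far as I can tell caching only applies when the
        # subrequest's own method is GET/HEAD (proxy_cache_methods default);
        # proxy_method does not change that -- confirm with pep.js.
        proxy_cache_key $source_auth; # Cache for each source authentication
        set $skip_token_cache 0;
        if ($source_auth = "") {
            set $skip_token_cache 1;
        }
        proxy_no_cache $skip_token_cache;
        proxy_cache_bypass $skip_token_cache;
        proxy_cache_lock on; # Duplicate tokens must wait
        proxy_cache_valid 200 10s; # How long to use each response
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
    }
    # Token request at Keycloak, authenticated with the PEP's own credentials
    # (grant type and body are set by pep.js, not here).
    location /jwt_request {
        internal;
        gunzip on;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Authorization $pep_credentials;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_pass https://{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token;
    }
    # Token-endpoint call made on behalf of the user (Bearer $auth_token),
    # presumably a UMA permission/RPT request; the grant type is set by pep.js.
    location /permission_request {
        internal;
        gunzip on;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_set_header Authorization "Bearer $auth_token";
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_pass https://{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token;
    }
}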