# http-level settings shared by the two server blocks below.

# Accept client request headers whose names contain underscores
# (nginx silently drops such headers by default).
underscores_in_headers on;

# Upper bound on the body of a subrequest that njs reads back
# (introspection / user-info responses from the internal locations).
subrequest_output_buffer_size 200k;

# Variables exchanged with the njs handler (js_content pep.enforce):
# the caller's token and the credentials the PEP presents to Keycloak.
# NOTE(review): who writes these and when is decided in pep.js, not here.
js_var $auth_token;
js_var $pep_credentials;

# On-disk cache used by /jwt_verify_request for introspection responses;
# the zone name is referenced by proxy_cache below.
proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
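# $source_auth is the proxy_cache_key of /jwt_verify_request. The previous
# definition mapped every Authorization header to "", i.e. one shared cache
# entry for all callers: while caching applies, an introspection result
# obtained for one token could be served for a different token during the
# proxy_cache_valid window. Keying on the header the client presented keeps
# one entry per credential, which is what the "Cache for each source
# authentication" comment in that location expects.
# NOTE(review): if pep.js accepts tokens from somewhere other than the
# Authorization header, that value must be part of the key as well.
map $http_authorization $source_auth {
    default $http_authorization;
}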
# Plain-HTTP listener: serves only the ACME challenge (via the included
# snippet) and redirects everything else to HTTPS.
server {
    listen 80;
    server_name {{ php_app_servername }} ;

    access_log /var/log/nginx/{{ php_app_servername }}_access.log;
    error_log  /var/log/nginx/{{ php_app_servername }}_error.log;

    # Do not advertise the nginx version in headers/error pages.
    server_tokens off;

    # Hidden files and directories (.git, .env, ...) are never served;
    # the negative lookahead keeps /.well-known reachable for ACME.
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }

    # Kept after the regex location above so the relative order of any
    # regex locations defined in the snippet is unchanged.
    include /etc/nginx/snippets/letsencrypt-proxy.conf;

    location / {
        return 301 https://{{ php_app_servername }}$request_uri;
    }
}
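# HTTPS front end for the PHP application. Requests under /operatore/ pass
# through the njs policy-enforcement point (pep.enforce), which uses the
# internal locations at the end of this block to talk to Keycloak and to the
# D4Science user-info API.
server {
    listen 443 ssl http2;
    server_name {{ php_app_servername }} ;

    access_log /var/log/nginx/{{ php_app_servername }}_ssl_access.log;
    error_log  /var/log/nginx/{{ php_app_servername }}_ssl_error.log;

    root /var/www/html;
    index index.php;

{% if haproxy_ips is defined %}
    # We are behind haproxy: only the listed proxies may supply the client
    # address via X-Forwarded-For; $remote_addr is rewritten accordingly.
{% for ip in haproxy_ips %}
    set_real_ip_from {{ ip }};
{% endfor %}
    real_ip_header X-Forwarded-For;
{% endif %}

    # Static error pages, served from a separate document root.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/html/errors;
    }
    error_page 401 /401.html;
    location = /401.html {
        root /var/www/html/errors;
    }
    error_page 403 /403.html;
    location = /403.html {
        root /var/www/html/errors;
    }
    error_page 404 /404.html;
    location = /404.html {
        root /var/www/html/errors;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Hidden files/directories are never served (except /.well-known).
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }
    # SQL files/dumps under the web root must not be downloadable.
    location /sql {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }

    client_max_body_size 100M;
    client_body_timeout 240s;

    include /etc/nginx/snippets/nginx-server-ssl.conf;

    server_tokens off;

    # Front-controller routing for the user area: anything that is not an
    # existing file or directory is handled by /utente/index.php.
    # NOTE(review): unlike /operatore/, this area is not routed through
    # pep.enforce; confirm that is intended.
    location /utente/ {
        if (!-e $request_filename){
            rewrite ^(.+)$ /utente/index.php last;
        }
    }

    # Static resources of the operator area: served directly, no PEP.
    location /operatore/res/ {
        root /var/www/html;
    }

    # Operator area: every request is first evaluated by the njs PEP, then
    # routed to the front controller when it does not map to a real file.
    location /operatore/ {
        js_content pep.enforce;
        if (!-e $request_filename){
            rewrite ^(.+)$ /operatore/index.php last;
        }
    }

    # Target the PEP hands authorised requests to (presumably via an
    # internal redirect from pep.js; nothing in this file references it).
    location @backend {
        proxy_set_header Authorization "Bearer $auth_token";
        proxy_set_header remote-user "$remote_user";
    }

    location ~ \.php$ {
        # Refuse to proxy scripts that do not exist on disk (avoids the
        # classic PATH_INFO script-injection issue).
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php_app.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Use the connection peer address. Behind haproxy the real_ip
        # block above already folds the trusted X-Forwarded-For value into
        # $remote_addr; passing $http_x_forwarded_for directly let any
        # client choose the REMOTE_ADDR the application sees (and could
        # carry a comma-separated list rather than one address).
        fastcgi_param REMOTE_ADDR $remote_addr;
        # The token the PEP resolved, presented to PHP as a bearer header.
        fastcgi_param HTTP_Authorization "Bearer $auth_token";
        fastcgi_param HTTP_remote-user $remote_user;
        # Explicit params above take precedence over same-named ones in
        # fastcgi_params (first definition wins) — keep this include last.
        include fastcgi_params;
    }

    # ---- internal locations used by pep.js (not reachable by clients) ----
    # NOTE(review): nginx does not verify the upstream TLS certificate by
    # default, so the credentials and tokens below are sent without
    # checking who answers. Enable verification once the CA bundle path
    # for this host is known, e.g.:
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate <PATH-TO-CA-BUNDLE>;

    # Profile lookup for legacy gcube tokens. The token travels in the query
    # string and may therefore end up in the upstream's access logs.
    location /gcube_user_info {
        internal;
        gunzip on;
        proxy_method GET;
        proxy_http_version 1.1;
        resolver 146.48.122.10;
        proxy_pass https://api.d4science.org/rest/2/people/profile?gcube-token=$auth_token;
    }

    # Token introspection at Keycloak, authenticated with the PEP's own
    # client credentials. Responses are cached briefly to absorb bursts.
    location /jwt_verify_request {
        internal;
        gunzip on;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Authorization $pep_credentials;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_pass https://{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token/introspect;

        proxy_cache token_responses;            # Enable caching
        # The key MUST differ per presented credential: with a constant
        # $source_auth every caller would share one cached introspection
        # result for proxy_cache_valid seconds. See the map at the top.
        proxy_cache_key $source_auth;           # Cache for each source authentication
        proxy_cache_lock on;                    # Duplicate tokens must wait
        proxy_cache_valid 200 10s;              # How long to use each response
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
    }

    # Token endpoint call made with the PEP's client credentials
    # (e.g. a token exchange); never cached.
    location /jwt_request {
        internal;
        gunzip on;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Authorization $pep_credentials;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_pass https://{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token;
    }

    # Token endpoint call made on behalf of the caller's token
    # (permission/authorization request); never cached.
    location /permission_request {
        internal;
        gunzip on;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_set_header Authorization "Bearer $auth_token";
        proxy_pass https://{{ keycloak_auth_server }}/auth/realms/d4science/protocol/openid-connect/token;
    }
}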