91 lines
3.0 KiB
Plaintext
91 lines
3.0 KiB
Plaintext
# backend service
|
|
upstream service {
|
|
ip_hash;
|
|
server 127.0.0.1:8000;
|
|
}
|
|
|
|
# variables computed by njs and which may possibly be passed among locations
|
|
js_var $auth_token;
|
|
js_var $account_record;
|
|
js_var $pep_credentials;
|
|
|
|
server {
|
|
|
|
listen *:80;
|
|
listen [::]:80;
|
|
|
|
# the vhost name
|
|
server_name peptest;
|
|
|
|
# for services that return large maounts of data
|
|
subrequest_output_buffer_size 200k;
|
|
|
|
location /health {
|
|
add_header Content-Length 0;
|
|
add_header Content-Type "text/plain";
|
|
return 200;
|
|
# or just call the backend service's healt endpoint
|
|
}
|
|
|
|
location / {
|
|
js_content pep.enforce;
|
|
}
|
|
|
|
# internal location that redirects to backend will only be called from PEP JS code when all checks are passed
|
|
location /_backend {
|
|
internal;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-NginX-Proxy true;
|
|
proxy_cache_bypass $http_upgrade;
|
|
proxy_pass http://service$request_uri;
|
|
}
|
|
|
|
|
|
# internal location that redirects to Keycloak in order to verify a token's validity. This will be called only from PEP JS code
|
|
location /jwt_verify_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization $pep_credentials;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_pass "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token/introspect";
|
|
|
|
proxy_ignore_headers Cache-Control Expires Set-Cookie;
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that redirects to Keycloak in order to exchange Basic auth credentials with token. This will be called only from PEP JS code
|
|
location /jwt_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization $pep_credentials;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_pass "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that redirects to Keycloak in order to perform a specific authorization request. This will be called only from PEP JS code
|
|
location /permission_request {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Content-Type "application/x-www-form-urlencoded";
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
proxy_pass "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
|
|
gunzip on;
|
|
}
|
|
|
|
# internal location that sends a record to accounting service. This will be called only from PEP JS code if requested.
|
|
location /accounting {
|
|
internal;
|
|
proxy_method POST;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Authorization "Bearer $auth_token";
|
|
proxy_set_header Content-Type "application/json";
|
|
proxy_pass https://accounting-service.d4science.org/accounting-service/record;
|
|
}
|
|
}
|