-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
113 lines (97 loc) · 4.13 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
access_log /var/log/nginx/acces.log;
error_log /var/log/nginx/error.log;
# Maggot web application
upstream maggot { server mmdt-web:80; }
lua_package_path '/opt/lua/?.lua;;';
# cache for JWT verification results
lua_shared_dict introspection 10m;
# Storage for Maggot session
lua_shared_dict session_cache_realm1 10m;
resolver 8.8.8.8;
server {
listen 0.0.0.0:80 default_server;
listen [::]:80 default_server;
server_name 10.0.0.106;
root /usr/local/openresty/nginx/html/;
# Timeoout
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
# Upload max size
client_max_body_size 300M;
# caching is disabled so the browser won't cache the site.
expires 0;
add_header Cache-Control private;
location /maggot/ {
access_by_lua_block {
if ngx.req.get_headers()["API-KEY"] ~= nil then
local opts = {
discovery = "http://10.0.0.106:8080/realms/Maggot/.well-known/openid-configuration",
client_id = "api-maggot",
client_secret = "FYFBOxpWl6spQ9of62ljGhR7v6NcnBS7",
session_contents = {id_token=true}
}
-- call bearer_jwt_verify for OAuth 2.0 JWT validation
local res, err = require("resty.openidc").bearer_jwt_verify(opts)
if err then
ngx.status = 403
ngx.exit(ngx.HTTP_FORBIDDEN)
end
else
require("sessions_store")
local opts = {
redirect_uri_path = "/maggot/Maggot/redirect_uri",
discovery = "http://10.0.0.106:8080/realms/Maggot/.well-known/openid-configuration",
client_id = "maggot",
client_secret = "GUWHrrBXnJp3dtT3Nl15olqDgyxaGGx2",
scope = "openid email",
access_token_expires_leeway = 30,
renew_access_token_on_expiry = true,
redirect_uri_scheme = "http",
logout_path = "/maggot/logout",
revoke_tokens_on_logout = true,
redirect_after_logout_uri = "http://10.0.0.106:8080/realms/Maggot/protocol/openid-connect/logout?client_id=maggot",
redirect_after_logout_with_id_token_hint = false,
session_contents = {id_token=true, access_token=true},
session_store = shared_dict_session_store("session_cache_realm1")
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts,nil,nil,{name=opts.client_id, audience=opts.client_id})
if err then
ngx.status = 403
ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.set_header("Authorization", "Bearer " .. res.access_token)
ngx.req.set_header("IP_NAME", "KEYCLOAK")
end
}
proxy_set_header Host $host;
proxy_set_header X-App-Name 'maggot';
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://maggot/;
}
location / {
autoindex on;
autoindex_exact_size off;
root /usr/local/openresty/nginx/html/;
}
# redirect server error pages to the static page /40x.html
error_page 404 /404.html;
location = /40x.html { }
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/openresty/nginx/html/;
}
}