-
Notifications
You must be signed in to change notification settings - Fork 0
/
nms-http-simple.conf
executable file
·91 lines (73 loc) · 3.98 KB
/
nms-http-simple.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# This is the backend site/application we are protecting with OpenID Connect
upstream my_backend {
zone my_frontend_site 64k;
server 127.0.0.1:80;
}
# Custom log format to include the 'sub' claim in the REMOTE_USER field
log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status '
'$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
# The frontend server - reverse proxy with OpenID Connect authentication
#
server {
include /etc/nms/nginx/oidc/openid_connect.conf; # Authorization code flow and Relying Party processing
error_log /var/log/nginx/error.log debug; # Reduce severity level as required
listen 8010; # Use SSL/TLS in production
server_name www.example.com;
resolver 127.0.0.11; # For DNS lookup of IdP endpoints;
location / {
# This site can be either directly protected with OpenID Connect(OIDC) or
# shown with just a landing page without login.
# Disable when you need to show a default landing page before login, or
# Enable when you protect all site/backend with OIDC.
# auth_jwt "" token=$session_jwt;
# error_page 401 = @do_oidc_flow;
# auth_jwt_key_request /_jwks_uri; # Enable when using URL
# #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
# Enable when blocking API access from anonymous who holds session cookie.
# auth_request /_session_cookie_validation;
# auth_request_set $session_cookie_status $upstream_status;
# error_page 403 = @do_oidc_flow; # Enable when invoking the new RP flow from the browser to get user authenticated
# #error_page 403 = @session_cookie_error; # Enable when responsing an error to the API request.
# Successfully authenticated users are proxied to the backend site/app
# with 'sub' claim passed as HTTP header. It is empty before login.
proxy_set_header userid $jwt_claim_sub;
# proxy_set_header Authorization "Bearer $access_token"; # Enable when using access token
proxy_pass http://my_backend; # The frontend landing page & backend
access_log /var/log/nginx/access.log main_jwt;
}
location = /login {
# This location can be called by SPA for starting OIDC flow via 'login'
# button after starting a landing page.
auth_jwt "" token=$session_jwt;
error_page 401 = @do_oidc_flow;
auth_jwt_key_request /_jwks_uri; # Enable when using URL
# auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
access_log /var/log/nginx/access.log main_jwt;
}
location /v1/public-api {
# This location is an example of public API where authorization is not
# required. So the landing page can call this API without OIDC workflow.
# Enable security directives like rate limiter to mitigate DoS attacks.
proxy_pass http://my_backend;
access_log /var/log/nginx/access.log main_jwt;
}
location /v1/private-api {
# This location is an example of private API authorization after login.
# Enable this if the token format is a JWT that can be extracted.
# Otherwise(e.g., opaque token), disable auth_jwt directives, and handle
# API authorization by your customization.
error_page 401 = @do_oidc_flow;
auth_jwt "" token=$access_token;
auth_jwt_key_request /_jwks_uri; # Enable when using URL
#auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
# The 'sub' claim is empty when unauthenticated.
# When the landing page calls /login endpoint, its claim is set.
proxy_set_header userid $jwt_claim_sub;
# The 'access_token' is set when authorized in the /login endpoint.
# Otherwise, it is empty.
proxy_set_header Authorization "Bearer $access_token";
proxy_pass http://my_backend;
access_log /var/log/nginx/access.log main_jwt;
}
}
# vim: syntax=nginx