Diffstat (limited to 'server/nginx.template')
-rw-r--r--server/nginx.template111
1 files changed, 111 insertions, 0 deletions
diff --git a/server/nginx.template b/server/nginx.template
new file mode 100644
index 0000000..98798bc
--- /dev/null
+++ b/server/nginx.template
@@ -0,0 +1,111 @@
+# Log format for onap logging
+log_format onap_logging '"$request_body"';
+
+lua_package_path '/usr/local/openresty/lualib/?.lua;;';
+
+# cache for discovery metadata documents
+lua_shared_dict discovery 1m;
+
+# cache for JWKs
+lua_shared_dict jwks 1m;
+
+# if run in local docker container add this resolver for the DNS to connect to Keycloak
+resolver ${CLUSTER_NAMESERVER_IP};
+
+error_log logs/error.log error;
+
+server { # simple reverse-proxy
+ listen ${NGINX_PORT};
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html;
+ try_files $uri $uri/ /index.html =404;
+ }
+
+ location /api/ {
+ add_header Access-Control-Allow-Origin *;
+ proxy_pass ${BFF_URL}/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /auth/ {
+ add_header Access-Control-Allow-Origin *;
+ proxy_pass ${KEYCLOAK_INTERNAL_URL}/auth/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location = /onap_logging {
+ access_by_lua '
+ local openidc = require("resty.openidc");
+ -- uncomment for logging next line
+ -- openidc.set_logging(nil, { DEBUG = ngx.DEBUG });
+ local opts = {
+ discovery = "${KEYCLOAK_INTERNAL_URL}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration",
+
+ -- the signature algorithm that you expect has been used;
+ -- can be a single string or a table.
+ -- You should set this for security reasons in order to
+ -- avoid accepting a token claiming to be signed by HMAC
+ -- using a public RSA key.
+ -- token_signing_alg_values_expected = { "HS256" },
+
+ -- if you want to accept unsigned tokens (using the
+ -- "none" signature algorithm) then set this to true.
+ accept_none_alg = false,
+
+ -- if you want to reject tokens signed using an algorithm
+ -- not supported by lua-resty-jwt set this to false. If
+ -- you leave it unset, the token signature will not be
+ -- verified at all.
+ accept_unsupported_alg = false
+ }
+ -- call introspect for OAuth 2.0 Bearer Access Token validation
+ local res, err = require("resty.openidc").bearer_jwt_verify(opts)
+
+ if err then
+ ngx.status = 403
+ ngx.say(err)
+ ngx.exit(ngx.HTTP_FORBIDDEN)
+ end
+
+ ';
+ access_log /dev/stdout onap_logging;
+ proxy_pass http://portal-ui/onap_logging_proxy;
+ proxy_http_version 1.1;
+ }
+
+ location = /onap_logging_proxy {
+ access_log off;
+ return 200 'Message logged';
+ }
+}
+
+##
+# Gzip Settings
+##
+
+gzip on;
+
+gzip_vary on;
+gzip_proxied any;
+gzip_min_length 1100;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
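Review bot: `token_signing_alg_values_expected` stays commented out in the `opts` table of the `/onap_logging` access_by_lua block, so by the block's own warning a token claiming to be HMAC-signed against the realm's public RSA key is not ruled out; pin it to the algorithm the realm actually signs with (Keycloak normally uses RS256 — confirm in the realm's key settings), e.g. `token_signing_alg_values_expected = { "RS256" },`, and note that the commented example value `"HS256"` would be the wrong choice for that setup. `ngx.say(err)` sends the library's raw verification error back to the caller, which can reveal the internal discovery URL and key-lookup details; log it with `ngx.log(ngx.ERR, err)` and return a fixed body such as `ngx.say("forbidden")` instead. The `-- call introspect for OAuth 2.0 Bearer Access Token validation` comment no longer matches the code, which calls `bearer_jwt_verify`, and the `openidc` local declared at the top of the block is unused because that call re-requires the module; `local res, err = openidc.bearer_jwt_verify(opts)` fixes both. `add_header Access-Control-Allow-Origin *;` on `/api/` and `/auth/` opens the BFF and the Keycloak proxy to any origin, so the allowed origin should be narrowed to the portal's own host unless cross-origin use is intended.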