# Log format for onap logging log_format onap_logging '"$request_body"'; lua_package_path '/usr/local/openresty/lualib/?.lua;;'; # cache for discovery metadata documents lua_shared_dict discovery 1m; # cache for JWKs lua_shared_dict jwks 1m; # if run in local docker container add this resolver for the DNS to connect to Keycloak resolver ${CLUSTER_NAMESERVER_IP}; error_log logs/error.log error; server { # simple reverse-proxy listen ${NGINX_PORT}; location / { root /usr/share/nginx/html; index index.html; try_files $uri $uri/ /index.html =404; } location /api/ { add_header Access-Control-Allow-Origin *; proxy_pass ${BFF_URL}/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; } location /auth/ { add_header Access-Control-Allow-Origin *; proxy_pass ${KEYCLOAK_INTERNAL_URL}/auth/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; } location = /onap_logging { access_by_lua ' local openidc = require("resty.openidc"); -- uncomment for logging next line -- openidc.set_logging(nil, { DEBUG = ngx.DEBUG }); local opts = { discovery = "${KEYCLOAK_INTERNAL_URL}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration", -- the signature algorithm that you expect has been used; -- can be a single string or a table. -- You should set this for security reasons in order to -- avoid accepting a token claiming to be signed by HMAC -- using a public RSA key. -- token_signing_alg_values_expected = { "HS256" }, -- if you want to accept unsigned tokens (using the -- "none" signature algorithm) then set this to true. accept_none_alg = false, -- if you want to reject tokens signed using an algorithm -- not supported by lua-resty-jwt set this to false. If -- you leave it unset, the token signature will not be -- verified at all. accept_unsupported_alg = false } -- call introspect for OAuth 2.0 Bearer Access Token validation local res, err = require("resty.openidc").bearer_jwt_verify(opts) if err then ngx.status = 403 ngx.say(err) ngx.exit(ngx.HTTP_FORBIDDEN) end '; access_log /dev/stdout onap_logging; proxy_pass http://portal-ui/onap_logging_proxy; proxy_http_version 1.1; } location = /onap_logging_proxy { access_log off; return 200 'Message logged'; } } ## # Gzip Settings ## gzip on; gzip_vary on; gzip_proxied any; gzip_min_length 1100; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;