summaryrefslogtreecommitdiffstats
path: root/server/nginx.template
blob: 2b8edd06fd4591b34a2a1b3373bf90306134d091 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# Log format for onap logging
log_format onap_logging '"$request_body"';

lua_package_path '/usr/local/openresty/lualib/?.lua;;';
# cache for discovery metadata documents
lua_shared_dict discovery 1m;
# cache for JWKs
lua_shared_dict jwks 1m;

# if run in local docker container add this resolver for the DNS to connect to Keycloak
resolver ${CLUSTER_NAMESERVER_IP};

error_log logs/error.log error;

server {
    listen       ${NGINX_PORT};

    location / {
        root /usr/share/nginx/html;
        index index.html;
        try_files $uri $uri/ /index.html =404;
    }

    location /api/ {
        set                 $upstream           ${BFF_URL};
        rewrite             /api/(.*) /$1 break;
        add_header          Access-Control-Allow-Origin *;
        proxy_pass                              $upstream/$1$is_args$args;
        proxy_set_header    Host                $host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Host    $host;
        proxy_set_header    X-Forwarded-Server  $host;
        proxy_set_header    X-Forwarded-Port    $server_port;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_http_version 1.1;
    }

    location /auth/ {
            set                 $upstream           ${KEYCLOAK_INTERNAL_URL};
            rewrite             /auth/(.*) /$1 break;
            add_header          Access-Control-Allow-Origin *;
            proxy_pass                              $upstream/$1$is_args$args;
            proxy_http_version                     1.1;
            proxy_set_header    Host               $host;
            proxy_set_header    X-Real-IP          $remote_addr;
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Host   $host;
            proxy_set_header    X-Forwarded-Server $host;
            proxy_set_header    X-Forwarded-Port   $server_port;
            proxy_set_header    X-Forwarded-Proto  $scheme;
    }

    location = /onap_logging {
        access_by_lua '
                  local openidc = require("resty.openidc");
                  -- uncomment for logging next line
                  -- openidc.set_logging(nil, { DEBUG = ngx.DEBUG });
                  local opts = {
                   discovery = "${KEYCLOAK_INTERNAL_URL}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration",

                   -- the signature algorithm that you expect has been used;
                   -- can be a single string or a table.
                   -- You should set this for security reasons in order to
                   -- avoid accepting a token claiming to be signed by HMAC
                   -- using a public RSA key.
                   -- token_signing_alg_values_expected = { "HS256" },

                   -- if you want to accept unsigned tokens (using the
                   -- "none" signature algorithm) then set this to true.
                   accept_none_alg = false,

                   -- if you want to reject tokens signed using an algorithm
                   -- not supported by lua-resty-jwt set this to false. If
                   -- you leave it unset, the token signature will not be
                   -- verified at all.
                   accept_unsupported_alg = false
                 }
                 -- call introspect for OAuth 2.0 Bearer Access Token validation
                 local res, err = require("resty.openidc").bearer_jwt_verify(opts)

                 if err then
                   ngx.status = 403
                   ngx.say(err)
                   ngx.exit(ngx.HTTP_FORBIDDEN)
                 end

               ';
            access_log /dev/stdout onap_logging;
            proxy_pass http://portal-ui/onap_logging_proxy;
            proxy_http_version 1.1;
    }

    location = /onap_logging_proxy {
          access_log off;
          return 200 'Message logged';
    }
}

##
# Gzip Settings
##
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_min_length 1100;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;