blob: 2b8edd06fd4591b34a2a1b3373bf90306134d091 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
# Log format for onap logging
log_format onap_logging '"$request_body"';
lua_package_path '/usr/local/openresty/lualib/?.lua;;';
# cache for discovery metadata documents
lua_shared_dict discovery 1m;
# cache for JWKs
lua_shared_dict jwks 1m;
# if run in local docker container add this resolver for the DNS to connect to Keycloak
resolver ${CLUSTER_NAMESERVER_IP};
error_log logs/error.log error;
server {
listen ${NGINX_PORT};
location / {
root /usr/share/nginx/html;
index index.html;
try_files $uri $uri/ /index.html =404;
}
location /api/ {
set $upstream ${BFF_URL};
rewrite /api/(.*) /$1 break;
add_header Access-Control-Allow-Origin *;
proxy_pass $upstream/$1$is_args$args;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
}
location /auth/ {
set $upstream ${KEYCLOAK_INTERNAL_URL};
rewrite /auth/(.*) /$1 break;
add_header Access-Control-Allow-Origin *;
proxy_pass $upstream/$1$is_args$args;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
location = /onap_logging {
access_by_lua '
local openidc = require("resty.openidc");
-- uncomment for logging next line
-- openidc.set_logging(nil, { DEBUG = ngx.DEBUG });
local opts = {
discovery = "${KEYCLOAK_INTERNAL_URL}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration",
-- the signature algorithm that you expect has been used;
-- can be a single string or a table.
-- You should set this for security reasons in order to
-- avoid accepting a token claiming to be signed by HMAC
-- using a public RSA key.
-- token_signing_alg_values_expected = { "HS256" },
-- if you want to accept unsigned tokens (using the
-- "none" signature algorithm) then set this to true.
accept_none_alg = false,
-- if you want to reject tokens signed using an algorithm
-- not supported by lua-resty-jwt set this to false. If
-- you leave it unset, the token signature will not be
-- verified at all.
accept_unsupported_alg = false
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").bearer_jwt_verify(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
';
access_log /dev/stdout onap_logging;
proxy_pass http://portal-ui/onap_logging_proxy;
proxy_http_version 1.1;
}
location = /onap_logging_proxy {
access_log off;
return 200 'Message logged';
}
}
##
# Gzip Settings
##
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_min_length 1100;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
