Update nginx.conf to add /logout route with session termination and Keycloak logout, and remove unnecessary URL redirection logic.

2025-06-14 09:06:37 +02:00
parent 0c92eb5439
commit 07996fbbcc
1 changed files with 22 additions and 8 deletions
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,6 +1,7 @@
 worker_processes 1;

 env KEYCLOAK_CLIENT_SECRET;
+env KEYCLOAK_LOGOUT_URL;

 events {
  worker_connections 1024;
@@ -23,11 +24,6 @@ http {
  server {
    listen 80;

-    # Automatically redirect URLs missing trailing slash (but not files like .js, .css, etc.)
-    #if ($request_uri ~ ^([^.\?\#]*[^/])$) {
-    #  return 301 $request_uri/;
-    # }
-
    # Public route: /auth selection page, no login required
    location /auth {
      proxy_pass http://main-website:3000;
@@ -37,11 +33,29 @@ http {
      proxy_set_header X-Forwarded-Proto $scheme;
    }

+    # Used by OpenID redirect after login
    location = /redirect_uri {
      access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
    }

-    # Protected root route (main site)
+    # Full logout: clears local session and redirects to Keycloak logout
+    location = /logout {
+      access_by_lua_block {
+        local session = require("resty.session").start()
+        session:destroy()
+
+        local logout_url = os.getenv("KEYCLOAK_LOGOUT_URL")
+        if not logout_url then
+          ngx.status = 500
+          ngx.say("KEYCLOAK_LOGOUT_URL environment variable not set")
+          return
+        end
+
+        return ngx.redirect(logout_url)
+      }
+    }
+
+    # Protected main site
    location / {
      access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;

@@ -52,7 +66,7 @@ http {
      proxy_set_header X-Forwarded-Proto $scheme;
    }

-    # Protected demo route
+    # Protected demo route (example)
    location /lawfirm/demo1/ {
      access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;

@@ -67,4 +81,4 @@ http {

    # Add more locations as needed for other demos
  }
-}
+}