Update nginx.conf to add /logout route with session termination and Keycloak logout, and remove unnecessary URL redirection logic.

2025-06-14 09:06:37 +02:00
parent 0c92eb5439
commit 07996fbbcc
1 changed files with 22 additions and 8 deletions
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,6 +1,7 @@
 worker_processes 1;
 env KEYCLOAK_CLIENT_SECRET;
 env KEYCLOAK_LOGOUT_URL;
 events {
  worker_connections 1024;
@@ -23,11 +24,6 @@ http {
  server {
    listen 80;
    # Automatically redirect URLs missing trailing slash (but not files like .js, .css, etc.)
    #if ($request_uri ~ ^([^.\?\#]*[^/])$) {
    #  return 301 $request_uri/;
    # }
    # Public route: /auth selection page, no login required
    location /auth {
      proxy_pass http://main-website:3000;
@@ -37,11 +33,29 @@ http {
      proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Used by OpenID redirect after login
    location = /redirect_uri {
      access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
    }
-    # Protected root route (main site)
+    # Full logout: clears local session and redirects to Keycloak logout
    location = /logout {
      access_by_lua_block {
        local session = require("resty.session").start()
        session:destroy()
        local logout_url = os.getenv("KEYCLOAK_LOGOUT_URL")
        if not logout_url then
          ngx.status = 500
          ngx.say("KEYCLOAK_LOGOUT_URL environment variable not set")
          return
        end
        return ngx.redirect(logout_url)
      }
    }
    # Protected main site
    location / {
      access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
@@ -52,7 +66,7 @@ http {
      proxy_set_header X-Forwarded-Proto $scheme;
    }
-    # Protected demo route
+    # Protected demo route (example)
    location /lawfirm/demo1/ {
      access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
@@ -67,4 +81,4 @@ http {
    # Add more locations as needed for other demos
  }
-}
+}