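# OpenResty reverse proxy that puts Keycloak (OpenID Connect) login in front
# of the upstream web apps. The login logic lives in auth.lua, which is not
# part of this file.
#
# NOTE: every "#" comment must sit on its own line (or end one). If the file
# is collapsed onto a single line, the first "#" comments out every directive
# after it.

worker_processes 1;

# nginx strips inherited environment variables from worker processes unless
# they are listed here; os.getenv() in the Lua code depends on these.
env KEYCLOAK_CLIENT_SECRET;
env KEYCLOAK_LOGOUT_URL;

events {
    worker_connections 1024;
}

http {
    resolver 192.168.21.2 ipv6=off;

    lua_package_path "/usr/local/openresty/lualib/?.lua;;";

    # Shared-memory zones; presumably consumed by auth.lua and the OIDC and
    # session libraries it loads (not visible here, confirm).
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;
    lua_shared_dict sessions 10m;

    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        # NOTE(review): plain HTTP only. Unless TLS is terminated in front of
        # this proxy, the session cookie and the OIDC callback parameters
        # cross the network in clear text, and X-Forwarded-Proto below is
        # always "http". Confirm the deployment topology.
        listen 80;

        # Public route: /auth selection page, no login required
        # NOTE(review): this is a prefix match. It also covers /auth/... and
        # any path that merely starts with "/auth" (for example /authxyz), and
        # all of them reach main-website without a login. If only the
        # selection page is meant to be public, use "location = /auth" plus an
        # explicit "location /auth/" for its assets.
        location /auth {
            proxy_pass http://main-website:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends $remote_addr to whatever
            # X-Forwarded-For the client sent. The upstream must trust only
            # the last entry (or X-Real-IP), never the left-most one.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Used by OpenID redirect after login
        # No content handler here: auth.lua is expected to finish the request
        # itself (confirm against auth.lua).
        location = /redirect_uri {
            access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
        }

        # Full logout: clears local session and redirects to Keycloak logout
        location = /logout {
            # allow both GET and POST (allowing GET also allows HEAD)
            # NOTE(review): a GET logout can be triggered by any cross-site
            # link or image tag. If forced logouts matter, restrict this
            # route to POST with an anti-CSRF check.
            limit_except GET POST {
                deny all;
            }

            access_by_lua_block {
                -- Drop the local session first, so it is gone even when the
                -- redirect to Keycloak cannot be issued.
                local session = require("resty.session").start()
                session:destroy()

                -- The target comes from the worker environment, never from
                -- the request, so the redirect is not attacker-controlled.
                local logout_url = os.getenv("KEYCLOAK_LOGOUT_URL")
                if not logout_url or logout_url == "" then
                    -- Keep the configuration detail in the error log and
                    -- answer with a generic 500. ngx.exit ends the request
                    -- explicitly instead of relying on the response having
                    -- been started. The Keycloak SSO session is left
                    -- untouched in this branch.
                    ngx.log(ngx.ERR, "KEYCLOAK_LOGOUT_URL environment variable not set")
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end

                return ngx.redirect(logout_url)
            }
        }

        # Protected main site
        location / {
            access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;

            proxy_pass http://main-website:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Protected demo route (example)
        location /lawfirm/demo1/ {
            access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;

            # Strip the /lawfirm/demo1 prefix before proxying. "break" only
            # stops further rewrite processing; the access-phase check above
            # still runs.
            rewrite ^/lawfirm/demo1(/.*)$ $1 break;

            proxy_pass http://ld1:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Add more locations as needed for other demos
        # Every new protected location needs its own access_by_lua_file line;
        # a location without it is served unauthenticated.
    }
}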