112 lines
3.2 KiB
Nginx Configuration File
112 lines
3.2 KiB
Nginx Configuration File
worker_processes 1;
|
|
|
|
env KEYCLOAK_CLIENT_SECRET;
|
|
env KEYCLOAK_LOGOUT_URL;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
resolver 192.168.21.2 ipv6=off;
|
|
|
|
lua_package_path "/usr/local/openresty/lualib/?.lua;;";
|
|
|
|
lua_shared_dict discovery 1m;
|
|
lua_shared_dict jwks 1m;
|
|
lua_shared_dict sessions 10m;
|
|
|
|
include mime.types;
|
|
default_type application/octet-stream;
|
|
sendfile on;
|
|
keepalive_timeout 65;
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
# Public route: /auth selection page, no login required
|
|
location /auth {
|
|
proxy_pass http://main-website:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# Used by OpenID redirect after login
|
|
location = /redirect_uri {
|
|
access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
|
|
}
|
|
|
|
# Full logout: clears local session and redirects to Keycloak logout
|
|
location = /logout {
|
|
limit_except GET POST { deny all; }
|
|
|
|
access_by_lua_block {
|
|
local session = require("resty.session").start()
|
|
local id_token = session.data and session.data.id_token
|
|
session:destroy()
|
|
|
|
local redirect_uri = "https://demo.rhein-software.dev"
|
|
local logout_url = "https://sso.rhein-software.dev/realms/rheinsw/protocol/openid-connect/logout"
|
|
.. "?post_logout_redirect_uri=" .. ngx.escape_uri(redirect_uri)
|
|
|
|
if id_token then
|
|
logout_url = logout_url .. "&id_token_hint=" .. ngx.escape_uri(id_token)
|
|
end
|
|
|
|
return ngx.redirect(logout_url)
|
|
}
|
|
}
|
|
|
|
# Protected main site
|
|
location / {
|
|
access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
|
|
|
|
proxy_pass http://main-website:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# Protected demo route (example)
|
|
location /lawfirm/demo1/ {
|
|
access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
|
|
|
|
rewrite ^/lawfirm/demo1(/.*)$ $1 break;
|
|
proxy_pass http://ld1:3000;
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /lawfirm/demo2/ {
|
|
access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
|
|
|
|
rewrite ^/lawfirm/demo2(/.*)$ $1 break;
|
|
proxy_pass http://ld2:3000;
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /lawfirm/demo3/ {
|
|
access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
|
|
|
|
rewrite ^/lawfirm/demo2(/.*)$ $1 break;
|
|
proxy_pass http://tld1:3000;
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# Add more locations as needed for other demos
|
|
}
|
|
} |