-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserver.conf
103 lines (83 loc) · 2.83 KB
/
server.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# This nginx snippet should be included into the server context.
js_set $oidc_client_authorization oidc.client_authorization;
location = /-/oidc/login {
js_content oidc.login;
}
location = /-/oidc/logout {
js_content oidc.logout;
}
location = /-/oidc/callback {
js_content oidc.callback;
}
location = /-/internal/auth-access {
internal;
js_content oidc.auth_access;
}
location = /-/internal/auth-pages {
internal;
js_content oidc.auth_pages;
}
location = /-/internal/auth-proxy {
internal;
js_content oidc.auth_proxy;
}
location = /-/internal/error {
internal;
js_content oidc.error;
}
location = /-/internal/validate-jwt {
internal;
auth_jwt "" token=$arg_token;
auth_jwt_phase preaccess;
auth_jwt_key_file $oidc_jwks_file;
auth_jwt_validate_sig on;
# Expiration is validated in njs (so we can get better error reporting).
auth_jwt_validate_exp off;
# Note: The return directive is executed before auth_jwt, that's why try_files.
try_files "" =204;
}
location = /-/internal/request-token {
internal;
proxy_set_header Authorization $oidc_client_authorization;
proxy_set_header Accept application/json;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass $oidc_token_endpoint;
proxy_pass_request_headers off;
proxy_cache $oidc_cache_zone_tokens;
proxy_cache_methods POST;
proxy_cache_valid 200 30s;
proxy_cache_key $args;
# Don't allow simultaneous requests for same token.
proxy_cache_lock on;
# If the last request passed to the server has not completed for the specified time,
# one more request may be passed.
proxy_cache_lock_age 2s;
# Ignore caching headers (OIDC Provider sends no-cache) and Set-Cookie.
# If the OIDC server returns Set-Cookie, the response will not be cached,
# so we must ignore it.
proxy_ignore_headers Cache-Control Expires Set-Cookie;
}
location = /-/internal/introspect-token {
internal;
proxy_set_header Authorization $oidc_client_authorization;
proxy_set_header Accept application/json;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass_request_headers off;
proxy_pass $oidc_introspection_endpoint;
proxy_cache $oidc_cache_zone_tokens;
proxy_cache_methods POST;
proxy_cache_valid 200 10m;
proxy_cache_key $arg_token;
# Don't allow simultaneous requests for same token.
proxy_cache_lock on;
# If the last request passed to the server has not completed for the specified time,
# one more request may be passed.
proxy_cache_lock_age 2s;
# Use stale responses if we cannot reach the server.
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
# If the OIDC server returns Set-Cookie, the response will not be cached,
# so we must ignore it.
proxy_ignore_headers Set-Cookie;
# Don't include Set-Cookie in the cached payload.
proxy_hide_header Set-Cookie;
}