forked from dbca-wa/oim-cms
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf.example
66 lines (58 loc) · 2.87 KB
/
nginx.conf.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# In a shared file like /etc/nginx/custom/sso_location
# This location just has to return a 401 forbidden if cookie is invalid
location = /auth {
uwsgi_param QUERY_STRING "";
uwsgi_param REQUEST_METHOD "GET";
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME 'cookies-for-creds.example';
uwsgi_param HTTP_X_UPSTREAM_SERVER_NAME $server_name;
uwsgi_pass backend.domain:port;
}
# In another shared file to easily include headers to copy like /etc/nginx/custom/sso_auth
# Include this in each nginx location block you want to authenticate to the above sso endpoint
auth_request /auth;
# Note for below have to use uwsgi_param as well as proxy_set_header
# because proxy_set_header doesn't set header for uwsgi backends
auth_request_set $username $upstream_http_x_username;
proxy_set_header remote-user $username;
uwsgi_param REMOTE_USER $username;
uwsgi_param HTTP_REMOTE_USER $username;
auth_request_set $setcookie $upstream_http_set_cookie;
proxy_set_header set-cookie $setcookie;
uwsgi_param HTTP_SET_COOKIE $setcookie;
auth_request_set $email $upstream_http_x_email;
proxy_set_header x-email $email;
uwsgi_param HTTP_X_EMAIL $email;
auth_request_set $firstname $upstream_http_x_first_name;
proxy_set_header x-first-name $firstname;
uwsgi_param HTTP_X_FIRST_NAME $firstname;
auth_request_set $lastname $upstream_http_x_last_name;
proxy_set_header x-last-name $lastname;
uwsgi_param HTTP_X_LAST_NAME $lastname;
auth_request_set $sharedid $upstream_http_x_shared_id;
proxy_set_header x-shared-id $sharedid;
uwsgi_param HTTP_X_SHARED_ID $sharedid;
auth_request_set $logouturl $upstream_http_x_logout_url;
proxy_set_header x-logout-url $logouturl;
uwsgi_param HTTP_X_LOGOUT_URL $logouturl;
auth_request_set $sessionkey $upstream_http_x_session_key;
proxy_set_header x-session-key $sessionkey;
uwsgi_param HTTP_X_SESSION_KEY $sessionkey;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Below line is optional, if you would like to redirect to an external service to set
# cookie instead of getting api endpoint to do it
error_page 401 https://give.me.a.cookie/then/go/here/$host$request_uri;
# All the set headers above give the backend server some useful info
# Note: the api endpoint and the location using sso have to share the same
# cookie, ideally a subdomain one such as .mycooldomain.com would let
# *.mycooldomain.com applications all use the same endpoint.