Untitled

worker_processes  1;
events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

   lua_package_path '/usr/share/lua/5.1/?.lua;;';
   lua_shared_dict discovery 1m;
   lua_shared_dict jwks 1m;
   lua_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;

   variables_hash_max_size 2048;
   server_names_hash_bucket_size 128;
   server_tokens off;
   resolver 192.168.100.4 valid=30s ipv6=off;
   resolver_timeout 11s;

    server {
        listen       80;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }


        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

upstream keycloak {
         server 192.168.100.54:8080;
         server 192.168.100.55:8080;
        }

        server {
               server_name nas-10-keycloak nas-10-keycloak.lan;
               listen 80;
               access_log /var/log/access_keycloack.lan;
                error_log /var/log/error_keycloack.lan;
       large_client_header_buffers 4 32k;


        location / {
              proxy_pass       http://keycloak;
         proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
            }
        }


upstream metropolis {
        server 192.168.100.14:81       max_fails=3 fail_timeout=30s;
   }

   server {
        listen       80;
        server_name  nas-10-metropolis nas-10-metropolis.lan;
        proxy_intercept_errors off;
        access_log  logs/nas-10-metropolis.log;
        error_log  logs/nas-10-metropolis.error.log;

        root   /usr/share/nginx/html;

        lua_code_cache off;
        set $session_secret 723p4hR234t3986asdh1286dQAS65325IC0022G;

        access_by_lua '
          local opts = {
            redirect_uri_path = "/redirect_uri",
            discovery = "http://nas-10-keycloak.lan/auth/realms/sso/.well-known/openid-configuration",
            client_id = "metropolis",
            client_secret = "c1sda3asd5-1a75-443b-86eb-69e07b74244a",
            ssl_verify = "no",
            redirect_uri_scheme = "http",
            logout_path = "/logout",
            redirect_after_logout_uri = "http://nas-10-keycloak.lan/auth/realms/sso/protocol/openid-connect/logout",
            redirect_after_logout_with_id_token_hint = false,
            accept_none_alg = false,
            accept_unsupported_alg = false,
            renew_access_token_on_expiry = true,
            session_contents = {access_token=true, id_token=true}
          }
          local res, err = require("resty.openidc").authenticate(opts)

          if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end
       ';

      expires           0;
      add_header        Cache-Control private;
      error_page 404 /404.html;
          location = /40x.html {
      }
      error_page 500 502 503 504 /50x.html;
          location = /50x.html {
      }
        location / {
           proxy_pass http://metropolis;
           proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
   }
}