Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- worker_processes 1;
- events {
- worker_connections 1024;
- }
- http {
- include mime.types;
- default_type application/octet-stream;
- sendfile on;
- keepalive_timeout 65;
- lua_package_path '/usr/share/lua/5.1/?.lua;;';
- lua_shared_dict discovery 1m;
- lua_shared_dict jwks 1m;
- lua_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
- variables_hash_max_size 2048;
- server_names_hash_bucket_size 128;
- server_tokens off;
- resolver 192.168.100.4 valid=30s ipv6=off;
- resolver_timeout 11s;
- server {
- listen 80;
- server_name localhost;
- location / {
- root html;
- index index.html index.htm;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root html;
- }
- }
- upstream keycloak {
- server 192.168.100.54:8080;
- server 192.168.100.55:8080;
- }
- server {
- server_name nas-10-keycloak nas-10-keycloak.lan;
- listen 80;
- access_log /var/log/access_keycloack.lan;
- error_log /var/log/error_keycloack.lan;
- large_client_header_buffers 4 32k;
- location / {
- proxy_pass http://keycloak;
- proxy_http_version 1.1;
- proxy_buffering off;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- }
- }
- upstream metropolis {
- server 192.168.100.14:81 max_fails=3 fail_timeout=30s;
- }
- server {
- listen 80;
- server_name nas-10-metropolis nas-10-metropolis.lan;
- proxy_intercept_errors off;
- access_log logs/nas-10-metropolis.log;
- error_log logs/nas-10-metropolis.error.log;
- root /usr/share/nginx/html;
- lua_code_cache off;
- set $session_secret 723p4hR234t3986asdh1286dQAS65325IC0022G;
- access_by_lua '
- local opts = {
- redirect_uri_path = "/redirect_uri",
- discovery = "http://nas-10-keycloak.lan/auth/realms/sso/.well-known/openid-configuration",
- client_id = "metropolis",
- client_secret = "c1sda3asd5-1a75-443b-86eb-69e07b74244a",
- ssl_verify = "no",
- redirect_uri_scheme = "http",
- logout_path = "/logout",
- redirect_after_logout_uri = "http://nas-10-keycloak.lan/auth/realms/sso/protocol/openid-connect/logout",
- redirect_after_logout_with_id_token_hint = false,
- accept_none_alg = false,
- accept_unsupported_alg = false,
- renew_access_token_on_expiry = true,
- session_contents = {access_token=true, id_token=true}
- }
- local res, err = require("resty.openidc").authenticate(opts)
- if err then
- ngx.status = 403
- ngx.say(err)
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- ';
- expires 0;
- add_header Cache-Control private;
- error_page 404 /404.html;
- location = /40x.html {
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- }
- location / {
- proxy_pass http://metropolis;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement