From bd446a90f0c3e6d0852e504c93b685e3250d7de9 Mon Sep 17 00:00:00 2001
From: Phong Tran
Date: Mon, 28 Oct 2024 13:17:47 -0500
Subject: [PATCH] Update Dockerfile and nginx template
---
 Dockerfile | 6 ++-
 nginx.conf.template | 99 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 nginx.conf.template
diff --git a/Dockerfile b/Dockerfile
index 6ab80f9..6e42f32 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,8 +10,12 @@ WORKDIR /
 # Installs lua_resty_openidc
 RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-openidc
+RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-http
+RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-session
 # Copy custom nginx.conf
-COPY ./CILogon/nginx.conf.template /usr/local/openresty/nginx/conf/
+COPY ./nginx.conf.template /usr/local/openresty/nginx/conf/
+#COPY /etc/letsencrypt/live/ /etc/letsencrypt/live/
 CMD ["/bin/sh", "-c", "envsubst '${CLIENT_ID} ${CLIENT_SECRET} ${PAT} ${PROXY_FQDN} ${TARGET_FQDN} ${DNS_RESOLVER}' < /usr/local/openresty/nginx/conf/nginx.conf.template > /usr/local/openresty/nginx/conf/nginx.conf && openresty -g 'daemon off;'"]
+
diff --git a/nginx.conf.template b/nginx.conf.template
new file mode 100644
index 0000000..18eb5a6
--- /dev/null
+++ b/nginx.conf.template
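Review bot: The two new `luarocks install` lines pin no version, so every image build fetches whatever lua-resty-http and lua-resty-session happens to be current on LuaRocks and the build is not reproducible; pin them, e.g. `RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-http <VERSION>`. lua-resty-openidc appears to already pull both in as rockspec dependencies, so these lines may be redundant — worth confirming against the installed rock before keeping them. The commented-out `#COPY /etc/letsencrypt/live/ /etc/letsencrypt/live/` would bake certificate private keys into an image layer if it is ever enabled; the nginx template reads them from that path at runtime, so a volume or secret mount fits better, and a comment saying so (`# mount certs at runtime; do not COPY private keys into the image`) would keep the line from being uncommented later.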
@@ -0,0 +1,99 @@
+# Specify the number of processes
+worker_processes 1;
+
+error_log /usr/local/openresty/nginx/conf/error.log debug;
+
+events {
+ # The total number of connections nginx can have including client and upstream connections
+ worker_connections 1024;
+}
+
+http {
+ # Specify DNS servers for resolving domain names during runtime
+ # Tells nginx to only try to resolve IPv4 addresses
+ resolver ${DNS_RESOLVER} ipv6=off;
+
+ # Include the lua packages
+ lua_package_path '~/lua/?.lua;;';
+
+
+ # The lua_shared_dict create a shared memory zone/dictionary where data are
+ # accessible by different worker processes. "discovery" and "jwks" are the
+ # names of these shared zones.
+ # Since there is a problem with having multiple worker processes for
+ #lua_resty_openidc, comment out both of the lua_shared_dict directives.
+
+ #lua_shared_dict discovery 1m;
+ #lua_shared_dict jwks 1m;
+
+ # Controls whether lua_code is cached between requests.
+ # If on, lua code is kept in memory between requests
+ #lua_code_cache on;
+
+ # Enables system call sendfile(). Transfer static files from disk to network
+ # without going through user space
+ sendfile on;
+
+ # Specifies in seconds how long the connection should be kept open
+ # since the last request. 
Reduces overhead of establishing new connections
+ # for each request
+ keepalive_timeout 65;
+
+ access_log /usr/local/openresty/nginx/conf/access.log;
+
+ server {
+ listen 443 ssl;
+ server_name ${PROXY_FQDN};
+
+ ssl_certificate /etc/letsencrypt/live/${PROXY_FQDN}-006/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${PROXY_FQDN}-006/privkey.pem;
+
+ location / {
+
+ lua_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
+
+ access_by_lua_block {
+ local opts = {
+ redirect_uri = "https://${PROXY_FQDN}/redirect_uri",
+ discovery = "https://cilogon.org/.well-known/openid-configuration",
+ client_id = "cilogon:/client_id/9c02e8c0e767934c8e0bb60807dfa39",
+ client_secret = "${CLIENT_SECRET}",
+ ssl_verify = "true",
+ scope = "openid email profile org.cilogon.userinfo",
+ redirect_uri_scheme = "https",
+ session_contents = {id_token=true, access_token=true},
+ refresh_session_interval = 900,
+ renew_access_token_on_expiry = true,
+ }
+ ngx.log(ngx.ERR, "Starting OpenID Connect authentication")
+
+ local res, err = require("resty.openidc").authenticate(opts)
+
+ if err then
+ ngx.log(ngx.ERR, "Authentication failed: " .. err)
+ ngx.status = 403
+ ngx.say(err)
+ ngx.exit(ngx.HTTP_FORBIDDEN)
+ end
+ }
+
+ # The Content-Type to match with
+ sub_filter_types text/html application/json text/plain;
+
+ # Replaces every occurence of wiki.ncsa.illinois.edu with wiki-p-dev.ncsa.illinois.edu
+ sub_filter 'https://wiki.ncsa.illinois.edu/' 'https://wiki-p-dev.ncsa.illinois.edu/';
+
+ # Turn off matching only once
+ sub_filter_once off;
+
+ proxy_set_header Host ${TARGET_FQDN};
+ proxy_set_header Origin https://${TARGET_FQDN};
+ proxy_set_header Referer https://${TARGET_FQDN};
+ proxy_set_header X-Real-IP $remote_addr;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Authorization "Bearer ${PAT}"; # Your PAT
+ proxy_pass_header Set-Cookie;
+ proxy_pass https://${TARGET_FQDN};
+ }
+ }
+}
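Review bot: `client_id` is hard-coded to `cilogon:/client_id/9c02e8c0e767934c8e0bb60807dfa39` in the `opts` table even though the Dockerfile's `envsubst` list already includes `${CLIENT_ID}`; use `client_id = "${CLIENT_ID}",` so the template is not tied to one client registration. In the `if err then` branch, `ngx.say(err)` echoes the library's raw error text (discovery and token-endpoint failures included) to the client — the `ngx.log` line above already records it, so reply with a fixed string such as `ngx.say("authentication failed")`; the `ngx.log(ngx.ERR, "Starting OpenID Connect authentication")` call also fires at ERR level on every request and belongs at `ngx.INFO`. Note that the upstream `Authorization` header is a single static `Bearer ${PAT}`, so every user who passes the OIDC check is seen by `${TARGET_FQDN}` as the PAT's owner, and `error_log ... debug` combined with `session_contents = {id_token=true, access_token=true}` may write token material into the error log. `ssl_verify = "true"` is not one of the values lua-resty-openidc documents (`"yes"`/`"no"`); it likely works only because anything other than `"no"` leaves verification on, so spell it `ssl_verify = "yes",` — confirm against the installed version.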