From f796e969903a0cacd6424f8a17310fd0b270753f Mon Sep 17 00:00:00 2001 From: Phong Tran Date: Thu, 12 Sep 2024 17:08:11 -0500 Subject: [PATCH] Testing --- CILogon/nginx.conf.template | 120 ++---------------------------------- 1 file changed, 4 insertions(+), 116 deletions(-) diff --git a/CILogon/nginx.conf.template b/CILogon/nginx.conf.template index adcfd4d..fce12a7 100644 --- a/CILogon/nginx.conf.template +++ b/CILogon/nginx.conf.template @@ -14,10 +14,10 @@ http { lua_shared_dict jwks 1m; lua_shared_dict sessions 10m; - init_by_lua_block { - require("resty.core") - ngx.log(ngx.ERR, "OpenResty initialization started") - } + #init_by_lua_block { + # require("resty.core") + # ngx.log(ngx.ERR, "OpenResty initialization started") + #} sendfile on; @@ -61,119 +61,7 @@ http { ngx.log(ngx.ERR, "Authentication successful, session created") } - - # proxy_set_header Host ${TARGET_FQDN}; - proxy_set_header Host $host; - proxy_set_header Authorization "Bearer ${PAT}"; # Your PAT - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-NginX-Proxy true; - proxy_set_header Connection Keep-Alive; - proxy_cache_bypass $http_pragma; - proxy_no_cache $http_pragma; proxy_pass https://${TARGET_FQDN}; - - proxy_set_header Accept-Encoding ""; - proxy_set_header Accept-Language $http_accept_language; - proxy_set_header Cookie $http_cookie; - proxy_set_header User-Agent $http_user_agent; - - proxy_set_header Origin "https://wiki.ncsa.illinois.edu"; - proxy_set_header Referer "https://wiki.ncsa.illinois.edu/plugins/personalaccesstokens/usertokens.action"; - - proxy_set_header X-Atlassian-Token no-check; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - # proxy_set_header Connection "Upgrade"; - - #proxy_hide_header Content-Security-Policy; - - #add_header Content-Security-Policy "default-src 'self' https://wiki.ncsa.illinois.edu 'unsafe-inline' 'unsafe-eval' data:; img-src 'self' https://wiki.ncsa.illinois.edu data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://wiki.ncsa.illinois.edu; style-src 'self' 'unsafe-inline' https://wiki.ncsa.illinois.edu; connect-src 'self' https://wiki.ncsa.illinois.edu https://wiki.ncsa.illinois.edu/synchrony; frame-src 'self' https://wiki.ncsa.illinois.edu;" always; - - add_header Access-Control-Allow-Origin * always; - add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always; - add_header Access-Control-Allow-Headers "Origin, Authorization, X-Requested-With, Content-Type, Accept" always; - - add_header X-Content-Type-Options nosniff always; - add_header X-Frame-Options SAMEORIGIN always; - add_header X-XSS-Protection "1; mode=block" always; - #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - } - - - location /redirect_uri { - access_by_lua_block { - local opts = { - redirect_uri = "http://${PROXY_FQDN}/redirect_uri", - discovery = "https://cilogon.org/.well-known/openid-configuration", - client_id = "cilogon:/client_id/9c02e8c0e767934c8e0bb60807dfa39", - client_secret = "${CLIENT_SECRET}", - ssl_verify = "no", - scope = "openid email profile org.cilogon.userinfo", - redirect_uri_scheme = "http", - session_contents = {id_token=true}, - renew_access_token_on_expiry = true, - accept_none_alg = false - } - - ngx.log(ngx.ERR, "Starting OpenID Connect authentication") - - local res, err = require("resty.openidc").authenticate(opts) - - if err then - ngx.log(ngx.ERR, "Authentication failed: " .. err) - ngx.status = 403 - ngx.say(err) - ngx.exit(ngx.HTTP_FORBIDDEN) - end - - ngx.log(ngx.ERR, "Authentication successful, session created") - } - - proxy_set_header Host ${TARGET_FQDN}; - proxy_set_header Authorization "Bearer ${PAT}"; # Your PAT - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-NginX-Proxy true; - proxy_set_header Connection Keep-Alive; - proxy_set_body $request_body; - proxy_pass https://${TARGET_FQDN}; - - proxy_set_header Accept-Encoding ""; - proxy_set_header Accept-Language $http_accept_language; - proxy_set_header Cookie $http_cookie; - proxy_set_header User-Agent $http_user_agent; - - proxy_set_header Origin "https://wiki.ncsa.illinois.edu"; - proxy_set_header Referer "https://wiki.ncsa.illinois.edu/plugins/personalaccesstokens/usertokens.action"; - - proxy_set_header X-Atlassian-Token no-check; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - # proxy_set_header Connection "Upgrade"; - - #proxy_hide_header Content-Security-Policy; - - #add_header Content-Security-Policy "default-src 'self' https://wiki.ncsa.illinois.edu 'unsafe-inline' 'unsafe-eval' data:; img-src 'self' https://wiki.ncsa.illinois.edu data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://wiki.ncsa.illinois.edu; style-src 'self' 'unsafe-inline' https://wiki.ncsa.illinois.edu; connect-src 'self' https://wiki.ncsa.illinois.edu https://wiki.ncsa.illinois.edu/synchrony; frame-src 'self' https://wiki.ncsa.illinois.edu;" always; - - add_header Access-Control-Allow-Origin * always; - add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always; - add_header Access-Control-Allow-Headers "Origin, Authorization, X-Requested-With, Content-Type, Accept" always; - - add_header X-Content-Type-Options nosniff always; - add_header X-Frame-Options SAMEORIGIN always; - add_header X-XSS-Protection "1; mode=block" always; - #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - } - - } } \ No newline at end of file