ghuntley/nginx.conf Secret

## nginx.conf
user  www-data;
worker_processes  3;

error_log  /var/log/nginx/error.log warn;
pid        /run/nginx.pid;


events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    proxy_http_version 1.1;

    proxy_cache_path /srv/cache/validate levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;

    server {
        server_name  redacted.com;

        # send all requests to the `/validate` endpoint for authorization
        auth_request /validate;

        location = /validate {
          internal;

          proxy_cache_valid 200 30s;
          proxy_cache auth_cache;
          proxy_cache_methods GET;
          proxy_cache_key $cookie_vouchcookie;

          proxy_buffer_size 128k;
          proxy_buffers 4 256k;
          proxy_busy_buffers_size 256k;

          proxy_set_header Host redacted.com;
          proxy_pass http://localhost:9090;

          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
	  proxy_read_timeout 86400;

          proxy_pass_request_body off;
          proxy_set_header Content-Length "";

          auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
          auth_request_set $auth_resp_x_vouch_idtoken $upstream_http_x_vouch_idtoken;

          auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
          auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
          auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
        }

        error_page 401 = @error401;

        location @error401 {
            # redirect to Vouch Proxy for login
            return 302 https://auth.redacted.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
        }

        location / {
            proxy_pass http://localhost:8443;
            proxy_ssl_verify off;
            auth_request_set $auth_resp_x_vouch_idtoken $upstream_http_x_vouch_idtoken;
            proxy_set_header Authorization "Bearer $auth_resp_x_vouch_idtoken";
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
	    proxy_read_timeout 86400;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/auth.redacted.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/auth.redacted.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

    server {
        server_name auth.redacted.com;
        location / {
          proxy_set_header Host auth.redacted.com;
          proxy_pass http://localhost:9090;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
	  proxy_read_timeout 86400;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/auth.redacted.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/auth.redacted.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


    server {
    if ($host = auth.redacted.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        server_name auth.redacted.com;
    return 404; # managed by Certbot


}

    server {
    if ($host = redacted.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen       80;
        server_name  redacted.com;
    return 404; # managed by Certbot


}}
	user www-data;
	worker_processes 3;

	error_log /var/log/nginx/error.log warn;
	pid /run/nginx.pid;


	events {
	worker_connections 1024;
	}

	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/nginx/access.log main;
	sendfile on;
	keepalive_timeout 65;
	proxy_http_version 1.1;

	proxy_cache_path /srv/cache/validate levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;

	server {
	server_name redacted.com;

	# send all requests to the `/validate` endpoint for authorization
	auth_request /validate;

	location = /validate {
	internal;

	proxy_cache_valid 200 30s;
	proxy_cache auth_cache;
	proxy_cache_methods GET;
	proxy_cache_key $cookie_vouchcookie;

	proxy_buffer_size 128k;
	proxy_buffers 4 256k;
	proxy_busy_buffers_size 256k;

	proxy_set_header Host redacted.com;
	proxy_pass http://localhost:9090;

	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_read_timeout 86400;

	proxy_pass_request_body off;
	proxy_set_header Content-Length "";

	auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
	auth_request_set $auth_resp_x_vouch_idtoken $upstream_http_x_vouch_idtoken;

	auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
	auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
	auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
	}

	error_page 401 = @error401;

	location @error401 {
	# redirect to Vouch Proxy for login
	return 302 https://auth.redacted.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
	}

	location / {
	proxy_pass http://localhost:8443;
	proxy_ssl_verify off;
	auth_request_set $auth_resp_x_vouch_idtoken $upstream_http_x_vouch_idtoken;
	proxy_set_header Authorization "Bearer $auth_resp_x_vouch_idtoken";
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_read_timeout 86400;
	}

	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/auth.redacted.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/auth.redacted.com/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

	}

	server {
	server_name auth.redacted.com;
	location / {
	proxy_set_header Host auth.redacted.com;
	proxy_pass http://localhost:9090;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_read_timeout 86400;
	}

	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/auth.redacted.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/auth.redacted.com/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

	}



	server {
	if ($host = auth.redacted.com) {
	return 301 https://$host$request_uri;
	} # managed by Certbot


	listen 80;
	server_name auth.redacted.com;
	return 404; # managed by Certbot


	}

	server {
	if ($host = redacted.com) {
	return 301 https://$host$request_uri;
	} # managed by Certbot


	listen 80;
	server_name redacted.com;
	return 404; # managed by Certbot


	}}