nginx-gists/nlk_openid_frontend.conf

## nlk_openid_frontend.conf
# This is the backend application we are protecting with OpenID Connect
upstream cluster1-https {
   zone cluster1-https 256k;
   least_time last_byte;
   keepalive 16;
   #servers managed by NKL Controller
   state /var/lib/nginx/state/cluster1-https.state;
}

# Custom log format to include the 'sub' claim in the REMOTE_USER field
log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status '
                    '$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

# The frontend server - reverse proxy with OpenID Connect authentication
#
server {
    include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing
    error_log /var/log/nginx/error.log debug;  # Reduce severity level as required

    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name example.work.gd;
    ssl_certificate /etc/ssl/nginx/default.crt;  # self-signed for example only
    ssl_certificate_key /etc/ssl/nginx/default.key;

    location / {
        status_zone /;
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;

        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
        auth_jwt_key_request /_jwks_uri; # Enable when using URL

        # Successfully authenticated users are proxied to the backend,
        # with 'sub' claim passed as HTTP header
        proxy_set_header username $jwt_claim_sub;

        # Bearer token is uses to authorize NGINX to access protected backend
        #proxy_set_header Authorization "Bearer $access_token";

        # Intercept and redirect "401 Unauthorized" proxied responses to nginx
        # for processing with the error_page directive. Necessary if Access Token
        # can expire before ID Token.
        #proxy_intercept_errors on;

        proxy_http_version 1.1;
	    proxy_set_header "Connection" "";
	    proxy_set_header "Host" "cafe.example.com";
        proxy_pass https://cluster1-https; # The backend site/app

        access_log /var/log/nginx/access.log main_jwt;
    }
}
	# This is the backend application we are protecting with OpenID Connect
	upstream cluster1-https {
	zone cluster1-https 256k;
	least_time last_byte;
	keepalive 16;
	#servers managed by NKL Controller
	state /var/lib/nginx/state/cluster1-https.state;
	}

	# Custom log format to include the 'sub' claim in the REMOTE_USER field
	log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status '
	'$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

	# The frontend server - reverse proxy with OpenID Connect authentication
	#
	server {
	include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing
	error_log /var/log/nginx/error.log debug; # Reduce severity level as required

	listen [::]:443 ssl ipv6only=on;
	listen 443 ssl;
	server_name example.work.gd;
	ssl_certificate /etc/ssl/nginx/default.crt; # self-signed for example only
	ssl_certificate_key /etc/ssl/nginx/default.key;

	location / {
	status_zone /;
	# This site is protected with OpenID Connect
	auth_jwt "" token=$session_jwt;
	error_page 401 = @do_oidc_flow;

	#auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
	auth_jwt_key_request /_jwks_uri; # Enable when using URL

	# Successfully authenticated users are proxied to the backend,
	# with 'sub' claim passed as HTTP header
	proxy_set_header username $jwt_claim_sub;

	# Bearer token is uses to authorize NGINX to access protected backend
	#proxy_set_header Authorization "Bearer $access_token";

	# Intercept and redirect "401 Unauthorized" proxied responses to nginx
	# for processing with the error_page directive. Necessary if Access Token
	# can expire before ID Token.
	#proxy_intercept_errors on;

	proxy_http_version 1.1;
	proxy_set_header "Connection" "";
	proxy_set_header "Host" "cafe.example.com";
	proxy_pass https://cluster1-https; # The backend site/app

	access_log /var/log/nginx/access.log main_jwt;
	}
	}