# NGINX reverse proxy placing OpenID Connect (authorization code flow) in front of a
# backend. auth_jwt, auth_jwt_claim_set and keyval are NGINX Plus directives; the
# relying-party logic itself lives in conf.d/openid_connect.js and
# conf.d/openid_connect.server_conf, which are included below but not shown here.
#
# This is the backend application we are protecting with OpenID Connect
upstream pe {
zone pe 64k;
server localhost:443;
}
# Custom log format to include the 'sub' claim in the REMOTE_USER field
log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status '
'$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
# JavaScript code for OpenID Connect
# (js_include is deprecated in newer njs releases in favor of js_import)
js_include conf.d/openid_connect.js;
js_set $requestid_hash hashRequestId;
auth_jwt_claim_set $jwt_audience aud; # In case aud is an array
# Session state is persisted to JSON files under conf.d. Those files hold live session
# JWTs and refresh tokens, so they need the same file-permission protection as the
# secrets below (readable by the nginx user only) and should not be committed anywhere.
keyval_zone zone=opaque_sessions:1M state=conf.d/opaque_sessions.json timeout=1h; # CHANGE timeout to JWT/exp validity period
keyval_zone zone=refresh_tokens:1M state=conf.d/refresh_tokens.json timeout=8h; # CHANGE timeout to refresh validity period
keyval $cookie_auth_token $session_jwt zone=opaque_sessions; # Exchange cookie for JWT
keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange cookie for refresh token
keyval $request_id $new_session zone=opaque_sessions; # For initial session creation
keyval $request_id $new_refresh zone=refresh_tokens; # Same, for initial refresh-token creation
# $no_refresh is 1 when there is no usable refresh token for this cookie
map $refresh_token $no_refresh {
"" 1; # Before login
"-" 1; # After logout
default 0;
}
# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
# The frontend server - reverse proxy with OpenID Connect authentication
#
server {
include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing
# OpenID Connect Provider (IdP) configuration
# NOTE(review): IdP hostnames are resolved via a public resolver over plain DNS;
# a local/trusted resolver is preferable for the token and JWKS endpoint lookups.
resolver 8.8.8.8; # For DNS lookup of IdP endpoints;
subrequest_output_buffer_size 32k; # To fit a complete tokenset response
set $oidc_jwt_keyfile "https://example.okta.com/oauth2/v1/keys"; # URL when using 'auth_jwt_key_request'
set $oidc_logout_redirect "/"; # Where to send browser after requesting /logout location
set $oidc_authz_endpoint "https://example.okta.com/oauth2/v1/authorize";
set $oidc_token_endpoint "https://example.okta.com/oauth2/v1/token";
set $oidc_client "0oa22mspcr8Cz10Yw5d6";
# The client secret and HMAC key below are literal values in a published config, so
# they must be treated as exposed and rotated at the IdP / on every NGINX instance.
# Keep such values in a separately included file with restricted permissions rather
# than in the main config.
set $oidc_client_secret "sr00vFDoU4JTEeMQ7p0TG8CsVu5vy50vsCmX0gz1";
set $oidc_hmac_key "ghw8YmN*xmBHa!yPHscDoDpxLEgbRByAKKkZn!UrnHkoPsizHM"; # This should be unique for every NGINX instance/cluster
# NOTE(review): ipv6only applies to the [::] wildcard; on 0.0.0.0 it appears to have
# no effect, so this listens on IPv4 only - confirm that is the intent.
listen 0.0.0.0:8010 ssl ipv6only=off;
# Server certificate reused from the Puppet Enterprise console-services keypair
ssl_certificate /opt/puppetlabs/server/data/console-services/certs/console-cert.cert.pem;
ssl_certificate_key /opt/puppetlabs/server/data/console-services/certs/console-cert.private_key.pem;
# ssl_crl is only consulted when verifying client certificates, which is disabled
# below (ssl_verify_client off), so this directive currently has no effect.
ssl_crl /etc/puppetlabs/puppet/ssl/crl.pem;
ssl_prefer_server_ciphers on;
# NOTE(review): this list still offers the 3DES suites (ECDHE-*-DES-CBC3-SHA);
# '!DES' excludes single DES only, not 3DES. Add '!3DES' (or drop those suites)
# unless legacy clients genuinely require them.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
# TLS 1.2 only; TLSv1.3 can be added here when the linked OpenSSL supports it
ssl_protocols TLSv1.2;
ssl_dhparam /etc/puppetlabs/nginx/dhparam_puppetproxy.pem;
# Client certificates are not requested, so $ssl_client_s_dn is empty and
# $ssl_client_verify is NONE for every request (see the X-SSL-* headers below).
ssl_verify_client off;
ssl_verify_depth 1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
location / {
# This site is protected with OpenID Connect
# The JWT is looked up from the opaque_sessions keyval by the auth_token cookie;
# the realm string is intentionally empty.
auth_jwt "" token=$session_jwt;
#auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
auth_jwt_key_request /_jwks_uri; # Enable when using URL (location presumably defined in openid_connect.server_conf)
# Absent/invalid OpenID Connect token will (re)start auth process (including refresh)
error_page 401 = @oidc_auth;
# Successfully authenticated users are proxied to the backend,
# with 'sub' claim passed as HTTP header
# proxy_set_header replaces any client-supplied 'username' header, but the backend
# may only trust it if it is reachable exclusively through this proxy.
proxy_set_header username $jwt_claim_sub;
# No proxy_ssl_verify is set, so the upstream certificate is not verified (nginx
# default); acceptable here only because the upstream is localhost.
proxy_pass https://pe; # The backend site/app
proxy_redirect https://pe /;
proxy_read_timeout 120;
# With ssl_verify_client off these three headers carry no client identity;
# the backend must not treat them as authentication.
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log /var/log/nginx/access.log main_jwt;
}
}
# vim: syntax=nginx