# This is the backend application we are protecting with OpenID Connect
# The proxy talks TLS to localhost:443; no proxy_ssl_verify directive appears in this
# file, so the backend certificate is not checked - acceptable only while the backend
# stays on the loopback interface. 'zone' makes the upstream state shared across workers.
upstream pe {
zone pe 64k;
server localhost:443;
}
# Custom log format to include the 'sub' claim in the REMOTE_USER field
# $jwt_claim_sub is populated by auth_jwt from the validated token, so requests that
# are bounced to @oidc_auth presumably log an empty value in that position.
log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status '
'$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
# JavaScript code for OpenID Connect
# hashRequestId is defined in openid_connect.js (not shown here); $requestid_hash is
# presumably the value bound to $request_id for the login round-trip - confirm in the JS.
js_include conf.d/openid_connect.js;
js_set $requestid_hash hashRequestId;
auth_jwt_claim_set $jwt_audience aud; # In case aud is an array
# Session state lives in keyval zones persisted to the state= files below. Those files
# hold live session JWTs and refresh tokens (see the lookups further down), so they
# should be readable by the nginx user only. The zone timeouts are the server-side
# session and refresh lifetimes.
keyval_zone zone=opaque_sessions:1M state=conf.d/opaque_sessions.json timeout=1h; # CHANGE timeout to JWT/exp validity period
keyval_zone zone=refresh_tokens:1M state=conf.d/refresh_tokens.json timeout=8h; # CHANGE timeout to refresh validity period
# The browser holds only the opaque auth_token cookie; the JWT and refresh token are
# looked up server-side, keyed by the cookie value.
keyval $cookie_auth_token $session_jwt zone=opaque_sessions; # Exchange cookie for JWT
keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange cookie for refresh token
keyval $request_id $new_session zone=opaque_sessions; # For initial session creation
keyval $request_id $new_refresh zone=refresh_tokens; # For initial refresh-token storage, keyed the same way
# $no_refresh is 1 whenever there is no usable refresh token for the current cookie
map $refresh_token $no_refresh {
"" 1; # Before login
"-" 1; # After logout
default 0;
}
# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
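# The frontend server - reverse proxy with OpenID Connect authentication
#
# Review changes relative to the shared original:
#  - $oidc_client_secret and $oidc_hmac_key were stored in clear text in this file;
#    they are replaced by labelled placeholders and the original values must be treated
#    as compromised and rotated at the IdP / on every NGINX instance.
#  - The explicit DES-CBC3 (3DES) suites were removed from ssl_ciphers and 3DES is
#    excluded outright (64-bit block cipher, Sweet32).
#  - ssl_verify_client is off, so the $ssl_client_* variables forwarded below carry no
#    verified client identity; this is now documented at the point of use.
server {
    include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing

    # OpenID Connect Provider (IdP) configuration
    resolver 8.8.8.8; # For DNS lookup of IdP endpoints; this is plain DNS to a public resolver - point at an internal resolver if policy requires
    subrequest_output_buffer_size 32k; # To fit a complete tokenset response
    set $oidc_jwt_keyfile "https://example.okta.com/oauth2/v1/keys"; # URL when using 'auth_jwt_key_request'
    set $oidc_logout_redirect "/"; # Where to send browser after requesting /logout location
    set $oidc_authz_endpoint "https://example.okta.com/oauth2/v1/authorize";
    set $oidc_token_endpoint "https://example.okta.com/oauth2/v1/token";
    set $oidc_client "0oa22mspcr8Cz10Yw5d6"; # Public client identifier, not a secret

    # Secrets: never keep these in a version-controlled or shared file. Supply them from
    # a separately managed, root-readable include (or render them from a secret store at
    # deploy time) so this file can be shared safely.
    set $oidc_client_secret "<<CLIENT_SECRET_PLACEHOLDER - load from a restricted include>>";
    set $oidc_hmac_key "<<HMAC_KEY_PLACEHOLDER - random value, unique per NGINX instance/cluster>>";

    listen 0.0.0.0:8010 ssl ipv6only=off;
    ssl_certificate /opt/puppetlabs/server/data/console-services/certs/console-cert.cert.pem;
    ssl_certificate_key /opt/puppetlabs/server/data/console-services/certs/console-cert.private_key.pem;
    ssl_crl /etc/puppetlabs/puppet/ssl/crl.pem; # Only consulted when ssl_verify_client is enabled
    ssl_prefer_server_ciphers on;
    # AEAD (GCM) suites first, then CBC fallbacks; 3DES suites dropped and excluded.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_protocols TLSv1.2;
    ssl_dhparam /etc/puppetlabs/nginx/dhparam_puppetproxy.pem;
    ssl_verify_client off; # No client certificate is requested; $ssl_client_* variables therefore hold no verified identity
    ssl_verify_depth 1; # Inert while ssl_verify_client is off
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    location / {
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt; # $session_jwt is the keyval lookup of the opaque auth_token cookie
        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
        auth_jwt_key_request /_jwks_uri; # Enable when using URL
        # Absent/invalid OpenID Connect token will (re)start auth process (including refresh)
        error_page 401 = @oidc_auth;
        # Successfully authenticated users are proxied to the backend,
        # with 'sub' claim passed as HTTP header. proxy_set_header replaces any
        # client-supplied 'username' header, so the backend only sees the validated claim.
        proxy_set_header username $jwt_claim_sub;
        proxy_pass https://pe; # The backend site/app
        proxy_redirect https://pe /;
        proxy_read_timeout 120;
        # NOTE(review): no Host header is set, so the backend receives the upstream name
        # (nginx default $proxy_host) - confirm that is what the backend expects.
        # With ssl_verify_client off the three X-SSL/X-Client headers below carry no verified
        # client identity. They are kept so the backend's header contract is unchanged, but
        # the backend must not base authorization on them unless ssl_verify_client is switched
        # to 'on' or 'optional' together with ssl_client_certificate.
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log /var/log/nginx/access.log main_jwt;
    }
}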
# vim: syntax=nginx |