rtyler
/
ngx_borderpatrol
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
ngx_borderpatrol/src/config/nginx.conf.sample

151 lines
4.4 KiB
Plaintext
Raw Blame History

pid /tmp/nginx.pid;
daemon off;
http {
lua_package_path "../../build/usr/share/borderpatrol/?.lua;../../build/usr/share/lua/5.1/?.lua;;";
lua_package_cpath "../../build/usr/lib/lua/5.1/?.so;;";
limit_req_zone $binary_remote_addr zone=auth_zone:100m rate=100r/m;
error_log logs/error.log debug;
access_log logs/access.log;
# used to store and retrieve keys from memcached
upstream session_store {
server localhost:11211;
keepalive 32;
}
# this is an app server protected by border patrol. If it returns a 401
# when an attempt is made to access a protected resource, borderpatrol redirects
# to the account service login
upstream b {
server localhost:9082;
}
# this is an app server protected by border patrol. If it returns a 401
# when an attempt is made to access a protected resource, borderpatrol redirects
# to the account service login
upstream c {
server localhost:9083;
}
# this is the account service. displays the login screen and also calls the auth service
# to get a master token and a service token
upstream account {
server localhost:9084;
}
# Nginx Lua has no SSL support for cosockets. This is unfortunate.
# This proxies all requests to use the native NGINX request, though
# it's a little hacky and sort of dirty.
upstream token_server {
server localhost:9081;
}
# Service mappings, map service urls to service names
init_by_lua 'service_mappings = {b="smb", c="flexd"}';
server {
listen 4443 default_server ssl;
root html;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
ssl_session_cache shared:SSL:16m;
ssl_session_timeout 10m;
ssl_certificate ../ssl/server.crt;
ssl_certificate_key ../ssl/server.key;
# GET /session?id=foo -> memcache get
# POST /session?id=foo -> memcache add, value is request body
# PUT /session?id=foo -> memcache set, value is request body
location = /session {
internal;
set $memc_key $arg_id;
set $memc_exptime $arg_exptime;
memc_pass session_store;
}
# DELETE /session_delete?id=foo -> memcache delete
location = /session_delete {
internal;
set $memc_key $arg_id;
memc_pass session_store;
}
location = /auth {
internal;
content_by_lua_file '../../build/usr/share/borderpatrol/validate.lua';
}
location = /serviceauth {
internal;
content_by_lua_file '../../build/usr/share/borderpatrol/service_token.lua';
}
location = /authtoken {
internal;
rewrite ^/(.*) /api/auth/public/v1/account_token.json break;
proxy_pass http://token_server;
proxy_set_header Host $host;
}
location = /mastertoken {
internal;
rewrite ^/(.*) /api/auth/service/v1/account_token.json break;
proxy_pass http://token_server;
proxy_set_header Host $host;
}
location = / {
limit_req zone=auth_zone burst=25;
content_by_lua_file '../../build/usr/share/borderpatrol/authorize.lua';
}
location = /logout {
content_by_lua_file '../../build/usr/share/borderpatrol/logout.lua';
}
location ~ /(b|c)* {
set $original_uri $uri;
rewrite ^/(.*) / break;
set $auth_token $http_auth_token;
access_by_lua_file '../../build/usr/share/borderpatrol/access.lua';
proxy_set_header auth-token $auth_token;
proxy_pass http://$1;
proxy_intercept_errors on;
error_page 401 = @redirect;
}
location @redirect {
content_by_lua_file '../../build/usr/share/borderpatrol/redirect.lua';
}
location = /health {
content_by_lua_file '../../build/usr/share/borderpatrol/health_check.lua';
}
location /robots.txt {
alias ../../build/usr/share/borderpatrol/robots.txt;
}
location / {
set $auth_token $http_auth_token;
access_by_lua_file '../../build/usr/share/borderpatrol/access.lua';
proxy_set_header auth-token $auth_token;
# http://hostname/upstream_name/uri -> http://upstream_name/uri
rewrite ^/([^/]+)/?(.*)$ /$2 break;
proxy_pass http://$1;
proxy_redirect off;
proxy_set_header Host $host;
}
}
}
events {
worker_connections 40;
}
# vim: ft=conf
Reference in New Issue View Git Blame Copy Permalink