worker_processes auto; error_log /var/logs/nginx/error.log debug; pid /var/run/nginx.pid; events { worker_connections 1024; use epoll; multi_accept on; } http { include '/etc/nginx/mime.types'; default_type application/octet-stream; keepalive_timeout 65; keepalive_requests 100000; tcp_nopush on; tcp_nodelay on; proxy_buffers 16 16k; proxy_buffer_size 32k; proxy_busy_buffers_size 64k; proxy_max_temp_file_size 128k; gzip on; gzip_disable "msie6"; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml; server { listen 80; server_name YOUR_DOMAIN; client_max_body_size 0; location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://$host$request_uri; } } server { listen 443 ssl; server_name YOUR_DOMAIN; ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem; root /var/www/html; gzip on; gzip_types text/css application/javascript application/json image/svg+xml; gzip_comp_level 9; etag on; location /sw.js { add_header Cache-Control "no-cache"; proxy_cache_bypass $http_pragma; proxy_cache_revalidate on; expires off; access_log off; } location /oauth2 { expires -1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Auth-Request-Redirect $request_uri; proxy_pass http://localhost:4180$uri$is_args$args; } location /oauth2/callback { proxy_pass http://localhost:4180; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /oauth2/sign_out { expires -1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Auth-Request-Redirect /oauth2/sign_in; proxy_pass http://localhost:4180; } location /pacs/ { auth_request /oauth2/auth; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; expires 0; add_header Cache-Control private; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'Authorization, Origin, X-Requested-With, Content-Type, Accept' always; if ($request_method = OPTIONS) { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'Authorization, Origin, X-Requested-With, Content-Type, Accept'; add_header 'Access-Control-Max-Age' 1728000; add_header 'Content-Type' 'text/plain; charset=utf-8'; add_header 'Content-Length' 0; return 204; } rewrite ^/pacs/(.*) /dcm4chee-arc/aets/DCM4CHEE/rs/$1 break; proxy_pass http://arc:8080; } location /pacs-admin { return 301 /pacs-admin/; } # Redirect /pacs-admin to /dcm4chee-arc/ui2/ location = /pacs-admin { return 301 $scheme://$host/dcm4chee-arc/ui2/; } # Handle /pacs-admin/ requests location /pacs-admin/ { return 301 $scheme://$host/dcm4chee-arc/ui2/; } # Proxy pass for /dcm4chee-arc/ui2/ location /dcm4chee-arc/ui2/ { error_page 401 = /oauth2/sign_in?rd=$scheme://$host$request_uri; auth_request /oauth2/auth?allowed_groups=pacsadmin; auth_request_set $user $upstream_http_x_auth_request_user; auth_request_set $token $upstream_http_x_auth_request_access_token; auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_set_header X-User $user; proxy_set_header X-Access-Token $token; add_header Set-Cookie $auth_cookie; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; expires 0; add_header Cache-Control private; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'Authorization, Origin, X-Requested-With, Content-Type, Accept' always; if ($request_method = OPTIONS) { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'Authorization, Origin, X-Requested-With, Content-Type, Accept'; add_header 'Access-Control-Max-Age' 1728000; add_header 'Content-Type' 'text/plain; charset=utf-8'; add_header 'Content-Length' 0; return 204; } proxy_pass http://arc:8080; } # Proxy pass for other /dcm4chee-arc/ requests location /dcm4chee-arc/ { proxy_pass http://arc:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /pacs { return 301 /pacs/; } location /ohif-viewer/ { expires -1; error_page 401 = /oauth2/sign_in?rd=$scheme://$host$request_uri; auth_request /oauth2/auth; auth_request_set $user $upstream_http_x_auth_request_user; auth_request_set $token $upstream_http_x_auth_request_access_token; auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_set_header X-User $user; proxy_set_header X-Access-Token $token; add_header Set-Cookie $auth_cookie; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Proto $scheme; index index.html; try_files $uri $uri/ /index.html; } location /ohif-viewer { return 301 /ohif-viewer/; } location = / { return 301 /ohif-viewer/; } location / { add_header Cache-Control "no-store, no-cache, must-revalidate"; add_header 'Cross-Origin-Opener-Policy' 'same-origin' always; add_header 'Cross-Origin-Embedder-Policy' 'require-corp' always; } location /keycloak/ { proxy_pass http://keycloak:8080/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /keycloak { return 301 /keycloak/; } } }