worker_processes 2; error_log /var/logs/nginx/mydomain.error.log; pid /var/run/nginx.pid; include /usr/share/nginx/modules/*.conf; # See /usr/share/doc/nginx/README.dynamic. events { worker_connections 1024; ## Default: 1024 use epoll; # http://nginx.org/en/docs/events.html multi_accept on; # http://nginx.org/en/docs/ngx_core_module.html#multi_accept } # Core Modules Docs: # http://nginx.org/en/docs/http/ngx_http_core_module.html http { include '/usr/local/openresty/nginx/conf/mime.types'; default_type application/octet-stream; keepalive_timeout 65; keepalive_requests 100000; tcp_nopush on; tcp_nodelay on; # lua_ settings # lua_package_path '/usr/local/openresty/lualib/?.lua;;/usr/local/share/lua/5.4/?.lua;;'; lua_shared_dict discovery 1m; # cache for discovery metadata documents lua_shared_dict jwks 1m; # cache for JWKs # lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; variables_hash_max_size 2048; server_names_hash_bucket_size 128; server_tokens off; resolver 8.8.8.8 valid=30s ipv6=off; resolver_timeout 11s; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; # No idea what this is doing # https://stackoverflow.com/a/5877989/1867984 # upstream upstream_server { # # server 10.100.4.200:1010 max_fails=3 fail_timeout=30s; # server 127.0.0.1: # } # Nginx `listener` block server { listen [::]:80 default_server; listen 80; # listen 443 ssl; access_log /var/logs/nginx/mydomain.access.log; # Domain to protect server_name 127.0.0.1 localhost; # mydomain.com; proxy_intercept_errors off; # ssl_certificate /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem; # ssl_certificate_key /etc/letsencrypt/live/mydomain.co.uk/privkey.pem; gzip on; gzip_types text/css application/javascript application/json image/svg+xml; gzip_comp_level 9; etag on; # https://github.com/bungle/lua-resty-session/issues/15 set $session_check_ssi off; lua_code_cache off; set $session_secret Eeko7aeb6iu5Wohch9Loo1aitha0ahd1; set $session_storage cookie; server_tokens off; # Hides server version num # [PROTECTED] Reverse Proxy for `orthanc` admin # location /pacs-admin/ { access_by_lua_block { local opts = { redirect_uri = "http://127.0.0.1/pacs-admin/admin", discovery = "http://127.0.0.1/auth/realms/ohif/.well-known/openid-configuration", token_endpoint_auth_method = "client_secret_basic", client_id = "pacs", client_secret = "66279641-eba6-47f5-9fdb-70c4ac74d548", client_jwt_assertion_expires_in = 60 * 60, ssl_verify = "no", scope = "openid email profile", refresh_session_interval = 900, redirect_uri_scheme = "http", redirect_after_logout_uri = "/", session_contents = {id_token=true} } -- call authenticate for OpenID Connect user authentication local res, err = require("resty.openidc").authenticate(opts) if err or not res then ngx.print(err) ngx.status = 200 ngx.say(err and err or "no access_token provided") ngx.exit(ngx.HTTP_FORBIDDEN) end -- Or set cookie? -- ngx.req.set_header("Authorization", "Bearer " .. res.access_token) ngx.req.set_header("X-USER", res.id_token.sub) } proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; expires 0; add_header Cache-Control private; proxy_pass http://orthanc:8042/; } # [PROTECTED] Reverse Proxy for `orthanc` APIs (including DICOMWeb) # location /pacs/ { access_by_lua_block { local opts = { discovery = "http://127.0.0.1/auth/realms/ohif/.well-known/openid-configuration", } -- call bearer_jwt_verify for OAuth 2.0 JWT validation local res, err = require("resty.openidc").bearer_jwt_verify(opts) if err or not res then ngx.status = 403 ngx.say(err and err or "no access_token provided") ngx.exit(ngx.HTTP_FORBIDDEN) end } proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # proxy_set_header Upgrade $http_upgrade; # proxy_set_header Connection "upgrade"; expires 0; add_header Cache-Control private; proxy_pass http://orthanc:8042/; # By default, this endpoint is protected by CORS (cross-origin-resource-sharing) # You can add headers to allow other domains to request this resource. # See the "Updating CORS Settings" example below } # Keycloak # location /auth/ { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_pass http://keycloak:8080/auth/; } # Do not cache sw.js, required for offline-first updates. location /sw.js { add_header Cache-Control "no-cache"; proxy_cache_bypass $http_pragma; proxy_cache_revalidate on; expires off; access_log off; } # Single Page App # Try files, fallback to index.html # location / { alias /var/www/html/; index index.html; try_files $uri $uri/ /index.html; add_header Cache-Control "no-store, no-cache, must-revalidate"; add_header 'Cross-Origin-Opener-Policy' 'same-origin' always; add_header 'Cross-Origin-Embedder-Policy' 'require-corp' always; } # EXAMPLE: Reverse Proxy, no auth # [UNPROTECTED] reverse proxy for `orthanc` # # location /pacs/ { # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $remote_addr; # proxy_set_header Host $host; # # proxy_pass http://orthanc:8042/; # # # OR # # rewrite ^/pacs(.*) /$1 break; # # proxy_pass http://orthanc:8042; # } # EXAMPLE: Modifying headers to allow requests from other domains # IE. Updating CORS settings # # location / { # if ($request_method = 'OPTIONS') { # add_header 'Access-Control-Allow-Origin' '*'; # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; # # # # Custom headers and headers various browsers *should* be OK with but aren't # # # add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; # # # # Tell client that this pre-flight info is valid for 20 days # # # add_header 'Access-Control-Allow-Headers' 'Authorization'; # add_header 'Access-Control-Allow-Credentials' true; # add_header 'Access-Control-Max-Age' 1728000; # add_header 'Content-Length' 0; # return 204; # } # if ($request_method = 'POST') { # add_header 'Access-Control-Allow-Origin' '*'; # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; # add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; # add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; # } # if ($request_method = 'GET') { # add_header 'Access-Control-Allow-Origin' '*'; # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; # add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; # add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; # add_header 'Access-Control-Allow-Headers' 'Authorization'; # add_header 'Access-Control-Allow-Credentials' true; # } # # # proxy_http_version 1.1; # # # proxy_set_header Host $host; # # proxy_set_header X-Real-IP $remote_addr; # # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # # proxy_set_header X-Forwarded-Proto $scheme; # # proxy_pass http://orthanc:8042; # } # EXAMPLE: Redirect server error pages to the static page /40x.html # # error_page 404 /404.html; # location = /40x.html { # } # EXAMPLE: Redirect server error pages to the static page /50x.html # # error_page 500 502 503 504 /50x.html; # location = /50x.html { # } } }