...
Configure the upstream (backend) servers with the upstream directive. The commented-out lines show the alternative of naming the backend by DNS instead of by its private IP address:

```nginx
upstream backend_app_server {
    zone backend_app_server 64k;
    # Server Private IP Address
    server 10.1.2.3:443;
    # DNS
    #resolver 8.8.8.8;
    #server app-proxy.example.com:443;
}
```
If applicable, configure SSL (see http://nginx.org/en/docs/http/ngx_http_ssl_module.html):

```nginx
server {
    ...
    #####################
    # SSL Configuration #
    #####################
    listen 443 ssl;
    ssl_certificate     ssl/example.com.crt;
    ssl_certificate_key ssl/example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}
```

Note that TLS 1.0 and 1.1 are deprecated (RFC 8996); unless a legacy client requires them, restrict ssl_protocols to TLSv1.2 and, on an OpenSSL 1.1.1 or later build, TLSv1.3.
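As an added example, not taken from the original page or from the reference OIDC configuration, the following server block shows the SSL section above rewritten with the weak settings replaced: modern protocol versions, forward-secret cipher suites, session tickets disabled, OCSP stapling, HSTS, and certificate verification for the TLS connections NGINX itself opens to the backend and the IdP. The chain file path and the CA bundle path are assumptions; the certificate and key paths follow the page's own naming.

```nginx
# Added example (not the page's or the project's own code): a hardened
# replacement for the SSL section of the frontend server block.
server {
    listen 443 ssl;
    server_name app-proxy.example.com;

    #####################
    # SSL Configuration #
    #####################
    ssl_certificate     ssl/example.com.crt;
    ssl_certificate_key ssl/example.com.key;

    # TLS 1.0/1.1 are deprecated (RFC 8996); TLS 1.3 needs OpenSSL 1.1.1 or later
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only for TLS 1.2 (TLS 1.3 suites are fixed by OpenSSL)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # Session resumption via the server-side cache; no long-lived ticket keys
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling; needs the issuer chain (assumed path) and a resolver
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ssl/example.com.chain.crt;
    resolver 8.8.8.8 valid=300s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # Verify the certificates of the backend and the IdP that proxy_pass connects to
    # (applies to every location in this server; CA bundle path is an assumption)
    proxy_ssl_server_name on;
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # The /oidc_logout and / locations from the steps on this page go here.
}
```

With proxy_ssl_verify on, NGINX checks the upstream certificate against proxy_ssl_name, which defaults to $proxy_host. For proxy_pass https://backend_app_server that default is the upstream group name, so in the / location set proxy_ssl_name to the name actually present on the backend's certificate (for example app-proxy.example.com); otherwise every proxied request fails verification.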
Add the /oidc_logout location. Place it in the server block before the / location:

```nginx
server {
    ...
    location = /oidc_logout {
        # https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html
        proxy_ssl_server_name on;   # For SNI to the IdP

        # The request sent to the IdP is:
        #   $oidc_endsession_endpoint?                                            // Defined in openid_connect_configuration.conf
        #     id_token_hint=$arg_token&
        #     post_logout_redirect_uri=https://app-proxy.example.com:433/_logout  // The URL value must be URL encoded.
        proxy_pass $oidc_endsession_endpoint?id_token_hint=$arg_token&post_logout_redirect_uri=https%3a%2f%2fapp-proxy.example.com%3a433%2f_logout;
    }

    location / {
        ...
    }
}
```

Two things to check here. First, because proxy_pass uses a variable, NGINX resolves the IdP hostname at request time rather than at startup, so a resolver directive must be in scope in the http or server context. Second, the post_logout_redirect_uri must match, character for character, a post-logout redirect URI registered for this client at the IdP; the example uses port 433, so that exact value (scheme, host, port and path) is what has to be registered, and it should be checked against the port the server actually listens on.
Configure the reverse proxy to the backend application server:

```nginx
server {
    ...
    location / {
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;

        #auth_jwt_key_file $oidc_jwt_keyfile;   # Enable when using filename
        auth_jwt_key_request /_jwks_uri;        # Enable when using URL

        # Successfully authenticated users are proxied to the backend,
        # with 'sub' claim passed as HTTP header
        proxy_set_header username $jwt_claim_sub;
        proxy_pass https://backend_app_server;  # The backend site/app
        proxy_set_header Host app-proxy.example.com;
        proxy_cookie_domain app-proxy.example.com $host;
    }
}
```

Requests without a valid JWT get a 401, which error_page turns into the @do_oidc_flow named location that starts the OpenID Connect login. proxy_set_header replaces any username header a client may have sent, so the backend sees only the value NGINX derived from the validated token; that guarantee holds only while the backend is reachable exclusively through this proxy, so firewall it off from direct access.
This is a complete example of the updated frontend.conf file.
...