
...

  • Configure the upstream (backend) servers.
    upstream directive

    Code Block
    upstream backend_app_server {
        zone mfabackend_app_sandboxserver 64k;
    
        # Server Private IP Address
        server 10.1.2.3:443;
    
        # DNS
        #resolver 8.8.8.8;
        #server app-proxy.example.com:443;
    }

    Add the /oidc_logout location. Place this in the server section before the / location.

    groovy
    Code Block
    language
  • If applicable, configure SSL.
    http://nginx.org/en/docs/http/ngx_http_ssl_module.html

    Code Block
    server {
        ...
    
        location#####################
    = /oidc_logout {  # SSL     Configuration #
    https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html    #####################
        proxy_ssl_server_name on  app-proxy.example.com;
    # For SNI to thelisten IdP      443 ssl;
    
    #    $oidc_endsession_endpoint?ssl_certificate  // Defined in openid_connect_configuration.conf ssl/example.com.crt;
        ssl_certificate_key ssl/example.com.key;
        ssl_protocols     #   id_token_hint=$arg_token&  TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers      #   post_logout_redirect_uri=https://app-proxy.example.com:433/_logout // The URL value must be URL encoded.HIGH:!aNULL:!MD5;
    
        ...
    }
  • Add the /oidc_logout location. Place this in the server block before the / location.

    Code Block
    languagegroovy
    server {
        ...
    
        location = /oidc_logout {
            # https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html
            proxy_ssl_server_name on; # For SNI to the IdP
            # $oidc_endsession_endpoint?  // Defined in openid_connect_configuration.conf
            #   id_token_hint=$arg_token&
            #   post_logout_redirect_uri=https://app-proxy.example.com:433/_logout // The URL value must be URL encoded.
            proxy_pass $oidc_endsession_endpoint?id_token_hint=$arg_token&post_logout_redirect_uri=https%3a%2f%2fapp-proxy.example.com%3a433%2f_logout;
        }
    
        location / {
            ...
        }
    }
  • Configure the reverse proxy to the backend application server.

    Code Block
    languagegroovy
    server {
        ...
        
        location / {
            # This site is protected with OpenID Connect
            auth_jwt "" token=$session_jwt;
            error_page 401 = @do_oidc_flow;
    
            #auth_jwt_key_file $oidc_jwt_keyfile;  # Enable when using filename
            auth_jwt_key_request /_jwks_uri;       # Enable when using URL
    
            # Successfully authenticated users are proxied to the backend,
            # with 'sub' claim passed as HTTP header
            proxy_set_header username $jwt_claim_sub;
            proxy_pass https://backend_app_server; # The backend site/app
    
            proxy_set_header Host app-proxy.example.com;
            proxy_cookie_domain app-proxy.example.com $host;
        }
    }
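Review bot: The SSL step (the garbled `ssl_protocols` line inside the SSL-configuration hunk) still enables TLS 1.0 and 1.1, which are deprecated and will fail most compliance scans of an authentication proxy; change it to `ssl_protocols TLSv1.2 TLSv1.3;` and prefer an explicit modern cipher list over the broad `HIGH:!aNULL:!MD5`. In the new `/oidc_logout` location the `post_logout_redirect_uri` is built with port `433` (`...app-proxy.example.com%3a433%2f_logout`) while the server listens on `443`; if that is a typo rather than a deliberately separate listener, the redirect URI registered at the IdP and the actual port will not match and the post-logout redirect will fail. Because that location proxies `$arg_token` straight from the query string, the id_token also lands in this proxy's access log by default; consider `access_log off;` (or a log format without `$request_uri`) for that location so tokens are not retained in logs.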

This is a complete example of the updated frontend.conf file.

Code Block
# This is the backend application we are protecting with OpenID Connect
upstream backend_app_server {
    zone backend_app_server 64k;

    # Private Azure IP
    server 10.1.2.3:443;

    # DNS
    #resolver 8.8.8.8;
    #server app-proxy.example.com:443;
}

# Custom log format to include the 'sub' claim in the REMOTE_USER field
log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status '
                    '$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

# The frontend server - reverse proxy with OpenID Connect authentication
#
server {
    include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing
    error_log /var/log/nginx/error.log debug;  # Reduce severity level as required

    #####################
    # SSL Configuration #
    #####################
    server_name  app-proxy.example.com;
    listen       443 ssl;

    ssl_certificate     ssl/surepassid.com_2022-05-14.crt;
    ssl_certificate_key ssl/surepassid.com_2022-05-14.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location = /oidc_logout {
        # https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html
        proxy_ssl_server_name on; # For SNI to the IdP
        proxy_pass $oidc_endsession_endpoint?id_token_hint=$arg_token&post_logout_redirect_uri=https%3a%2f%2fapp-proxy.example.com%3a433%2f_logout;
    }

    location / {
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;

        #auth_jwt_key_file $oidc_jwt_keyfile;  # Enable when using filename
        auth_jwt_key_request /_jwks_uri;       # Enable when using URL

        # Successfully authenticated users are proxied to the backend,
        # with 'sub' claim passed as HTTP header
        proxy_set_header username $jwt_claim_sub;
        proxy_pass 

...

https://backend_app_server; # The backend site/app

   

...

     proxy_set_header 

...

Host app-proxy.example.com;
        proxy_cookie_domain app-proxy.example.

...

com $host;
    }
}

# vim: syntax=nginx
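Review bot: The `proxy_pass https://backend_app_server;` hop in `location /` does not verify the upstream certificate, because NGINX leaves `proxy_ssl_verify` off by default, so the TLS connection to 10.1.2.3:443 is encrypted but not authenticated; add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-backend-CA>;` and `proxy_ssl_server_name on;` (plus `proxy_ssl_name` if the backend certificate name differs from the upstream address, which the `Host app-proxy.example.com` override suggests may be the case — confirm against the backend's certificate). The `error_log ... debug` line in a "complete example" will write request headers, including the session cookie carrying `$session_jwt`, to the error log; the inline comment says to reduce it, but the shipped default should already be `warn` or `error`. The backend trusts the `username` header set from `$jwt_claim_sub`; `proxy_set_header` overwrites any client-supplied copy on this path, but the guarantee only holds if 10.1.2.3 is reachable solely through this proxy, so note that the backend must be network-restricted to the proxy. Finally, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` should be `ssl_protocols TLSv1.2 TLSv1.3;` here as well.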