fix(kanidm): Revert switch to simpleProxies
Since we proxy to an HTTPS endpoint, which simpleProxies does not support.
This commit is contained in:
parent
9ea51137fc
commit
06653220bb
1 changed files with 41 additions and 31 deletions
|
@ -8,9 +8,8 @@
|
|||
let
|
||||
inherit (lib) escapeRegex concatStringsSep;
|
||||
|
||||
host = "sso.dgnum.eu";
|
||||
domain = "sso.dgnum.eu";
|
||||
port = 8443;
|
||||
domain = host;
|
||||
|
||||
cert = config.security.acme.certs.${domain};
|
||||
|
||||
|
@ -41,7 +40,7 @@ in
|
|||
|
||||
origin = "https://${domain}";
|
||||
|
||||
bindaddress = "127.0.0.1:8443";
|
||||
bindaddress = "127.0.0.1:${builtins.toString port}";
|
||||
ldapbindaddress = "0.0.0.0:636";
|
||||
|
||||
trust_x_forward_for = true;
|
||||
|
@ -53,40 +52,51 @@ in
|
|||
|
||||
users.users.kanidm.extraGroups = [ cert.group ];
|
||||
|
||||
dgn-web.simpleProxies.kanidm = {
|
||||
inherit host port;
|
||||
vhostConfig.locations."/".extraConfig = ''
|
||||
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
|
||||
return 444;
|
||||
}
|
||||
dgn-web.internalPorts.kanidm = port;
|
||||
|
||||
set $origin $http_origin;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
|
||||
set $origin 'https://${domain}';
|
||||
}
|
||||
virtualHosts.${domain} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "https://127.0.0.1:${builtins.toString port}";
|
||||
|
||||
proxy_hide_header Access-Control-Allow-Origin;
|
||||
extraConfig = ''
|
||||
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
|
||||
return 444;
|
||||
}
|
||||
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' "$origin" always;
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
|
||||
add_header 'Access-Control-Allow-Credentials' 'true' always;
|
||||
set $origin $http_origin;
|
||||
|
||||
add_header Access-Control-Max-Age 1728000;
|
||||
add_header Content-Type 'text/plain charset=UTF-8';
|
||||
add_header Content-Length 0;
|
||||
return 204;
|
||||
}
|
||||
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
|
||||
set $origin 'https://${domain}';
|
||||
}
|
||||
|
||||
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
|
||||
add_header Access-Control-Allow-Origin "$origin" always;
|
||||
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
|
||||
add_header Access-Control-Allow-Credentials true always;
|
||||
}
|
||||
'';
|
||||
proxy_hide_header Access-Control-Allow-Origin;
|
||||
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' "$origin" always;
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
|
||||
add_header 'Access-Control-Allow-Credentials' 'true' always;
|
||||
|
||||
add_header Access-Control-Max-Age 1728000;
|
||||
add_header Content-Type 'text/plain charset=UTF-8';
|
||||
add_header Content-Length 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
|
||||
add_header Access-Control-Allow-Origin "$origin" always;
|
||||
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
|
||||
add_header Access-Control-Allow-Credentials true always;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 636 ];
|
||||
|
|
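Review bot: The rebuilt `services.nginx` virtualHost proxies to a Kanidm that is configured with `trust_x_forward_for = true` (context line above the hunk), but nothing visible in the new `locations."/"` block sets or overwrites `X-Forwarded-For`, so unless `recommendedProxySettings` is enabled elsewhere in the configuration, a client-supplied `X-Forwarded-For` header is passed through unchanged and Kanidm will record a spoofed source address in its audit log and per-client state. The `dgn-web.simpleProxies` wrapper being reverted presumably injected the usual proxy headers, which is why this revert can silently drop them. I would add `proxy_set_header X-Forwarded-For $remote_addr;` (overwrite rather than append, since nginx is the only trusted hop) next to `proxy_hide_header Access-Control-Allow-Origin;` in `extraConfig`, or set `recommendedProxySettings = true;` in the `services.nginx` block if Kanidm's parser is confirmed to take the trailing address of a list. Separately, the origin allowlist regex `'^https?://(...)$'` accepts plaintext origins for responses that carry `Access-Control-Allow-Credentials true`; for an SSO endpoint this should probably be `https://` only unless an http origin is intentionally supported.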