Add extra headers

ncsa · Sep 12, 2024 · 7bf852d · 7bf852d
1 parent f062f8c
commit 7bf852d
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 7 deletions.
diff --git a/CILogon/nginx.conf.template b/CILogon/nginx.conf.template
@@ -7,7 +7,7 @@ events {
 }
 
 http {
-    resolver ${DNS_RESOLVER};
+    resolver 8.8.8.8;
 
     lua_package_path '~/lua/?.lua;;';
     lua_shared_dict discovery 1m;
@@ -28,6 +28,7 @@ http {
     server {
         listen 80;
         server_name ${PROXY_FQDN};
+        # server_name localhost;
 
         #ssl_certificate /etc/letsencrypt/live/${PROXY_FQDN}/fullchain.pem;
         #ssl_certificate_key /etc/letsencrypt/live/${PROXY_FQDN}/privkey.pem;
@@ -37,8 +38,8 @@ http {
                 local opts = {
                     redirect_uri = "http://${PROXY_FQDN}/redirect_uri",
                     discovery = "https://cilogon.org/.well-known/openid-configuration",
-                    client_id = "${CLIENT_ID}",
-                    client_secret = "${CLIENT_SECRET}",
+                    client_id = "cilogon:/client_id/9c02e8c0e767934c8e0bb60807dfa39",
+                    client_secret = "HqTb451EId3AX9vnqVWap2WqWdqqBqlE0mTKGQ0CyJ7oVIB71UBkdfrXAMklm9vRwoGaAwx-UFJvr6DUbV7-eQ",
                     ssl_verify = "no",
                     scope = "openid email profile org.cilogon.userinfo",
                     redirect_uri_scheme = "http",
@@ -63,16 +64,51 @@ http {
 
             proxy_set_header Host ${TARGET_FQDN};
             proxy_set_header Authorization "Bearer ${PAT}";  # Your PAT
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Original-URI $request_uri;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_set_header Connection Keep-Alive;
             proxy_pass https://${TARGET_FQDN};
+
+            proxy_set_header Accept-Encoding "";
+            proxy_set_header Accept-Language $http_accept_language;
+            proxy_set_header Cookie $http_cookie;
+            proxy_set_header User-Agent $http_user_agent;
+
+            proxy_set_header Origin "https://wiki.ncsa.illinois.edu";
+            proxy_set_header Referer "https://wiki.ncsa.illinois.edu/plugins/personalaccesstokens/usertokens.action";
+
+            proxy_set_header X-Atlassian-Token no-check;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            # proxy_set_header Connection "Upgrade";
+
+            proxy_hide_header Content-Security-Policy;
+
+            add_header Content-Security-Policy "default-src 'self' https://wiki.ncsa.illinois.edu 'unsafe-inline' 'unsafe-eval' data:; img-src 'self' https://wiki.ncsa.illinois.edu data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://wiki.ncsa.illinois.edu; style-src 'self' 'unsafe-inline' https://wiki.ncsa.illinois.edu; connect-src 'self' https://wiki.ncsa.illinois.edu https://wiki.ncsa.illinois.edu/synchrony; frame-src 'self' https://wiki.ncsa.illinois.edu;" always;
+
+            add_header Access-Control-Allow-Origin * always;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+            add_header Access-Control-Allow-Headers "Origin, Authorization, X-Requested-With, Content-Type, Accept" always;
+
+            add_header X-Content-Type-Options nosniff always;
+            add_header X-Frame-Options SAMEORIGIN always;
+            add_header X-XSS-Protection "1; mode=block" always;
+            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
         }
 
+
         location /redirect_uri {
             access_by_lua_block {
                 local opts = {
                     redirect_uri = "http://${PROXY_FQDN}/redirect_uri",
                     discovery = "https://cilogon.org/.well-known/openid-configuration",
-                    client_id = "${CLIENT_ID}",
-                    client_secret = "${CLIENT_SECRET}",
+                    client_id = "cilogon:/client_id/9c02e8c0e767934c8e0bb60807dfa39",
+                    client_secret = "HqTb451EId3AX9vnqVWap2WqWdqqBqlE0mTKGQ0CyJ7oVIB71UBkdfrXAMklm9vRwoGaAwx-UFJvr6DUbV7-eQ",
                     ssl_verify = "no",
                     scope = "openid email profile org.cilogon.userinfo",
                     redirect_uri_scheme = "http",
@@ -91,9 +127,49 @@ http {
                     ngx.say(err)
                     ngx.exit(ngx.HTTP_FORBIDDEN)
                 end
-                ngx.redirect("/", 302)
+
+                ngx.log(ngx.ERR, "Authentication successful, session created")
             }
+
+            proxy_set_header Host ${TARGET_FQDN};
+            proxy_set_header Authorization "Bearer ${PAT}";  # Your PAT
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Original-URI $request_uri;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_set_header Connection Keep-Alive;
+            proxy_pass https://${TARGET_FQDN};
+
+            proxy_set_header Accept-Encoding "";
+            proxy_set_header Accept-Language $http_accept_language;
+            proxy_set_header Cookie $http_cookie;
+            proxy_set_header User-Agent $http_user_agent;
+
+            proxy_set_header Origin "https://wiki.ncsa.illinois.edu";
+            proxy_set_header Referer "https://wiki.ncsa.illinois.edu/plugins/personalaccesstokens/usertokens.action";
+
+            proxy_set_header X-Atlassian-Token no-check;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            # proxy_set_header Connection "Upgrade";
+
+            proxy_hide_header Content-Security-Policy;
+
+            add_header Content-Security-Policy "default-src 'self' https://wiki.ncsa.illinois.edu 'unsafe-inline' 'unsafe-eval' data:; img-src 'self' https://wiki.ncsa.illinois.edu data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://wiki.ncsa.illinois.edu; style-src 'self' 'unsafe-inline' https://wiki.ncsa.illinois.edu; connect-src 'self' https://wiki.ncsa.illinois.edu https://wiki.ncsa.illinois.edu/synchrony; frame-src 'self' https://wiki.ncsa.illinois.edu;" always;
+
+            add_header Access-Control-Allow-Origin * always;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+            add_header Access-Control-Allow-Headers "Origin, Authorization, X-Requested-With, Content-Type, Accept" always;
+
+            add_header X-Content-Type-Options nosniff always;
+            add_header X-Frame-Options SAMEORIGIN always;
+            add_header X-XSS-Protection "1; mode=block" always;
+            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
         }
+
 
     }
 }
diff --git a/Dockerfile b/Dockerfile
@@ -14,4 +14,4 @@ RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-openidc
 # Copy custom nginx.conf
 COPY ./CILogon/nginx.conf.template /usr/local/openresty/nginx/conf/
 
-CMD ["/bin/sh", "-c", "envsubst < /usr/local/openresty/nginx/conf/nginx.conf.template > /usr/local/openresty/nginx/conf/nginx.conf && openresty -g 'daemon off;'"]
+CMD ["/bin/sh", "-c", "envsubst '${CLIENT_ID} ${CLIENT_SECRET} ${PAT} ${PROXY_FQDN} ${TARGET_FQDN} '< /usr/local/openresty/nginx/conf/nginx.conf.template > /usr/local/openresty/nginx/conf/nginx.conf && openresty -g 'daemon off;'"]