From ba322e076ff97fcb326775bea2a0f80c3387b063 Mon Sep 17 00:00:00 2001
From: Joxit
Date: Mon, 8 May 2023 14:42:32 +0200
Subject: [PATCH] docs(token-auth-keycloak): update nginx configuration (#303)
---
 examples/token-auth-keycloak/README.md | 15 +++++++++++++++
 .../token-auth-keycloak/conf/proxy/nginx.conf | 17 ++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/examples/token-auth-keycloak/README.md b/examples/token-auth-keycloak/README.md
index 258b5623..9c472b88 100644
--- a/examples/token-auth-keycloak/README.md
+++ b/examples/token-auth-keycloak/README.md
@@ -32,8 +32,23 @@ I will highlight required configuration for Basic Access Authentication Protocol
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Host $host;
+
+ if ($request_method = "OPTIONS") {
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "OPTIONS, GET" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization" always;
+ add_header Access-Control-Allow-Credentials true always;
+ add_header Content-Type "text/plain charset=UTF-8";
+ add_header Content-Length 0;
+ return 204;
+ }
+
 # By default, keycloak returns 400 instead of 401, we need to change that
 if ($http_authorization = "") {
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "OPTIONS, GET" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization" always;
+ add_header Access-Control-Allow-Credentials true always;
 add_header WWW-Authenticate 'Basic realm="Keycloak login"' always;
 return 401;
 }
diff --git a/examples/token-auth-keycloak/conf/proxy/nginx.conf b/examples/token-auth-keycloak/conf/proxy/nginx.conf
index e2168e78..a1874972 100644
--- a/examples/token-auth-keycloak/conf/proxy/nginx.conf
+++ b/examples/token-auth-keycloak/conf/proxy/nginx.conf
@@ -7,7 +7,6 @@ server {
 set $registry "http://registry:5000";
 set $ui "http://ui";
- #charset koi8-r;
 #access_log /var/log/nginx/host.access.log main;
@@ -44,7 +43,22 @@ server {
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Host $host;
+
+ if ($request_method = "OPTIONS") {
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "OPTIONS, GET" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization" always;
+ add_header Access-Control-Allow-Credentials true always;
+ add_header Content-Type "text/plain charset=UTF-8";
+ add_header Content-Length 0;
+ return 204;
+ }
+
 if ($http_authorization = "") {
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "OPTIONS, GET" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization" always;
+ add_header Access-Control-Allow-Credentials true always;
 add_header WWW-Authenticate 'Basic realm="Keycloak login"' always;
 return 401;
 }
@@ -52,6 +66,7 @@ server {
 }
 location /ui {
+ rewrite ^/ui/(.*) /$1 break;
 proxy_pass $ui;
 }
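Review bot: In the `@@ -44,7 +43,22 @@` hunk, both new branches send `Access-Control-Allow-Origin $http_origin` together with `Access-Control-Allow-Credentials true`, so the preflight and the 401 answer approve credentialed cross-origin requests from whatever site the browser names in `Origin`. The value should come from an allowlist instead, for example a `map $http_origin $cors_origin` declared at `http` level (outside the `server` block) that yields the origin only for the UI's own URL (placeholder: `https://ui.example.test`) and an empty string otherwise, used as `add_header Access-Control-Allow-Origin $cors_origin always;` with `add_header Vary Origin always;` next to it. The README hunk repeats the same lines and needs the same change. Separately, `"text/plain charset=UTF-8"` is missing the `;` between the media type and its parameter. The enclosing `location` starts outside the hunk, so whether the proxied Keycloak responses add CORS headers of their own cannot be seen here.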
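Review bot: In the `@@ -52,6 +66,7 @@` hunk, the new `rewrite ^/ui/(.*) /$1 break;` only matches paths with a slash after `/ui`, while `location /ui` is a prefix match that also accepts the bare `/ui` and any other path that merely starts with those characters; such requests are proxied with the prefix left in place. Declaring the block as `location /ui/ {` would limit it to the paths the rewrite actually handles. How the UI upstream answers a request for `/ui` without the trailing slash is not visible here, so that case is worth checking before changing the prefix.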