worker_processes auto; error_log /var/log/nginx/error.log debug; pid /tmp/nginx.pid; events { worker_connections 1024; } http { map $ssl_client_s_dn $ssl_client_s_dn_cn { default ""; ~(^|,)CN=(?[^,]+) $CN; } map "$request_method:$uri:$ssl_client_s_dn_cn" $helper_error_message { default 'SUCCESS'; "~*(GET|DELETE):.*:(?!(superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}'; } map "$request_method:$uri:$ssl_client_s_dn_cn" $invoker_error_message { default 'SUCCESS'; "~*(PUT|DELETE):.*:(?!(INV|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; } map "$request_method:$uri:$ssl_client_s_dn_cn" $provider_error_message { default 'SUCCESS'; "~*(PUT|DELETE|PATCH):.*:(?!(AMF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be amf"}'; } map "$request_method:$uri:$ssl_client_s_dn_cn" $publish_error_message { default 'SUCCESS'; "~*.*:.*:(?!(APF|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; } map "$request_method:$uri:$ssl_client_s_dn_cn" $acl_error_message { default 'SUCCESS'; "~*.*:.*:(?!(AEF|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}'; } map "$request_method:$uri:$ssl_client_s_dn_cn" $discover_error_message { default 'SUCCESS'; "~*.*:.*:(?!(INV|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; } map "$request_method:$uri:$ssl_client_s_dn_cn" $security_error_message { default 'SUCCESS'; "~*DELETE:.*:(?!(AEF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; "~*PUT:.*:(?!(INV|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; "~*GET:.*:(?!(AEF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; "~*POST:.*/update:(?!(INV|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; "~*POST:.*/delete:(?!(AEF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; "~*POST:.*/token:(?!(INV|superadmin))(.*)" '{"error":"unauthorized_client", "error_description":"Role not authorized for this API route"}'; } map "$request_method:$uri:$ssl_client_s_dn_cn" $events_error_message { default 'SUCCESS'; "~*.*:.*:ccf" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; } server { listen 8080; location /test { add_header Content-Type 'application/json'; return 200 '{ "message": "Endpoint for testing purpouse" }'; } } server { listen 443 ssl; # server_name capifcore; # server_name openshift.evolved-5g.eu; ssl_certificate /etc/nginx/certs/server.crt; ssl_certificate_key /etc/nginx/certs/server.key; ssl_client_certificate /etc/nginx/certs/ca.crt; ssl_verify_client optional; ssl_verify_depth 2; location / { proxy_pass $scheme://$http_host/api-invoker-management/v1/ui/; } location /api-invoker-management { if ( $invoker_error_message != SUCCESS ) { add_header Content-Type 'application/problem+json'; return 401 $invoker_error_message; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://api-invoker-management:8080; } location /api-provider-management { if ( $provider_error_message != SUCCESS ) { add_header Content-Type 'application/problem+json'; return 401 $provider_error_message; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://api-provider-management:8080; } location /service-apis { if ($ssl_client_verify != SUCCESS) { return 403; } if ( $discover_error_message != SUCCESS ) { add_header Content-Type 'application/problem+json'; return 401 $discover_error_message; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://service-apis:8080; } location /published-apis { if ($ssl_client_verify != SUCCESS) { return 403; } if ( $publish_error_message != SUCCESS ) { add_header Content-Type 'application/problem+json'; return 401 $publish_error_message; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://published-apis:8080; } location /api-invocation-logs { if ($ssl_client_verify != SUCCESS) { return 403; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://api-invocation-logs:8080; } location /logs { if ($ssl_client_verify != SUCCESS) { return 403; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://logs:8080; } location /capif-security { if ($ssl_client_verify != SUCCESS) { return 403; } if ( $security_error_message != SUCCESS ) { add_header Content-Type 'application/problem+json'; return 401 $security_error_message; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://capif-security:8080; } location /capif-events { if ($ssl_client_verify != SUCCESS) { return 403; } if ( $events_error_message != SUCCESS ) { add_header Content-Type 'application/problem+json'; return 401 $events_error_message; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://capif-events:8080; } location /access-control-policy { if ( $acl_error_message != SUCCESS ) { add_header Content-Type 'application/problem+json'; return 401 $acl_error_message; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://access-control-policy:8080; } location /helper { if ( $helper_error_message != SUCCESS ) { add_header Content-Type 'application/problem+json'; return 401 $helper_error_message; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://helper:8080; } } } daemon off;