Message ID: 20     Entry time: Wed Apr 2 12:47:07 2025
Author: Liam Gaffney 
Author Email: liam.gaffney@liverpool.ac.uk 
Category: Public Logbook 
Configuration Name: Nginx config for CERN SSO 
Last Revision: Wed Apr 2 12:50:17 2025 by Liam Gaffney 

For those people who are running an elog instance at CERN and need to "hide" it behind the CERN Single Sign On (SSO), I've attached a working nginx.conf file to be used with OKD/PaaS at CERN.

Ideally, you can then configure the elog similarly to the example below, which will still allow people to register for individual elogs and be approved by an admin user. The usernames are then the CERN SSO usernames...

;
; admin
;
; Administrator account. Presumably this must be the SSO username the proxy delivers
; (the post says usernames are the CERN SSO usernames) -- confirm.
Admin user       = lgaffney
Password file    = /elog-nfs-2/ids_sso.passwd
; "Webserver" makes ELOG accept the user identity supplied by the reverse proxy
; (the attached nginx.conf sets X-Forwarded-User from the SSO auth subrequest),
; combined here with password-file ("File") logins. Trusting the proxy header is only
; safe while elogd is reachable exclusively through that proxy; a direct connection
; to the elog service could present any identity header it likes.
Authentication   = Webserver, File
; Local password changes are disabled, presumably because credentials live in the SSO.
allow password change = 0
; NOTE(review): 0 presumably means logins never expire -- confirm against the ELOG docs.
Login expiration = 0
; Users can register themselves but need approval by an admin (see the post text above).
Self register    = 3

 

Attachment 1: nginx.conf  3 kB  Uploaded Wed Apr 2 13:48:12 2025
    worker_processes  auto;

    # Errors at "notice" level and above go to this file; presumably the platform
    # collects it -- confirm where these logs end up.
    error_log  /var/log/nginx/error.log notice;
    pid        /var/run/nginx.pid;

    events {
        worker_connections  1024;
    }

    http {
        default_type  application/octet-stream;

        # Access-log line. $user is the identity returned by the SSO auth subrequest
        # (set with auth_request_set in location /), while "$http_x_forwarded_user" is the
        # X-Forwarded-User header exactly as the client sent it, before nginx replaces it
        # upstream. Logging both makes a disagreement between them visible in the access
        # log, which is worth watching for. $name and $email are personal data; take that
        # into account for log retention and who may read these files.
        log_format  main  '$remote_addr - $user ("$http_x_forwarded_user", $name, $email) [$time_local]'
                          ' "$request" $status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;
        sendfile        on;
        keepalive_timeout  65;
        # http-level default only: the server block below sets client_max_body_size 0
        # (no limit), which overrides this 100M value for that server.
        client_max_body_size 100M;


        server {
            # Plain HTTP inside the pod; presumably TLS is terminated by the OKD route in front -- confirm.
            listen 8080;    
            
            # Disable buffering for an authenticating proxy
            proxy_buffering off;
            # Allow big headers (oauth2-proxy cookies) - OKD routers allow headers up to 32k
            proxy_buffer_size          32k;
            proxy_buffers              8 64k;
            proxy_busy_buffers_size    64k;
            # Do not restrict upload size (consider setting a limit here if application does not need large request bodies)
            # NOTE(review): 0 removes the body-size limit for the whole server, so it also applies to
            # the /oauth2/ location below, which has no auth_request of its own and is therefore
            # reachable before login. It also overrides the 100M set at http level.
            client_max_body_size 0;

            # oauth2-proxy endpoints (/oauth2/start and /oauth2/auth are referenced from location /).
            # Deliberately not guarded by auth_request and not `internal`: the browser has to reach
            # the login start endpoint before it has a session.
            location /oauth2/ {
                proxy_pass       http://cern-auth-proxy:4180;    # TODO: must match the Release name used to deploy the cern-auth-proxy service
                proxy_set_header Host                    $host;
                proxy_set_header X-Scheme                $scheme;
                # Tells the auth proxy where to send the browser back after login: the original request URI.
                proxy_set_header X-Auth-Request-Redirect $request_uri;
                proxy_pass_request_headers on;
                # NOTE(review): the auth_request subrequest to /oauth2/auth also lands here with the
                # client's request headers. The nginx auth_request and oauth2-proxy reference configs
                # give /oauth2/auth its own `location =` block with `proxy_pass_request_body off;` and
                # `proxy_set_header Content-Length "";` so a POST/upload's Content-Length is not sent
                # to the auth proxy without a body -- confirm large uploads work through this path.
            }

            location / {
                # Every request is first checked by a subrequest to the auth proxy. A 401 from it is
                # turned into an internal redirect to /oauth2/start (served by the location above),
                # which begins the SSO login; a 403 from the auth proxy is passed to the client as-is.
                # (The enclosing location / block closes beyond this excerpt.)
                auth_request /oauth2/auth;
                error_page 401 = /oauth2/start;

                # Capture the authentication headers set by cern-auth-proxy during the authentication subrequest
                # (headers available iff oauth2-proxy runs with --set-xauthrequest flag)
                # These values come from the auth proxy's response, never from the client request.
                auth_request_set $user               $upstream_http_x_auth_request_user;
                auth_request_set $email              $upstream_http_x_auth_request_email;
                auth_request_set $groups             $upstream_http_x_auth_request_groups;
                auth_request_set $preferredUsername  $upstream_http_x_auth_request_preferred_username;
                auth_request_set $name               $upstream_http_x_auth_request_name;

                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
                #auth_request_set $token $upstream_http_x_auth_request_access_token;
                #proxy_set_header X-Access-Token $token;
                #auth_request_set $auth_cookie $upstream_http_set_cookie;
                #proxy_set_header Set-Cookie $auth_cookie;

                # TODO: define here the custom headers to pass to your application
                # While the next line stays commented out, a client-supplied Authorization header is
                # forwarded to the application unchanged (proxy_pass_request_headers is on below).
                #proxy_set_header Authorization '';
                # X-Forwarded-User is the proxy-supplied identity that ELOG's "Authentication = Webserver"
                # relies on (presumably this header -- confirm against the ELOG docs). Setting it here
                # overwrites whatever the client sent, so upstream always sees the SSO user from the
                # subrequest above. That guarantee only holds if the elog service is reachable solely
                # through this proxy.
                proxy_set_header X-Forwarded-User  $user;
                proxy_set_header X-Remote-User     $user;
                # NOTE(review): the conventional header name is X-Forwarded-Proto; confirm which name
                # the application actually reads before relying on this one.
                proxy_set_header X-Forward-Proto   $scheme;
                proxy_set_header X-Forwarded-Email $email;
                proxy_set_header X-Forwarded-Name  $name;
                proxy_set_header Host      $host;
                # Body metadata is forwarded explicitly from the client's headers, presumably so that
                # attachment uploads arrive intact at the application -- confirm this is still needed.
                proxy_set_header Content-Length $http_content_length;
                proxy_set_header Content-Type $http_content_type;
                proxy_set_header Content-Disposition $http_content_disposition;
                proxy_pass_request_headers on;
                proxy_pass_request_body on;
                
                # TODO: configure here the service and port of the application being proxied
                proxy_pass http://isolde-elog-app:8080/;

                # TODO: configure proxy timeout as needed. This must be consistent with the nginx route's timeout annotation.
                proxy_read_timeout 90;
                proxy_connect_timeout 90;
                proxy_send_timeout 90;

                # Max file size - 1 GB
                # Only relevant when nginx buffers upstream responses to disk; the server block sets
                # proxy_buffering off, so this limit likely has no effect here -- confirm.
                proxy_max_temp_file_size 1024m;
  