nginxinc
diff --git a/‎labs/lab8/cafe.example.com.conf
Lines changed: 70 additions & 0 deletions b/‎labs/lab8/cafe.example.com.conf
Lines changed: 70 additions & 0 deletions
diff --git a/‎labs/lab8/media/App_Registration.png
119 KB b/‎labs/lab8/media/App_Registration.png
119 KB
diff --git a/‎labs/lab8/media/Authentication_add_platform.png
238 KB b/‎labs/lab8/media/Authentication_add_platform.png
238 KB
diff --git a/‎labs/lab8/media/Fill_Secret_details.png
156 KB b/‎labs/lab8/media/Fill_Secret_details.png
156 KB
diff --git a/‎labs/lab8/media/New_Secret_Creation.png
130 KB b/‎labs/lab8/media/New_Secret_Creation.png
130 KB
diff --git a/‎labs/lab8/media/Post_App_Registration.png
189 KB b/‎labs/lab8/media/Post_App_Registration.png
189 KB
diff --git a/‎labs/lab8/media/Post_Secret_Creation.png
130 KB b/‎labs/lab8/media/Post_Secret_Creation.png
130 KB
diff --git a/‎labs/lab8/media/cafe-icon.png
134 KB b/‎labs/lab8/media/cafe-icon.png
134 KB
diff --git a/‎labs/lab8/media/curl_output.png
69 KB b/‎labs/lab8/media/curl_output.png
69 KB
diff --git a/‎labs/lab8/media/endpoints.png
241 KB b/‎labs/lab8/media/endpoints.png
241 KB
@@ -0,0 +1,70 @@
+# Nginx 4 Azure - Cafe Nginx with Entra ID / OIDC
+# Chris Akker, Shouvik Dutta, Adam Currier - Mar 2024
+#
+server {
+    
+    # Include AzureAD Auth configuration files
+    include /etc/nginx/conf.d/oidc/openid_connect.server_conf; # Authorization code flow and Relying Party processing
+
+    listen 443 ssl; # Listening on port 443 with "ssl" parameter for terminating TLS on all IP addresses on this machine
+
+    server_name cafe.example.com;   # Set hostname to match in request
+    status_zone cafe.example.com;   # Metrics zone name
+
+    ssl_certificate /etc/nginx/cert/n4a-cert.cert;
+    ssl_certificate_key /etc/nginx/cert/n4a-cert.key;
+
+    access_log  /var/log/nginx/cafe.example.com.log main;
+    error_log   /var/log/nginx/cafe.example.com_error.log info;
+
+    location / {
+        #
+        # return 200 "You have reached cafe.example.com, location /\n";
+         
+        proxy_pass http://cafe_nginx;          # Proxy AND load balance to a list of servers
+        add_header X-Proxy-Pass cafe_nginx;    # Custom Header
+
+        # proxy_pass http://windowsvm;           # Proxy AND load balance to a list of servers
+        # add_header X-Proxy-Pass windowsvm;     # Custom Header
+
+        #proxy_pass http://aks1_ingress;        # Proxy AND load balance to AKS1 Nginx Ingress
+        #add_header X-Proxy-Pass aks1_ingress;  # Custom Header
+
+        # proxy_pass http://aks2_ingress;        # Proxy AND load balance to AKS2 Nginx Ingress
+        # add_header X-Proxy-Pass aks1_ingress;  # Custom Header
+
+        # proxy_pass http://$upstream;           # Use Split Clients config
+        # add_header X-Proxy-Pass $upstream;     # Custom Header
+
+    }
+
+    # starting path regex
+    # This location is protected with OpenID Connect and Azure Entra ID
+    #
+    location ~ ^/(beer|wine)$ {
+
+        auth_jwt "" token=$session_jwt;
+        error_page 401 = @do_oidc_flow;
+
+        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
+        auth_jwt_key_request /_jwks_uri; # Enable when using URL
+
+        # Successfully authenticated users are proxied to the backend,
+        # with 'sub' claim passed as HTTP header
+        proxy_set_header username $jwt_claim_sub;
+
+        # Bearer token is used to authorize NGINX to access protected backend
+        #proxy_set_header Authorization "Bearer $access_token";
+
+        # Intercept and redirect "401 Unauthorized" proxied responses to nginx
+        # for processing with the error_page directive. Necessary if Access Token
+        # can expire before ID Token.
+        #proxy_intercept_errors on;
+
+        proxy_pass http://cafe_nginx;               # The backend site/app
+        add_header X-Proxy-Pass cafe_nginx_oidc;    # Custom Header
+
+        access_log /var/log/nginx/access.log main_jwt;
+    
+    }
+}