nginx.conf.template

upstream app_a {
    server app_1:80;
}

server {
    listen   3002;
    root     /opt/nginx/html;
    resolver 127.0.0.11 valid=1s ipv6=off;

    error_log  /var/log/nginx/error.log info;
    access_log  /var/log/nginx/access.log;

    error_log /dev/stderr info;
    access_log /dev/stdout;
    
    access_by_lua '
        local function dump(o)
            if type(o) == \'table\' then
                local s = \'{ \'
                for k,v in pairs(o) do
                    if type(k) ~= \'number\' then k = \'"\'..k..\'"\' end
                    s = s .. \'[\'..k..\'] = \' .. dump(v) .. \',\'
                end
                return s .. \'} \'
            else
                return tostring(o)
            end
        end

        local opts = {
            redirect_uri = "/redirect_uri",
            accept_none_alg = false,
            renew_access_token_on_expiry = true,
            discovery = { -- Overwriting auto-discovery [parameters](http://localhost:3333/realms/master/.well-known/openid-configuration)
                issuer = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}",
                authorization_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth",
                id_token_signing_alg_values_supported = { "RS256", "RS384", "RS512" },
                token_signing_alg_values_expected = { "RS256", "RS384", "RS512" },
                token_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token",
                jwks_uri = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/certs",
                userinfo_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/userinfo",
                revocation_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/revoke",
                end_session_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout",
                introspection_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token/introspect",
            },
            token_endpoint_auth_method = "client_secret_basic", -- Recommended over [client_secret_post](https://stackoverflow.com/a/55040462/4958081)
            client_id = "${KEYCLOAK_CLIENT}",
            client_secret = "${KEYCLOAK_SECRET}",
            logout_path = "/logout",
            redirect_after_logout_uri = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout?redirect_uri=${KEYCLOAK_LOGOUT_REDIRECT_URI}",
            redirect_after_logout_with_id_token_hint = false,
            scope = "openid",
            session_contents = {id_token=true}
        }
        
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
            ngx.status = 403
            ngx.log(ngx.NOTICE, dump(err))
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    ';

    # Disabling cache so the browser won't cache the website
    expires           0;
    add_header        Cache-Control private;

    location / {
        proxy_pass http://app_a;
        proxy_set_header X-Forwarded-For \\$remote_addr; 
    }    
    
    error_page 404 /404.html;
        location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        root /usr/share/nginx/html;
    }
}