/
proxy.conf
143 lines (123 loc) · 5.15 KB
/
proxy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
worker_processes 1;
user nobody;
events {
worker_connections 1024;
multi_accept off;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# allow CORS requests from selected hosts
map $http_origin $cors_origin_header {
default "";
"https://formbuilder.o3.openmrs.org" "$http_origin";
}
map $http_origin $cors_cred {
default "false";
"https://formbuilder.o3.openmrs.org" "true";
}
map $request_uri $csp_header {
default "default-src 'self' 'unsafe-inline' https://fonts.gstatic.com/ https://spa-modules.nyc3.digitaloceanspaces.com/ https://spa-modules.nyc3.cdn.digitaloceanspaces.com/ https://cdn.jsdelivr.net/; base-uri 'self'; font-src 'self' https://fonts.gstatic.com/; img-src 'self' data:; frame-ancestors 'self';";
"~^/openmrs/(?:admin|dictionary|module|patientDashboard.form)/" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self'; frame-ancestors 'self';";
"~^/openmrs/owa" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self' data:; img-src 'self' data:; frame-ancestors 'self';";
}
# this is the overall server
server {
listen 80;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy $csp_header;
proxy_cookie_flags JSESSIONID secure samesite=strict;
proxy_http_version 1.1;
absolute_redirect off;
gzip on;
gzip_vary on;
gzip_comp_level 4;
# 1 KiB
gzip_min_length 1024;
gzip_proxied any;
gzip_http_version 1.0;
gzip_types font/eot
font/otf
font/ttf
image/svg+xml
text/css
text/javascript
text/plain
text/xml
application/atom+xml
application/geo+json
application/importmap+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/fhir+json
application/fhir+xml
application/manifest+json
application/rdf+xml
application/rss+xml
application/xhtml+xml
application/xml;
# anything in /openmrs/spa is actually served from the DO cloud
location /openmrs/spa {
# redirect to home
location = /openmrs/spa {
return 301 /openmrs/spa/home;
}
location = /openmrs/spa/ {
return 301 /openmrs/spa/home;
}
# any file requested (beside importmap) is served from esm-app-shell
location ~* /openmrs/spa/(.*\.(?!html?)[^.]+)$ {
expires -1d;
proxy_pass https://spa-modules.nyc3.digitaloceanspaces.com/@openmrs/esm-app-shell/latest/dist/$1;
}
# anything that does not have an extension is routed to the single page
location /openmrs/spa/ {
expires -1d;
rewrite ^(.*)$ /@openmrs/esm-app-shell/latest/dist/index.html break;
proxy_pass https://spa-modules.nyc3.digitaloceanspaces.com;
}
}
# anything to /openmrs but not /openmrs/spa is served from the backend
location /openmrs {
# here we allow CORS for the selected hosts but *only* to the REST API
location /openmrs/ws/rest/v1 {
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy $csp_header;
add_header "Access-Control-Allow-Origin" $cors_origin_header always;
add_header "Access-Control-Allow-Credentials" $cors_cred;
add_header "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS";
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
add_header "Access-Control-Expose-Headers" "Authorization" always;
if ($request_method = 'OPTIONS') {
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy $csp_header;
add_header "Access-Control-Allow-Origin" $cors_origin_header always;
add_header "Access-Control-Allow-Credentials" $cors_cred;
add_header "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS";
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
add_header "Access-Control-Expose-Headers" "Authorization" always;
# Tell client that this pre-flight info is valid for 20 days
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain;charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
proxy_pass http://backend:8080/openmrs/ws/rest/v1;
}
proxy_pass http://backend:8080;
}
# in case you end-up at /, we send you to the frontend
location = / {
return 301 openmrs/spa;
}
}
}