/
proxy.conf
136 lines (116 loc) · 4.5 KB
/
proxy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
worker_processes 1;
user nobody;
events {
worker_connections 1024;
multi_accept off;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# allow CORS requests from selected hosts
map $http_origin $cors_origin_header {
default "";
"https://formbuilder.o3.openmrs.org" "$http_origin";
}
map $http_origin $cors_cred {
default "false";
"https://formbuilder.o3.openmrs.org" "true";
}
map $request_uri $csp_header {
default "default-src 'self' 'unsafe-inline'; base-uri 'self'; font-src 'self'; img-src 'self' data:; frame-ancestors 'self';";
"~^/openmrs/(?:admin|dictionary|module|patientDashboard.form)/" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self'; frame-ancestors 'self';";
"~^/openmrs/owa" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self' data:; img-src 'self' data:; frame-ancestors 'self';";
}
upstream frontend {
# always assume the frontend will be available
server frontend max_fails=0;
}
upstream backend {
server backend:8080 max_fails=0;
}
server {
listen 80;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy $csp_header;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cookie_flags JSESSIONID secure samesite=strict;
proxy_http_version 1.1;
gzip on;
gzip_vary on;
# 1 KiB
gzip_min_length 1024;
gzip_proxied any;
gzip_http_version 1.0;
gzip_types font/eot
font/otf
font/ttf
image/svg+xml
text/css
text/javascript
text/plain
text/xml
application/atom+xml
application/geo+json
application/importmap+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/fhir+json
application/fhir+xml
application/manifest+json
application/rdf+xml
application/rss+xml
application/xhtml+xml
application/xml;
# all redirects are relative to the gateway
absolute_redirect off;
location = /openmrs/spa {
return 301 /openmrs/spa/;
}
location /openmrs/spa/ {
proxy_pass http://frontend/;
proxy_redirect http://$host/ /openmrs/spa/;
}
location /openmrs {
location /openmrs/ws/rest/v1 {
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy $csp_header;
add_header "Access-Control-Allow-Origin" $cors_origin_header always;
add_header "Access-Control-Allow-Credentials" $cors_cred;
add_header "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS";
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
add_header "Access-Control-Expose-Headers" "Authorization" always;
if ($request_method = 'OPTIONS') {
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy $csp_header;
add_header "Access-Control-Allow-Origin" $cors_origin_header always;
add_header "Access-Control-Allow-Credentials" $cors_cred;
add_header "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS";
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
add_header "Access-Control-Expose-Headers" "Authorization" always;
# Tell client that this pre-flight info is valid for 20 days
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain;charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
proxy_pass http://backend/openmrs/ws/rest/v1;
}
proxy_pass http://backend;
}
location = / {
return 301 /openmrs/spa/;
}
}
}