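# ogCore API vhost without request-level authentication (port 8443).
server {
    listen 8443 ssl;
    server_name _;
    root /opt/opengnsys/ogcore/api/public/;
    index index.html index.php;

    ssl_certificate /opt/opengnsys/ogcore/etc/certificates/ogcore.crt;
    ssl_certificate_key /opt/opengnsys/ogcore/etc/certificates/ogcore.key;

    # Collapse a doubled slash in legacy REST paths. NOTE(review): with the
    # default merge_slashes on, nginx collapses "//" before location matching,
    # so this block only matches if merge_slashes is off in the http block —
    # confirm against the enclosing configuration.
    location /opengnsys/rest/ous// {
        rewrite ^/opengnsys/rest/ous//([0-9]+)/images /opengnsys/rest/ous/$1/images;
        rewrite ^/opengnsys/rest/ous//([0-9]+)/labs /opengnsys/rest/ous/$1/labs;
    }

    # Main block: static files first, then the front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP handler. "internal" means this location is reachable only through the
    # try_files redirect above, never by an external request naming a .php
    # file directly; such requests get 404, which is what the now-removed
    # duplicate "location ~ \.php$ { return 404; }" (unreachable, because the
    # first regex location always won) was trying to express.
    location ~ \.php$ {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php/php8.3-fpm-ogcore.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): $request_uri includes the query string; the value
        # produced by fastcgi_split_path_info is $fastcgi_path_info. Left as
        # is in case the application reads PATH_INFO this way — confirm.
        fastcgi_param PATH_INFO $request_uri;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
    }

    error_log /var/log/nginx/ogcore-error.log;
    access_log /var/log/nginx/ogcore-access.log;
}

# ogCore API vhost with client-certificate / Bearer-token gating (port 8444).
server {
    listen 8444 ssl;
    server_name _;
    root /opt/opengnsys/ogcore/api/public/;
    index index.html index.php;

    # Server certificates
    ssl_certificate /opt/opengnsys/ogcore/etc/certificates/ogcore.crt;
    ssl_certificate_key /opt/opengnsys/ogcore/etc/certificates/ogcore.key;

    # CA used to validate client certificates (optional). With "optional",
    # $ssl_client_verify is NONE when no certificate was sent and
    # FAILED:<reason> on a bad one; the validator behind /check-auth (not in
    # this file) is expected to accept only SUCCESS — confirm.
    ssl_client_certificate /opt/opengnsys/ogcore/etc/certificates/ca.crt;
    ssl_verify_client optional;

    # ================================
    # 1. OPEN ROUTE: /auth/login
    # ================================
    location = /auth/login {
        try_files $uri $uri/ /index.php?$args;
    }

    # ============================================
    # 2. OPEN ROUTE: / (Swagger documentation)
    # ============================================
    location = / {
        try_files $uri $uri/ /index.php?$args;
    }

    # ==================================================
    # 3. ACCESS VALIDATION: client certificate or Bearer token
    # ==================================================
    location = /check-auth {
        internal;
        proxy_pass http://127.0.0.1:5001/validate;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header SSL_CLIENT_VERIFY $ssl_client_verify;
        proxy_set_header Authorization $http_authorization;
    }

    # ============================================
    # 4. ALL OTHER ROUTES → AUTHENTICATION
    # ============================================
    location / {
        # Allow CORS preflight without authentication
        if ($request_method = OPTIONS ) {
            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, PATCH' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;
            add_header 'Access-Control-Max-Age' 3600;
            return 204;
        }

        # Every other method goes through the auth subrequest (access phase,
        # i.e. before try_files redirects to the PHP handler).
        auth_request /check-auth;

        # CORS headers on real responses as well
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, PATCH' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;

        try_files $uri $uri/ /index.php?$args;
    }

    # Swagger UI assets: static only, no front-controller fallback.
    location ^~ /bundles/apiplatform/ {
        try_files $uri $uri/ =404;
    }

    # ============================================
    # 5. PHP HANDLER
    # ============================================
    # "internal" is what enforces the gate above: a regex location wins over
    # "location /", so without it an external request to /index.php or
    # /index.php/<path> would reach PHP-FPM without ever passing through
    # auth_request. Internal redirects from the try_files directives in
    # blocks 1, 2 and 4 are unaffected.
    location ~ \.php$ {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php/php8.3-fpm-ogcore.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): $request_uri includes the query string; the value
        # produced by fastcgi_split_path_info is $fastcgi_path_info. Left as
        # is in case the application reads PATH_INFO this way — confirm.
        fastcgi_param PATH_INFO $request_uri;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
        # Pass TLS verification result and token through to PHP
        fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        fastcgi_param Authorization $http_authorization;
    }

    error_log /var/log/nginx/ogcore-error.log;
    access_log /var/log/nginx/ogcore-access.log;
}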