ogcore/etc/nginx/sites-available/ogcore.conf


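# ogcore API vhost on 8443 (TLS, no request authentication).
# NOTE(review): nothing in this server block authenticates requests; the
# 8444 vhost below is the one that gates access with auth_request. Presumably
# 8443 is reachable only from a trusted network — confirm before exposing it.
server {
    listen 8443 ssl;
    server_name _;
    root /opt/opengnsys/ogcore/api/public/;
    index index.html index.php;
    ssl_certificate /opt/opengnsys/ogcore/etc/certificates/ogcore.crt;
    ssl_certificate_key /opt/opengnsys/ogcore/etc/certificates/ogcore.key;

    # Legacy REST paths that carry a doubled slash after "ous".
    # NOTE(review): with nginx's default merge_slashes on, "//" is collapsed
    # before location matching, so this block is presumably never entered and
    # the rewrites are redundant with that normalisation; harmless, left as-is.
    location /opengnsys/rest/ous// {
        rewrite ^/opengnsys/rest/ous//([0-9]+)/images /opengnsys/rest/ous/$1/images;
        rewrite ^/opengnsys/rest/ous//([0-9]+)/labs /opengnsys/rest/ous/$1/labs;
    }

    # Main file block: serve an existing file or directory, otherwise hand the
    # request to the front controller with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP handling via the ogcore PHP-FPM pool.
    # A second `location ~ \.php$ { return 404; }` used to follow this block;
    # nginx tries regex locations in file order and the first match wins, so it
    # was unreachable and has been dropped. Requests for a *.php file that does
    # not exist are answered by PHP-FPM itself.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php/php8.3-fpm-ogcore.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): $request_uri includes the query string; the value
        # produced by fastcgi_split_path_info would be $fastcgi_path_info.
        # Left unchanged in case the application relies on it — confirm.
        fastcgi_param PATH_INFO $request_uri;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
    }

    error_log /var/log/nginx/ogcore-error.log;
    access_log /var/log/nginx/ogcore-access.log;
}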
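# ogcore API vhost on 8444 (TLS, optional client certificate, request
# authentication delegated to a local validator through auth_request).
server {
    listen 8444 ssl;
    server_name _;
    root /opt/opengnsys/ogcore/api/public/;
    index index.html index.php;

    # Server certificates
    ssl_certificate /opt/opengnsys/ogcore/etc/certificates/ogcore.crt;
    ssl_certificate_key /opt/opengnsys/ogcore/etc/certificates/ogcore.key;

    # CA used to validate the client certificate (optional). With "optional",
    # a request that reaches a location carries $ssl_client_verify of either
    # SUCCESS or NONE; the validator behind /check-auth should treat only the
    # literal value SUCCESS as a verified certificate.
    ssl_client_certificate /opt/opengnsys/ogcore/etc/certificates/ca.crt;
    ssl_verify_client optional;

    # ================================
    # 1. OPEN ROUTE: /auth/login
    # ================================
    location = /auth/login {
        try_files $uri $uri/ /index.php?$args;
    }

    # ============================================
    # 2. OPEN ROUTE: / (Swagger documentation)
    # ============================================
    location = / {
        try_files $uri $uri/ /index.php?$args;
    }

    # ==================================================
    # 3. ACCESS VALIDATION: certificate or Bearer token
    # ==================================================
    # Reachable only as an auth_request subrequest ("internal"). Only the TLS
    # verification result and the Authorization header are forwarded; if the
    # validator also needs the certificate identity, $ssl_client_s_dn would
    # have to be passed as well — confirm against the validator.
    location = /check-auth {
        internal;
        proxy_pass http://127.0.0.1:5001/validate;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header SSL_CLIENT_VERIFY $ssl_client_verify;
        proxy_set_header Authorization $http_authorization;
    }

    # ============================================
    # 4. EVERY OTHER ROUTE -> AUTHENTICATION
    # ============================================
    location / {
        # Allow CORS preflight without authentication; `return` inside `if`
        # is the safe form of this construct.
        if ($request_method = OPTIONS ) {
            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, PATCH' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;
            add_header 'Access-Control-Max-Age' 3600;
            return 204;
        }
        # For every other method, require the validator's approval before
        # the request is served (access phase runs before try_files).
        auth_request /check-auth;
        # Add the CORS headers on real responses too
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, PATCH' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;
        try_files $uri $uri/ /index.php?$args;
    }

    # Static assets for the Swagger UI; served without authentication
    # (prefix match with ^~ takes precedence over the regex PHP location).
    location ^~ /bundles/apiplatform/ {
        try_files $uri $uri/ =404;
    }

    # ============================================
    # 5. PHP HANDLER
    # ============================================
    location ~ \.php$ {
        # This location has no auth_request of its own, so a request sent
        # directly to a *.php URI would skip the check in "location /".
        # "internal" makes it reachable only through the try_files redirects
        # above (which have already passed the open-route or auth_request
        # path); direct external requests for *.php get 404.
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php/php8.3-fpm-ogcore.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): $request_uri includes the query string; the value
        # produced by fastcgi_split_path_info would be $fastcgi_path_info.
        # Left unchanged in case the application relies on it — confirm.
        fastcgi_param PATH_INFO $request_uri;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
        # Pass TLS verification result and the token to PHP. nginx already
        # forwards request headers as HTTP_*; the plain "Authorization" name is
        # presumably what the application reads — confirm.
        fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        fastcgi_param Authorization $http_authorization;
    }

    error_log /var/log/nginx/ogcore-error.log;
    access_log /var/log/nginx/ogcore-access.log;
}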