nginx-cac/default.conf.TMPL at master · sofwerx/nginx-cac · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
error_log stderr info;

server {
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;

  server_name ${HOSTNAME}.${DNS_DOMAIN};

  ssl_certificate     ${SSL_CERT_PATH}/cert.pem;
  ssl_certificate_key ${SSL_CERT_PATH}/privkey.pem;
  ssl_protocols       TLSv1.1 TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;

  ssl_verify_client optional;
  ssl_verify_depth 4; # Allow intermediate CAs
  ssl_client_certificate /etc/nginx/DoDRoots.crt;

  proxy_set_header X-Forwarded-Proto https;

  add_header Strict-Transport-Security max-age=15768000;

  # Inform the proxyed app who the user who that SSL-terminated
  add_header X-Subject-DN $ssl_client_s_dn;
  add_header X-Client-Verified $ssl_client_verify;

  ### vvv for WordPress vvv
  root /www/WordPress;
  index index.php index.html index.htm;

 location ~ \.php$ {
    try_files $uri /index.php =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }
  ### ^^^ for WordPress ^^^

  # Require CAC or SWX internal IP address
  location / {
    try_files $uri $uri/ /index.php?$query_string;  # WP

    set $usertype "";

    if ($ssl_client_verify = "SUCCESS") {
      set $usertype "cac";
    }
#    if ($query_string = "TESTING") {
#      set $usertype "test";
#    }


    # data network internal IP (change to data network external IP if server moves to AWS)
    if ($remote_addr ~ "192\.168\.1\.[0-9]+") {
      set $usertype "local-admin";
    }

    # staff network external IP
    if ($remote_addr = "172.109.143.98") {
      set $usertype "local-staff";
    }

    if ($usertype = "") {
      rewrite /.* /noaccess.html break;
    }

    autoindex on;
  }

  ## Sample configuration to require CAC authentication for /protected path
  # root /www/static;
  #
  # location /protected {
  #
  #   set $usertype "";
  #
  #   if ($ssl_client_verify = "SUCCESS") {
  #     set $usertype "cac";
  #     }
  #     if ($query_string = "TESTING") {
  #       set $usertype "test";
  #     }
  #     if ($remote_addr = "172.109.143.98") {
  #       set $usertype "local-staff";
  #     }
  #     if ($remote_addr ~ "192\.168\.1\.[0-9]+") {
  #       set $usertype "local-admin";
  #     }
  #
  #     if ($usertype = "") {
  #       rewrite ^/protected.* /noaccess.html break;
  #     }
  #
  #     autoindex on;
  # }
  #
  # location / {
  #   autoindex on;
  # }
}