# =========================
# nginx.conf
# =========================
# Worker identity and sizing. The master process keeps root; workers drop to
# the unprivileged `nginx` account, one worker per available CPU core.
user nginx;
worker_processes auto;

# Per-worker connection ceiling (clients and upstream sockets both count).
events { worker_connections 1024; }
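http {
    # ---- Basic settings (tune as needed) ----
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Do not reveal the nginx version in the Server header or error pages.
    server_tokens off;

    # (Enable when upstream names must be resolved through Docker's embedded DNS)
    # resolver 127.0.0.11 ipv6=off valid=10s;

    # ---- Common headers ----
    # Reuse a client-supplied X-Request-ID for end-to-end tracing; mint one
    # when the request carries none. The value is client-controlled, so it
    # must be treated as untrusted when it lands in logs or dashboards.
    map $http_x_request_id $req_id {
        default $http_x_request_id;
        "" $request_id;
    }

    # ---- Upstreams (optional; a direct proxy_pass would also work) ----
    # `keepalive` only reuses upstream connections when each proxied location
    # sets proxy_http_version 1.1 AND clears the Connection header, otherwise
    # the client's "Connection: close" is forwarded and the pool is never used.
    upstream ui_upstream {
        server nginx:80;
        keepalive 16;
    }
    upstream api_upstream {
        server apisix:9080;
        keepalive 16;
    }
    upstream oauth2_proxy_upstream {
        server oauth2-proxy:4180;
        keepalive 16;
    }

    proxy_buffer_size 16k;
    proxy_buffers 8 16k;
    proxy_busy_buffers_size 64k;
    # Headroom against proxy header hash overflow (tune per environment)
    proxy_headers_hash_max_size 1024;
    proxy_headers_hash_bucket_size 128;

    # ============================================================
    # UI server: contoso-ui.aaa.com
    # ============================================================
    # NOTE(review): both vhosts listen on :80 and neither is marked
    # default_server, so requests with an unmatched Host header are served by
    # this (first) block under nginx's default-server rule — confirm whether a
    # catch-all `server { listen 80 default_server; return 444; }` is wanted.
    server {
        listen 80;
        server_name contoso-ui.aaa.com;

        # Health check. `default_type` is what sets the Content-Type of a
        # `return` body; the previous `add_header Content-Type` emitted a second
        # Content-Type header next to application/octet-stream.
        location = /healthz {
            default_type text/plain;
            return 200 'ok';
        }

        # Send bare /dify to /dify/ as well
        location = /dify {
            return 301 /dify/;
        }

        # oauth2-proxy public endpoints (no authentication)
        location /oauth2/ {
            proxy_pass http://oauth2_proxy_upstream;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Request-ID $req_id;
            proxy_hide_header X-Powered-By;
        }

        # Internal endpoint used by auth_request; not reachable from clients
        location = /oauth2/auth {
            internal;
            proxy_pass http://oauth2_proxy_upstream/oauth2/auth;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            # The auth subrequest decides on headers (session cookie) alone;
            # never stream the original request body to it.
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Request-ID $req_id;
        }

        # Dify UI (authenticated)
        location /dify/ {
            auth_request /oauth2/auth;
            auth_request_set $auth_user $upstream_http_x_auth_request_user;
            auth_request_set $auth_email $upstream_http_x_auth_request_email;
            error_page 401 = @oauth2_signin;
            proxy_pass http://ui_upstream/;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Request-ID $req_id;
            # Identity headers are taken only from the auth subrequest;
            # proxy_set_header replaces any client-supplied header of the same
            # name, so a client cannot inject its own user/email.
            proxy_set_header X-Auth-Request-User $auth_user;
            proxy_set_header X-Auth-Request-Email $auth_email;
        }

        # Other UI paths (extend as needed)
        location / {
            return 404;
        }

        # Redirect target on 401
        # NOTE(review): $host is echoed into `rd` from the request; the return
        # URL is therefore only as safe as oauth2-proxy's redirect-domain
        # validation — confirm it is configured for contoso-ui.aaa.com.
        location @oauth2_signin {
            return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
        }
    }

    # ============================================================
    # API server: contoso-api.aaa.com
    # ============================================================
    server {
        listen 80;
        server_name contoso-api.aaa.com;

        # Health check (see the UI vhost for why default_type is used here)
        location = /healthz {
            default_type text/plain;
            return 200 'ok';
        }

        # Dify API (API-key authentication only, no OIDC)
        location /dify/v1/ {
            proxy_pass http://api_upstream/dify/v1/;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Request-ID $req_id;
            # Authentication is enforced on the APISIX side (Dify API key only).
            # NOTE(review): this location does not override X-Auth-Request-User /
            # X-Auth-Request-Email, so client-supplied values pass through to
            # APISIX unchanged — confirm nothing downstream trusts them here.
        }

        # Other API paths (extend as needed)
        location / {
            return 404;
        }
    }
}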