oidc-gateway-demo/nginx/nginx.conf

# nginx配置文件
# 用于OAuth2/OIDC系统的反向代理

# 工作进程数
worker_processes auto;

# PID文件路径
pid /tmp/nginx.pid;

# 错误日志
error_log /tmp/nginx_error.log;

# 事件模块配置
events {
    worker_connections 1024;
}

# HTTP模块配置
http {
    map $http_origin $cors_origin {
        default "";
        "https://a.local.com" "https://a.local.com";
        "https://b.local.com" "https://b.local.com";
    }
    # MIME类型
    include /opt/homebrew/etc/nginx/mime.types;
    default_type application/octet-stream;

    # 日志格式
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # 在http块添加main_cookie日志格式
    log_format main_cookie '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" '
                          'cookie:"$http_cookie"';

    # 访问日志
    access_log /tmp/nginx_access.log main;

    # 基本设置
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Gzip压缩
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json;

    # 前端应用服务器 (a.local.com) - HTTPS
    server {
        listen 443 ssl;
        server_name b.local.com;

        # SSL配置
        ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt;
        ssl_certificate_key /Users/sunpeng/workspace/remote/oauth2/ssl/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # 静态文件目录
        root /Users/sunpeng/workspace/remote/oauth2/resourceservicehtmlb;

        # 首页和静态文件
        location / {
            try_files $uri $uri/ /index.html;
            
            # 添加CORS头
            add_header Access-Control-Allow-Origin $cors_origin;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
        }

        # 防止前端server拦截OIDC登录页，/login直接返回404
        location = /login {
            return 404;
        }

        # 处理OPTIONS预检请求
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
        }

        # /api 路径转发到网关
        location /api/ {
            rewrite ^/api/(.*)$ /b/$1 break;
            proxy_pass http://localhost:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            
            # 处理CORS
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
            
            # 处理OPTIONS请求
            if ($request_method = 'OPTIONS') {
                add_header Access-Control-Allow-Origin $cors_origin always;
                add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
                add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
                add_header Access-Control-Max-Age 1728000;
                add_header Content-Type "text/plain; charset=utf-8";
                add_header Content-Length 0;
                return 204;
            }
        }

        # /oidc-logout 路径转发到 OIDC 服务
        location /oidc-logout {
            proxy_pass http://localhost:9000/oidc-logout;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Cookie $http_cookie;

            # 记录cookie内容到专用日志
            access_log /tmp/nginx_oidc_logout.log main_cookie;

            # 处理CORS
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";

            # 处理OPTIONS请求
            if ($request_method = 'OPTIONS') {
                add_header Access-Control-Allow-Origin $cors_origin always;
                add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
                add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
                add_header Access-Control-Max-Age 1728000;
                add_header Content-Type "text/plain; charset=utf-8";
                add_header Content-Length 0;
                return 204;
            }
        }

        # 错误页面
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
    }

       server {
        listen 443 ssl;
        server_name a.local.com;

        # SSL配置
        ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt;
        ssl_certificate_key /Users/sunpeng/workspace/remote/oauth2/ssl/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # 静态文件目录
        root /Users/sunpeng/workspace/remote/oauth2/resourceservicehtml;

        # 首页和静态文件
        location / {
            try_files $uri $uri/ /index.html;
            
            # 添加CORS头
            add_header Access-Control-Allow-Origin $cors_origin;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
        }

        # 防止前端server拦截OIDC登录页，/login直接返回404
        location = /login {
            return 404;
        }

        # 处理OPTIONS预检请求
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
        }

        # /api 路径转发到网关
        location /api/ {
            rewrite ^/api/(.*)$ /a/$1 break;
            proxy_pass http://localhost:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            
            # 处理CORS
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
            
            # 处理OPTIONS请求
            if ($request_method = 'OPTIONS') {
                add_header Access-Control-Allow-Origin $cors_origin always;
                add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
                add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
                add_header Access-Control-Max-Age 1728000;
                add_header Content-Type "text/plain; charset=utf-8";
                add_header Content-Length 0;
                return 204;
            }
        }

        # /oidc-logout 路径转发到 OIDC 服务
        location /oidc-logout {
            proxy_pass http://localhost:9000/oidc-logout;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Cookie $http_cookie;

            # 记录cookie内容到专用日志
            access_log /tmp/nginx_oidc_logout.log main_cookie;

            # 处理CORS
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";

            # 处理OPTIONS请求
            if ($request_method = 'OPTIONS') {
                add_header Access-Control-Allow-Origin $cors_origin always;
                add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
                add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
                add_header Access-Control-Max-Age 1728000;
                add_header Content-Type "text/plain; charset=utf-8";
                add_header Content-Length 0;
                return 204;
            }
        }

        # 错误页面
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
    }

    # OIDC服务器代理 (oidc.local.com) - HTTPS
    server {
        listen 443 ssl;
        server_name oidc.local.com;

        # SSL配置
        ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt;
        ssl_certificate_key /Users/sunpeng/workspace/remote/oauth2/ssl/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # 代理到OIDC服务器
        location / {
            proxy_pass http://localhost:9000/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header Cookie $http_cookie;
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
            if ($request_method = 'OPTIONS') {
                add_header Access-Control-Allow-Origin $cors_origin always;
                add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
                add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
                add_header Access-Control-Max-Age 1728000;
                add_header Content-Type "text/plain; charset=utf-8";
                add_header Content-Length 0;
                return 204;
            }
        }

        # 错误页面
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
    }

    # HTTP重定向到HTTPS
    server {
        listen 80;
        server_name a.local.com oidc.local.com;
        return 301 https://$server_name$request_uri;
    }

    # 默认服务器块（防止未匹配的请求）
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }
}