--- apiVersion: v1 kind: ConfigMap metadata: name: atst-nginx namespace: atat data: nginx-config: |- server { listen 8342; server_name aws.atat.code.mil; return 301 https://$host$request_uri; } server { listen 8343; server_name auth-aws.atat.code.mil; return 301 https://$host$request_uri; } server { server_name aws.atat.code.mil; # access_log /var/log/nginx/access.log json; listen 8442; location /login-redirect { return 301 https://auth-aws.atat.code.mil$request_uri; } location /login-dev { try_files $uri @appbasicauth; } location / { try_files $uri @app; } location @app { include uwsgi_params; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; uwsgi_param HTTP_X_REQUEST_ID $request_id; } location @appbasicauth { include uwsgi_params; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; auth_basic "Developer Access"; auth_basic_user_file /etc/nginx/.htpasswd; uwsgi_param HTTP_X_REQUEST_ID $request_id; } } server { # access_log /var/log/nginx/access.log json; server_name auth-aws.atat.code.mil; listen 8443; listen [::]:8443 ipv6only=on; # Request and validate client certificate ssl_verify_client on; ssl_verify_depth 10; ssl_client_certificate /etc/ssl/client-ca-bundle.pem; # Guard against HTTPS -> HTTP downgrade add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; location / { return 301 https://aws.atat.code.mil$request_uri; } location /login-redirect { try_files $uri @app; } location @app { include uwsgi_params; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy; uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn; uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy; uwsgi_param HTTP_X_REQUEST_ID $request_id; } }