-
Notifications
You must be signed in to change notification settings - Fork 2
/
nginx-jira-proxy.conf
114 lines (100 loc) · 3.8 KB
/
nginx-jira-proxy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# Example nginx config used to serve self hosted Jira instance via reverse proxy with CORS enabled.
# (Check lines between 'CORS start' and 'CORS end' for Cross-Origin Resource Sharing specific setup)
# Replace upstream address and jira.your-company.nl/time.your-company.nl domains with the appropriate values.
upstream jira {
# upstream address of Jira
server 127.0.0.1:8080;
}
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
# CORS start
map $http_origin $allow_origin {
hostnames;
default "";
https://time.your-company.nl "$http_origin";
# TODO: check if jira itself also needs CORS headers.
https://jira.your-company.nl "$http_origin";
}
map $http_origin $proxy_user_agent {
default "$http_user_agent";
https://time.your-company.nl "";
}
map $allow_origin $cors_allow_credentials {
default "true";
"" "";
}
map $allow_origin $cookie_attributes {
default "; SameSite=None";
"" "";
}
map $request_method $cors_method {
default "allowed";
"OPTIONS" "preflight";
}
map $cors_method $cors_max_age {
default "";
"preflight" 900;
}
map $cors_method $cors_allow_methods {
default "";
"preflight" "OPTIONS, GET, POST, PUT, DELETE, PATCH, HEAD";
}
map $cors_method $cors_allow_headers {
default "";
"preflight" "DNT,Keep-Alive,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Atlassian-Token";
}
map $cors_method $cors_expose_headers {
default "";
"preflight" "*";
}
# CORS end
server {
server_name jira.your-company.nl;
server_tokens off;
client_max_body_size 50M;
location / {
gzip off;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
# CORS start
add_header Access-Control-Allow-Origin $allow_origin always;
add_header Access-Control-Allow-Credentials $cors_allow_credentials always;
add_header Access-Control-Allow-Methods $cors_allow_methods always;
add_header Access-Control-Allow-Headers $cors_allow_headers always;
add_header Access-Control-Expose-Headers $cors_expose_headers always;
add_header Access-Control-Max-Age $cors_max_age always;
add_header Vary Origin always;
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin $allow_origin always;
add_header Access-Control-Allow-Credentials $cors_allow_credentials always;
add_header Access-Control-Allow-Methods $cors_allow_methods always;
add_header Access-Control-Allow-Headers $cors_allow_headers always;
add_header Access-Control-Expose-Headers $cors_expose_headers always;
add_header Access-Control-Max-Age $cors_max_age always;
add_header Vary Origin always;
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
# Hack because used nginx version doesn't have proxy_cookie_flags
# https://serverfault.com/a/1010499
# TODO: check if this can be removed, now 'SSTt/simple-time' is hosted at same domain as Jira.
proxy_cookie_path / "/; SameSite=None";
# Don't send User-Agent header to Jira when making request from 'SSTt/simple-time'
# Prevents 'XSRF check failed' error (in a hackish work around)
proxy_set_header User-Agent $proxy_user_agent;
# CORS end
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://jira;
}
}