nexus3.conf

server {
    listen 80;
    server_name 172.17.0.1;

    error_log  /var/log/nginx/error.log debug;
    access_log /var/log/nginx/error.log main;

    set $oidc_logout_path "/logout";
    set $oidc_redirect_after_logout_uri "/";

    location / {
        # Note: $http_host contains ip and port, but $host just contains ip only
        proxy_set_header Host $http_host;
        proxy_set_header X-Keycloak-Sec-Auth $http_x_remote_user:$http_x_remote_user_access_token;
        # proxy_set_header Authorization $http_authorization;
        # Note: make the HTTP header to be smaller
        proxy_hide_header X-Remote-User-Access-Token;

        set $oidc_disabled "false";
        # Disable OIDC when using maven client
        if ($http_user_agent ~* "^(Apache-Maven|docker)/.+$") {
            set $oidc_disabled "true";
        }
        # And disable OIDC when the header Authorization was specified
        if ($http_authorization !~* "^$") {
            set $oidc_disabled "true";
        }

        set $oidc_realm "default";
        # Note: change the client id and secret to the actual value
        set $oidc_client_id "nexus3";
        set $oidc_client_secret "af5e2fba-ccd7-4bf8-a3d8-190dd203127b";
        set $oidc_discovery "http://172.17.0.1:8086/auth/realms/$oidc_realm/.well-known/openid-configuration";
        access_by_lua_file /etc/nginx/vhost.d/oidc.lua;

        client_max_body_size 500M;
        # Disable cache of assets
        proxy_cache            off;
        proxy_read_timeout     600;
        proxy_connect_timeout  600;

        # Avoid to get address resolve error when starting
        set $target http://172.17.0.1:8903;
        proxy_pass  $target;

        sub_filter '</body>' '<script type="text/javascript">(function inject_logout() { var oidc_disabled = "$oidc_disabled"; if (oidc_disabled === "true") { return; } var dom = document.querySelectorAll("a[id^=\'nx-header-signout-\']")[0]; if (!dom) { setTimeout(inject_logout, 500); } else { dom.addEventListener("click", function (event) { event.stopPropagation(); window.location.href = "$oidc_logout_path"; }, true); }})();</script></body>';
        sub_filter_once on;

        # Just for debugging, you may not want it
        # header_filter_by_lua_block {
        #     for key, value in pairs(ngx.resp.get_headers()) do
        #         local val = type(value) == 'string' and {value} or value
        #         for k, v in ipairs(val) do
        #             for i=0, v:len(), 1024 do
        #                 ngx.log(ngx.DEBUG, 'Response Header: '..key..' -> '..v:sub(i + 1, i + 1024))
        #             end
        #         end
        #     end
        #     for key, value in pairs(ngx.req.get_headers()) do
        #         local val = type(value) == 'string' and {value} or value
        #         for k, v in ipairs(val) do
        #             for i=0, v:len(), 1024 do
        #                 ngx.log(ngx.DEBUG, 'Request Header: '..key..' -> '..v:sub(i + 1, i + 1024))
        #             end
        #         end
        #     end
        # }
    }

    # Override the logout action of Nexus
    location /service/rapture/session {
        if ($request_method ~* "^DELETE$") {
            # Redirect to the internal logout url
            return 302 $scheme://$http_host$oidc_logout_path;
        }
        # Login forbidden
        return 403;
    }
}