http-keyval #

nginx-keyval is a key-value store dynamic module for nginx. It was developed inspired by the commercial version of nginx's ngx_http_keyval_module.

Source: upstream source

Directives

keyval #

syntax: keyval 3 args;  ·  context: http

Define a variable from key-value pairs

keyval_zone #

syntax: keyval_zone 1+ args;  ·  context: http

Define a shared memory zone

keyval_zone_redis #

syntax: keyval_zone_redis 1+ args;  ·  context: http

Define a Redis zone

Example

# OpenID Connect configuration
#
# Each map block allows multiple values so that multiple IdPs can be supported,
# the $host variable is used as the default input parameter but can be changed.
#
map $host $oidc_authz_endpoint {
    default https://accounts.google.com/o/oauth2/v2/auth;
}

map $host $oidc_authz_extra_args {
    # Extra arguments to include in the request to the IdP's authorization
    # endpoint.
    # Some IdPs provide extended capabilities controlled by extra arguments,
    # for example Keycloak can select an IdP to delegate to via the
    # "kc_idp_hint" argument.
    # Arguments must be expressed as query string parameters and URL-encoded
    # if required.
    default "";
    #www.example.com "kc_idp_hint=another_provider"
}

map $host $oidc_token_endpoint {
    default https://oauth2.googleapis.com/token;
}

map $host $oidc_jwt_keyfile {
    default https://www.googleapis.com/oauth2/v3/certs;
}

map $host $oidc_client {
    default "CLIENT_ID";
}

map $host $oidc_pkce_enable {
    default 0;
}

map $host $oidc_client_secret {
    default "CLIENT_SECRET";
}

map $host $oidc_scopes {
    default "openid+email";
}

map $host $oidc_logout_redirect {
    # Where to send browser after requesting /logout location. This can be
    # replaced with a custom logout page, or complete URL.
    default "/_logout"; # Built-in, simple logout page
}

map $host $oidc_hmac_key {
    # This should be unique for every NGINX instance/cluster
    default dtrqidtoA9HdV3Odq2wxIhYy;
}

map $host $zone_sync_leeway {
    # Specifies the maximum timeout for synchronizing ID tokens between cluster
    # nodes when you use shared memory zone content sync. This option is only
    # recommended for scenarios where cluster nodes can randomly process
    # requests from user agents and there may be a situation where node "A"
    # successfully received a token, and node "B" receives the next request in
    # less than zone_sync_interval.
    default 0; # Time in milliseconds, e.g. (zone_sync_interval * 2 * 1000)
}

map $proto $oidc_cookie_flags {
    http  "Path=/; SameSite=lax;"; # For HTTP/plaintext testing
    https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation
}

map $http_x_forwarded_port $redirect_base {
    ""      $proto://$host:$server_port;
    default $proto://$host:$http_x_forwarded_port;
}

map $http_x_forwarded_proto $proto {
    ""
…

↑ back to index