As mentioned in How does SCIM work?, a load balancer, reverse proxy or other gateway is required to use SCIM. This page has very basic example configs for a small selection of common proxy or load balancer solutions. It is intended as a starting point only. Consult the vendor documentation for your specific product for further details and best practices.
Nginx
The below example terminates HTTPS and proxies requests from scim.example.com:443 (external) to the KSSO API server on 10.0.0.100:5001 (internal).
server { listen 443 ssl; server_name scim.example.com; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log; ssl_certificate /etc/nginx/ssl/cert.crt; ssl_certificate_key /etc/nginx/ssl/cert.key; ssl_session_timeout 1d; ssl_session_tickets off; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_stapling_verify on; location /scim { proxy_pass http://10.0.0.100:5001/scim; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; } } |
HAProxy
This example configuration balances requests to four separate Jira servers (Datacenter cluster).
global log /var/log/haproxy local0 log /var/log/haproxy local1 notice ca-base /etc/ssl/haproxy crt-base /etc/ssl/haproxy tune.ssl.default-dh-param 2048 defaults timeout connect 30000 timeout client 300000 timeout server 300000 frontend scim_tls bind *:443 ssl crt /etc/ssl/haproxy/cert.pem mode http default_backend scim_servers backend scim_servers mode http option tcp-check balance random server api1 jira01:5501 check server api2 jira02:5501 check server api3 jira03:5501 check server api4 jira04:5501 check |