Proxy/gateway examples

Owned by Jon Espen Ingvaldsen (Unlicensed)
Last updated: Mar 20, 2020 by Audun Røe (Unlicensed)
1 min read

As mentioned in Network and Security considerations, a load balancer, reverse proxy or other gateway is required to use SCIM. This page has very basic example configs for a small selection of common proxy or load balancer solutions. It is intended as a starting point only. Consult the vendor documentation for your specific product for further details and best practices.

Nginx

The below example terminates HTTPS and proxies requests from scim.example.com:443 (external) to the KSSO API server on 10.0.0.100:5001 (internal).

server {     listen       443 ssl;     server_name  scim.example.com;       access_log /var/log/nginx/access.log main;     error_log  /var/log/nginx/error.log;       ssl_certificate     /etc/nginx/ssl/cert.crt;     ssl_certificate_key /etc/nginx/ssl/cert.key;       ssl_session_timeout 1d;     ssl_session_tickets off;     ssl_prefer_server_ciphers on;     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';     ssl_stapling_verify on;       location /scim {       proxy_pass http://10.0.0.100:5001/scim;       proxy_set_header Host $host;       proxy_set_header X-Real-IP $remote_addr;       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;       proxy_set_header X-Forwarded-Proto https;     } }

HAProxy

This example configuration balances requests to four separate Jira servers (Datacenter cluster).

global   log /var/log/haproxy    local0   log /var/log/haproxy    local1 notice     ca-base /etc/ssl/haproxy   crt-base /etc/ssl/haproxy     tune.ssl.default-dh-param 2048     defaults   timeout connect 30000   timeout client  300000   timeout server  300000   frontend scim_tls   bind *:443 ssl crt /etc/ssl/haproxy/cert.pem   mode http     default_backend scim_servers     backend scim_servers   mode http     option tcp-check     balance random   server api1 jira01:5501 check    server api2 jira02:5501 check    server api3 jira03:5501 check    server api4 jira04:5501 check