
Commit bce5c22

Change default keyval state file location. (#90)
Previously, the keyval state file was configured to be stored in the "conf.d" directory. By default, the NGINX process does not have write access to this directory, necessitating that users either specify a different path or alter the directory permissions. The default path for the state file has been changed to "/var/lib/nginx/state". This new location is more suitable for most Linux users and aligns with security best practices, as only the NGINX user has read and write permissions by default.
1 parent 39334b6 commit bce5c22

2 files changed: +6 / -6 lines

README.md

Lines changed: 3 additions & 3 deletions
@@ -136,9 +136,9 @@ Manual configuration involves reviewing the following files so that they match y
136136
The key-value store is used to maintain persistent storage for ID tokens and refresh tokens. The default configuration should be reviewed so that it suits the environment. This is part of the advanced configuration in **openid_connect_configuration.conf**.
137137

138138
```nginx
139-
keyval_zone zone=oidc_id_tokens:1M state=conf.d/oidc_id_tokens.json timeout=1h;
140-
keyval_zone zone=oidc_access_tokens:1M state=conf.d/oidc_access_tokens.json timeout=1h;
141-
keyval_zone zone=refresh_tokens:1M state=conf.d/refresh_tokens.json timeout=8h;
139+
keyval_zone zone=oidc_id_tokens:1M state=/var/lib/nginx/state/oidc_id_tokens.json timeout=1h;
140+
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
141+
keyval_zone zone=refresh_tokens:1M state=/var/lib/nginx/state/refresh_tokens.json timeout=8h;
142142
keyval_zone zone=oidc_pkce:128K timeout=90s;
143143
```
144144

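Review bot: the README now points readers at /var/lib/nginx/state but still does not say that this directory must exist and be writable by the user the NGINX worker processes run as, which is exactly the problem the commit message describes for conf.d; add a sentence after this block telling readers to create the directory before reloading, owned by the NGINX user and not readable by others, since these JSON files persist ID, access and refresh tokens, and to check the error log if the state files do not appear. The same sentence should mention that the old path was relative to the configuration prefix while the new one is absolute, so anyone who overrode the previous default needs to update their override.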
openid_connect_configuration.conf

Lines changed: 3 additions & 3 deletions
@@ -87,9 +87,9 @@ map $http_x_forwarded_proto $proto {
8787
proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
8888

8989
# Change timeout values to at least the validity period of each token type
90-
keyval_zone zone=oidc_id_tokens:1M state=conf.d/oidc_id_tokens.json timeout=1h;
91-
keyval_zone zone=oidc_access_tokens:1M state=conf.d/oidc_access_tokens.json timeout=1h;
92-
keyval_zone zone=refresh_tokens:1M state=conf.d/refresh_tokens.json timeout=8h;
90+
keyval_zone zone=oidc_id_tokens:1M state=/var/lib/nginx/state/oidc_id_tokens.json timeout=1h;
91+
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
92+
keyval_zone zone=refresh_tokens:1M state=/var/lib/nginx/state/refresh_tokens.json timeout=8h;
9393
keyval_zone zone=oidc_pkce:128K timeout=90s; # Temporary storage for PKCE code verifier.
9494

9595
keyval $cookie_auth_token $session_jwt zone=oidc_id_tokens; # Exchange cookie for JWT
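Review bot: the three state= paths are now hard-coded absolute Linux locations, and the commit message itself scopes the choice to "most Linux users"; a comment above these lines saying that /var/lib/nginx/state must exist, be writable by the worker user and stay readable only by that user (the files hold live tokens), and that non-Linux or container deployments should override the path, would keep the shipped configuration self-explanatory for people who edit it without reading README.md, where the same three directives are duplicated.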
