feat(nginx): described nginx logic

metaploy/naarad.metaploy.conf

@@ -5,32 +5,38 @@ upstream naarad {
 server {
     server_name naarad.metakgp.org;
 
+    # Unprotected routes:
+    ## Allows the app to be functional (which doesn't have heimdall auth)
     location ~ ^/([^/]+)/auth(/|$) {
         proxy_pass http://naarad;
     }
-
     location ~ ^/([^/]+)/ws(/|$) {
         proxy_pass http://naarad;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
     }
-
     location ~ ^/([^/]+)/json(/|$) {
         proxy_pass http://naarad;
         add_header Content-Type application/json;
     }
 
+    # Enables us to allow user registration only via 
+    # our custon signup logic, which ultimately renders the 
+    # SignUp button on the webapp useless
     location = /v1/account {
         valid_referers https://naarad-signup.metakgp.org;
         if ($invalid_referer) {
             return 401;
         }
     }
 
+    # Permanently move the /signup endpoint to our custom signup url
     location /signup {
         return 301 https://naarad-signup.metakgp.org;
     }
 
+    # All the endpoints other then described above are 
+    # protected via heimdall
     location / {
         auth_request /auth;
         error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth;
@@ -40,6 +46,7 @@ server {
         proxy_set_header Connection "upgrade";
     }
 
+    # Internal authorisation endpoint via heimdall
     location = /auth {
         internal;
 
@@ -55,6 +62,7 @@ server {
         proxy_pass_request_body off;
     }
 
+    # Handle case when auth fails in /auth sub request
     location @handle_auth {
         return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri;
     }