From 07a22bb6333d4353431dcb0bfd5899d38def14e1 Mon Sep 17 00:00:00 2001 From: proffapt Date: Sun, 30 Jun 2024 16:45:38 +0530 Subject: [PATCH] feat(nginx): described nginx logic --- metaploy/naarad.metaploy.conf | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/metaploy/naarad.metaploy.conf b/metaploy/naarad.metaploy.conf index cfebf1f..9c5ae61 100644 --- a/metaploy/naarad.metaploy.conf +++ b/metaploy/naarad.metaploy.conf @@ -5,21 +5,24 @@ upstream naarad { server { server_name naarad.metakgp.org; + # Unprotected routes: + ## Allows the app to be functional (which doesn't have heimdall auth) location ~ ^/([^/]+)/auth(/|$) { proxy_pass http://naarad; } - location ~ ^/([^/]+)/ws(/|$) { proxy_pass http://naarad; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } - location ~ ^/([^/]+)/json(/|$) { proxy_pass http://naarad; add_header Content-Type application/json; } + # Enables us to allow user registration only via + # our custon signup logic, which ultimately renders the + # SignUp button on the webapp useless location = /v1/account { valid_referers https://naarad-signup.metakgp.org; if ($invalid_referer) { @@ -27,10 +30,13 @@ server { } } + # Permanently move the /signup endpoint to our custom signup url location /signup { return 301 https://naarad-signup.metakgp.org; } + # All the endpoints other then described above are + # protected via heimdall location / { auth_request /auth; error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth; @@ -40,6 +46,7 @@ server { proxy_set_header Connection "upgrade"; } + # Internal authorisation endpoint via heimdall location = /auth { internal; 
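Review bot: The comment added above `location = /v1/account` says registration is allowed only via the custom signup logic, but the check under it is `valid_referers` / `$invalid_referer`, and the Referer header is supplied by the client. As written it keeps the web app's SignUp button from working rather than enforcing who may register, so I would say that in the comment, e.g. `# Referer is client-controlled: this is a UI guard, not access control; enforcement has to happen in the upstream`, and fix the typo `custon`. nginx documents `valid_referers` entries as server names with an optional URI prefix, matched after the scheme, so it is worth confirming that the `https://`-prefixed value matches as intended. The `/v1/account` block continues outside the hunk.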
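Review bot: The comment on `location /` says everything else is protected via heimdall, but it leaves the `error_page` line unexplained, and that line sends a long list of statuses (404, 429 and the 5xx range included) to `@handle_auth`, not only auth failures. A line such as `# any listed status generated in this location redirects to the heimdall login, not just 401/403 from /auth` would tell the next maintainer whether this is intentional. If it is not, narrowing the list to `401 403` is probably closer to the intent, plus `500` if a failing auth subrequest should also redirect. `other then` should read `other than`. The `location /` body continues outside the hunk.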
@@ -55,6 +62,7 @@ server { proxy_pass_request_body off; } + # Handle case when auth fails in /auth sub request location @handle_auth { return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri; }
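Review bot: `@handle_auth` puts the raw `$request_uri` inside the `redirect_url` query parameter without encoding, so anything after an `&` in the original query string becomes a separate parameter on the heimdall URL. The post-login redirect can then lose part of the original address, and heimdall receives parameters the config did not intend to pass. The new comment is also narrower than what reaches this block: going by the `error_page` list in `location /`, it handles more than a failed `/auth` subrequest. Suggested wording: `# Reached for any status listed in error_page on location /; redirect_url is passed unencoded, heimdall must validate it`.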