reformat nginx config
proffapt committed Jul 2, 2024
1 parent f216b15 commit f958d14
Showing 1 changed file with 36 additions and 35 deletions.
71 changes: 36 additions & 35 deletions metaploy/naarad.metaploy.conf
Expand Up @@ -5,59 +5,64 @@ upstream naarad {
server {
server_name naarad.metakgp.org;

# Unprotected routes:
## Allows the app to be functional (which doesn't have heimdall auth)
location ~ ^/([^/]+)/auth(/|$) {
# Common proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-URI $request_uri;

# Unprotected routes
## Allows us to call the /v1/health endpoint for healthcheck
location = /v1/health {
proxy_pass http://naarad;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ~ ^/([^/]+)/ws(/|$) {
## Allows the app to be functional
## as it doesn't have Heimdall Session Auth
### Allowing login
location ~ ^/[^/]+/auth$ {
proxy_pass http://naarad;
}
### Allowing polling via websocket
location ~ ^/[^/]+/ws$ {
proxy_pass http://naarad;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ ^/([^/]+)/json(/|$) {
### Allowing polling via json
location ~ ^/[^/]+/json$ {
proxy_pass http://naarad;
add_header Content-Type application/json;
}
## Allows us to call the /v1/health endpoint for healthcheck
location = /v1/health {
proxy_pass http://naarad;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# Enables us to allow user registration only via
# our custon signup logic, which ultimately renders the
# SignUp button on the webapp useless

# Restricting user account registration only via
# naarad-signup service (our custom registration layer)
## BACKEND
location = /v1/account {
set $allowed O;
set $allowed YES;
valid_referers https://naarad-signup.metakgp.org;
if ($invalid_referer) {
set $allowed A;
set $allowed N;
}
if ($request_method = POST) {
set $allowed "${allowed}B";
set $allowed "${allowed}O";
}
if ($allowed = AB) {
if ($allowed = NO) {
return 403;
}

proxy_pass http://naarad;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# Permanently move the /signup endpoint to our custom signup url
location /signup {
## FRONTEND
### Permanently move the /signup endpoint
### (from frontend) to our custom naarad-signup service
location = /signup {
return 301 https://naarad-signup.metakgp.org;
}

# All the endpoints other then described above are
# protected via heimdall
# All the endpoints except (signup, healthcheck and
# mobile application related)
# described above are protected via Heimdall Session
location / {
auth_request /auth;
error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth;
Expand All @@ -72,18 +77,14 @@ server {
internal;

proxy_pass http://heimdall_server/validate-jwt;
proxy_set_header Cookie $http_cookie;

proxy_pass_request_body off;

proxy_set_header Host $host;
proxy_set_header Content-Length "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Cookie $http_cookie;
}

# Handle case when auth fails in /auth sub request
location @handle_auth {
return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri;
}
}
}
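Review bot: The server-level `proxy_set_header` lines for Host, X-Real-IP and X-Original-URI under "Common proxy headers" are not inherited by any location that declares a `proxy_set_header` of its own, because nginx inherits these directives only when the current level defines none. On the new side that appears to cover `location = /v1/health` and `location = /v1/account` (X-Forwarded-For), the `/ws` location (Upgrade, Connection) and the internal subrequest to `heimdall_server/validate-jwt` (Content-Length, Cookie), whose opening line is outside the visible hunk. Assuming the per-location copies are the removed lines (the +/- markers are lost on this page), those upstreams would now receive the default `Host $proxy_host` and no X-Real-IP or X-Original-URI, so this "reformat" changes behaviour for anything in naarad or Heimdall that relies on those headers for logging, rate limiting or redirects. I would keep `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Original-URI $request_uri;` in every location that sets other headers, or move the full set into a snippet pulled in with `include` in each proxied location.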
