
Commit f958d14

committed
reformat nginx config
1 parent f216b15 commit f958d14


1 file changed

+36
-35
lines changed

1 file changed

+36
-35
lines changed

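--- a/metaploy/naarad.metaploy.conf
+++ b/metaploy/naarad.metaploy.conf
@@ -5,59 +5,64 @@ upstream naarad {
 server {
 server_name naarad.metakgp.org;
 
-# Unprotected routes:
-## Allows the app to be functional (which doesn't have heimdall auth)
-location ~ ^/([^/]+)/auth(/|$) {
+# Common proxy headers
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Original-URI $request_uri;
+
+# Unprotected routes
+## Allows us to call the /v1/health endpoint for healthcheck
+location = /v1/health {
 proxy_pass http://naarad;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
-location ~ ^/([^/]+)/ws(/|$) {
+## Allows the app to be functional
+## as it doesn't have Heimdall Session Auth
+### Allowing login
+location ~ ^/[^/]+/auth$ {
+proxy_pass http://naarad;
+}
+### Allowing polling via websocket
+location ~ ^/[^/]+/ws$ {
 proxy_pass http://naarad;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 }
-location ~ ^/([^/]+)/json(/|$) {
+### Allowing polling via json
+location ~ ^/[^/]+/json$ {
 proxy_pass http://naarad;
 add_header Content-Type application/json;
 }
-## Allows us to call the /v1/health endpoint for healthcheck
-location = /v1/health {
-proxy_pass http://naarad;
-proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Original-URI $request_uri;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-}
-
-# Enables us to allow user registration only via
-# our custon signup logic, which ultimately renders the
-# SignUp button on the webapp useless
+
+# Restricting user account registration only via
+# naarad-signup service (our custom registration layer)
+## BACKEND
 location = /v1/account {
-set $allowed O;
+set $allowed YES;
 valid_referers https://naarad-signup.metakgp.org;
 if ($invalid_referer) {
-set $allowed A;
+set $allowed N;
 }
 if ($request_method = POST) {
-set $allowed "${allowed}B";
+set $allowed "${allowed}O";
 }
-if ($allowed = AB) {
+if ($allowed = NO) {
 return 403;
 }
 
 proxy_pass http://naarad;
-proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Original-URI $request_uri;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
-
-# Permanently move the /signup endpoint to our custom signup url
-location /signup {
+## FRONTEND
+### Permanently move the /signup endpoint
+### (from frontend) to our custom naarad-signup service
+location = /signup {
 return 301 https://naarad-signup.metakgp.org;
 }
 
-# All the endpoints other then described above are
-# protected via heimdall
+# All the endpoints except (signup, healthcheck and
+# mobile application related)
+# described above are protected via Heimdall Session
 location / {
 auth_request /auth;
 error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth;
@@ -72,18 +77,14 @@ server {
 internal;
 
 proxy_pass http://heimdall_server/validate-jwt;
-proxy_set_header Cookie $http_cookie;
 
 proxy_pass_request_body off;
-
-proxy_set_header Host $host;
 proxy_set_header Content-Length "";
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Original-URI $request_uri;
+proxy_set_header Cookie $http_cookie;
 }
 
 # Handle case when auth fails in /auth sub request
 location @handle_auth {
 return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri;
 }
-}
+}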
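Review bot: The server-level "Common proxy headers" are not inherited by any location that declares its own `proxy_set_header`, because nginx inherits these directives only when the current level defines none. After this commit `location = /v1/health`, the `/ws` location, `location = /v1/account` and the internal Heimdall subrequest block in the second hunk (its opening line is outside the hunk) no longer send `Host $host`, `X-Real-IP $remote_addr` or `X-Original-URI $request_uri`. Conversely, the `/auth` and `/json` topic locations now start sending them. This is a behaviour change rather than a reformat: if `validate-jwt` or the naarad backend uses `X-Original-URI` or `X-Real-IP` for authorization decisions, logging or rate limiting, it will now see the proxy defaults instead. Repeat the three lines `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Original-URI $request_uri;` in every location that sets any other header, or keep them in one shared snippet that each such location includes. A comment beside the `valid_referers` check in `/v1/account` should also say that `Referer` is client-supplied, so the 403 only deters browsers and the registration restriction still has to be enforced by the backend.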
