18bb793b2d
* feat: nginx + robots.txt * feat: minimal /health/ endpoint * ci: startupProbe for datatracker pod * ci: probe auth pod; set timeoutSeconds * feat: add CSP and other headers to nginx * fix: typo in nginx.conf * feat: split auth/dt nginx confs * test: test health endpoint * ci: auth service on port 80 We'll remove http-old (8080) in the future. * ci: rename auth container/nginx cfg
35 lines
1.4 KiB
Plaintext
35 lines
1.4 KiB
Plaintext
server {
|
|
listen 8080 default_server;
|
|
server_name _;
|
|
|
|
# Note that regex location matches take priority over non-regex "prefix" matches. Use regexes so that
|
|
# our deny all rule does not squelch the other locations.
|
|
location ~ ^/health/nginx$ {
|
|
return 200;
|
|
}
|
|
|
|
location ~ ^/robots.txt$ {
|
|
add_header Content-Type text/plain;
|
|
return 200 "User-agent: *\nDisallow: /\n";
|
|
}
|
|
|
|
location ~ ^/accounts/create.* {
|
|
return 302 https://datatracker.ietf.org/accounts/create;
|
|
}
|
|
|
|
# n.b. (?!...) is a negative lookahead group
|
|
location ~ ^(/(?!(api/openid/|accounts/login/|accounts/logout/|accounts/reset/|person/.*/photo|group/groupmenu.json)).*) {
|
|
deny all;
|
|
}
|
|
|
|
location / {
|
|
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https://datatracker.ietf.org/ https://www.ietf.org/ http://ietf.org/ https://analytics.ietf.org https://static.ietf.org; frame-ancestors 'self' ietf.org *.ietf.org meetecho.com *.meetecho.com gather.town *.gather.town";
|
|
proxy_set_header Host $${keepempty}host;
|
|
proxy_set_header Connection close;
|
|
proxy_set_header X-Request-Start "t=${msec}";
|
|
proxy_set_header X-Forwarded-For $${keepempty}proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Real-IP $${keepempty}remote_addr;
|
|
proxy_pass http://localhost:8000;
|
|
}
|
|
}
|