datatracker/k8s/nginx-auth.conf

server {
    listen 8080 default_server;
    server_name _;

    # Replace default "main" formatter with the ietfjson formatter from nginx-logging.conf
    access_log  /var/log/nginx/access.log  ietfjson;

    # Note that regex location matches take priority over non-regex "prefix" matches. Use regexes so that
    # our deny all rule does not squelch the other locations. 
    location ~ ^/health/nginx$ {
        access_log off;
        return 200;
    }

    location ~ ^/robots.txt$ {
        add_header Content-Type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    location ~ ^/accounts/create.* {
        return 302 https://datatracker.ietf.org/accounts/create;
    }

    # n.b. (?!...) is a negative lookahead group
    location ~ ^(/(?!(api/openid/|accounts/login/|accounts/logout/|accounts/reset/|person/.*/photo|group/groupmenu.json)).*) {
        return 302 https://datatracker.ietf.org$${keepempty}request_uri;
    }

    location / {
        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https://datatracker.ietf.org/ https://www.ietf.org/ http://ietf.org/ https://analytics.ietf.org https://static.ietf.org; frame-ancestors 'self' ietf.org *.ietf.org meetecho.com *.meetecho.com gather.town *.gather.town";
        proxy_set_header Host $${keepempty}host;
        proxy_set_header Connection close;
        proxy_set_header X-Request-Start "t=$${keepempty}msec";
        proxy_set_header X-Forwarded-For $${keepempty}proxy_add_x_forwarded_for;
        proxy_hide_header X-Datatracker-Is-Authenticated; # hide this from the outside world
        proxy_pass http://localhost:8000;
        # Set timeouts longer than Cloudflare proxy limits
        proxy_connect_timeout 60;  # nginx default (Cf = 15)
        proxy_read_timeout 120;  # nginx default = 60 (Cf = 100) 
        proxy_send_timeout 60;  # nginx default = 60 (Cf = 30)
    }
}