config/prod/default.nginx

# Rename to 'default' and cp to /etc/nginx/sites-available/default
# Most of this content comes from https://oauth2-proxy.github.io/oauth2-proxy/configuration/integration
# See 'tapedeck' for app specific bits.

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  root /var/www/html;
  index index.html index.htm index.nginx-debian.html;
  server_name _;
  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
  }
}

server {
  root /var/www/html;
  index index.html index.htm index.nginx-debian.html;
  server_name tapedeck.us; # managed by Certbot
  listen [::]:443 ssl; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/tapedeck.us/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/tapedeck.us/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

  location /oauth2/ {
    proxy_pass http://127.0.0.1:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }

  location = /oauth2/auth {
    proxy_pass http://127.0.0.1:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Uri $request_uri;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length "";
    proxy_pass_request_body off;
  }

  # this is open to public
  location / {
    proxy_pass http://127.0.0.1:8080;
    include proxy_params;
  }

  # tapedeck - secure routes
  location /s/ {
    auth_request /oauth2/auth;
    error_page 401 =403 /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    proxy_set_header X-User $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
      set $auth_cookie_name_0 $auth_cookie;
      set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
      add_header Set-Cookie $auth_cookie_name_0;
      add_header Set-Cookie $auth_cookie_name_1;
    }

    # tapedeck server
    proxy_pass http://127.0.0.1:8080;
    include proxy_params;
  }
}

server {
  if ($host = tapedeck.us) {
    return 301 https://$host$request_uri;
  } # managed by Certbot
  listen 80 ;
  listen [::]:80 ;
  server_name tapedeck.us;
  return 404; # managed by Certbot
}