From 16090a0a91f6bd8b0dfc52191ebd62a7158e840e Mon Sep 17 00:00:00 2001
From: proffapt
Date: Tue, 2 Jul 2024 23:46:48 +0530
Subject: [PATCH 1/9] reformat nginx config

---
 metaploy/naarad.metaploy.conf | 67 ++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 33 deletions(-)

diff --git a/metaploy/naarad.metaploy.conf b/metaploy/naarad.metaploy.conf
index 85d1fe1..f937997 100644
--- a/metaploy/naarad.metaploy.conf
+++ b/metaploy/naarad.metaploy.conf
@@ -5,59 +5,64 @@ upstream naarad { server { server_name naarad.metakgp.org; - # Unprotected routes: - ## Allows the app to be functional (which doesn't have heimdall auth) - location ~ ^/([^/]+)/auth(/|$) { + # Common proxy headers + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Original-URI $request_uri; + + # Unprotected routes + ## Allows us to call the /v1/health endpoint for healthcheck + location = /v1/health { proxy_pass http://naarad; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + ## Allows the app to be functional + ## as it doesn't have Heimdall Session Auth + ### Allowing login + location ~ ^/[^/]+/auth$ { + proxy_pass http://naarad; + } + ### Allowing polling via websocket location ~ ^/([^/]+)/ws(/|$) { proxy_pass http://naarad; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } + ### Allowing polling via json location ~ ^/([^/]+)/json(/|$) { proxy_pass http://naarad; add_header Content-Type application/json; } - ## Allows us to call the /v1/health endpoint for healthcheck - location = /v1/health { - proxy_pass http://naarad; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - - # Enables us to allow user registration only via - # our custon signup logic, which ultimately renders the - # SignUp button on the webapp useless + + # Restricting user account registration only via + # naarad-signup service (our custom registration layer) + ## BACKEND location = /v1/account { - set $allowed O; + set $allowed YES; valid_referers https://naarad-signup.metakgp.org; if ($invalid_referer) { - set $allowed A; + set $allowed N; } if ($request_method = POST) { - set $allowed "${allowed}B"; + set $allowed "${allowed}O"; } - if ($allowed = AB) { + if ($allowed = NO) { return 403; } proxy_pass http://naarad; - proxy_set_header Host $host; 
- proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } - - # Permanently move the /signup endpoint to our custom signup url - location /signup { + ## FRONTEND + ### Permanently move the /signup endpoint + ### (from frontend) to our custom naarad-signup service + location = /signup { return 301 https://naarad-signup.metakgp.org; } - # All the endpoints other then described above are - # protected via heimdall + # All the endpoints except (signup, healthcheck and + # mobile application related) + # described above are protected via Heimdall Session location / { auth_request /auth; error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth; @@ -72,18 +77,14 @@ server { internal; proxy_pass http://heimdall_server/validate-jwt; - proxy_set_header Cookie $http_cookie; proxy_pass_request_body off; - - proxy_set_header Host $host; proxy_set_header Content-Length ""; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Original-URI $request_uri; + proxy_set_header Cookie $http_cookie; } # Handle case when auth fails in /auth sub request location @handle_auth { return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri; } -} +} \ No newline at end of file From e3a6c6976cbfdc2302f23d2b00a160f3cc51911f Mon Sep 17 00:00:00 2001 From: proffapt Date: Wed, 3 Jul 2024 00:24:20 +0530 Subject: [PATCH 2/9] feat: restrict login to campus network --- metaploy/naarad.metaploy.conf | 38 ++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/metaploy/naarad.metaploy.conf b/metaploy/naarad.metaploy.conf index 3bed28c..0a08753 100644 --- a/metaploy/naarad.metaploy.conf +++ b/metaploy/naarad.metaploy.conf 
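Review bot: The three headers moved to server level are silently lost in every location that still sets a proxy_set_header of its own, because nginx inherits proxy_set_header only into a level that defines none: `/v1/health` and `/v1/account` keep X-Forwarded-For, the websocket location sets Upgrade/Connection, and the `/auth` subrequest in the second hunk keeps Content-Length/Cookie, so after this commit none of them carry the configured Host, X-Real-IP or X-Original-URI values to the upstream (the second hunk removes exactly those three lines from `/auth`). The two variation files in 9/9 copy the same layout, and their later `proxy_set_header X-Real-IP $remote_addr;` inside `/kgpian-auth` suggests the gap was noticed there. Either repeat the common headers in each such location, or also move `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` to server level and drop the per-location copies, and record the rule next to the server-level block: `# NOTE: nginx does not inherit proxy_set_header into a location that defines any proxy_set_header itself`. The `valid_referers` check in `/v1/account` deserves a comment that it only discourages use of the endpoint outside the signup flow, since the Referer value is supplied by the client and cannot serve as an authorization boundary. The server block continues past both hunks.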
@@ -18,10 +18,6 @@ server { } ## Allows the app to be functional ## as it doesn't have Heimdall Session Auth - ### Allowing login - location ~ ^/[^/]+/auth$ { - proxy_pass http://naarad; - } ### Allowing polling via websocket location ~ ^/[^/]+/ws$ { proxy_pass http://naarad; @@ -33,7 +29,7 @@ server { proxy_pass http://naarad; add_header Content-Type application/json; } - + # Restricting user account registration only via # naarad-signup service (our custom registration layer) ## BACKEND 
@@ -60,12 +56,34 @@ server { return 301 https://naarad-signup.metakgp.org; } + # Protecting User Login via Campus Network + ## /login: frontend route + ## /v1/account: account sign in route + ## //auth: topic specific auth route + location ~ ^/(v1/account/token|login|[^/]+/auth)$ { + auth_request /campus-auth; + error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_campus_auth; + + proxy_pass http://naarad; + } + + # Internal authorisation endpoint via Campus Network + location = /campus-auth { + internal; + proxy_pass http://heimdall_server/; + } + + # Handle case when auth fails in /campus-auth sub request + location @handle_campus_auth { + return 403; + } + # All the endpoints except (signup, healthcheck and # mobile application related) # described above are protected via Heimdall Session location / { - auth_request /auth; - error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth; + auth_request /kgpian-auth; + error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_kgpian_auth; proxy_pass http://naarad; proxy_set_header Upgrade $http_upgrade; @@ -73,7 +91,7 @@ server { } # Internal authorisation endpoint via heimdall - location = /auth { + location = /kgpian-auth { internal; proxy_pass http://heimdall_server/validate-jwt; 
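Review bot: The new `/campus-auth` location is missing `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";`, which the `/kgpian-auth` location lower in this file already carries; nginx's auth_request documentation states that the request body is discarded for authorization subrequests and requires both directives for that reason. With them absent, the POST login this hunk routes through `/campus-auth` (`/v1/account/token`) is forwarded to heimdall with the original Content-Length and no body, and whatever heimdall then returns or times out with is turned into 403 by `@handle_campus_auth`, so login could fail from any network. The same omission is in `/campus-auth` of `backend/metaploy/naarad-api.metaploy.conf` (7/9) and of `metaploy/variations/restricted.metaploy.conf` (9/9). Adding the two directives stops inheritance of the server-level headers in that location, so the client address a network check presumably relies on must be restated alongside them: `proxy_pass_request_body off;`, `proxy_set_header Content-Length "";`, `proxy_set_header X-Real-IP $remote_addr;`. The server block continues outside the hunk.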
@@ -83,8 +101,8 @@ server { proxy_set_header Cookie $http_cookie; } - # Handle case when auth fails in /auth sub request - location @handle_auth { + # Handle case when auth fails in /kgpian-auth sub request + location @handle_kgpian_auth { return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri; } } \ No newline at end of file From 29928c6b827391fed43133cbf8fb7d6ed4ae6581 Mon Sep 17 00:00:00 2001 From: proffapt Date: Wed, 3 Jul 2024 00:47:13 +0530 Subject: [PATCH 3/9] fix: restrict only post request for /v1/account/token --- metaploy/naarad.metaploy.conf | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/metaploy/naarad.metaploy.conf b/metaploy/naarad.metaploy.conf index 0a08753..e08a10f 100644 --- a/metaploy/naarad.metaploy.conf +++ b/metaploy/naarad.metaploy.conf @@ -16,7 +16,7 @@ server { proxy_pass http://naarad; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } - ## Allows the app to be functional + ## Allows the app to be functional ## as it doesn't have Heimdall Session Auth ### Allowing polling via websocket location ~ ^/[^/]+/ws$ { 
@@ -58,14 +58,26 @@ server { # Protecting User Login via Campus Network ## /login: frontend route - ## /v1/account: account sign in route ## //auth: topic specific auth route - location ~ ^/(v1/account/token|login|[^/]+/auth)$ { + location ~ ^/(login|[^/]+/auth)$ { auth_request /campus-auth; error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_campus_auth; proxy_pass http://naarad; } + ## /v1/account/token: account sign in route + location = /v1/account/token { + set $allowed YES; + if ($request_method = POST) { + set $allowed NO; + } + if ($allowed = NO) { + return 403; + } + + proxy_pass http://naarad; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } # Internal authorisation endpoint via Campus Network location = /campus-auth { @@ -78,8 +90,8 @@ server { return 403; } - # All the endpoints except (signup, healthcheck and - # mobile application related) + # All the endpoints except (signup, healthcheck and + # mobile application related) # described above are protected via Heimdall Session location / { auth_request /kgpian-auth; From f3fe644da97d9dfb98848250961a1e444db0bfb6 Mon Sep 17 00:00:00 2001 From: proffapt Date: Wed, 3 Jul 2024 01:07:44 +0530 Subject: [PATCH 4/9] fix: prev commit was a mistake; i need sleep --- metaploy/naarad.metaploy.conf | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/metaploy/naarad.metaploy.conf b/metaploy/naarad.metaploy.conf index e08a10f..97ca1b9 100644 --- a/metaploy/naarad.metaploy.conf +++ b/metaploy/naarad.metaploy.conf 
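Review bot: The added `/v1/account/token` location rejects every POST with 403 regardless of client network, because `set $allowed NO;` is driven by `$request_method = POST` alone and the block never calls `auth_request /campus-auth`; as the comment names this the account sign-in route, the rejected POSTs are presumably the logins the campus restriction was meant to gate rather than block. 4/9 removes the block again, so squashing 3/9 and 4/9 would keep the history of the restriction readable. The server block continues outside the hunk.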
@@ -59,25 +59,13 @@ server { # Protecting User Login via Campus Network ## /login: frontend route ## //auth: topic specific auth route - location ~ ^/(login|[^/]+/auth)$ { + ## /v1/account/token: account sign in route + location ~ ^/(v1/account/token|login|[^/]+/auth)$ { auth_request /campus-auth; error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_campus_auth; proxy_pass http://naarad; } - ## /v1/account/token: account sign in route - location = /v1/account/token { - set $allowed YES; - if ($request_method = POST) { - set $allowed NO; - } - if ($allowed = NO) { - return 403; - } - - proxy_pass http://naarad; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } # Internal authorisation endpoint via Campus Network location = /campus-auth { From fe47fbee1438c197f37152cc8bd0c67b8b2bcb77 Mon Sep 17 00:00:00 2001 From: Arpit Bhardwaj Date: Wed, 3 Jul 2024 14:07:37 +0530 Subject: [PATCH 5/9] docs(guide): user log-out process for webapp --- SUBSCRIPTION_INSTRUCTION.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/SUBSCRIPTION_INSTRUCTION.md b/SUBSCRIPTION_INSTRUCTION.md index 60c07cc..1aeb5a9 100644 --- a/SUBSCRIPTION_INSTRUCTION.md +++ b/SUBSCRIPTION_INSTRUCTION.md @@ -4,7 +4,7 @@ Narada (Sanskrit: नारद, IAST: Nārada), or Narada Muni, is a sage-divini ## User Registration -1. Visit [Naarad Signup](https://naarad.metakgp.org/signup) page +1. Visit [Naarad Signup](https://naarad-signup.metakgp.org/) page 2. You will be prompted to enter your institute email 3. Once email is entered, you will receive a verification OTP on the provided email 4. Enter the OTP in the available field and click the `Verify` button @@ -123,3 +123,30 @@ If the [automatic](#automatic) method doesn't work, then you can do it manually
+ +## Enforced Campus Login + +Since, CDC period (for internships) starts during the summer vacation and majority of the students are not on campus, [login](#user-login) is open from any network. One day after the **CDC travel** window is over, following changes are implemented: +- User database is deleted +- __User Signup & Login__ are restricted only from campus network +- Once logged in, from campus network, the app is functional on all networks + +> [!Warning] +> Make sure you are connected to campus network, before following ahead in the documentation. + +Users have to initiate the registration process again and receive new credentials. This time, just visit [https://naarad.metakgp.org/signup](https://naarad-signup.metakgp.org). You will receive the new credentials on your institute email within a few seconds. + +It's now time to re-login with your new credentials, in-order to do that first remove the previous sessions from your webapp and app. + +### Webapp + +1. Click on the account icon on top right corner +2. Logout the current user +3. Visit [Naarad Login](https://naarad.metakgp.org/login) + +
+ +
+ +### Mobile + From 1fce68469700a10cae4821134b9b66e082f16a5d Mon Sep 17 00:00:00 2001 From: Arpit Bhardwaj Date: Wed, 3 Jul 2024 17:37:19 +0530 Subject: [PATCH 6/9] docs(guide): account removal guide for mobile --- SUBSCRIPTION_INSTRUCTION.md | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/SUBSCRIPTION_INSTRUCTION.md b/SUBSCRIPTION_INSTRUCTION.md index 1aeb5a9..0c5e318 100644 --- a/SUBSCRIPTION_INSTRUCTION.md +++ b/SUBSCRIPTION_INSTRUCTION.md @@ -126,10 +126,10 @@ If the [automatic](#automatic) method doesn't work, then you can do it manually ## Enforced Campus Login -Since, CDC period (for internships) starts during the summer vacation and majority of the students are not on campus, [login](#user-login) is open from any network. One day after the **CDC travel** window is over, following changes are implemented: +Since, CDC period (for internships) starts during the summer vacation and majority of the students are not on campus during that time, [login](#user-login) is open from any network. One day after the **CDC travel window** is over, following changes are implemented: - User database is deleted -- __User Signup & Login__ are restricted only from campus network -- Once logged in, from campus network, the app is functional on all networks +- __User Signup & Login__ are restricted only to campus network +- Once logged in, via campus network, the app is functional on all networks > [!Warning] > Make sure you are connected to campus network, before following ahead in the documentation. 
@@ -150,3 +150,18 @@ It's now time to re-login with your new credentials, in-order to do that first r ### Mobile +1. Press the _three-dots_ on top-right corner +2. Choose `Settings` option from the context-menu +3. Select `Manage Users` in the _General_ section below +4. Press on the user corresponding to your institute email (auto-generated username, which you received on your email) +5. A dialogue will appear, select `Delete User` there +6. Now go back to the home screen, select the `kgp-mftp` topic and press the _three-dots_ there on top-right corner +7. Choose `Unsubscribe` option from the context-menu +8. A dialogue will appear, select `Delete Permanently` there +9. Now that the user has been removed properly, follow the [Subscribing to MFTP](#subscribing-to-mftp) section once again while being connected on campus network + +| ![](https://github.com/metakgp/naarad/assets/86282911/34a7e162-68b0-454e-98a5-b61bac62e898) | ![](https://github.com/metakgp/naarad/assets/86282911/4beb8bf5-bc28-4164-a4a4-f05f04644fe9) | +| ---------------------------------- | -------------------------------- | +| ![](https://github.com/metakgp/naarad/assets/86282911/6606ee7e-030f-48ec-b886-fe143bcbcbb7) | ![](https://github.com/metakgp/naarad/assets/86282911/3ed6ec9a-b57d-441c-8933-3365ebeba287) | +| ![](https://github.com/metakgp/naarad/assets/86282911/0829d4d6-fc88-4d24-8dbb-75810e800c40) | ![](https://github.com/metakgp/naarad/assets/86282911/cfb77e27-0e93-4897-9480-1530eaa67e38) | +| ![](https://github.com/metakgp/naarad/assets/86282911/8f366eb4-0cfb-4ee5-a272-8c0efe362d59) | ![](https://github.com/metakgp/naarad/assets/86282911/461f550d-9148-43a1-bc24-c29f1b47b271) | From 34b399221b555b3c0a82dbd8daf2d278c4e00d08 Mon Sep 17 00:00:00 2001 
From: proffapt Date: Wed, 3 Jul 2024 22:31:19 +0530 Subject: [PATCH 7/9] feat: restrict signup to campus network --- SUBSCRIPTION_INSTRUCTION.md | 24 +++++++++--------- backend/metaploy/naarad-api.metaploy.conf | 30 ++++++++++++++++++++--- 2 files changed, 38 insertions(+), 16 deletions(-) diff --git a/SUBSCRIPTION_INSTRUCTION.md b/SUBSCRIPTION_INSTRUCTION.md index 0c5e318..5ec990b 100644 --- a/SUBSCRIPTION_INSTRUCTION.md +++ b/SUBSCRIPTION_INSTRUCTION.md @@ -124,12 +124,12 @@ If the [automatic](#automatic) method doesn't work, then you can do it manually -## Enforced Campus Login +## Enforced Campus Signup and Login -Since, CDC period (for internships) starts during the summer vacation and majority of the students are not on campus during that time, [login](#user-login) is open from any network. One day after the **CDC travel window** is over, following changes are implemented: +Since, CDC period (for internships) starts during the summer vacations and majority of the students are not on campus during that time, [singup](#user-registration) and [login](#user-login) are open from any network. One day after the **CDC travel window** is over, following changes are implemented: - User database is deleted -- __User Signup & Login__ are restricted only to campus network -- Once logged in, via campus network, the app is functional on all networks +- __User Signup & Login__ are restricted, to be possible only via campus network +- Once signed up and logged in, via campus network, the app is functional on all networks > [!Warning] > Make sure you are connected to campus network, before following ahead in the documentation. 
@@ -150,15 +150,15 @@ It's now time to re-login with your new credentials, in-order to do that first r ### Mobile -1. Press the _three-dots_ on top-right corner -2. Choose `Settings` option from the context-menu -3. Select `Manage Users` in the _General_ section below +1. Press the _three-dots_ on the top-right corner +2. Choose the `Settings` option from the context-menu +3. Select the `Manage Users` property in the _General_ section below 4. Press on the user corresponding to your institute email (auto-generated username, which you received on your email) -5. A dialogue will appear, select `Delete User` there -6. Now go back to the home screen, select the `kgp-mftp` topic and press the _three-dots_ there on top-right corner -7. Choose `Unsubscribe` option from the context-menu -8. A dialogue will appear, select `Delete Permanently` there -9. Now that the user has been removed properly, follow the [Subscribing to MFTP](#subscribing-to-mftp) section once again while being connected on campus network +5. A dialogue will appear there, select the `Delete User` button +6. Now go back to the home screen, select the `kgp-mftp` topic and press the _three-dots_ there on the top-right corner +7. Choose the `Unsubscribe` option from the context-menu +8. A dialogue will appear the, select the `Delete Permanently`buttonthere +9. Now that the user has been removed properly, follow the [Subscribing to MFTP](#subscribing-to-mftp) section once again while being connected to the campus network | ![](https://github.com/metakgp/naarad/assets/86282911/34a7e162-68b0-454e-98a5-b61bac62e898) | ![](https://github.com/metakgp/naarad/assets/86282911/4beb8bf5-bc28-4164-a4a4-f05f04644fe9) | | ---------------------------------- | -------------------------------- | diff --git a/backend/metaploy/naarad-api.metaploy.conf b/backend/metaploy/naarad-api.metaploy.conf index 7883bed..20c2394 100644 --- a/backend/metaploy/naarad-api.metaploy.conf +++ b/backend/metaploy/naarad-api.metaploy.conf 
@@ -5,12 +5,34 @@ upstream naarad_api { server { server_name naarad-api.metakgp.org; + # Common proxy headers + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # Unprotected routes + ## Allows us to call the /health endpoint for healthcheck + location = /health { + proxy_pass http://naarad_api; + } + + # Protecting User Signup via Campus Network location / { + auth_request /campus-auth; + error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_campus_auth; + proxy_pass http://naarad_api; + } + + # Internal authorisation endpoint via Campus Network + location = /campus-auth { + internal; + proxy_pass http://heimdall_server/; + } - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # Handle case when auth fails in /campus-auth sub request + location @handle_campus_auth { + return 403; } } \ No newline at end of file From d7052f9f6fe3981d565bbdf7d9dc9d2dc5cbbb86 Mon Sep 17 00:00:00 2001 From: proffapt Date: Thu, 4 Jul 2024 00:52:59 +0530 Subject: [PATCH 8/9] feat: map logs to standard output to support docker logs --- server.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server.yml b/server.yml index 339fccd..a809573 100644 --- a/server.yml +++ b/server.yml @@ -375,5 +375,5 @@ visitor-attachment-daily-bandwidth-limit: "50M" # log-level: debug log-format: json -log-file: /var/log/ntfy.log +log-file: /dev/stdout # log-level-overrides: From ffff2e9f56db38a375ce2658b24e0cceef6ff003 Mon Sep 17 00:00:00 2001 
From: proffapt
Date: Thu, 18 Jul 2024 18:42:13 +0530
Subject: [PATCH 9/9] feat: added variations for [un]restricting login on campus network

---
 metaploy/variations/restricted.metaploy.conf | 108 ++++++++++++++++++
 .../variations/unrestricted.metaploy.conf | 90 +++++++++++++++
 2 files changed, 198 insertions(+)
 create mode 100644 metaploy/variations/restricted.metaploy.conf
 create mode 100644 metaploy/variations/unrestricted.metaploy.conf

diff --git a/metaploy/variations/restricted.metaploy.conf b/metaploy/variations/restricted.metaploy.conf
new file mode 100644
index 0000000..ae43b62
--- /dev/null
+++ b/metaploy/variations/restricted.metaploy.conf
@@ -0,0 +1,108 @@
+upstream naarad {
+ server naarad:8000;
+}
+
+server {
+ server_name naarad.metakgp.org;
+
+ # Common proxy headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # Unprotected routes
+ ## Allows us to call the /v1/health endpoint for healthcheck
+ location = /v1/health {
+ proxy_pass http://naarad;
+ }
+ ## Allows the app to be functional
+ ## as it doesn't have Heimdall Session Auth
+ ### Allowing polling via websocket
+ location ~ ^/[^/]+/ws$ {
+ proxy_pass http://naarad;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ ### Allowing polling via json
+ location ~ ^/[^/]+/json$ {
+ proxy_pass http://naarad;
+ add_header Content-Type application/json;
+ }
+
+ # Restricting user account registration only via
+ # naarad-signup service (our custom registration layer)
+ ## BACKEND
+ location = /v1/account {
+ set $allowed YES;
+ valid_referers https://naarad-signup.metakgp.org;
+ if ($invalid_referer) {
+ set $allowed N;
+ }
+ if ($request_method = POST) {
+ set $allowed "${allowed}O";
+ }
+ if ($allowed = NO) {
+ return 403;
+ }
+
+ proxy_pass http://naarad;
+ }
+ ## FRONTEND
+ ### Permanently move the /signup endpoint
+ ### (from frontend) to our custom naarad-signup service
+ location = /signup {
+ return 301 https://naarad-signup.metakgp.org;
+ }
+
+ # Protecting User Login via Campus Network
+ ## /login: frontend route
+ ## //auth: topic specific auth route
+ ## /v1/account/token: account sign in route
+ location ~ ^/(v1/account/token|login|[^/]+/auth)$ {
+ auth_request /campus-auth;
+ error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_campus_auth;
+
+ proxy_pass http://naarad;
+ }
+
+ # Internal authorisation endpoint via Campus Network
+ location = /campus-auth {
+ internal;
+ proxy_pass http://heimdall_server/;
+ }
+
+ # Handle case when auth fails in /campus-auth sub request
+ location @handle_campus_auth {
+ return 403;
+ }
+
+ # All the endpoints except (signup, healthcheck and
+ # mobile application related)
+ # described above are protected via Heimdall Session
+ location / {
+ auth_request /kgpian-auth;
+ error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_kgpian_auth;
+
+ proxy_pass http://naarad;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ # Internal authorisation endpoint via heimdall
+ location = /kgpian-auth {
+ internal;
+
+ proxy_pass http://heimdall_server/validate-jwt;
+
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header Cookie $http_cookie;
+ proxy_set_header X-Real-IP $remote_addr; # For heimdall to see, real user
+ }
+
+ # Handle case when auth fails in /kgpian-auth sub request
+ location @handle_kgpian_auth {
+ return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/metaploy/variations/unrestricted.metaploy.conf b/metaploy/variations/unrestricted.metaploy.conf
new file mode 100644
index 0000000..cde81fa
--- /dev/null
+++ b/metaploy/variations/unrestricted.metaploy.conf
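Review bot: `restricted.metaploy.conf` duplicates the whole server block of `metaploy/naarad.metaploy.conf`, and `unrestricted.metaploy.conf` (second file of this commit) duplicates it once more with the Heimdall subrequest named `/auth` instead of `/kgpian-auth` and with the unauthenticated topic auth passthrough (`location ~ ^/[^/]+/auth$`) restored, so a diff between the two variations shows renames and reorderings on top of the one intended difference, the campus gate on `/login`, `/v1/account/token` and the topic auth route. Factoring the common locations into a shared snippet pulled in with `include`, and keeping the subrequest name identical in both files, would make the intended difference reviewable and reduce drift between the three copies. Each variation should also open with a comment saying which file it is meant to replace and when, since the docs changed in 5/9–7/9 describe a switch after the CDC travel window but nothing in the files themselves says so, e.g. `# Variation of metaploy/naarad.metaploy.conf with login gated to the campus network; swap in after the CDC travel window`.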
@@ -0,0 +1,90 @@
+upstream naarad {
+ server naarad:8000;
+}
+
+server {
+ server_name naarad.metakgp.org;
+
+ # Common proxy headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # Unprotected routes
+ ## Allows us to call the /v1/health endpoint for healthcheck
+ location = /v1/health {
+ proxy_pass http://naarad;
+ }
+ ## Allows the app to be functional
+ ## as it doesn't have Heimdall Session Auth
+ ### Allowing login
+ location ~ ^/[^/]+/auth$ {
+ proxy_pass http://naarad;
+ }
+ ### Allowing polling via websocket
+ location ~ ^/[^/]+/ws$ {
+ proxy_pass http://naarad;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ ### Allowing polling via json
+ location ~ ^/[^/]+/json$ {
+ proxy_pass http://naarad;
+ add_header Content-Type application/json;
+ }
+
+ # Restricting user account registration only via
+ # naarad-signup service (our custom registration layer)
+ ## BACKEND
+ location = /v1/account {
+ set $allowed YES;
+ valid_referers https://naarad-signup.metakgp.org;
+ if ($invalid_referer) {
+ set $allowed N;
+ }
+ if ($request_method = POST) {
+ set $allowed "${allowed}O";
+ }
+ if ($allowed = NO) {
+ return 403;
+ }
+
+ proxy_pass http://naarad;
+ }
+ ## FRONTEND
+ ### Permanently move the /signup endpoint
+ ### (from frontend) to our custom naarad-signup service
+ location = /signup {
+ return 301 https://naarad-signup.metakgp.org;
+ }
+
+ # All the endpoints except (signup, healthcheck and
+ # mobile application related)
+ # described above are protected via Heimdall Session
+ location / {
+ auth_request /auth;
+ error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth;
+
+ proxy_pass http://naarad;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ # Internal authorisation endpoint via heimdall
+ location = /auth {
+ internal;
+
+ proxy_pass http://heimdall_server/validate-jwt;
+
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header Cookie $http_cookie;
+ proxy_set_header X-Real-IP $remote_addr; # For heimdall to see, real user
+ }
+
+ # Handle case when auth fails in /auth sub request
+ location @handle_auth {
+ return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri;
+ }
+}
\ No newline at end of file