summaryrefslogtreecommitdiff
path: root/etc/nginx
diff options
context:
space:
mode:
authorFlorian Dold <florian.dold@gmail.com>2018-01-29 23:55:49 +0100
committerFlorian Dold <florian.dold@gmail.com>2018-01-29 23:55:49 +0100
commitf0c746b30f4e3e99b799aca830bce4a13db330b1 (patch)
tree487eadf7d1803bb7a6f7326fc1dee65f6d165cbb /etc/nginx
parent4d0f03c4992455a71e2cde3ddc5fe1ae162ab44e (diff)
downloaddeployment-f0c746b30f4e3e99b799aca830bce4a13db330b1.tar.gz
deployment-f0c746b30f4e3e99b799aca830bce4a13db330b1.tar.bz2
deployment-f0c746b30f4e3e99b799aca830bce4a13db330b1.zip
protect test backend with apikey
Diffstat (limited to 'etc/nginx')
-rw-r--r--etc/nginx/sites-enabled/test.site17
1 files changed, 17 insertions, 0 deletions
diff --git a/etc/nginx/sites-enabled/test.site b/etc/nginx/sites-enabled/test.site
index c5e1949..78c95b9 100644
--- a/etc/nginx/sites-enabled/test.site
+++ b/etc/nginx/sites-enabled/test.site
@@ -206,6 +206,23 @@ server {
error_page 418 = @blue;
error_page 419 = @green;
recursive_error_pages on;
+
+ # This is very ugly, but necessary since NGINX
+ # can't do multiple conditions or nexted ifs
+
+ if ($request_filename !~ "^/public/?.*$") {
+ # restricted!
+ set $authresult "r";
+ }
+
+ if ($http_authorization = "ApiKey sandbox") {
+ # auth successful
+ set $authresult "${authresult}y";
+ }
+ if ($authresult = "r") {
+ # restricted but not authorized
+ return 401 "Unauthorized";
+ }
if ($http_x_taler_deployment_color ~ "blue") { return 418; }
if ($http_x_taler_deployment_color ~ "green") { return 419; }
proxy_set_header X-Forwarded-Host "backend.test.taler.net";