Gate searxng, notes, and hasura behind admin auth via nginx auth_request

Add ValidateAdmin endpoint that checks JWT admin claim for use as an
nginx auth_request subrequest. Widen cookie path from backend endpoint
to "/" so the access_token is sent on all paths. Extend access token
lifetime from 24h to 7 days. Disable hasura service by default via
Docker profile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-12 21:33:41 +01:00
parent ee97ec9b23
commit d344497393
7 changed files with 92 additions and 16 deletions


@@ -207,6 +207,8 @@ http {
}
location /hasura/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$HASURA_HOST:$HASURA_PORT/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -222,6 +224,8 @@ http {
}
location /notes/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$QUARTZ_HOST:$QUARTZ_PORT/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
@@ -233,11 +237,25 @@ http {
}
location = /internal/auth/admin-validate {
internal;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/auth/validate-admin;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
}
location @auth_denied {
return 302 /;
}
location /searxng {
return 301 /searxng/;
}
location /searxng/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$SEARXNG_HOST:$SEARXNG_PORT/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
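Review bot: The gated `/hasura/`, `/notes/` and `/searxng/` locations appear to forward the client's Cookie header to their upstreams unchanged. Because the commit description says the `access_token` cookie path is widened to "/", Hasura, Quartz and SearXNG would each receive the admin JWT, which is now valid for 7 days. The visible lines set only `Host` and `X-Real-IP`, but the location bodies continue outside the hunks, so a strip may already exist out of view. If these upstreams do not need client cookies, add `proxy_set_header Cookie "";` to each gated location; if one does (for example for stored preferences), remove only the `access_token` pair with a `map` on `$http_cookie`. The same applies to the matching locations in both server blocks of the second file.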


@@ -134,6 +134,8 @@ http {
}
location /hasura/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$HASURA_HOST:$HASURA_PORT/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -149,6 +151,8 @@ http {
}
location /notes/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$QUARTZ_HOST:$QUARTZ_PORT/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
@@ -160,11 +164,25 @@ http {
}
location = /internal/auth/admin-validate {
internal;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/auth/validate-admin;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
}
location @auth_denied {
return 302 /;
}
location /searxng {
return 301 /searxng/;
}
location /searxng/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$SEARXNG_HOST:$SEARXNG_PORT/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -272,6 +290,8 @@ http {
}
location /hasura/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$HASURA_HOST:$HASURA_PORT/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -287,6 +307,8 @@ http {
}
location /notes/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$QUARTZ_HOST:$QUARTZ_PORT/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
@@ -298,11 +320,25 @@ http {
}
location = /internal/auth/admin-validate {
internal;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/auth/validate-admin;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
}
location @auth_denied {
return 302 /;
}
location /searxng {
return 301 /searxng/;
}
location /searxng/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$SEARXNG_HOST:$SEARXNG_PORT/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;