From 0e09c53e0088ea61ee620edca96bce82fb38b9a7 Mon Sep 17 00:00:00 2001
From: zino <marlon.maschkiwitz@4players.io>
Date: Tue, 5 Dec 2023 14:10:17 +0100
Subject: [PATCH] modified

---
 volumes/conf.d/code.zinomedia.de.conf | 44 ++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/volumes/conf.d/code.zinomedia.de.conf b/volumes/conf.d/code.zinomedia.de.conf
index f51d0db..2dd0dc9 100644
--- a/volumes/conf.d/code.zinomedia.de.conf
+++ b/volumes/conf.d/code.zinomedia.de.conf
@@ -18,19 +18,61 @@ server {
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always;
 
+    # Vouch
+    # send all requests to the `/validate` endpoint for authorization
+    auth_request /validate;
+
+    location = /validate {
+        # forward the /validate request to Vouch Proxy
+        resolver 127.0.0.11;
+        set $upstream "http://vouch:9090/validate";
+        proxy_pass $upstream;
+        #proxy_pass http://127.0.0.1:9090/validate;
+
+        # be sure to pass the original host header
+        proxy_set_header Host $http_host;
+
+        # Vouch Proxy only acts on the request headers
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+
+        # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
+        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+
+        # these return values are used by the @error401 call
+        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+    }
+
+    # if validate returns `401 not authorized` then forward the request to the error401block
+    error_page 401 = @error401;
+
+    location @error401 {
+        resolver 127.0.0.11;
+        set $upstream "https://vouch:9090/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err";
+        return 302 $upstream;
+
+        # redirect to Vouch Proxy for login
+        #return 302 https://vouch.yourdomain.com:9090/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+    }
+
+
     location / {
         resolver 127.0.0.11;
         set $upstream "code-server:8443";
 
         proxy_pass http://$upstream;
         proxy_http_version 1.1;
-        proxy_set_header Host $host;
+        #proxy_set_header Host $host;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Accept-Encoding gzip;
         proxy_set_header Connection upgrade;
         proxy_headers_hash_max_size 512;
         proxy_headers_hash_bucket_size 128;
         proxy_read_timeout 3600;
+        # be sure to pass the original host header
+        proxy_set_header Host $http_host;
     }
 }