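# Parallel-run nginx wiring for the Go tracker (dereth-tracker-go, 127.0.0.1:8770).
#
# Deploying needs root (the agent cannot sudo). Apply on the host:
#
#   1) Add the upstream to the http{} block of /etc/nginx/nginx.conf, next to the
#      existing `tracker` and `grafana` upstreams (around line 55):
#
#        upstream tracker_go { server 127.0.0.1:8770; }
#
#   2) Insert the `location /go/` block below into the server{} block of
#      /etc/nginx/sites-enabled/overlord (anywhere in server{}; nginx matches the
#      longer /go/ prefix before /, so order doesn't matter). Mirror it into the
#      repo copy nginx/overlord.conf too — but note the live file has DRIFTED from
#      the repo copy, so reconcile by hand rather than cp-overwriting.
#
#      NOTE(review): "order doesn't matter" holds among prefix locations only.
#      A regex location (`~` / `~*`) in the same server{} that also matches a
#      /go/... URI is preferred over this block; check the live file for one
#      while reconciling, since such a block would not carry the headers set here.
#
#   3) sudo nginx -t && sudo nginx -s reload
#
# After reload:
#   https://overlord.snakedesert.se/go/health       -> 200 (public)
#   https://overlord.snakedesert.se/go/api-version  -> 200 (logged-in) / 401 (no cookie)
#   https://overlord.snakedesert.se/go/live         -> matches /live (same login cookie)
#
# The Go service is auth-gated identically to Python (session cookie + internal
# trust), and X-Forwarded-For below is REQUIRED — without it the Go service would
# treat all internet traffic as internal-trust and skip auth (security invariant).
#
# NOTE(review): $proxy_add_x_forwarded_for appends $remote_addr to whatever
# X-Forwarded-For value the client sent, so every entry except the last one is
# client-controlled. The invariant therefore also depends on how the Go service
# reads the header (not shown here — confirm it never bases internal-trust on a
# client-supplied entry). As part of the post-reload checks, also verify that
# /go/api-version still returns 401 without a cookie when the request carries
# its own X-Forwarded-For header. Keep this block in step with the existing
# /websocket/ and / blocks if the header handling is ever changed.
location /go/ {
    proxy_pass http://tracker_go/;   # trailing slash strips the /go/ prefix
    proxy_http_version 1.1;

    # Forwarded request metadata for the Go service.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # REQUIRED — security invariant
    proxy_set_header X-Forwarded-Proto $scheme;

    # WebSocket upgrade pass-through.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_cache_bypass $http_upgrade;

    # Go will serve long-lived browser WebSockets in a later phase; match the
    # /websocket/ and / blocks so idle sockets aren't cut at nginx's default 60s.
    proxy_read_timeout 1d;
    proxy_send_timeout 1d;
}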