SawatoMosswartsEnjoyersClub/MosswartOverlord
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
MosswartOverlord/go-services/nginx/go-location.conf
Erik 426fe025d3 chore(go-services): ready-to-apply nginx /go/ snippet (user must sudo) 
The agent cannot sudo (password required), so nginx deploy is a user step.
go-services/nginx/go-location.conf holds the `location /go/` block + the
`upstream tracker_go` line with apply instructions. Not required for the
parallel run (the Go service is parity-verified on loopback); this is for
browser-reachable /go/ access. Live overlord.conf has drifted from the repo
copy — reconcile by hand, don't cp-overwrite.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 09:51:25 +02:00

41 lines
2.1 KiB
Text
Raw Blame History

# Parallel-run nginx wiring for the Go tracker (dereth-tracker-go, 127.0.0.1:8770).
#
# Deploying needs root (the agent cannot sudo). Apply on the host:
#
# 1) Add the upstream to the http{} block of /etc/nginx/nginx.conf, next to the
# existing `tracker` and `grafana` upstreams (around line 55):
#
# upstream tracker_go { server 127.0.0.1:8770; }
#
# 2) Insert the `location /go/` block below into the server{} block of
# /etc/nginx/sites-enabled/overlord (anywhere in server{}; nginx matches the
# longer /go/ prefix before /, so order doesn't matter). Mirror it into the
# repo copy nginx/overlord.conf too — but note the live file has DRIFTED from
# the repo copy, so reconcile by hand rather than cp-overwriting.
#
# 3) sudo nginx -t && sudo nginx -s reload
#
# After reload:
# https://overlord.snakedesert.se/go/health -> 200 (public)
# https://overlord.snakedesert.se/go/api-version -> 200 (logged-in) / 401 (no cookie)
# https://overlord.snakedesert.se/go/live -> matches /live (same login cookie)
#
# The Go service is auth-gated identically to Python (session cookie + internal
# trust), and X-Forwarded-For below is REQUIRED — without it the Go service would
# treat all internet traffic as internal-trust and skip auth (security invariant).
location /go/ {
proxy_pass http://tracker_go/; # trailing slash strips the /go/ prefix
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # REQUIRED — security invariant
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_cache_bypass $http_upgrade;
# Go will serve long-lived browser WebSockets in a later phase; match the
# /websocket/ and / blocks so idle sockets aren't cut at nginx's default 60s.
proxy_read_timeout 1d;
proxy_send_timeout 1d;
}
Reference in a new issue View git blame Copy permalink