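# nginx front proxy for the "devcontainer serverless" service.
# Routes /github/{owner}/{repo}[/subpath] to a Knative-backed upstream and
# forwards identity headers produced by an Authentik forward-auth layer.
# The file is templated: ${DEVCONTAINER_SERVICE_URL} is substituted before
# nginx reads it.

worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Logging format: the stock "combined" fields plus the resolved repo and
    # the Authentik user, so access and routing logs can be tied to an
    # identity.  $github_repo and $authentik_user are defined by the map
    # blocks further down; nginx resolves variable references at the end of
    # config parsing, so the forward reference is fine.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'repo="$github_repo" user="$authentik_user"';
    access_log /var/log/nginx/access.log main;

    # Basic settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 100M;  # Allow large file uploads via file manager

    # Temp directories (writable in container)
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path /tmp/proxy_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;

    # Upstream Knative service (will be resolved by Knative networking).
    # NOTE(review): `server` takes host[:port], not a URL with a scheme, and
    # the name is resolved once at startup — confirm the substituted value
    # has that shape and that a restart is acceptable when it changes.
    upstream devcontainer_serverless {
        server ${DEVCONTAINER_SERVICE_URL};
    }

    # Map to extract GitHub repo from URL path.
    # Matched against the raw $request_uri, so a query string on a bare
    # /github/owner/repo request ends up in the second group.  The value is
    # only "two non-empty path segments", not a validated GitHub name; the
    # backend must treat X-GitHub-Repo as untrusted input.
    # NOTE(review): evaluating a map regex with capture groups appears to
    # overwrite the numbered captures ($1, $2) of the matching location —
    # see the proxy_pass note in the server block.
    map $request_uri $github_repo {
        ~^/github/([^/]+/[^/]+)(/.*)?$ https://github.com/$1;
        default "";
    }

    # Extract Authentik user info from headers (set by Authentik forward auth).
    # NOTE(review): this is the header exactly as received on the request; it
    # is only trustworthy if every path to port 8080 goes through the
    # forward-auth proxy — confirm nothing can reach this listener directly.
    map $http_x_authentik_username $authentik_user {
        default $http_x_authentik_username;
    }

    server {
        listen 8080;
        server_name _;

        # Health check endpoint
        location /health {
            access_log off;
            # default_type (rather than add_header Content-Type) so the body
            # is served as text/plain with a single Content-Type header;
            # add_header would add a second one next to the
            # application/octet-stream default.
            default_type text/plain;
            return 200 "OK\n";
        }

        # GitHub repo routing
        location ~ ^/github/([^/]+/[^/]+)(/.*)?$ {
            # Plain-text body for the 400 below.  default_type only affects
            # responses nginx generates itself; proxied responses keep the
            # upstream's Content-Type.  add_header Content-Type is not
            # applied to a 400 at all (only to 2xx/3xx without `always`).
            default_type text/plain;

            # Validate the repo format
            if ($github_repo = "") {
                return 400 "Invalid GitHub repository format. 
Use: /github/owner/repo\n";
            }

            # Log the routing decision
            access_log /var/log/nginx/routing.log main;

            # Set headers for the devcontainer
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Custom headers for dynamic repo routing
            proxy_set_header X-GitHub-Repo $github_repo;
            proxy_set_header X-Authentik-User $authentik_user;
            proxy_set_header X-Request-Path $request_uri;

            # Preserve Authentik auth headers.
            # NOTE(review): these are forwarded verbatim from the incoming
            # request, so they carry no more trust than the path by which
            # the request reached this listener — confirm the forward-auth
            # layer is the only way in, and that the backend does not treat
            # them as authenticated unless that holds.
            proxy_set_header X-Authentik-Username $http_x_authentik_username;
            proxy_set_header X-Authentik-Email $http_x_authentik_email;
            proxy_set_header X-Authentik-Name $http_x_authentik_name;
            proxy_set_header X-Authentik-Groups $http_x_authentik_groups;

            # Proxy settings for long-running connections (VNC)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_read_timeout 86400;  # 24 hours
            proxy_send_timeout 86400;
            proxy_connect_timeout 30;

            # Buffer settings for file uploads
            proxy_buffering off;
            proxy_request_buffering off;

            # Forward to the devcontainer, stripping the /github/owner/repo
            # prefix.
            # NOTE(review): $2 is a numbered capture.  By the time proxy_pass
            # runs, the $github_repo map has been evaluated (in the `if`
            # above) and its regex appears to overwrite $1/$2 with captures
            # taken from $request_uri.  The two regexes happen to share the
            # same group layout, so $2 is still the subpath (query string
            # included), but this is fragile — named captures in the
            # location regex would make the intent explicit.  When $2 is
            # empty, nginx forwards the original request URI, so
            # /github/owner/repo reaches the backend with its prefix while
            # /github/owner/repo/x is forwarded as /x; confirm the backend
            # expects that asymmetry.
            proxy_pass http://devcontainer_serverless$2;
        }

        # Root path - show available repositories or redirect to auth
        location = / {
            default_type text/plain;
            return 200 "DevContainer Serverless\nUsage: /github/{owner}/{repo}\nExample: /github/microsoft/vscode\n";
        }

        # Anything else
        location / {
            # default_type so the 404 body is text/plain; add_header
            # Content-Type is not applied to 4xx responses without `always`.
            default_type text/plain;
            return 404 "Not found. Use /github/{owner}/{repo} to access repositories.\n";
        }
    }

    # WebSocket upgrade handling (used by proxy_set_header Connection in the
    # server block; map placement within http is order-independent).
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
}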