docs/docker/files/etc/nginx/conf.d/default.conf

server {
    listen 8083;
    server_name localhost;
    charset utf-8;

    # Proxy auth for collaboration server
    location /collaboration/ws/ {
        # Collaboration Auth request configuration
        auth_request /collaboration-auth;
        auth_request_set $authHeader $upstream_http_authorization;
        auth_request_set $canEdit $upstream_http_x_can_edit;
        auth_request_set $userId $upstream_http_x_user_id;

        # Pass specific headers from the auth response
        proxy_set_header Authorization $authHeader;
        proxy_set_header X-Can-Edit $canEdit;
        proxy_set_header X-User-Id $userId;

        # Ensure WebSocket upgrade
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        # Collaboration server
        proxy_pass http://y-provider:4444;

        # Set appropriate timeout for WebSocket
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;

        # Preserve original host and additional headers
        proxy_set_header Host $host;
    }

    location /collaboration-auth {
        proxy_pass http://app-dev:8000/api/v1.0/documents/collaboration-auth/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Original-URL $request_uri;
        
        # Prevent the body from being passed
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-Method $request_method;
    }

    location  /collaboration/api/ {
        # Collaboration server
        proxy_pass http://y-provider:4444;
        proxy_set_header Host $host;
    }

    # Proxy auth for media
    location /media/ {
        # Auth request configuration
        auth_request /media-auth;
        auth_request_set $authHeader $upstream_http_authorization;
        auth_request_set $authDate $upstream_http_x_amz_date;
        auth_request_set $authContentSha256 $upstream_http_x_amz_content_sha256;

        # Pass specific headers from the auth response
        proxy_set_header Authorization $authHeader;
        proxy_set_header X-Amz-Date $authDate;
        proxy_set_header X-Amz-Content-SHA256 $authContentSha256;

        # Get resource from Minio
        proxy_pass http://minio:9000/impress-media-storage/;
        proxy_set_header Host minio:9000;

        add_header Content-Security-Policy "default-src 'none'" always;
    }

    location /media-auth {
        proxy_pass http://app-dev:8000/api/v1.0/documents/media-auth/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Original-URL $request_uri;
        
        # Prevent the body from being passed
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-Method $request_method;
    }

    location / {
        proxy_pass http://keycloak:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Increase proxy buffer size to allow keycloak to send large
        # header responses when a user is created.
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }
}