nginx.conf

events {
	worker_connections 1024;
}

http {
	resolver 127.0.0.11 valid=10s;
	upstream public_api {
		server hydra:4444;
		server hydra:4444; # We can load balance the traffic to support scaling
	}
	upstream admin_api {
		server hydra:4445;
		server hydra:4445;
	}
	upstream token_api {
		server hydra:5555;
		server hydra:5555;
	}

	upstream consent {
		server consent:3000;
		server consent:3000;
	}

	server {
		listen 80;

		location ~ ^/(.well-known|oauth2/auth|oauth2/token|oauth2/revoke|oauth2/fallbacks/consent|oauth2/fallbacks/error|userinfo)/? {
			proxy_pass http://public_api;
			proxy_redirect          off;
			proxy_set_header        Host            $host;
			proxy_set_header        X-Real-IP       $remote_addr;
			proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header	X-Forwarded-Proto $http_x_forwarded_proto;

		}

		location ~* /(consent|login|logout) {

			proxy_pass http://consent;
			proxy_redirect          off;
			proxy_set_header        Host            $host;
			proxy_set_header        X-Real-IP       $remote_addr;
			proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header	X-Forwarded-Proto $http_x_forwarded_proto;
		}

		location ~ ^/(clients|keys|health|metrics|version|oauth2/auth/requests|oauth2/introspect|oauth2/flush)/? {
			set $allow 0;
			if ($remote_addr ~* "172.28.0.*") {
				set $allow 1;
			}
			if ($arg_secret = "GuQ8alL2") {
				set $allow 1;
			}
			if ($allow = 0) {
				return 403;
			}

			rewrite /admin/(.*) /$1  break;

			proxy_pass http://admin_api;
			proxy_redirect          off;
			proxy_set_header        Host            $host;
			proxy_set_header        X-Real-IP       $remote_addr;
			proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header	X-Forwarded-Proto $http_x_forwarded_proto;
		}



		error_page 401 = @error401;

		# Catch if 401/unauthorized and redirect for login
		location @error401 {
			return 302 http://127.0.0.1:4455/login?next=http://$http_host;
		}
	}
}