nginx.conf

worker_processes auto;
pid /tmp/nginx.pid;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /dev/stdout;
    error_log /dev/stderr;

    client_body_temp_path /tmp/client_body;
    proxy_temp_path /tmp/proxy;
    fastcgi_temp_path /tmp/fastcgi;
    uwsgi_temp_path /tmp/uwsgi;
    scgi_temp_path /tmp/scgi;

    server {
        listen 7860;
        server_name localhost;

        # Custom sign-in page
        location = /signin {
            root /var/www/html/theme;
            try_files /sign_in.html =404;
        }

        # GitHub OAuth2 Proxy
        location /oauth2/github/ {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Auth-Request-Redirect $request_uri;
        }

        # Google OAuth2 Proxy
        location /oauth2/google/ {
            proxy_pass http://127.0.0.1:4181;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Auth-Request-Redirect $request_uri;
        }

        # Auth Check (Try GitHub first, fallback to Google)
        location = /oauth2/auth {
            internal;
            proxy_pass http://127.0.0.1:4180/oauth2/github/auth;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header Content-Length "";
            proxy_pass_request_body off;
            
            # If GitHub auth fails (401), try Google
            proxy_intercept_errors on;
            error_page 401 = @try_google;
        }

        location @try_google {
            internal;
            rewrite ^ /oauth2/google/auth break;
            proxy_pass http://127.0.0.1:4181;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header Content-Length "";
            proxy_pass_request_body off;
        }

        # Main application (ttyd) protected by auth_request
        location / {
            auth_request /oauth2/auth;
            error_page 401 = /signin;

            proxy_pass http://127.0.0.1:7681;
            
            # WebSocket support configuration
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            
            # Standard proxy headers
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}