add support for protected sites

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
https://gock.net/blog/2020/nginx-subrequest-authentication-server/
https://github.com/andygock/auth-server

src/nginxconfig.ejs

@@ -159,6 +159,23 @@ server {
         try_files /$1 @wellknown-upstream;
     }
 
+<% if (authwall.enabled) { %>
+    proxy_set_header X-App-ID "<%= authwall.id %>";
+
+    location = /auth {
+        internal;
+        proxy_pass http://127.0.0.1:3001;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+    }
+
+    location ~ ^/(login|logout)$ {
+        proxy_pass http://127.0.0.1:3001;
+    }
+
+    error_page 401 403 /login;
+<% } %>
+
     location / {
         # increase the proxy buffer sizes to not run into buffer issues (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers)
         proxy_buffer_size       128k;
@@ -217,6 +234,12 @@ server {
             index  index.html index.htm;
         }
 <% } else if ( endpoint === 'app' ) { %>
+    <% if (authwall.enabled) { %>
+        auth_request /auth;
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        add_header Set-Cookie $auth_cookie;
+    <% } %>
+
         proxy_pass http://127.0.0.1:<%= port %>;
 <% } else if ( endpoint === 'redirect' ) { %>
         # redirect everything to the app. this is temporary because there is no way