Using Nginx as reverse proxy

As Argos has no authentication mechanism for the front-end, you need to protect some routes with HTTP authentication.

To do so on Debian, install apache2-utils then create a file containing the wanted credentials:

htpasswd -c /etc/nginx/argos.passwd argos_admin

You can then use this file to protect the front-end’s routes:

/etc/nginx/sites-available/argos.example.org

server {
    listen 80;
    listen [::]:80;
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;

    server_name argos.example.org;

    ssl_certificate     /etc/letsencrypt/live/argos.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/argos.example.org/privkey.pem;

    access_log  /var/log/nginx/argos.example.org.access.log;
    error_log   /var/log/nginx/argos.example.org.error.log;

    if ($scheme != "https") {
        rewrite ^ https://$http_host$request_uri? permanent;
    }

    location ~ ^/($|domains?/|result/|task/|refresh/) {
        auth_basic "Closed site";
        auth_basic_user_file argos.passwd;
        include proxy_params;
        proxy_pass       http://127.0.0.1:8000;
    }
    location / {
        include proxy_params;
        proxy_pass       http://127.0.0.1:8000;
    }
}