MANDATORY: nginx /ws proxy
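# Derive the Connection header sent upstream from the client's Upgrade header:
# a WebSocket handshake ("Upgrade: websocket") needs "Connection: upgrade",
# a plain request (empty $http_upgrade) gets "Connection: close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

location /ws {
    # The trailing "/" on proxy_pass replaces the matched "/ws" prefix, so the
    # gateway sees "/" for "/ws" and "/foo" for "/ws/foo".
    # NOTE(review): nginx resolves a literal hostname here once, at config load;
    # a container restart that changes the IP still needs an nginx reload unless
    # a `resolver` (Docker's embedded DNS is 127.0.0.11) and a variable-based
    # proxy_pass are used instead.
    proxy_pass http://<gateway-name>:18789/;

    # WebSocket requires HTTP/1.1 and the hop-by-hop Upgrade/Connection headers,
    # which nginx does not forward unless set explicitly.
    proxy_http_version 1.1;
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Added: preserve the full client chain and the original scheme. With only
    # X-Real-IP, the true client address is lost whenever another proxy
    # (e.g. oauth2-proxy) sits in front of nginx, and the gateway cannot tell
    # whether the original request arrived over TLS.
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Long-lived sockets: allow one day of idle time in either direction.
    proxy_read_timeout 86400s;
    proxy_send_timeout 86400s;
    # Relay frames immediately instead of collecting them in nginx buffers.
    proxy_buffering off;
}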
MANDATORY: no hardcoded Docker IPs
# WRONG — breaks on container restart:
# (the bridge address is assigned per container start and is not stable)
proxy_pass http://172.24.50.255:18789/;
# RIGHT — Docker DNS resolves dynamically:
# NOTE(review): nginx resolves this name once when it loads its config; if the
# container's IP changes afterwards, nginx keeps the old one until reloaded.
# Re-resolution at runtime needs a `resolver` directive (Docker's embedded DNS
# is 127.0.0.11) and the upstream placed in a variable inside proxy_pass.
proxy_pass http://pemos-gateway:18789/;
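# Verify clean: print every hardcoded private address from 172.16.0.0/12
# (172.16 through 172.31, the range Docker draws its bridge networks from)
# found in the rendered nginx config, with line numbers.
# The previous pattern "172\.2[0-9]\." only covered 172.20–172.29 and would
# have passed a config pinned to e.g. 172.17.x.x or 172.30.x.x.
grep -nE "172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}" /etc/nginx/conf.d/default.conf
# → must return empty (grep exits 1 when nothing matches, i.e. clean)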
# ARB-537 FOF check: stale IPs = the breach
# The breach that cannot be ignored
MANDATORY: oauth2-proxy /ws bypass
# For AKS silos behind oauth2-proxy:
# Both patterns are needed: "^/ws$" exempts exactly "/ws" from the oauth2-proxy
# login redirect, "^/ws/" exempts every path beneath it. Requests matching
# either pattern reach the silo without an oauth2-proxy session, so the gateway
# behind "/ws" has to perform its own authentication of the socket (not shown
# here — confirm against the gateway's config).
args:
- --skip-auth-regex=^/ws$
- --skip-auth-regex=^/ws/
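# Patch command: append BOTH skip-auth patterns to the oauth2-proxy container
# args. The original patch added only "^/ws$", which left "/ws/<anything>"
# still behind the login redirect and disagreed with the two-entry args list
# above. Container index 0 assumes oauth2-proxy is the first container in the
# pod spec — verify for the target deployment.
kubectl patch deploy oauth2-proxy -n <ns> \
  --type=json -p='[
    {"op":"add","path":"/spec/template/spec/containers/0/args/-",
     "value":"--skip-auth-regex=^/ws$"},
    {"op":"add","path":"/spec/template/spec/containers/0/args/-",
     "value":"--skip-auth-regex=^/ws/"}
  ]'
# JSON-patch "add" with "-" appends, so re-running this creates duplicate
# entries. Inspect the result with:
#   kubectl get deploy oauth2-proxy -n <ns> \
#     -o jsonpath='{.spec.template.spec.containers[0].args}'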
TEST: batch probe all silos
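# Batch probe: send a bare RFC 6455 handshake to a silo and keep the status
# line(s). Added -o /dev/null so a 200/302 response body (an HTML login page,
# for instance) cannot inject lines matching the grep pattern into the output;
# -v writes the request/response lines to stderr, hence 2>&1.
# --max-time 4 also bounds the successful case: after a 101 curl would
# otherwise sit on the open socket.
curl -sv --max-time 4 -o /dev/null \
  -H "Upgrade: websocket" \
  -H "Connection: Upgrade" \
  -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
  -H "Sec-WebSocket-Version: 13" \
  http://<silo>/ws 2>&1 \
  | grep -E "HTTP|101|400|502|504"
# 101 → SOLID ✅
# 200 → H2 ALIVE (RFC 8441) ⚠️
# 302 → AUTH BLOCKED ❌
#       (a plain-http probe also gets 302 from an http→https redirect; check
#        the Location header before attributing it to oauth2-proxy)
# 400 → BACKEND REJECTS ❌
# 502 → GATEWAY DOWN ❌
# 504 → in the grep pattern but not listed above; upstream did not answer in
#       time (Gateway Timeout)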