Add OpenID authentication via Keycloak and integrate auth.lua into nginx setup

nginx.conf

@@ -5,6 +5,11 @@ events {
 }
 
 http {
+  lua_package_path "/etc/nginx/lua/?.lua;;";
+  lua_shared_dict discovery 1m;
+  lua_shared_dict jwks 1m;
+  lua_shared_dict sessions 10m;
+
   include       mime.types;
   default_type  application/octet-stream;
   sendfile        on;
@@ -15,10 +20,11 @@ http {
 
     # Automatically redirect URLs missing trailing slash (but not files like .js, .css, etc.)
     #if ($request_uri ~ ^([^.\?\#]*[^/])$) {
-     # return 301 $request_uri/;
-   # }
+    #  return 301 $request_uri/;
+    # }
 
-    location / {
+    # Public route: /auth selection page, no login required
+    location /auth {
       proxy_pass http://main-website:3000;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
@@ -26,10 +32,23 @@ http {
       proxy_set_header X-Forwarded-Proto $scheme;
     }
 
+    # Protected root route (main site)
+    location / {
+      access_by_lua_file /etc/nginx/auth.lua;
+
+      proxy_pass http://main-website:3000;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Protected demo route
     location /lawfirm/demo1/ {
-      proxy_pass http://ld1:3000/;
+      access_by_lua_file /etc/nginx/auth.lua;
 
       rewrite ^/lawfirm/demo1(/.*)$ $1 break;
+      proxy_pass http://ld1:3000;
 
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;