Merge pull request #250 from firecrawl/noaa/oauth-nginx-config

erikengervall · web-flow · commit af175f25709d · 2026-05-29T15:39:59.000+02:00
diff --git a/docker/nginx.conf b/docker/nginx.conf
@@ -6,6 +6,21 @@ http {
   server {
     listen 8080;
 
+    # OAuth discovery documents (RFC 8414 / RFC 9728) must reach the app with the
+    # URI intact. `^~` makes this prefix win over the legacy /{apiKey}/{rest} regex
+    # below, which would otherwise treat ".well-known" as an API key and rewrite the
+    # path to /oauth-protected-resource (404). This is what the 401 challenge's
+    # `resource_metadata` URL points at, so it MUST resolve.
+    location ^~ /.well-known/ {
+      proxy_buffering off;
+      proxy_read_timeout 30s;
+      proxy_send_timeout 30s;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_pass http://app;
+    }
+
     # Header-based with version: /v1|v2/{rest} (MUST COME BEFORE LEGACY)
     location ~ ^/v(?:1|2)/(.*)$ {
       proxy_buffering off;
