Protected Sites Status

Current state of PIN Gate protection across *.nominate.ai subdomains.

PIN: 862509
Service: cbauth on 127.0.0.1:32202

Protected Sites

| Site | Config File | Status | Notes |
|------|-------------|--------|-------|
| nominate.ai | www.nominate.ai.conf | ✅ Protected | Apex domain |
| www.nominate.ai | www.nominate.ai.conf | ✅ Protected | |
| docs.nominate.ai | docs.nominate.ai.conf | ✅ Protected | MkDocs |
| ai.nominate.ai | ai.nominate.ai.conf | ✅ Protected | |
| cdn.nominate.ai | cdn.nominate.ai.conf | ✅ Protected | CDN service |
| districts.nominate.ai | districts.nominate.ai.conf | ✅ Protected | |
| files.nominate.ai | files.nominate.ai.conf | ✅ Protected | File service |
| intel.nominate.ai | intel.nominate.ai.conf | ✅ Protected | |
| ky04.nominate.ai | ky04.nominate.ai.conf | ✅ Protected | Tenant |
| ky04api.nominate.ai | ky04api.nominate.ai.conf | ✅ Protected | Tenant API |
| mi20.nominate.ai | mi20.nominate.ai.conf | ✅ Protected | Tenant |
| mi20api.nominate.ai | mi20api.nominate.ai.conf | ✅ Protected | Tenant API |
| models.nominate.ai | models.nominate.ai.conf | ✅ Protected | |
| project.nominate.ai | project.nominate.ai.conf | ✅ Protected | |
| ruralamfm.nominate.ai | ruralamfm.nominate.ai.conf | ✅ Protected | |
| surveys.nominate.ai | surveys.nominate.ai.conf | ✅ Protected | |
| testsite.nominate.ai | testsite.nominate.ai.conf | ✅ Protected | Test tenant |
| testsiteapi.nominate.ai | testsiteapi.nominate.ai.conf | ✅ Protected | Test tenant API |
| *.nominate.ai (catchall) | catchall.nominate.ai.conf | ✅ Protected | Wildcard fallback |

Excluded Sites

| Site | Config File | Reason |
|------|-------------|--------|
| auth.nominate.ai | auth.nominate.ai.conf | Auth service itself (would cause loop) |

Tweaks & Issues Log

| Date | Site | Issue | Resolution |
|------|------|-------|------------|
| 2026-01-01 | - | Initial rollout | All sites protected |

Common Adjustments

Exclude a path from auth (e.g., health checks, webhooks)

# Add BEFORE the protected location /
location /health {
    proxy_pass http://backend;
}

location /webhook {
    proxy_pass http://backend;
}

Return JSON 401 for API endpoints

Replace @pin_redirect with a custom handler:

location /api/ {
    auth_request /internal/auth/verify;
    error_page 401 = @api_unauthorized;
    proxy_pass http://backend;
}

location @api_unauthorized {
    default_type application/json;
    return 401 '{"error": "authentication_required"}';
}

Temporarily disable auth on a site

Comment out these lines in the site's config:

# auth_request /internal/auth/verify;
# error_page 401 = @pin_redirect;

Then reload: sudo nginx -t && sudo systemctl reload nginx

Quick Commands

# Check which sites have PIN auth
sudo grep -l "pin-gate-auth.conf" /etc/nginx/sites-enabled/*.conf

# Test a specific site
curl -s -o /dev/null -w "%{http_code}" https://SITE.nominate.ai/

# View auth service logs
sudo journalctl -u cbauth -f

# Restart auth service
sudo systemctl restart cbauth

# Reload NGINX after config changes
sudo nginx -t && sudo systemctl reload nginx
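
Audit script (an added example, not part of the original runbook): it extends the `grep -l` check above to catch sites where the gate was temporarily disabled and never re-enabled. It assumes a protected site config references pin-gate-auth.conf and carries an uncommented `auth_request /internal/auth/verify;` line; the sample file names and the `snippets/` include path are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit site configs for an
# active PIN Gate. Assumes a protected site references pin-gate-auth.conf and
# has an uncommented "auth_request /internal/auth/verify;" line.

audit_pin_gate() {
    local dir="$1" f name rc=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ "$name" = "auth.nominate.ai.conf" ]; then
            echo "EXCLUDED $name"       # auth service itself (would cause loop)
        elif ! grep -Eq '^[[:space:]]*[^#[:space:]].*pin-gate-auth\.conf' "$f"; then
            echo "MISSING $name"; rc=1  # never wired to the gate
        elif ! grep -Eq '^[[:space:]]*auth_request[[:space:]]+/internal/auth/verify;' "$f"; then
            echo "DISABLED $name"; rc=1 # directive absent or commented out
        else
            echo "OK $name"
        fi
    done
    return "$rc"
}

# Constructed sample configs; the include path and file names are made up.
make_sample_dir() {
    local d; d=$(mktemp -d)
    printf '%s\n' 'include snippets/pin-gate-auth.conf;' 'location / {' \
        '    auth_request /internal/auth/verify;' \
        '    error_page 401 = @pin_redirect;' '}' > "$d/good.example.conf"
    printf '%s\n' 'include snippets/pin-gate-auth.conf;' 'location / {' \
        '    # auth_request /internal/auth/verify;' \
        '    # error_page 401 = @pin_redirect;' '}' > "$d/paused.example.conf"
    printf '%s\n' 'location / {' '    proxy_pass http://backend;' '}' \
        > "$d/new.example.conf"
    printf '%s\n' 'location / {' '    proxy_pass http://backend;' '}' \
        > "$d/auth.nominate.ai.conf"
    echo "$d"
}

audit_pin_gate "$(make_sample_dir)" || echo "gaps found: fix before reload"
```

On the server, point it at the real directory with `audit_pin_gate /etc/nginx/sites-enabled`; a non-zero exit status makes it usable as a pre-reload check.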