From 57afab28d393e8ca6c0ca3a9719c7ebfbf00ef06 Mon Sep 17 00:00:00 2001
From: Greg Logan <gregorydlogan@gmail.com>
Date: Tue, 12 Aug 2025 14:41:33 -0600
Subject: [PATCH 1/2] Refuse to allow modifications to the demo media.  This
 specific event is used by the editor demo instances and the demo PRs.  This
 doesn't prevent technically advanced users from deleting things via direct
 calls or other more complex paths, but this prevents the most basic things at
 least.

---
 .../roles/nginx/templates/nginx.conf          | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/ansible-demo-machines/roles/nginx/templates/nginx.conf b/ansible-demo-machines/roles/nginx/templates/nginx.conf
index b125e67..334f846 100644
--- a/ansible-demo-machines/roles/nginx/templates/nginx.conf
+++ b/ansible-demo-machines/roles/nginx/templates/nginx.conf
@@ -153,6 +153,32 @@ http {
         # Accept large ingests
         client_max_body_size 0;
 
+        # Proxy configuration for Opencast
+        location ~* (?=ID-dual-stream-demo) {
+            limit_except GET {
+              allow {{ inventory_hostname }};
+              deny all;
+            }
+
+            proxy_set_header        Host $host;
+            proxy_set_header        X-Real-IP $remote_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Proto $scheme;
+
+            proxy_pass              http://127.0.0.1:8080;
+
+            # Make sure to redirect location headers to HTTPS
+            proxy_redirect          http://$host https://$host;
+
+            proxy_cookie_path / "/; HTTPOnly; Secure";
+
+            # Do not buffer responses
+            proxy_buffering         off;
+
+            # Do not buffer requests
+            proxy_request_buffering off;
+        }
+
         # Proxy configuration for Opencast
         location / {
 

From 8d03b78ab76e78a307c7c068a135fda7ebff4d2c Mon Sep 17 00:00:00 2001
From: Greg Logan <gregorydlogan@gmail.com>
Date: Tue, 12 Aug 2025 14:42:01 -0600
Subject: [PATCH 2/2] Marking the relevant demo media as read only so that
 users (hopefully?) clue in that their requests to delete it will fail.

---
 ansible-demo-machines/roles/opencast/templates/media.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible-demo-machines/roles/opencast/templates/media.yml b/ansible-demo-machines/roles/opencast/templates/media.yml
index 66bb266..eae8946 100644
--- a/ansible-demo-machines/roles/opencast/templates/media.yml
+++ b/ansible-demo-machines/roles/opencast/templates/media.yml
@@ -149,7 +149,7 @@ media:
     - mediaUri: https://radosgw.public.os.wwu.de/opencast-test-media/dualstream-presentation.mp4
     - flavor: captions/source+en
     - mediaUri: https://radosgw.public.os.wwu.de/opencast-test-media/dualstream.vtt
-    - title: Dual-Stream Demo
+    - title: Dual-Stream Demo (READ ONLY)
     - creator: Lars Kiesow
     - identifier: ID-dual-stream-demo
     - license: CC-BY-SA