For compliance reasons, you might want to split traffic coming to a Central server into a public zone for enumerators connecting over the Internet and a private zone for project managers logged in via a VPN.
One benefit of this split structure is that whatever auth constraints you put on access to the private zone (e.g., VPN login with SSO and MFA) are thus applied to Central without needing to turn on Central's SSO support.
An easy way to implement this change is in Central's nginx container. If, for example, you wanted a public zone that only allows form download and submission upload from the public Internet, while the private zone allows everything but only from your VPN, you would modify odk.conf.template as shown below.
```nginx
location /- {
    ...
}

# public zone
location ~ ^/v\d/(test|key)/.+/projects/\d+/(submission|formList|forms) {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://service:8383;
    proxy_redirect off;
    # buffer requests, but not responses, so streaming out works.
    proxy_request_buffering on;
    proxy_buffering off;
    proxy_read_timeout 2m;
}

# private zone
location ~ ^/v\d {
    ...
    allow 1.2.3.4;    # your server's public IP
    allow 5.6.7.0/17; # your VPN's public IPs
    deny all;
}
```
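Before rolling a change like this into production it is worth checking which Central API paths actually land in which zone, since the public regex is unanchored at the end and nginx matches it against the normalized URI (query string dropped, percent-decoding applied, `.` and `..` segments resolved), not the raw request line. The script below is an added example, not code from the post or from ODK Central: it copies the two regexes and the allow/deny list from the configuration above into a small model of nginx's location selection and runs a set of constructed sample requests through it. The token `tok123`, the project id `4` and the client IPs are made-up values; the allow list reuses the placeholder addresses from the post.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# The two regex locations from the modified odk.conf.template, in the order
# nginx evaluates them (the first matching regex location wins).
ZONES = [
    ("public", re.compile(r"^/v\d/(test|key)/.+/projects/\d+/(submission|formList|forms)")),
    ("private", re.compile(r"^/v\d")),
]

# The allow list from the private zone (placeholder values from the post, not a
# real deployment). strict=False mirrors nginx, which masks off the host bits:
# "5.6.7.0/17" is really the range 5.6.0.0/17 (5.6.0.0 to 5.6.127.255).
PRIVATE_ALLOW = [
    ipaddress.ip_network("1.2.3.4"),                   # the server's own public IP
    ipaddress.ip_network("5.6.7.0/17", strict=False),  # the VPN's public IPs
]


def normalize_uri(raw_uri: str) -> str:
    """Approximate what nginx does to a request URI before location matching:
    drop the query string, percent-decode, and resolve '.' and '..' segments.
    Matching the raw string instead would classify some requests wrongly."""
    path = unquote(urlsplit(raw_uri).path)
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath strips a trailing slash; nginx keeps it
    return norm


def zone_for(raw_uri: str) -> str:
    """Return 'public', 'private', or 'frontend' (no API regex matched, so the
    request falls through to the prefix locations that serve the web UI)."""
    uri = normalize_uri(raw_uri)
    for name, pattern in ZONES:
        if pattern.search(uri):
            return name
    return "frontend"


def is_permitted(raw_uri: str, client_ip: str) -> bool:
    """Combine zone selection with the private zone's allow/deny list."""
    if zone_for(raw_uri) != "private":
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in PRIVATE_ALLOW)


# Constructed sample requests: (URI, client IP) as the edge nginx would see them.
SAMPLE_REQUESTS = [
    ("/v1/key/tok123/projects/4/formList", "203.0.113.9"),
    ("/v1/key/tok123/projects/4/forms/basic.xml", "203.0.113.9"),
    ("/v1/key/tok123/projects/4/submission?deviceID=abc", "203.0.113.9"),
    ("/v1/key/tok123/projects/4/app-users", "203.0.113.9"),
    ("/v1/projects/4/forms", "5.6.100.1"),
    ("/v1/projects/4/forms", "203.0.113.9"),
    ("/v1/key/tok123/projects/4/formList/../../../../../users", "203.0.113.9"),
    ("/-/", "203.0.113.9"),
]

if __name__ == "__main__":
    for uri, ip in SAMPLE_REQUESTS:
        print(f"{uri:58} {ip:14} zone={zone_for(uri):8} permitted={is_permitted(uri, ip)}")
```

Two things the run makes visible: app-user paths that are not form download or submission upload (such as `.../projects/4/app-users`) stay in the private zone, which is the intended "everything else only from the VPN" behaviour; and a `/17` mask on `5.6.7.0` admits the whole of `5.6.0.0/17`, so check that the prefix length really matches your VPN's egress range rather than copying the placeholder. If Central sits behind a load balancer or CDN, the `allow`/`deny` lines see that proxy's address rather than the client's, so they only work as intended when nginx is the edge or has been configured to trust the upstream's forwarded client address.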