45 lines
1.4 KiB
Nginx Configuration File
45 lines
1.4 KiB
Nginx Configuration File
server {
|
|
listen 80;
|
|
server_name _;
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# SPA: route everything that isn't a real file back to index.html so
|
|
# TanStack Router handles deep links.
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
|
|
# API → Rust backend. The compose network name `backend` resolves to the
|
|
# smgw-pki-automator service.
|
|
location /api/ {
|
|
proxy_pass http://backend:8443/api/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# mTLS terminating proxy in front of nginx is expected to set this
|
|
# header. In dev (DEV_AUTH=1) the backend accepts a body field instead.
|
|
proxy_set_header X-Forwarded-Cert-Subject $http_x_forwarded_cert_subject;
|
|
|
|
proxy_buffering off;
|
|
proxy_read_timeout 300s;
|
|
}
|
|
|
|
# PKI callback path (TR-03129-4). Kept separate so it can be moved behind
|
|
# a different listener that requires a Sub-CA client certificate.
|
|
location /pki/ {
|
|
proxy_pass http://backend:8443/pki/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
}
|
|
|
|
# Long-cache hashed assets.
|
|
location ~* \.(js|css|woff2?|svg|png|webp|avif)$ {
|
|
expires 7d;
|
|
access_log off;
|
|
try_files $uri =404;
|
|
}
|
|
}
|