worker_processes auto;
error_log /dev/stderr notice;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
sendfile on;
keepalive_timeout 65;
server_tokens off;
upstream openbao_upstream {
server openbao.openbao.svc.cluster.local:8200;
}
server {
listen 8080;
location /ui/platform-overlay/ {
alias /etc/nginx/overlay/;
add_header Cache-Control "public, max-age=300";
}
# Standalone KeyCape login page — bypasses Ember auth route and ?with= bounce.
location = /ui/vault/auth {
alias /etc/nginx/overlay/login.html;
default_type text/html;
add_header Cache-Control "no-store";
}
# OIDC callback handler — exchanges code without Ember popup/postMessage flow.
location ~ ^/ui/vault/auth/.+/oidc/callback/?$ {
alias /etc/nginx/overlay/callback.html;
default_type text/html;
add_header Cache-Control "no-store";
}
# Static UI bundles and API calls bypass HTML injection and stay compressed.
location ~ ^/(v1|ui/assets|ui/engines-dist|ui/favicon\.svg) {
proxy_pass http://openbao_upstream;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_pass http://openbao_upstream;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Disable upstream compression only for HTML shell injection.
proxy_set_header Accept-Encoding "";
proxy_buffering on;
sub_filter_types text/html;
sub_filter_once on;
sub_filter '' '';
}
}
}