# nginx front-end for an OpenBao deployment: serves a small static "overlay"
# UI (login / OIDC callback pages) from /etc/nginx/overlay and reverse-proxies
# everything else to the in-cluster OpenBao service, injecting the overlay
# into the HTML shell on the way back.
worker_processes auto;
# Logs go to the container's stdout/stderr; pid lives in /tmp, presumably
# because the process runs unprivileged (no write access to /run) — confirm.
error_log /dev/stderr notice;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /dev/stdout;
    sendfile on;
    keepalive_timeout 65;
    # Hide the nginx version in Server headers and error pages.
    server_tokens off;

    # In-cluster OpenBao API/UI endpoint (Kubernetes service DNS name).
    upstream openbao_upstream {
        server openbao.openbao.svc.cluster.local:8200;
    }

    server {
        # Non-privileged port; TLS is not terminated here. If an ingress in
        # front terminates TLS, $scheme below is always "http" — see the
        # X-Forwarded-Proto note in "location /".
        listen 8080;

        # Static overlay assets. Both the location and the alias end in "/",
        # so the alias maps the directory one-to-one (no "off-by-slash"
        # prefix leak outside /etc/nginx/overlay/).
        location /ui/platform-overlay/ {
            alias /etc/nginx/overlay/;
            add_header Cache-Control "public, max-age=300";
        }

        # Standalone KeyCape login page — bypasses Ember auth route and ?with= bounce.
        # Exact match: the query string is not part of the comparison, so
        # "/ui/vault/auth?with=..." lands here; "/ui/vault/auth/" (trailing
        # slash) does not and falls through to "location /" (the proxied
        # Ember route).
        location = /ui/vault/auth {
            alias /etc/nginx/overlay/login.html;
            default_type text/html;
            # Never cache an auth page.
            add_header Cache-Control "no-store";
        }

        # OIDC callback handler — exchanges code without Ember popup/postMessage flow.
        # ".+" accepts any auth mount path segment. With a fixed file alias in
        # a regex location nginx serves that file for the whole matched URI.
        # Regex locations are tried in file order, so this is checked before
        # the asset/API regex below.
        location ~ ^/ui/vault/auth/.+/oidc/callback/?$ {
            alias /etc/nginx/overlay/callback.html;
            default_type text/html;
            add_header Cache-Control "no-store";
        }

        # Static UI bundles and API calls bypass HTML injection and stay compressed.
        # Note "v1" is not followed by "/", so any URI beginning with "/v1"
        # matches. As a regex location this takes precedence over the
        # "location /" prefix below.
        location ~ ^/(v1|ui/assets|ui/engines-dist|ui/favicon\.svg) {
            proxy_pass http://openbao_upstream;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            # Behind an ingress these reflect the ingress hop, not the
            # end user — confirm against the deployment before trusting
            # them upstream.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Everything else (the Ember HTML shell and any other upstream
        # response) is proxied and, when text/html, rewritten by sub_filter.
        location / {
            proxy_pass http://openbao_upstream;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # $scheme is "http" on this plain listener; if TLS is terminated
            # in front of this nginx, forward the ingress's value instead —
            # TODO confirm.
            proxy_set_header X-Forwarded-Proto $scheme;
            # Disable upstream compression only for HTML shell injection.
            # sub_filter can only rewrite an uncompressed body, so ask the
            # upstream for identity encoding here; the asset/API location
            # above keeps compression.
            proxy_set_header Accept-Encoding "";
            proxy_buffering on;
            # Rewrite applies to every text/html response proxied through
            # this location (upstream error pages included), first match only.
            sub_filter_types text/html;
            sub_filter_once on;
            # NOTE(review): empty search pattern. sub_filter needs a non-empty
            # match string — as written nginx -t should reject this (or it
            # matches nothing), so no overlay injection happens. The real
            # <match-string> / <injected-snippet> pair appears to have been
            # stripped from this copy; restore it before deploying.
            sub_filter '' '';
        }
    }
}