railiance-platform/helm/openbao-ui-overlay/nginx.conf

worker_processes auto;
error_log /dev/stderr notice;
pid /tmp/nginx.pid;

events {
  worker_connections 1024;
}

http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  access_log /dev/stdout;
  sendfile on;
  keepalive_timeout 65;
  server_tokens off;

  upstream openbao_upstream {
    server openbao.openbao.svc.cluster.local:8200;
  }

  server {
    listen 8080;

    location /ui/platform-overlay/ {
      alias /etc/nginx/overlay/;
      add_header Cache-Control "public, max-age=300";
    }

    # Standalone KeyCape login page — bypasses Ember auth route and ?with= bounce.
    location = /ui/vault/auth {
      alias /etc/nginx/overlay/login.html;
      default_type text/html;
      add_header Cache-Control "no-store";
    }

    # Static UI bundles and API calls bypass HTML injection and stay compressed.
    location ~ ^/(v1|ui/assets|ui/engines-dist|ui/favicon\.svg) {
      proxy_pass http://openbao_upstream;
      proxy_http_version 1.1;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
      proxy_pass http://openbao_upstream;
      proxy_http_version 1.1;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      # Disable upstream compression only for HTML shell injection.
      proxy_set_header Accept-Encoding "";
      proxy_buffering on;

      sub_filter_types text/html;
      sub_filter_once on;
      sub_filter '</head>' '<link rel="stylesheet" href="/ui/platform-overlay/overlay.css"><script src="/ui/platform-overlay/overlay.js" defer></script></head>';
    }
  }
}