coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8c1e64d5e0a0bf5e8ffb957dca3e367ad45aa6a0
railiance-platform/helm/openbao-ui-overlay/nginx.conf
tegwick 50799938db fix(openbao-ui): handle OIDC callback without Ember popup flow 
OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
2026-06-19 21:18:34 +02:00

69 lines
2.1 KiB
Nginx Configuration File
Raw Blame History

worker_processes auto;
error_log /dev/stderr notice;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
sendfile on;
keepalive_timeout 65;
server_tokens off;
upstream openbao_upstream {
server openbao.openbao.svc.cluster.local:8200;
}
server {
listen 8080;
location /ui/platform-overlay/ {
alias /etc/nginx/overlay/;
add_header Cache-Control "public, max-age=300";
}
# Standalone KeyCape login page — bypasses Ember auth route and ?with= bounce.
location = /ui/vault/auth {
alias /etc/nginx/overlay/login.html;
default_type text/html;
add_header Cache-Control "no-store";
}
# OIDC callback handler — exchanges code without Ember popup/postMessage flow.
location ~ ^/ui/vault/auth/.+/oidc/callback/?$ {
alias /etc/nginx/overlay/callback.html;
default_type text/html;
add_header Cache-Control "no-store";
}
# Static UI bundles and API calls bypass HTML injection and stay compressed.
location ~ ^/(v1|ui/assets|ui/engines-dist|ui/favicon\.svg) {
proxy_pass http://openbao_upstream;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_pass http://openbao_upstream;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Disable upstream compression only for HTML shell injection.
proxy_set_header Accept-Encoding "";
proxy_buffering on;
sub_filter_types text/html;
sub_filter_once on;
sub_filter '</head>' '<link rel="stylesheet" href="/ui/platform-overlay/overlay.css"><script src="/ui/platform-overlay/overlay.js" defer></script></head>';
}
}
}
Reference in New Issue View Git Blame Copy Permalink