Amend CORS

2025-07-15 16:15:10 +02:00
parent edeffa7012
commit 9148bb3463
5 changed files with 55 additions and 18 deletions
--- a/nginx.conf.template
+++ b/nginx.conf.template
@@ -0,0 +1,86 @@
+# Main nginx configuration
+worker_processes auto;
+error_log /dev/stderr warn;
+pid /tmp/nginx.pid;  # Use writable location for PID
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+    sendfile on;
+    keepalive_timeout 65;
+    access_log /dev/stdout;
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path /tmp/proxy_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+    absolute_redirect off;
+
+    map $http_origin $cors_origin {
+        default "";
+        "~*" $http_origin;
+    }
+
+    upstream backend {
+        server localhost:8080;
+    }
+
+    server {
+        listen 7070;
+        server_name localhost;
+        root /usr/share/nginx/html;
+        index index.html;
+
+        # Handle client-side routing
+        location / {
+            root /usr/share/nginx/html;
+            index index.html;
+            try_files $uri $uri/ /index.html;
+
+            # Security headers
+            add_header X-Content-Type-Options nosniff;
+            add_header X-Frame-Options "DENY";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+        }
+
+        # Serve config.js from the writable location
+        location = /config.js {
+            alias /runtime-config/config.js;
+            add_header Cache-Control "no-store, no-cache, must-revalidate";
+            access_log off;
+        }
+
+        location /api/ {
+            # Proxy to Quarkus
+            proxy_pass         http://backend/;
+            proxy_http_version 1.1;
+            proxy_set_header   Host              $host;
+            proxy_set_header   X-Real-IP         $remote_addr;
+            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Proto $scheme;
+            proxy_set_header   Upgrade           $http_upgrade;
+            proxy_set_header   Connection        "upgrade";
+
+            # Relay CORS headers from the backend
+            proxy_pass_header  Access-Control-Allow-Origin;
+            proxy_pass_header  Access-Control-Allow-Methods;
+            proxy_pass_header  Access-Control-Allow-Headers;
+            proxy_pass_header  Access-Control-Allow-Credentials;
+        }
+
+        # Cache static assets
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+        }
+
+        # Security headers
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    }
+}