Amend CORS

docker/Dockerfile

@@ -18,13 +18,13 @@ RUN mkdir -p /runtime-config && \
 USER nginx
 
 # Copy built assets
-COPY --from=builder --chown=nginx:nginx /app/dist /usr/share/nginx/html
+COPY --chown=nginx:nginx dist /usr/share/nginx/html
 
-# Copy our custom nginx config
-COPY nginx.conf /etc/nginx/nginx.conf
+# Copy nginx config template
+COPY --chown=nginx:nginx nginx.conf.template /etc/nginx/templates/
 
 # Copy entrypoint script
-COPY docker/entrypoint.sh /entrypoint.sh
+COPY --chown=nginx:nginx docker/entrypoint.sh /entrypoint.sh
 
 # Make entrypoint executable
 USER root

docker/entrypoint.sh

@@ -4,10 +4,16 @@ set -e
 # Create runtime config file in writable location
 cat > /runtime-config/config.js <<EOF
 window.__APP_CONFIG__ = {
-  API_BASE_URL: "${API_BASE_URL}",
-  OTHER_VAR: "${OTHER_VAR}"
+  API_BASE_URL: "${API_BASE_URL}"
 };
 EOF
 
+# Generate nginx config from template (if using)
+if [ -f "/etc/nginx/templates/nginx.conf.template" ]; then
+  envsubst '${API_BASE_URL}' \
+    < /etc/nginx/templates/nginx.conf.template \
+    > /etc/nginx/nginx.conf
+fi
+
 # Start Nginx
 exec nginx -g "daemon off;"

nginx.conf.template

@@ -18,16 +18,33 @@ http {
     fastcgi_temp_path /tmp/fastcgi_temp;
     uwsgi_temp_path /tmp/uwsgi_temp;
     scgi_temp_path /tmp/scgi_temp;
+    absolute_redirect off;
+
+    map $http_origin $cors_origin {
+        default "";
+        "~*" $http_origin;
+    }
+
+    upstream backend {
+        server localhost:8080;
+    }
 
     server {
-        listen 8080;
+        listen 7070;
         server_name localhost;
         root /usr/share/nginx/html;
         index index.html;
 
         # Handle client-side routing
         location / {
+            root /usr/share/nginx/html;
+            index index.html;
             try_files $uri $uri/ /index.html;
+
+            # Security headers
+            add_header X-Content-Type-Options nosniff;
+            add_header X-Frame-Options "DENY";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
         }
 
         # Serve config.js from the writable location
@@ -37,6 +54,24 @@ http {
             access_log off;
         }
 
+        location /api/ {
+            # Proxy to Quarkus
+            proxy_pass         http://backend/;
+            proxy_http_version 1.1;
+            proxy_set_header   Host              $host;
+            proxy_set_header   X-Real-IP         $remote_addr;
+            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Proto $scheme;
+            proxy_set_header   Upgrade           $http_upgrade;
+            proxy_set_header   Connection        "upgrade";
+
+            # Relay CORS headers from the backend
+            proxy_pass_header  Access-Control-Allow-Origin;
+            proxy_pass_header  Access-Control-Allow-Methods;
+            proxy_pass_header  Access-Control-Allow-Headers;
+            proxy_pass_header  Access-Control-Allow-Credentials;
+        }
+
         # Cache static assets
         location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
             expires 1y;

src/api/index.ts

@@ -1,7 +1,13 @@
 import axios from "axios";
 import {userManager} from "../stores/auth.ts";
+import {getConfig} from "@/util/config.ts";
 
-const axiosInstance = axios.create()
+const axiosInstance = axios.create({
+  baseURL: getConfig().API_BASE_URL || '/api',
+  headers: {
+    'Content-Type': 'application/json'
+  }
+})
 
 axiosInstance.interceptors.request.use(async (config) => {
   const user = await userManager.getUser()

vite.config.ts

@@ -24,16 +24,6 @@ export default defineConfig({
       '@': path.resolve(__dirname, './src'),
     }
   },
-  server: {
-    proxy: {
-      '/api': {
-        target: 'http://dex-be:8080',
-        changeOrigin: true,
-        secure: true,
-        rewrite: (path) => path.replace(/^\/api/, '')
-      }
-    }
-  },
   build: {
     // @ts-ignore
     assetsInclude: [