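# Docker-embedded DNS so that upstream names held in variables (set $..._upstream)
# are re-resolved at request time instead of once at startup. Locations that
# use a literal hostname in proxy_pass (/api/, /platform/, /authority/,
# /console/, /envsettings.json) are resolved at startup only and will fail
# config load if that name does not resolve at that moment.
resolver 127.0.0.11 valid=10s ipv6=off;

server {
    listen 8080;
    listen [::]:8080;
    server_name _;

    root /usr/share/nginx/html/browser;

    # --- Proxy defaults ---
    # NOTE: nginx inherits proxy_set_header from this level ONLY into locations
    # that declare no proxy_set_header of their own. Every location below sets
    # at least Host, so none of these server-level headers reach an upstream
    # unless the location repeats them. They are kept here as documentation of
    # the intended baseline; the per-location blocks are authoritative.
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffering off;
    proxy_read_timeout 120s;

    # --- API reverse proxy (eliminates CORS for same-origin requests) ---

    # Platform API (direct /api/ prefix for clients using environment.apiBaseUrl)
    location /api/ {
        proxy_pass http://platform.stella-ops.local/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Platform service (preserves /platform/ prefix for envsettings, admin)
    # X-Forwarded-For / X-Forwarded-Proto were previously missing here: because
    # this block declares its own proxy_set_header lines, the server-level
    # defaults are not inherited, so the upstream saw no forwarding headers.
    location /platform/ {
        proxy_pass http://platform.stella-ops.local/platform/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Authority general proxy (preserves /authority/ prefix for audit endpoints)
    # Same inheritance fix as /platform/: audit endpoints now receive the
    # client chain and scheme rather than only X-Real-IP.
    location /authority/ {
        proxy_pass http://authority.stella-ops.local/authority/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Authority console endpoints (branding, admin — preserves /console/ prefix)
    location /console/ {
        proxy_pass http://authority.stella-ops.local/console/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Authority OpenIddict endpoints (HTTPS — /connect/authorize, /connect/token, etc.)
    # The three HTTPS locations below (/connect/, discovery, /jwks) all use
    # proxy_ssl_verify off. This is the token issuer and its signing keys: with
    # verification disabled, nginx will accept any certificate presented on
    # that name, so the upstream identity rests entirely on Docker network
    # isolation and DNS. If the issuer's CA is available in the image, prefer
    # proxy_ssl_verify on with proxy_ssl_trusted_certificate pointing at it
    # (path not known from this file — placeholder: <AUTHORITY_CA_BUNDLE>).
    # Host is pinned to the upstream name (not $host) because the issuer
    # validates the Host header; X-Forwarded-Host carries the public host.
    location /connect/ {
        set $authority_connect https://authority.stella-ops.local;
        proxy_pass $authority_connect;
        proxy_ssl_verify off;
        proxy_ssl_server_name on;
        proxy_set_header Host authority.stella-ops.local;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
    }

    # OIDC discovery endpoint
    location = /.well-known/openid-configuration {
        set $authority_oidc https://authority.stella-ops.local;
        proxy_pass $authority_oidc/.well-known/openid-configuration;
        proxy_ssl_verify off;
        proxy_ssl_server_name on;
        proxy_set_header Host authority.stella-ops.local;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
    }

    # JWKS endpoint
    location = /jwks {
        set $authority_jwks https://authority.stella-ops.local;
        proxy_pass $authority_jwks/jwks;
        proxy_ssl_verify off;
        proxy_ssl_server_name on;
        proxy_set_header Host authority.stella-ops.local;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
    }

    # --- Prefix-stripping service proxies ---
    # Pattern: the upstream is held in a variable (runtime DNS via resolver
    # above), the leading path segment is removed with a `rewrite ... break`,
    # and proxy_pass is given without a URI so the rewritten path is forwarded.

    # Scanner service (strips /scanner/ prefix)
    location /scanner/ {
        set $scanner_upstream http://scanner.stella-ops.local;
        rewrite ^/scanner/(.*)$ /$1 break;
        proxy_pass $scanner_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Policy gateway (strips /policy/ prefix, regex avoids colliding with
    # Angular /policy/exceptions, /policy/packs SPA routes)
    location ~ ^/policy/(api|v[0-9]+)/ {
        set $policy_upstream http://policy-gateway.stella-ops.local;
        rewrite ^/policy/(.*)$ /$1 break;
        proxy_pass $policy_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Concelier — VEX feed aggregator (strips /concelier/ prefix)
    location /concelier/ {
        set $concelier_upstream http://concelier.stella-ops.local;
        rewrite ^/concelier/(.*)$ /$1 break;
        proxy_pass $concelier_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Attestor service (strips /attestor/ prefix)
    location /attestor/ {
        set $attestor_upstream http://attestor.stella-ops.local;
        rewrite ^/attestor/(.*)$ /$1 break;
        proxy_pass $attestor_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Notify service (strips /notify/ prefix)
    location /notify/ {
        set $notify_upstream http://notify.stella-ops.local;
        rewrite ^/notify/(.*)$ /$1 break;
        proxy_pass $notify_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Scheduler service (strips /scheduler/ prefix)
    location /scheduler/ {
        set $scheduler_upstream http://scheduler.stella-ops.local;
        rewrite ^/scheduler/(.*)$ /$1 break;
        proxy_pass $scheduler_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Signals service (strips /signals/ prefix)
    location /signals/ {
        set $signals_upstream http://signals.stella-ops.local;
        rewrite ^/signals/(.*)$ /$1 break;
        proxy_pass $signals_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Excititor service (key: excitor, strips /excitor/ prefix)
    # The public prefix is deliberately spelled "excitor" (one 't') while the
    # upstream hostname is "excititor"; the envsettings sub_filter below maps
    # the hostname to this prefix, so the two must be changed together.
    location /excitor/ {
        set $excitor_upstream http://excititor.stella-ops.local;
        rewrite ^/excitor/(.*)$ /$1 break;
        proxy_pass $excitor_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Findings Ledger service (key: ledger, strips /ledger/ prefix)
    location /ledger/ {
        set $ledger_upstream http://findings.stella-ops.local;
        rewrite ^/ledger/(.*)$ /$1 break;
        proxy_pass $ledger_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # VEX Hub service (key: vex, strips /vex/ prefix)
    location /vex/ {
        set $vex_upstream http://vexhub.stella-ops.local;
        rewrite ^/vex/(.*)$ /$1 break;
        proxy_pass $vex_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Environment settings (direct access alias)
    # sub_filter rewrites absolute Docker-internal URLs to relative paths so the
    # browser routes all API calls through this nginx reverse proxy (CORS fix).
    # Accept-Encoding is cleared so the upstream returns an uncompressed body
    # that sub_filter can rewrite; sub_filter_types must name application/json
    # because sub_filter only rewrites text/html by default.
    # NOTE(review): the last rule maps vexlens to "/vexlens", but no /vexlens/
    # location exists in this file, so such requests fall through to the SPA
    # fallback (index.html). Either a /vexlens/ proxy is defined elsewhere or
    # this mapping is currently unreachable — confirm before relying on it.
    location = /envsettings.json {
        proxy_pass http://platform.stella-ops.local/envsettings.json;
        proxy_set_header Host $host;
        proxy_set_header Accept-Encoding "";
        sub_filter_types application/json;
        sub_filter_once off;
        sub_filter '"http://router.stella-ops.local"' '""';
        sub_filter '"http://platform.stella-ops.local"' '"/platform"';
        sub_filter '"http://authority.stella-ops.local"' '"/authority"';
        sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';
        sub_filter '"http://policy-gateway.stella-ops.local"' '"/policy"';
        sub_filter '"http://concelier.stella-ops.local"' '"/concelier"';
        sub_filter '"http://attestor.stella-ops.local"' '"/attestor"';
        sub_filter '"http://notify.stella-ops.local"' '"/notify"';
        sub_filter '"http://scheduler.stella-ops.local"' '"/scheduler"';
        sub_filter '"http://signals.stella-ops.local"' '"/signals"';
        sub_filter '"http://excititor.stella-ops.local"' '"/excitor"';
        sub_filter '"http://findings.stella-ops.local"' '"/ledger"';
        sub_filter '"http://vexhub.stella-ops.local"' '"/vex"';
        sub_filter '"http://vexlens.stella-ops.local"' '"/vexlens"';
    }

    # --- Static files + SPA fallback (must be last) ---
    # Any path not matched above is served from root, or falls back to
    # index.html so the Angular router can handle client-side routes.
    location / {
        try_files $uri $uri/ /index.html;
    }
}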