nginx.conf.template
# Rate limiting zone for external National ID API (2 requests/second per IP)
# Keyed on $binary_remote_addr, i.e. the peer address of the connection as nginx sees it.
# NOTE(review): if this server sits behind a load balancer or another proxy, all clients
# share that proxy's address and the limit becomes effectively global - confirm whether
# the real client address is restored (realip module) somewhere outside this file.
# "10m" is the size of the shared-memory zone that holds the per-address state.
limit_req_zone $binary_remote_addr zone=external_nationalid:10m rate=2r/s;
# Rate limiting zone for Remittance API (2 requests/second per IP)
# Same key and size as above; kept as a separate zone so the two APIs are counted independently.
limit_req_zone $binary_remote_addr zone=remittance_api:10m rate=2r/s;
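# Front-end server: serves the Angular bundle from /usr/share/nginx/html and
# reverse-proxies three API prefixes (Fineract, National ID, Remittance).
# ${...} placeholders are filled in by envsubst when the container starts;
# $name variables are evaluated by nginx per request.
# NOTE(review): this block listens on plain HTTP only - presumably TLS is
# terminated in front of this container; confirm before exposing port 80 directly.
server {
    listen 80;
    server_name _;
    root /usr/share/nginx/html;
    index index.html;

    # Fineract API proxy
    # "^~" makes this prefix final: without it nginx still evaluates the
    # static-asset regex location below, so an API path ending in .js, .png,
    # etc. would be answered from the static root instead of being proxied.
    location ^~ /fineract-provider/ {
        proxy_pass ${FINERACT_API_URL}/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so the upstream must not trust
        # the earlier entries in that list.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # External National ID API proxy (only if configured)
    # "^~" keeps the static-asset regex location from taking over paths under
    # this prefix (see the Fineract location above).
    # This location performs no authentication of its own: any client that can
    # reach this server has the API key attached to its request, and the per-IP
    # rate limit is the only control visible in this file.
    location ^~ /external-nationalid {
        # Use Docker DNS resolver for upstream resolution
        resolver 127.0.0.11 valid=30s;

        # Rate limit to prevent abuse of the upstream National ID API
        limit_req zone=external_nationalid burst=5 nodelay;

        # Read target from env var at runtime (set via envsubst on container start)
        set $external_nationalid_target "${EXTERNAL_NATIONALID_API_URL}";

        # Not configured: answer 404 instead of handing an empty URL to
        # proxy_pass, which would fail at request time with a 500.
        if ($external_nationalid_target = "") {
            return 404;
        }

        # Rewrite path: strip /external-nationalid prefix before proxying
        # NOTE(review): the prefix match is not anchored at a "/" boundary, so
        # /external-nationalidX also lands here and is rewritten to "X"; a bare
        # /external-nationalid rewrites to an empty URI - confirm callers always
        # send /external-nationalid/...
        rewrite ^/external-nationalid(.*)$ $1 break;

        proxy_pass $external_nationalid_target;
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Inject API key server-side so it is never exposed to the browser
        # The key ends up in clear text in the rendered config file, so that
        # file needs the same protection as the secret itself.
        proxy_set_header ${EXTERNAL_NATIONAL_ID_SYSTEM_API_HEADER} "${EXTERNAL_NATIONAL_ID_SYSTEM_API_KEY}";

        # Pass through the original headers from the client
        # ("on" is also nginx's default). This includes Authorization and Cookie.
        # NOTE(review): if the browser attaches Fineract credentials to
        # same-origin requests they are forwarded to this external upstream;
        # once confirmed the upstream does not need them, clear them with
        # proxy_set_header <name> "".
        proxy_pass_request_headers on;

        # CORS is not needed since requests come from the same origin
    }

    # Remittance API proxy
    # "^~" keeps the static-asset regex location from taking over paths under
    # this prefix. As with the National ID proxy, no authentication is done
    # here; the injected key is sent for every request that reaches this location.
    location ^~ /remittance-api {
        resolver 127.0.0.11 valid=30s;

        # Rate limit to prevent abuse of the upstream Remittance API
        limit_req zone=remittance_api burst=5 nodelay;

        set $remittance_target "${MIFOS_REMITTANCE_API_URL}";

        # Not configured: answer 404 instead of failing in proxy_pass with a 500.
        if ($remittance_target = "") {
            return 404;
        }

        # Rewrite path: /remittance-api/... -> /1.0/remittance/...
        # NOTE(review): not anchored at a "/" boundary, so /remittance-apiX is
        # rewritten to /1.0/remittanceX - confirm that is acceptable upstream.
        rewrite ^/remittance-api(.*)$ /1.0/remittance$1 break;

        proxy_pass $remittance_target;
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Inject API key server-side so it is never exposed to the browser
        # The rendered config file holds the key in clear text; protect it accordingly.
        proxy_set_header ${MIFOS_REMITTANCE_API_HEADER} "${MIFOS_REMITTANCE_API_KEY}";

        # Client headers (including Authorization and Cookie) are forwarded.
        # NOTE(review): same credential-forwarding question as the National ID proxy.
        proxy_pass_request_headers on;
    }

    # Angular app - serve index.html for all routes
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Cache static assets
    # Regex locations win over plain prefix locations, which is why the proxy
    # locations above carry "^~".
    # NOTE(review): a one-year immutable cache assumes asset file names change
    # with their content - confirm the build emits hashed names.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}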