deployment: add nginx vhost for ui-dashboard.gnerim.ru

deployment/nginx/ui-dashboard.gnerim.ru.conf

@@ -0,0 +1,50 @@
+# Production vhost for ui-dashboard.gnerim.ru.
+# Symlink into /etc/nginx/sites-enabled/ and reload nginx.
+# TLS certs assumed to exist via certbot (separate process).
+
+server {
+    listen 80;
+    server_name ui-dashboard.gnerim.ru;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name ui-dashboard.gnerim.ru;
+
+    ssl_certificate     /etc/letsencrypt/live/ui-dashboard.gnerim.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ui-dashboard.gnerim.ru/privkey.pem;
+
+    auth_basic           "ui-dashboard";
+    auth_basic_user_file /etc/nginx/htpasswd/ui-dashboard;
+
+    # SSR app on loopback (container bound to 127.0.0.1:8081)
+    location / {
+        proxy_pass http://127.0.0.1:8081;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+
+        # Long-poll friendliness for any future SignalR / SSE
+        proxy_read_timeout 300s;
+        proxy_buffering    off;
+    }
+
+    # API proxy — bypass basic auth (gates HTML, not API).
+    # Static route on the host sends 172.18.0.0/16 via 192.168.88.58 (webzavod).
+    # /etc/hosts pins flights.test.aeroflot.ru → 172.18.0.121.
+    location /api/ {
+        auth_basic off;
+        proxy_pass         https://flights.test.aeroflot.ru;
+        proxy_set_header   Host flights.test.aeroflot.ru;
+        proxy_ssl_server_name on;
+    }
+
+    location /map/api/ {
+        auth_basic off;
+        proxy_pass         https://flights.test.aeroflot.ru;
+        proxy_set_header   Host flights.test.aeroflot.ru;
+        proxy_ssl_server_name on;
+    }
+}