flights_web/deployment/nginx/ui-dashboard.gnerim.ru.conf

# Production vhost for ui-dashboard.gnerim.ru.
# Symlink into /etc/nginx/sites-enabled/ and reload nginx.
# TLS certs assumed to exist via certbot (separate process).

server {
    listen 80;
    server_name ui-dashboard.gnerim.ru;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name ui-dashboard.gnerim.ru;

    ssl_certificate     /etc/letsencrypt/live/ui-dashboard.gnerim.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ui-dashboard.gnerim.ru/privkey.pem;

    auth_basic           "ui-dashboard";
    auth_basic_user_file /etc/nginx/htpasswd/ui-dashboard;

    # SSR app on loopback (container bound to 127.0.0.1:3002)
    location / {
        proxy_pass http://127.0.0.1:3002;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # Long-poll friendliness for any future SignalR / SSE
        proxy_read_timeout 300s;
        proxy_buffering    off;
    }

    # API proxy — bypass basic auth (gates HTML, not API).
    # Routed via the flights-tim-tunnel.service systemd unit (see
    # deployment/systemd/flights-tim-tunnel.service): 127.0.0.1:8443 is an
    # ssh -L tunnel to webzavod which exits via ppp0 with a corp-VPN source IP
    # the upstream WAF whitelists. SNI/Host are set explicitly because the
    # TCP target is loopback rather than the real hostname.
    location /api/ {
        auth_basic off;
        proxy_pass         https://127.0.0.1:8443;
        proxy_set_header   Host flights.test.aeroflot.ru;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
        proxy_ssl_name        flights.test.aeroflot.ru;
    }

    location /map/api/ {
        auth_basic off;
        proxy_pass         https://127.0.0.1:8443;
        proxy_set_header   Host flights.test.aeroflot.ru;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
        proxy_ssl_name        flights.test.aeroflot.ru;
    }
}