ui: fix nginx conf

Signed-off-by: Viktor Login <[email protected]>

Author: batazor

boundaries/ui/ops/Dockerfile

@@ -102,9 +102,8 @@ RUN apk add --no-cache curl \
 ###############################################################################
 # NGINX configuration & static assets
 ###############################################################################
-COPY ./ops/conf/ui.local     /etc/nginx/conf.d/default.conf
-COPY ./ops/conf/nginx.conf   /etc/nginx/nginx.conf
-COPY ./ops/conf/templates    /etc/nginx/template
+COPY ./ops/conf/ui.local   /etc/nginx/conf.d/default.conf
+COPY ./ops/conf/nginx.conf /etc/nginx/nginx.conf
 
 # Next.js export build from the builder stage
 COPY --from=builder /app/out /usr/share/nginx/html

boundaries/ui/ops/conf/nginx.conf

@@ -1,52 +1,46 @@
 # Load the OpenTelemetry (OTel) module for NGINX
 load_module modules/ngx_otel_module.so;
 
-worker_processes auto;        # Use one worker per CPU core
-pid /tmp/nginx.pid;           # PID file in /tmp (container-friendly)
-env OTEL_EXPORTER_OTLP_ENDPOINT;  # Inherit the environment variable into NGINX
+worker_processes auto;
+pid /tmp/nginx.pid;
+error_log /dev/stderr warn;
 
 events {
-    worker_connections 2048;  # Max connections per worker
-    use epoll;                # Efficient Linux event notification mechanism
-    multi_accept on;          # Accept multiple connections at once
+    worker_connections 2048;
+    use epoll;
+    multi_accept on;
 }
 
 http {
-    # Map the environment variable to a configuration variable, with fallback
-    map $OTEL_EXPORTER_OTLP_ENDPOINT $otel_exporter_endpoint {
-        default $OTEL_EXPORTER_OTLP_ENDPOINT;
-        ""      "http://grafana-tempo.grafana:4317";
-    }
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
 
-    # OpenTelemetry exporter configuration
+    # OTEL exporter
     otel_exporter {
-        endpoint $otel_exporter_endpoint;  # Send spans to this endpoint
-        interval 1s;                       # Flush interval
-        batch_size 2048;                   # Maximum spans per batch
+        endpoint http://grafana-tempo.grafana:4317;
+        interval 1s;
+        batch_size 2048;
     }
 
-    otel_service_name "shortlink-ui";  # Service name seen in tracing backend
-    otel_trace on;                      # Enable tracing for HTTP requests
-    otel_trace_context propagate;       # Propagate W3C trace context to upstream
+    otel_service_name "shortlink-ui";
+    otel_trace on;
+    otel_trace_context propagate;
 
-    # Temporary file paths (suitable for containers)
+    # Temp paths (container-safe)
     proxy_temp_path       /tmp/proxy_temp;
     client_body_temp_path /tmp/client_temp;
     fastcgi_temp_path     /tmp/fastcgi_temp;
     uwsgi_temp_path       /tmp/uwsgi_temp;
     scgi_temp_path        /tmp/scgi_temp;
 
-    # Static file & connection optimisations
-    sendfile        on;
-    tcp_nopush      on;
-    tcp_nodelay     on;
+    # IO options
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
     keepalive_timeout 65s;
     keepalive_requests 1000;
 
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    # Logging in JSON format, including trace IDs
+    # Logging (JSON format)
     map $upstream_response_time $temprt {
         default $upstream_response_time;
         ""      0;
@@ -66,14 +60,13 @@ http {
         '"http_referrer":"$http_referer",'
         '"http_user_agent":"$http_user_agent"}';
 
-    access_log  /var/log/nginx/access.log json;
-    error_log   /var/log/nginx/error.log warn;
+    access_log /dev/stdout json;
 
-    # Gzip compression settings
-    gzip              on;
-    gzip_min_length   10240;
-    gzip_proxied      any;
-    gzip_disable      "msie6";
+    # Gzip
+    gzip on;
+    gzip_min_length 10240;
+    gzip_proxied any;
+    gzip_disable "msie6";
     gzip_types
         text/plain
         text/css
@@ -83,6 +76,5 @@ http {
         application/javascript
         image/svg+xml;
 
-    # Include other server/location configs
-    include /etc/nginx/conf.d/*;
+    include /etc/nginx/conf.d/default.conf;
 }

boundaries/ui/ops/conf/ssl/.keep

@@ -1,49 +1,56 @@
 server {
-    listen      8080;
-    listen [::]:8080;
+    listen 8080 default_server;
+    listen [::]:8080 default_server;
     server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+    charset utf-8;
+
     absolute_redirect off;
     port_in_redirect off;
 
-    # Support for URL/ → file.html
+    add_header X-DNS-Prefetch-Control "off" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    location = /favicon.ico {
+        access_log off;
+        log_not_found off;
+    }
+
+    location = /robots.txt {
+        access_log off;
+        log_not_found off;
+    }
+
     location ~ ^/(.*)/$ {
         try_files /$1.html =404;
     }
 
-    # GZIP settings
-    gzip on;
-    gzip_proxied any;
-    gzip_comp_level 4;
-    gzip_types text/css application/javascript image/svg+xml;
-
-    # Static assets
     location ~* \.(?:ico|gif|jpe?g|png|woff2?|eot|otf|ttf|svg|js|css)$ {
         try_files $uri $uri/ =404;
     }
 
-    # Main routing
     location / {
         try_files $uri.html $uri $uri/ @htmlext;
     }
 
-    # Direct .html access
     location ~ \.html$ {
         try_files $uri =404;
     }
 
-    # Rewrite to .html
     location @htmlext {
         rewrite ^(.*)$ $1.html last;
     }
 
-    # Liveness
     location = /live {
         access_log off;
         default_type application/json;
         return 200 '{"status":"healthy"}';
     }
 
-    # Readiness
     location = /ready {
         access_log off;
         default_type application/json;