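# Serves the static FIPS app on :8336 and proxies /rpc/v1 to the local
# archipelago RPC backend.
#
# NOTE: the directives must stay one per line. With the file collapsed onto a
# single line, the first `#` turns everything after it (including the closing
# braces) into a comment and the config no longer parses.
server {
    listen 8336;
    server_name _;

    root /usr/share/nginx/html;
    index index.html;

    # Proxy archipelago RPC same-origin so the browser never makes a
    # cross-origin request (no CORS needed). The FIPS app is served on
    # this node's :8336; cookies are scoped by host (not port), so the
    # browser already carries the `session` (HttpOnly) and `csrf_token`
    # cookies set by the main UI on :80. We forward both, plus the
    # X-CSRF-Token header the app derives from the readable csrf_token
    # cookie, to the backend RPC on 127.0.0.1:5678.
    #
    # Unlike bitcoin-ui this config is fully static (baked into the
    # image) — there is no upstream secret to substitute; the browser's
    # own archipelago session is the credential.
    #
    # Security notes for maintainers:
    #  - Because the cookies are host-scoped, any script served from this
    #    port can call the RPC with the user's main-UI session and can read
    #    csrf_token. Everything under `root` therefore needs the same trust
    #    level (and the same XSS hygiene) as the main UI itself.
    #  - This listener has no `ssl` parameter. Unless TLS is terminated in
    #    front of this server (not visible here — confirm), the session
    #    cookie and CSRF token travel in clear text.
    #  - `location /rpc/v1` is a prefix match: /rpc/v1/... and /rpc/v1<suffix>
    #    are forwarded as well. The backend must reject paths it does not
    #    serve and must enforce the session + CSRF check itself; nginx does
    #    no authentication here.
    location /rpc/v1 {
        proxy_pass http://127.0.0.1:5678/rpc/v1;
        proxy_http_version 1.1;

        proxy_set_header Host $host;

        # Explicit pass-through of the browser's credentials. When the client
        # sends no X-CSRF-Token, the variable is empty and nginx omits the
        # header, so the backend has to treat a missing token as a failure.
        proxy_set_header Cookie $http_cookie;
        proxy_set_header X-CSRF-Token $http_x_csrf_token;

        # X-Real-IP is the peer nginx actually saw. X-Forwarded-For is the
        # client-supplied value with $remote_addr appended, so only its last
        # entry is trustworthy; the backend should not use earlier entries
        # for rate limiting, allow-listing or audit attribution.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_read_timeout 60s;

        # `always` makes nginx attach the header to error responses too;
        # without it, add_header only applies to a fixed set of 2xx/3xx
        # statuses and authenticated RPC errors would go out without no-store.
        add_header Cache-Control "no-store" always;
    }

    # Single-page-app fallback: unknown paths resolve to index.html.
    location / {
        try_files $uri $uri/ /index.html;
    }
}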