fix: resolve nginx 405 on POST and CAE internal mode issues

Ashwal-Microsoft · Copilot · Ashwal-Microsoft · commit 8c0985c82daf · 2026-05-07T18:18:39.000+05:30
- Change proxy_set_header Host from $host to $proxy_host so Container
  Apps ingress routes to the API app (not back to web app)
- Add client_max_body_size 100m and proxy timeouts to nginx config
- Add safe default for APP_BACKEND_API_URL in env.sh
- Revert CAE to external mode (internal: false) - only API ingress is
  internal; web app remains publicly accessible without App Gateway
- Remove unnecessary Private DNS Zone for CAE
- Update post-deployment scripts to use web app /api proxy when private
  networking is enabled (instead of calling unreachable internal API)
- Add ENABLE_PRIVATE_NETWORKING bicep output for post-deployment detection

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -931,8 +931,8 @@ module avmContainerAppEnv 'br/public:avm/res/app/managed-environment:0.13.2' = {
       }
     ]
     enableTelemetry: enableTelemetry
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
-    internal: enablePrivateNetworking ? true : false
+    publicNetworkAccess: 'Enabled'
+    internal: false
 
     // <========== WAF related parameters
 
@@ -945,34 +945,6 @@ module avmContainerAppEnv 'br/public:avm/res/app/managed-environment:0.13.2' = {
   }
 }
 
-// ========== Private DNS Zone for internal Container App Environment ========== //
-// When the CAE is internal, its FQDN is resolvable only within the VNet via this zone.
-module caeDnsZone 'br/public:avm/res/network/private-dns-zone:0.8.0' = if (enablePrivateNetworking) {
-  name: take('avm.res.network.private-dns-zone.cae.${solutionSuffix}', 64)
-  params: {
-    name: avmContainerAppEnv.outputs.defaultDomain
-    tags: tags
-    enableTelemetry: enableTelemetry
-    a: [
-      {
-        name: '*'
-        aRecords: [
-          {
-            ipv4Address: avmContainerAppEnv.outputs.staticIp
-          }
-        ]
-        ttl: 300
-      }
-    ]
-    virtualNetworkLinks: [
-      {
-        name: take('vnetlink-vnet-${solutionSuffix}-cae', 64)
-        virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
-      }
-    ]
-  }
-}
-
 // //=========== Managed Identity for Container Registry ========== //
 module avmContainerRegistryReader 'br/public:avm/res/managed-identity/user-assigned-identity:0.5.0' = {
   name: take('avm.res.managed-identity.user-assigned-identity.${solutionSuffix}', 64)
@@ -1971,5 +1943,8 @@ output CONTAINER_REGISTRY_LOGIN_SERVER string = avmContainerRegistry.outputs.log
 @description('The name of the Content Understanding AI Services account.')
 output CONTENT_UNDERSTANDING_ACCOUNT_NAME string = avmAiServices_cu.outputs.name
 
+@description('Whether private networking (WAF) is enabled.')
+output ENABLE_PRIVATE_NETWORKING bool = enablePrivateNetworking
+
 @description('The resource group the resources were deployed into.')
 output AZURE_RESOURCE_GROUP string = resourceGroup().name
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
@@ -934,8 +934,8 @@ module avmContainerAppEnv 'br/public:avm/res/app/managed-environment:0.13.2' = {
       }
     ]
     enableTelemetry: enableTelemetry
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
-    internal: enablePrivateNetworking ? true : false
+    publicNetworkAccess: 'Enabled'
+    internal: false
 
     // <========== WAF related parameters
 
@@ -948,34 +948,6 @@ module avmContainerAppEnv 'br/public:avm/res/app/managed-environment:0.13.2' = {
   }
 }
 
-// ========== Private DNS Zone for internal Container App Environment ========== //
-// When the CAE is internal, its FQDN is resolvable only within the VNet via this zone.
-module caeDnsZone 'br/public:avm/res/network/private-dns-zone:0.8.0' = if (enablePrivateNetworking) {
-  name: take('avm.res.network.private-dns-zone.cae.${solutionSuffix}', 64)
-  params: {
-    name: avmContainerAppEnv.outputs.defaultDomain
-    tags: tags
-    enableTelemetry: enableTelemetry
-    a: [
-      {
-        name: '*'
-        aRecords: [
-          {
-            ipv4Address: avmContainerAppEnv.outputs.staticIp
-          }
-        ]
-        ttl: 300
-      }
-    ]
-    virtualNetworkLinks: [
-      {
-        name: take('vnetlink-vnet-${solutionSuffix}-cae', 64)
-        virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
-      }
-    ]
-  }
-}
-
 // //=========== Managed Identity for Container Registry ========== //
 module avmContainerRegistryReader 'br/public:avm/res/managed-identity/user-assigned-identity:0.5.0' = {
   name: take('avm.res.managed-identity.user-assigned-identity.${solutionSuffix}', 64)
@@ -2012,5 +1984,8 @@ output AZURE_CONTAINER_REGISTRY_ENDPOINT string = avmContainerRegistry.outputs.l
 @description('The name of the Content Understanding AI Services account.')
 output CONTENT_UNDERSTANDING_ACCOUNT_NAME string = avmAiServices_cu.outputs.name
 
+@description('Whether private networking (WAF) is enabled.')
+output ENABLE_PRIVATE_NETWORKING bool = enablePrivateNetworking
+
 @description('The resource group the resources were deployed into.')
 output AZURE_RESOURCE_GROUP string = resourceGroup().name
diff --git a/infra/scripts/post_deployment.ps1 b/infra/scripts/post_deployment.ps1
@@ -50,11 +50,26 @@ Write-Host "  [Link] Portal URL: $WORKFLOW_APP_PORTAL_URL"
 
 Write-Host ""
 Write-Host "[Package] Registering schemas and creating schema set..."
+
+# Check if private networking (WAF) is enabled
+$ENABLE_PRIVATE_NETWORKING = $null
+try {
+    $ENABLE_PRIVATE_NETWORKING = azd env get-value ENABLE_PRIVATE_NETWORKING 2>$null
+} catch { }
+
+# When private networking is enabled, the API is internal-only (ingressExternal=false).
+# Use the web app's /api proxy to reach the backend through same-origin routing.
+if ($ENABLE_PRIVATE_NETWORKING -eq "true") {
+    Write-Host "  [Info] Private networking (WAF) is enabled. Using web app /api proxy to reach backend."
+    $ApiBaseUrl = "https://$CONTAINER_WEB_APP_FQDN/api"
+} else {
+    $ApiBaseUrl = "https://$CONTAINER_API_APP_FQDN"
+}
+
 Write-Host "  [Wait] Waiting for API to be ready..."
 
 $MaxRetries = 10
 $RetryInterval = 15
-$ApiBaseUrl = "https://$CONTAINER_API_APP_FQDN"
 $ApiReady = $false
 
 for ($i = 1; $i -le $MaxRetries; $i++) {
diff --git a/infra/scripts/post_deployment.sh b/infra/scripts/post_deployment.sh
@@ -60,11 +60,23 @@ echo "  🔗 Portal URL: $WORKFLOW_APP_PORTAL_URL"
 
 echo ""
 echo "📦 Registering schemas and creating schema set..."
+
+# Check if private networking (WAF) is enabled
+ENABLE_PRIVATE_NETWORKING=$(azd env get-value ENABLE_PRIVATE_NETWORKING 2>/dev/null || echo "")
+
+# When private networking is enabled, the API is internal-only (ingressExternal=false).
+# Use the web app's /api proxy to reach the backend through same-origin routing.
+if [ "$ENABLE_PRIVATE_NETWORKING" = "true" ]; then
+  echo "  ℹ️  Private networking (WAF) is enabled. Using web app /api proxy to reach backend."
+  API_BASE_URL="https://$CONTAINER_WEB_APP_FQDN/api"
+else
+  API_BASE_URL="https://$CONTAINER_API_APP_FQDN"
+fi
+
 echo "  ⏳ Waiting for API to be ready..."
 
 MAX_RETRIES=10
 RETRY_INTERVAL=15
-API_BASE_URL="https://$CONTAINER_API_APP_FQDN"
 
 for i in $(seq 1 $MAX_RETRIES); do
   STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$API_BASE_URL/schemavault/" 2>/dev/null || echo "000")
diff --git a/src/ContentProcessorWeb/env.sh b/src/ContentProcessorWeb/env.sh
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Ensure APP_BACKEND_API_URL has a safe default so nginx can always start.
+# When not set, the /api/ proxy_pass will point to a non-routable placeholder
+# and return 502, which is acceptable — the direct API path still works.
+export APP_BACKEND_API_URL="${APP_BACKEND_API_URL:-http://localhost:8080}"
+
 for i in $(env | grep ^APP_)
 do
     key=$(echo $i | cut -d '=' -f 1)
diff --git a/src/ContentProcessorWeb/nginx-custom.conf b/src/ContentProcessorWeb/nginx-custom.conf
@@ -14,19 +14,28 @@ http {
     types_hash_max_size 2048;
     types_hash_bucket_size 128;
 
+    # Allow large file uploads through the /api proxy
+    client_max_body_size 100m;
+
     server {
         listen 3000;
         server_name localhost;
 
         # Route browser API calls through the web container so private backend
         # endpoints remain internal-only in WAF/private networking deployments.
+        # APP_BACKEND_API_URL is substituted at runtime by env.sh; if unset, this
+        # block is effectively a no-op (returns 502) which is safe for nginx startup.
         location /api/ {
             proxy_http_version 1.1;
-            proxy_set_header Host $host;
+            proxy_set_header Host $proxy_host;
+            proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 120s;
+            proxy_read_timeout 120s;
             proxy_pass APP_BACKEND_API_URL/;
         }
 
