dragonflight/services/web-ui/nginx.conf

# Map for proper WebSocket upgrade handling on the proxied locations below.
# Without this, hardcoding `proxy_set_header Connection "upgrade"` puts nginx
# into tunnel-mode for every request — which silently drops response headers
# including Set-Cookie. That broke session-cookie auth on /api/v1/auth/login:
# mam-api was issuing the cookie, web-ui's proxy was eating it before it
# reached the browser. With this map, Connection is only set to "upgrade"
# when the client actually requested an Upgrade (real WebSocket); otherwise
# it's "close" and the response flows through normally.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name _;

    # Docker embedded DNS — defers upstream resolution to request time
    # This prevents nginx crashing at startup if sibling containers aren't
    # ready yet (which happens on the first `docker compose up`).
    resolver 127.0.0.11 valid=10s ipv6=off;

    # Allow unlimited client upload size
    client_max_body_size 0;

    # Gzip compression
    gzip on;
    gzip_types text/plain text/css text/javascript application/javascript application/json;
    gzip_min_length 1000;

    # Root location - serve static files
    root /usr/share/nginx/html;

    # Fonts, icons, images: rarely change, safe to cache aggressively.
    location ~* \.(png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # CSS / JS — must revalidate so a redeploy is picked up immediately.
    # The index.html links these without a version query string, so without
    # this rule a stale stylesheet/script sits in the browser cache forever
    # (which produced the unstyled calendar that triggered this fix).
    location ~* \.(css|js)$ {
        expires -1;
        add_header Cache-Control "no-cache, must-revalidate";
    }

    # HTML files - no cache
    location ~* \.html?$ {
        expires -1;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    # Live HLS — served from /live (bind-mounted shared volume), low cache so playlist refreshes
    location /live/ {
        alias /live/;
        types { application/vnd.apple.mpegurl m3u8; video/mp2t ts; }
        add_header Cache-Control "no-cache";
        add_header Access-Control-Allow-Origin *;
    }

    # API proxy - forward to mam-api service
    location /api/ {
        set $api_upstream http://mam-api:3000;
        client_max_body_size 0;
        proxy_pass $api_upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Preserve Content-Type so multer receives the full multipart boundary (#74)
        proxy_set_header Content-Type $content_type;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
    }

    # Capture proxy - forward to capture service
    location /capture/ {
        set $capture_upstream http://capture:3001;
        proxy_pass $capture_upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_request_buffering off;
    }

    # Premiere panel downloads — served as binary attachments
    location /downloads/ {
        add_header Cache-Control "public, max-age=86400";
        add_header Content-Disposition 'attachment';
    }

    # SPA fallback - try to serve file, else route to the React shell.
    location / {
        try_files $uri $uri/ /index.html;
        expires -1;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    # Deny access to dotfiles
    location ~ /\. {
        deny all;
    }
}
fix(web-ui): stop nginx from eating Set-Cookie on /api/ and /capture/ Login was infinite-looping in production. Server side was healthy (sessions landing in PG, /me returning 200 to a manually-signed cookie) but the browser never received `Set-Cookie`. Bisected the proxy chain layer by layer with direct curls on the box: - mam-api direct (port 47432) → Set-Cookie present - web-ui nginx (port 47434) → Set-Cookie STRIPPED - NPM (https://dragonflight.live) → Set-Cookie stripped (because web-ui ate it) Root cause was this in /api/ and /capture/: proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; The literal "upgrade" was being sent on every request, not just real WebSocket negotiations. Nginx then routes the upstream response through its tunnel/upgrade code path, which doesn't preserve all response headers the same way — Set-Cookie got silently dropped. mam-api doesn't speak WebSockets today so it never sent a 101, and the bad pattern went unnoticed until session-cookie auth shipped. Fix is the standard conditional pattern: a `map` directive at the top of default.conf computes $connection_upgrade as "upgrade" only when the client actually requested Upgrade, otherwise "close". Both location blocks now send `Connection $connection_upgrade` instead of the hardcoded literal. WebSocket support on either location continues to work unchanged. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-27 21:48:49 -04:00			`# Map for proper WebSocket upgrade handling on the proxied locations below.`
			# Without this, hardcoding `proxy_set_header Connection "upgrade"` puts nginx
			`# into tunnel-mode for every request — which silently drops response headers`
			`# including Set-Cookie. That broke session-cookie auth on /api/v1/auth/login:`
			`# mam-api was issuing the cookie, web-ui's proxy was eating it before it`
			`# reached the browser. With this map, Connection is only set to "upgrade"`
			`# when the client actually requested an Upgrade (real WebSocket); otherwise`
			`# it's "close" and the response flows through normally.`
			`map $http_upgrade $connection_upgrade {`
			`default upgrade;`
			`'' close;`
			`}`

add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`server {`
			`listen 80;`
			`server_name _;`

fix(nginx): use Docker embedded DNS resolver to avoid startup DNS failure nginx resolves upstream hostnames at config load time, which fails when sibling containers haven't registered with the Docker DNS yet. Using resolver 127.0.0.11 with set $upstream defers resolution to request time, preventing the "host not found in upstream" startup crash. 2026-05-16 08:44:50 -04:00			`# Docker embedded DNS — defers upstream resolution to request time`
			`# This prevents nginx crashing at startup if sibling containers aren't`
			# ready yet (which happens on the first `docker compose up`).
			`resolver 127.0.0.11 valid=10s ipv6=off;`

Phase 2: services/web-ui/nginx.conf 2026-04-07 22:05:41 -04:00			`# Allow unlimited client upload size`
			`client_max_body_size 0;`

add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`# Gzip compression`
			`gzip on;`
			`gzip_types text/plain text/css text/javascript application/javascript application/json;`
			`gzip_min_length 1000;`

			`# Root location - serve static files`
			`root /usr/share/nginx/html;`

fix(web-ui): css must-revalidate so deployed styles are picked up immediately Nginx was serving css with `expires 1y; Cache-Control: public, immutable`, which combined with version-less <link href="styles-rest.css"> meant every browser permanently pinned whatever stylesheet it cached first. Users were seeing pre-polish-round-2 CSS even after the new image was deployed — the calendar grid rendered as a vertical stack of weekday names because the .cal-* rules didn't exist in the cached file. Move css into the same bucket as js: must-revalidate via ETag. Fonts, icons, and raster assets stay in the immutable 1y bucket since they don't change between deploys. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-23 15:40:26 -04:00			`# Fonts, icons, images: rarely change, safe to cache aggressively.`
			`location ~* \.(png\|jpg\|jpeg\|gif\|ico\|svg\|woff\|woff2\|ttf\|eot)$ {`
add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`expires 1y;`
			`add_header Cache-Control "public, immutable";`
			`}`

fix(web-ui): css must-revalidate so deployed styles are picked up immediately Nginx was serving css with `expires 1y; Cache-Control: public, immutable`, which combined with version-less <link href="styles-rest.css"> meant every browser permanently pinned whatever stylesheet it cached first. Users were seeing pre-polish-round-2 CSS even after the new image was deployed — the calendar grid rendered as a vertical stack of weekday names because the .cal-* rules didn't exist in the cached file. Move css into the same bucket as js: must-revalidate via ETag. Fonts, icons, and raster assets stay in the immutable 1y bucket since they don't change between deploys. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-23 15:40:26 -04:00			`# CSS / JS — must revalidate so a redeploy is picked up immediately.`
			`# The index.html links these without a version query string, so without`
			`# this rule a stale stylesheet/script sits in the browser cache forever`
			`# (which produced the unstyled calendar that triggered this fix).`
			`location ~* \.(css\|js)$ {`
fix(web-ui): bust JS cache so api.js fix actually reaches the browser The api.js library-list fix from the previous commit never reached the browser because nginx served all .js with `Cache-Control: public, immutable; max-age=31536000`. The HTML referenced api.js with no version query, so the browser kept its year-cached buggy copy. * nginx.conf: drop .js from the immutable long-cache block, add a no-cache must-revalidate block so future redeploys are picked up immediately. * All HTML files: tag api.js refs with ?v=4 so already-running browsers fetch the new version on next page load. 2026-05-17 08:30:49 -04:00			`expires -1;`
			`add_header Cache-Control "no-cache, must-revalidate";`
			`}`

add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`# HTML files - no cache`
			`location ~* \.html?$ {`
			`expires -1;`
			`add_header Cache-Control "no-cache, no-store, must-revalidate";`
			`}`

feat(growing-files): Phase 1 - live HLS preview during recording While a recorder is running, the capture container tees an HLS stream into /live/<assetId>/ alongside the ProRes master upload. The asset row is pre-created at recorder start with status='live' so the clip appears in the library immediately. /api/v1/assets/:id/stream returns the HLS playlist URL until recording stops, then proxy. * docker-compose: shared wild-dragon-live mount on api/capture/web-ui * migration 001-add-live-status: idempotent ALTER TYPE for asset_status * mam-api: runMigrations() on boot; recorders.js pre-creates live asset + passes ASSET_ID; assets.js POST upserts on existing live row instead of inserting a duplicate, and stream route returns HLS for live assets * capture: parallel HLS ffmpeg into /live/<assetId>/; ASSET_ID env * web-ui: nginx serves /live/, preview.js loads hls.js, LIVE badge added 2026-05-18 07:29:50 -04:00			`# Live HLS — served from /live (bind-mounted shared volume), low cache so playlist refreshes`
			`location /live/ {`
			`alias /live/;`
			`types { application/vnd.apple.mpegurl m3u8; video/mp2t ts; }`
			`add_header Cache-Control "no-cache";`
			`add_header Access-Control-Allow-Origin *;`
			`}`

add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`# API proxy - forward to mam-api service`
			`location /api/ {`
fix(nginx): use Docker embedded DNS resolver to avoid startup DNS failure nginx resolves upstream hostnames at config load time, which fails when sibling containers haven't registered with the Docker DNS yet. Using resolver 127.0.0.11 with set $upstream defers resolution to request time, preventing the "host not found in upstream" startup crash. 2026-05-16 08:44:50 -04:00			`set $api_upstream http://mam-api:3000;`
Phase 2: services/web-ui/nginx.conf 2026-04-07 22:05:41 -04:00			`client_max_body_size 0;`
fix(nginx): use Docker embedded DNS resolver to avoid startup DNS failure nginx resolves upstream hostnames at config load time, which fails when sibling containers haven't registered with the Docker DNS yet. Using resolver 127.0.0.11 with set $upstream defers resolution to request time, preventing the "host not found in upstream" startup crash. 2026-05-16 08:44:50 -04:00			`proxy_pass $api_upstream;`
add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
fix(web-ui): stop nginx from eating Set-Cookie on /api/ and /capture/ Login was infinite-looping in production. Server side was healthy (sessions landing in PG, /me returning 200 to a manually-signed cookie) but the browser never received `Set-Cookie`. Bisected the proxy chain layer by layer with direct curls on the box: - mam-api direct (port 47432) → Set-Cookie present - web-ui nginx (port 47434) → Set-Cookie STRIPPED - NPM (https://dragonflight.live) → Set-Cookie stripped (because web-ui ate it) Root cause was this in /api/ and /capture/: proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; The literal "upgrade" was being sent on every request, not just real WebSocket negotiations. Nginx then routes the upstream response through its tunnel/upgrade code path, which doesn't preserve all response headers the same way — Set-Cookie got silently dropped. mam-api doesn't speak WebSockets today so it never sent a 101, and the bad pattern went unnoticed until session-cookie auth shipped. Fix is the standard conditional pattern: a `map` directive at the top of default.conf computes $connection_upgrade as "upgrade" only when the client actually requested Upgrade, otherwise "close". Both location blocks now send `Connection $connection_upgrade` instead of the hardcoded literal. WebSocket support on either location continues to work unchanged. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-27 21:48:49 -04:00			`proxy_set_header Connection $connection_upgrade;`
add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
fix: close all 24 open issues (#40–#94) Bug fixes: - #91: dockerApi() 10s socket timeout (Docker daemon hang) - #77: await syncToAmpp() with .catch() — no longer fire-and-forget - #75: migration 016 — add 'proxy','import' to job_type enum; add 'completed' to job_status - #73: BullMQ orphan job cleanup on hard asset delete - #70: batch-trim jobs table gets expires_at; trim-status auto-expires stale rows - #66: scheduler tick marks stale live assets (>2h) as error - #63: migration 017 — partial unique index prevents concurrent live asset overwrite - #61: recorders.js uses getS3Bucket() not stale process.env.S3_BUCKET - #60: already fixed (copy nulls proxy/thumbnail keys, requeues proxy) - #40: already fixed (All projects clears openProject) - #64: already fixed (sourceType/needsProxy handled) - #90: GET /jobs now includes DB jobs table (trim jobs visible in UI) - #74: nginx Content-Type header preserved; multer 500MB file size limit - #68: GET /upload returns in-progress ingesting assets - #58: /stream and /video endpoints fall back to original file for all video types - #55: recorder poll .catch() logs auth errors cleanly; redirect stops interval - #52: thumb-status and thumb-duration moved inside position:relative wrapper - #50: ProjectCard gets onContextMenu handler with rename/delete menu - #49: project context menu dismisses on contextmenu + scroll events Features: - #93: POST /assets/:id/reprocess?type=proxy\|thumbnail — force re-queue any asset Asset ⋯ menu now shows 'Re-generate proxy' and 'Re-generate thumbnail' buttons UI: - Logo: brightness(0) invert(1) filter applied consistently in sidebar, launcher, and login — white logo pops on dark UI; inline style removed from login.html 2026-05-26 10:10:44 -04:00			`# Preserve Content-Type so multer receives the full multipart boundary (#74)`
			`proxy_set_header Content-Type $content_type;`
add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`proxy_buffering off;`
			`proxy_request_buffering off;`
Phase 2: services/web-ui/nginx.conf 2026-04-07 22:05:41 -04:00			`proxy_connect_timeout 300;`
			`proxy_send_timeout 300;`
			`proxy_read_timeout 300;`
add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`}`

			`# Capture proxy - forward to capture service`
			`location /capture/ {`
fix(nginx): use Docker embedded DNS resolver to avoid startup DNS failure nginx resolves upstream hostnames at config load time, which fails when sibling containers haven't registered with the Docker DNS yet. Using resolver 127.0.0.11 with set $upstream defers resolution to request time, preventing the "host not found in upstream" startup crash. 2026-05-16 08:44:50 -04:00			`set $capture_upstream http://capture:3001;`
			`proxy_pass $capture_upstream;`
add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
fix(web-ui): stop nginx from eating Set-Cookie on /api/ and /capture/ Login was infinite-looping in production. Server side was healthy (sessions landing in PG, /me returning 200 to a manually-signed cookie) but the browser never received `Set-Cookie`. Bisected the proxy chain layer by layer with direct curls on the box: - mam-api direct (port 47432) → Set-Cookie present - web-ui nginx (port 47434) → Set-Cookie STRIPPED - NPM (https://dragonflight.live) → Set-Cookie stripped (because web-ui ate it) Root cause was this in /api/ and /capture/: proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; The literal "upgrade" was being sent on every request, not just real WebSocket negotiations. Nginx then routes the upstream response through its tunnel/upgrade code path, which doesn't preserve all response headers the same way — Set-Cookie got silently dropped. mam-api doesn't speak WebSockets today so it never sent a 101, and the bad pattern went unnoticed until session-cookie auth shipped. Fix is the standard conditional pattern: a `map` directive at the top of default.conf computes $connection_upgrade as "upgrade" only when the client actually requested Upgrade, otherwise "close". Both location blocks now send `Connection $connection_upgrade` instead of the hardcoded literal. WebSocket support on either location continues to work unchanged. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-27 21:48:49 -04:00			`proxy_set_header Connection $connection_upgrade;`
add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_buffering off;`
			`proxy_request_buffering off;`
			`}`

feat: editor coming-soon bumper + embedded Premiere panel downloads - Editor: overlay Coming Soon screen over NLE timeline (code preserved, bumper sits at z-index 100 with backdrop blur). Links to download ZXP and Windows installer directly from the bumper. - Settings → Capture SDKs: new Premiere Panel section lists v1.0.0 and v1.0.1 with ZXP + Windows Installer download buttons. Both releases embedded as static files in web-ui under /downloads/. - nginx: /downloads/ location serves files as Content-Disposition attachment with 24h cache. Files added: services/web-ui/public/downloads/dragonflight-premiere-panel-1.0.0.zxp services/web-ui/public/downloads/dragonflight-premiere-panel-1.0.0-windows-setup.exe services/web-ui/public/downloads/dragonflight-premiere-panel-1.0.1.zxp services/web-ui/public/downloads/dragonflight-premiere-panel-1.0.1-windows-setup.exe 2026-05-26 10:34:28 -04:00			`# Premiere panel downloads — served as binary attachments`
			`location /downloads/ {`
			`add_header Cache-Control "public, max-age=86400";`
			`add_header Content-Disposition 'attachment';`
			`}`

chore(web-ui): delete legacy standalone HTML pages; SPA is the only entry Before this commit /public had two parallel UIs: the React SPA (index.html + screens-*.jsx) and a stack of pre-SPA standalone pages (home.html, recorders.html, jobs.html, ...). The SPA replaces every standalone page, nothing in the .jsx tree links to them, and the only outside references were login.html redirecting to home.html and the nginx fallback pointing at home.html. Delete 16 standalone pages (~9.2k lines of dead markup, ~430KB on disk): _primitives-smoke.html api-tokens.html capture.html cluster.html containers.html edit.html editor.html home.html jobs.html player.html projects.html recorders.html settings.html tokens.html upload.html users.html Keep: index.html — the React SPA shell login.html — the sign-in / setup screen Wire the redirects to the SPA: - login.html post-signin: home.html -> / - nginx try_files fallback: /home.html -> /index.html After this, sign-in lands the operator on the real React app instead of the stale 2025-era home page. The Editor screen continues to embed the separate editor service via the /editor/ nginx proxy (unaffected). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-23 16:48:38 -04:00			`# SPA fallback - try to serve file, else route to the React shell.`
add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`location / {`
chore(web-ui): delete legacy standalone HTML pages; SPA is the only entry Before this commit /public had two parallel UIs: the React SPA (index.html + screens-*.jsx) and a stack of pre-SPA standalone pages (home.html, recorders.html, jobs.html, ...). The SPA replaces every standalone page, nothing in the .jsx tree links to them, and the only outside references were login.html redirecting to home.html and the nginx fallback pointing at home.html. Delete 16 standalone pages (~9.2k lines of dead markup, ~430KB on disk): _primitives-smoke.html api-tokens.html capture.html cluster.html containers.html edit.html editor.html home.html jobs.html player.html projects.html recorders.html settings.html tokens.html upload.html users.html Keep: index.html — the React SPA shell login.html — the sign-in / setup screen Wire the redirects to the SPA: - login.html post-signin: home.html -> / - nginx try_files fallback: /home.html -> /index.html After this, sign-in lands the operator on the real React app instead of the stale 2025-era home page. The Editor screen continues to embed the separate editor service via the /editor/ nginx proxy (unaffected). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-23 16:48:38 -04:00			`try_files $uri $uri/ /index.html;`
add services/web-ui/nginx.conf 2026-04-07 21:58:21 -04:00			`expires -1;`
			`add_header Cache-Control "no-cache, no-store, must-revalidate";`
			`}`

			`# Deny access to dotfiles`
			`location ~ /\. {`
			`deny all;`
			`}`
			`}`