From c24c6156dcfe942cb8e5e069c14ad87ece1bf0ab Mon Sep 17 00:00:00 2001 From: Zac Gaetano Date: Wed, 27 May 2026 21:48:49 -0400 Subject: [PATCH] fix(web-ui): stop nginx from eating Set-Cookie on /api/ and /capture/ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Login was infinite-looping in production. Server side was healthy (sessions landing in PG, /me returning 200 to a manually-signed cookie) but the browser never received `Set-Cookie`. Bisected the proxy chain layer by layer with direct curls on the box: - mam-api direct (port 47432) → Set-Cookie present - web-ui nginx (port 47434) → Set-Cookie STRIPPED - NPM (https://dragonflight.live) → Set-Cookie stripped (because web-ui ate it) Root cause was this in /api/ and /capture/: proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; The literal "upgrade" was being sent on every request, not just real WebSocket negotiations. Nginx then routes the upstream response through its tunnel/upgrade code path, which doesn't preserve all response headers the same way — Set-Cookie got silently dropped. mam-api doesn't speak WebSockets today so it never sent a 101, and the bad pattern went unnoticed until session-cookie auth shipped. Fix is the standard conditional pattern: a `map` directive at the top of default.conf computes $connection_upgrade as "upgrade" only when the client actually requested Upgrade, otherwise "close". Both location blocks now send `Connection $connection_upgrade` instead of the hardcoded literal. WebSocket support on either location continues to work unchanged. Co-Authored-By: Claude Opus 4.7
---
 services/web-ui/nginx.conf | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/services/web-ui/nginx.conf b/services/web-ui/nginx.conf
index 0f3ecd4..e3b2e91 100644
--- a/services/web-ui/nginx.conf
+++ b/services/web-ui/nginx.conf
@@ -1,3 +1,16 @@
+# Map for proper WebSocket upgrade handling on the proxied locations below.
+# Without this, hardcoding `proxy_set_header Connection "upgrade"` puts nginx
+# into tunnel-mode for every request — which silently drops response headers
+# including Set-Cookie. That broke session-cookie auth on /api/v1/auth/login:
+# mam-api was issuing the cookie, web-ui's proxy was eating it before it
+# reached the browser. With this map, Connection is only set to "upgrade"
+# when the client actually requested an Upgrade (real WebSocket); otherwise
+# it's "close" and the response flows through normally.
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
 server {
 listen 80;
 server_name _;
@@ -54,7 +67,7 @@ server {
 proxy_pass $api_upstream;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
+ proxy_set_header Connection $connection_upgrade;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -74,7 +87,7 @@ server {
 proxy_pass $capture_upstream;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
+ proxy_set_header Connection $connection_upgrade;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
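Review bot: The new `map` treats every non-empty `Upgrade` value as an upgrade request, because `default upgrade;` matches anything the client sends, not only `websocket`. Both proxied locations in the later hunks then forward that client-chosen token upstream together with `Connection: upgrade`. A reverse proxy that relays arbitrary upgrade tokens can let a request bypass proxy-level controls if the backend honours a protocol switch, so I would key the map on the one expected protocol: `~*^websocket$ upgrade;` and `default close;`. The comment block also states the tunnel-mode mechanism as fact, whereas the commit message only demonstrates the symptom and the fix, so wording it as observed behaviour would be safer for the next reader.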
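Review bot: The location that proxies to `$api_upstream` still sends `proxy_set_header Upgrade $http_upgrade;`, although the commit message says mam-api does not speak WebSockets today. nginx does not pass `Upgrade` upstream unless it is set explicitly, so deleting that line and using `proxy_set_header Connection "";` here would take the client-controlled header off the authentication path and keep upstream keep-alive available. The location block starts and ends outside this hunk, so I cannot see whether `X-Forwarded-Proto` is forwarded. If mam-api decides the session cookie's `Secure` attribute from the request scheme, that is worth confirming, because this server listens on plain port 80 behind the TLS proxy.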