# Map for proper WebSocket upgrade handling on the proxied locations below. # Without this, hardcoding `proxy_set_header Connection "upgrade"` puts nginx # into tunnel-mode for every request — which silently drops response headers # including Set-Cookie. That broke session-cookie auth on /api/v1/auth/login: # mam-api was issuing the cookie, web-ui's proxy was eating it before it # reached the browser. With this map, Connection is only set to "upgrade" # when the client actually requested an Upgrade (real WebSocket); otherwise # it's "close" and the response flows through normally. map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 80; server_name _; # Docker embedded DNS — defers upstream resolution to request time # This prevents nginx crashing at startup if sibling containers aren't # ready yet (which happens on the first `docker compose up`). resolver 127.0.0.11 valid=10s ipv6=off; # Allow unlimited client upload size client_max_body_size 0; # Gzip compression gzip on; gzip_types text/plain text/css text/javascript application/javascript application/json; gzip_min_length 1000; # Root location - serve static files root /usr/share/nginx/html; # Fonts, icons, images: rarely change, safe to cache aggressively. location ~* \.(png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; } # CSS / JS — must revalidate so a redeploy is picked up immediately. # The index.html links these without a version query string, so without # this rule a stale stylesheet/script sits in the browser cache forever # (which produced the unstyled calendar that triggered this fix). location ~* \.(css|js)$ { expires -1; add_header Cache-Control "no-cache, must-revalidate"; } # HTML files - no cache location ~* \.html?$ { expires -1; add_header Cache-Control "no-cache, no-store, must-revalidate"; } # Live HLS — served from /live (bind-mounted shared volume), low cache so playlist refreshes location /live/ { alias /live/; types { application/vnd.apple.mpegurl m3u8; video/mp2t ts; } add_header Cache-Control "no-cache"; add_header Access-Control-Allow-Origin *; } # API proxy - forward to mam-api service location /api/ { set $api_upstream http://mam-api:3000; client_max_body_size 0; proxy_pass $api_upstream; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Preserve Content-Type so multer receives the full multipart boundary (#74) proxy_set_header Content-Type $content_type; proxy_buffering off; proxy_request_buffering off; proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; } # Capture proxy - forward to capture service location /capture/ { set $capture_upstream http://capture:3001; proxy_pass $capture_upstream; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering off; proxy_request_buffering off; } # Premiere panel downloads — served as binary attachments location /downloads/ { add_header Cache-Control "public, max-age=86400"; add_header Content-Disposition 'attachment'; } # SPA fallback - try to serve file, else route to the React shell. location / { try_files $uri $uri/ /index.html; expires -1; add_header Cache-Control "no-cache, no-store, must-revalidate"; } # Deny access to dotfiles location ~ /\. { deny all; } }