c24c6156dc
Login was infinite-looping in production. Server side was healthy (sessions landing in PG, /me returning 200 to a manually-signed cookie) but the browser never received `Set-Cookie`. Bisected the proxy chain layer by layer with direct curls on the box: - mam-api direct (port 47432) → Set-Cookie present - web-ui nginx (port 47434) → Set-Cookie STRIPPED - NPM (https://dragonflight.live) → Set-Cookie stripped (because web-ui ate it) Root cause was this in /api/ and /capture/: proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; The literal "upgrade" was being sent on every request, not just real WebSocket negotiations. Nginx then routes the upstream response through its tunnel/upgrade code path, which doesn't preserve all response headers the same way — Set-Cookie got silently dropped. mam-api doesn't speak WebSockets today so it never sent a 101, and the bad pattern went unnoticed until session-cookie auth shipped. Fix is the standard conditional pattern: a `map` directive at the top of default.conf computes $connection_upgrade as "upgrade" only when the client actually requested Upgrade, otherwise "close". Both location blocks now send `Connection $connection_upgrade` instead of the hardcoded literal. WebSocket support on either location continues to work unchanged. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
116 lines
4.2 KiB
Nginx Configuration File
116 lines
4.2 KiB
Nginx Configuration File
# Map for proper WebSocket upgrade handling on the proxied locations below.
|
|
# Without this, hardcoding `proxy_set_header Connection "upgrade"` puts nginx
|
|
# into tunnel-mode for every request — which silently drops response headers
|
|
# including Set-Cookie. That broke session-cookie auth on /api/v1/auth/login:
|
|
# mam-api was issuing the cookie, web-ui's proxy was eating it before it
|
|
# reached the browser. With this map, Connection is only set to "upgrade"
|
|
# when the client actually requested an Upgrade (real WebSocket); otherwise
|
|
# it's "close" and the response flows through normally.
|
|
map $http_upgrade $connection_upgrade {
|
|
default upgrade;
|
|
'' close;
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
# Docker embedded DNS — defers upstream resolution to request time
|
|
# This prevents nginx crashing at startup if sibling containers aren't
|
|
# ready yet (which happens on the first `docker compose up`).
|
|
resolver 127.0.0.11 valid=10s ipv6=off;
|
|
|
|
# Allow unlimited client upload size
|
|
client_max_body_size 0;
|
|
|
|
# Gzip compression
|
|
gzip on;
|
|
gzip_types text/plain text/css text/javascript application/javascript application/json;
|
|
gzip_min_length 1000;
|
|
|
|
# Root location - serve static files
|
|
root /usr/share/nginx/html;
|
|
|
|
# Fonts, icons, images: rarely change, safe to cache aggressively.
|
|
location ~* \.(png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
}
|
|
|
|
# CSS / JS — must revalidate so a redeploy is picked up immediately.
|
|
# The index.html links these without a version query string, so without
|
|
# this rule a stale stylesheet/script sits in the browser cache forever
|
|
# (which produced the unstyled calendar that triggered this fix).
|
|
location ~* \.(css|js)$ {
|
|
expires -1;
|
|
add_header Cache-Control "no-cache, must-revalidate";
|
|
}
|
|
|
|
# HTML files - no cache
|
|
location ~* \.html?$ {
|
|
expires -1;
|
|
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
|
}
|
|
|
|
# Live HLS — served from /live (bind-mounted shared volume), low cache so playlist refreshes
|
|
location /live/ {
|
|
alias /live/;
|
|
types { application/vnd.apple.mpegurl m3u8; video/mp2t ts; }
|
|
add_header Cache-Control "no-cache";
|
|
add_header Access-Control-Allow-Origin *;
|
|
}
|
|
|
|
# API proxy - forward to mam-api service
|
|
location /api/ {
|
|
set $api_upstream http://mam-api:3000;
|
|
client_max_body_size 0;
|
|
proxy_pass $api_upstream;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
# Preserve Content-Type so multer receives the full multipart boundary (#74)
|
|
proxy_set_header Content-Type $content_type;
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
proxy_connect_timeout 300;
|
|
proxy_send_timeout 300;
|
|
proxy_read_timeout 300;
|
|
}
|
|
|
|
# Capture proxy - forward to capture service
|
|
location /capture/ {
|
|
set $capture_upstream http://capture:3001;
|
|
proxy_pass $capture_upstream;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
# Premiere panel downloads — served as binary attachments
|
|
location /downloads/ {
|
|
add_header Cache-Control "public, max-age=86400";
|
|
add_header Content-Disposition 'attachment';
|
|
}
|
|
|
|
# SPA fallback - try to serve file, else route to the React shell.
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
expires -1;
|
|
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
|
}
|
|
|
|
# Deny access to dotfiles
|
|
location ~ /\. {
|
|
deny all;
|
|
}
|
|
}
|