From 33e1ff290735b53f3bdc7daf859185e34014cf47 Mon Sep 17 00:00:00 2001
From: admin
Date: Tue, 10 Mar 2026 10:47:59 -0600
Subject: [PATCH 1/2] Add WebSocket upgrade headers to nginx API proxy blocks for docs collaboration The /api/ location blocks in both default.conf and services.conf templates were missing Upgrade/Connection headers, preventing the Hocuspocus WebSocket connection from establishing through nginx.
Co-Authored-By: Claude Opus 4.6
---
 nginx/conf.d/default.conf.template | 6 +++++-
 nginx/conf.d/services.conf.template | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/nginx/conf.d/default.conf.template b/nginx/conf.d/default.conf.template
index 0f7db57a..febcb9cd 100644
--- a/nginx/conf.d/default.conf.template
+++ b/nginx/conf.d/default.conf.template
@@ -79,8 +79,8 @@ server {
 # Rewrites /media/* to /api/* (matches Vite dev proxy behavior)
 # Uses variable proxy_pass for runtime DNS resolution after container restarts
 location /media/ {
- rewrite ^/media/(.*) /api/$1 break;
 set $upstream_media_default http://changemaker-media-api:4100;
+ rewrite ^/media/(.*) /api/$1 break;
 proxy_pass $upstream_media_default;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
@@ -126,5 +126,9 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket support (docs collaboration)
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
 }
 }
diff --git a/nginx/conf.d/services.conf.template b/nginx/conf.d/services.conf.template
index 0d00d175..3ec7c196 100644
--- a/nginx/conf.d/services.conf.template
+++ b/nginx/conf.d/services.conf.template
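Review bot: The reordering in `location /media/` (hunk `@@ -79`) is load-bearing, but neither the file nor the commit message says so. `set` is a rewrite-module directive and `rewrite ... break` stops further rewrite-module processing in the location, so with the old order `$upstream_media_default` was presumably still unset when `proxy_pass` read it. A comment above the `set` line would stop a later tidy-up from reverting it: `# set must stay above "rewrite ... break": break ends rewrite-module processing, including set`. The same applies to `$upstream_media_app` in the `@@ -444` hunk of services.conf.template; the location body continues outside both hunks.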
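Review bot: In hunk `@@ -126`, `proxy_set_header Connection "upgrade"` is applied to every `/api/` request, and `Upgrade $http_upgrade` forwards whatever protocol token the client sent, not only `websocket`. Ordinary API calls therefore reach the backend marked for upgrade, and a backend that honours a non-WebSocket upgrade could open a tunnel the proxy no longer inspects. The usual pattern is an http-level `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` with `proxy_set_header Connection $connection_upgrade;`, ideally in a dedicated location for the collaboration endpoint so the rest of `/api/` forwards no Upgrade header at all. WebSocket proxying also needs `proxy_http_version 1.1;`, which may already be set above the hunk but is not visible here. The `@@ -502` hunk in services.conf.template adds the same two lines and needs the same change.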
@@ -444,8 +444,8 @@ server {
 # Rewrites /media/* to /api/* (matches Vite dev proxy behavior)
 # Uses variable proxy_pass for runtime DNS resolution after container restarts
 location /media/ {
- rewrite ^/media/(.*) /api/$1 break;
 set $upstream_media_app http://changemaker-media-api:4100;
+ rewrite ^/media/(.*) /api/$1 break;
 proxy_pass $upstream_media_app;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
@@ -502,6 +502,10 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket support (docs collaboration)
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
 }
 }
From 9267f070b3ad94456df412dd301e1b8e2c010543 Mon Sep 17 00:00:00 2001
From: admin
Date: Tue, 10 Mar 2026 18:26:41 -0600
Subject: [PATCH 2/2] Fix Vaultwarden iframe embedding by stripping upstream CSP header Vaultwarden sends a restrictive Content-Security-Policy with frame-ancestors that blocks iframe embedding. The embed proxy (port 8890) already stripped this header, but the subdomain server block did not.
Co-Authored-By: Claude Opus 4.6
---
 nginx/conf.d/services.conf.template | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nginx/conf.d/services.conf.template b/nginx/conf.d/services.conf.template
index 3ec7c196..9e530917 100644
--- a/nginx/conf.d/services.conf.template
+++ b/nginx/conf.d/services.conf.template
@@ -194,6 +194,7 @@ server {
 set $upstream_vaultwarden http://vaultwarden-changemaker:80;
 proxy_pass $upstream_vaultwarden;
 proxy_hide_header X-Frame-Options;
+ proxy_hide_header Content-Security-Policy;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
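Review bot: In hunk `@@ -194`, `proxy_hide_header Content-Security-Policy` drops Vaultwarden's entire policy, not just `frame-ancestors`. Together with the existing `proxy_hide_header X-Frame-Options`, it leaves the vault UI frameable by any origin unless a replacement header is added outside this hunk. For a password manager that is a clickjacking exposure, and it also removes the upstream script and object restrictions. A narrower fix keeps the CSP intact and lists the embedding origin in Vaultwarden's `ALLOWED_IFRAME_ANCESTORS` setting; if the header must be replaced at the proxy, add `add_header Content-Security-Policy "frame-ancestors 'self' https://<EMBEDDING_ORIGIN>" always;` next to the hide. The commit message says the embed proxy on port 8890 strips the same header, so that block deserves the same review.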