From 776aa6fbac314ee435cd949cc7ff09a3cee1a707 Mon Sep 17 00:00:00 2001
From: bunker-admin
Date: Fri, 27 Mar 2026 09:55:27 -0600
Subject: [PATCH] Fix nginx templates (source of truth) + add reservedCount migration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The generated api.conf and services.conf we edited earlier were overwritten at container startup by envsubst from *.template files.

Fix the actual templates:
- api.conf.template: X-Forwarded-For → $remote_addr, add limit_req
- services.conf.template: add frame-ancestors CSP after proxy_hide_header
- Add Prisma migration file for ticket_tiers.reserved_count

Bunker Admin
---
 .../migration.sql                   | 3 +++
 nginx/conf.d/api.conf.template      | 6 ++++--
 nginx/conf.d/services.conf.template | 6 ++++++
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 api/prisma/migrations/20260327100000_add_ticket_tier_reserved_count/migration.sql

diff --git a/api/prisma/migrations/20260327100000_add_ticket_tier_reserved_count/migration.sql b/api/prisma/migrations/20260327100000_add_ticket_tier_reserved_count/migration.sql
new file mode 100644
index 00000000..546012ba
--- /dev/null
+++ b/api/prisma/migrations/20260327100000_add_ticket_tier_reserved_count/migration.sql
@@ -0,0 +1,3 @@
+-- AlterTable: Add reserved_count for ticket overselling prevention
+-- Tracks pending Stripe checkout sessions to prevent concurrent overselling
+ALTER TABLE "ticket_tiers" ADD COLUMN "reserved_count" INTEGER NOT NULL DEFAULT 0;
diff --git a/nginx/conf.d/api.conf.template b/nginx/conf.d/api.conf.template
index 61e6ac63..c2e5802f 100644
--- a/nginx/conf.d/api.conf.template
+++ b/nginx/conf.d/api.conf.template
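Review bot: The new `reserved_count` column has no lower bound, so a release path that decrements it for an already-expired or double-cancelled checkout can drive it negative and silently inflate availability, the opposite of the overselling guard the header comment describes. Adding the constraint in the same migration lets the database catch that: `ALTER TABLE "ticket_tiers" ADD COLUMN "reserved_count" INTEGER NOT NULL DEFAULT 0 CHECK ("reserved_count" >= 0);`. The column by itself does not prevent concurrent overselling either; that only holds if the application reserves with a single conditional `UPDATE ... SET reserved_count = reserved_count + 1 WHERE <sold> + reserved_count < <capacity>` (or a row lock) rather than a read-then-write, and releases reservations whose Stripe session expires — neither is visible in this patch, so worth confirming on the API side. Prisma's schema language will not model the CHECK, but `migrate deploy` applies the SQL as written; a `prisma migrate dev` run would confirm it is not reported as drift.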
@@ -6,12 +6,13 @@ server {
     # Media API endpoints (must come BEFORE / for longest prefix match)
     # Uses variable proxy_pass for runtime DNS resolution after container restarts
     location /media/ {
+        limit_req zone=api_global burst=60 nodelay;
         set $upstream_media http://changemaker-media-api:4100;
         rewrite ^/media/(.*) /api/$1 break;
         proxy_pass $upstream_media;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
 
         # Large upload support
@@ -27,11 +28,12 @@ server {
 
     # Main API (Express)
     location / {
+        limit_req zone=api_global burst=60 nodelay;
         set $upstream_api http://changemaker-v2-api:4000;
         proxy_pass $upstream_api;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_read_timeout 300s;
         proxy_connect_timeout 75s;
diff --git a/nginx/conf.d/services.conf.template b/nginx/conf.d/services.conf.template
index e1c1e70a..a37351d8 100644
--- a/nginx/conf.d/services.conf.template
+++ b/nginx/conf.d/services.conf.template
@@ -276,6 +276,7 @@ server {
         proxy_pass $upstream_nocodb;
         proxy_hide_header X-Frame-Options;
         proxy_hide_header Content-Security-Policy;
+        add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -308,6 +309,7 @@ server {
         proxy_pass $upstream_gitea;
         proxy_hide_header X-Frame-Options;
         proxy_hide_header Content-Security-Policy;
+        add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
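Review bot: `limit_req zone=api_global burst=60 nodelay;` in `location /media/` references a shared-memory zone that this patch does not define; `limit_req_zone` can only be declared in the `http {}` context, and if no template there declares `api_global`, nginx fails its config test and, since the commit message says the confs are regenerated from templates at container start, the proxy stays down on the next restart. Please confirm the declaration exists, e.g. `limit_req_zone $binary_remote_addr zone=api_global:10m rate=10r/s;` (key and rate are a guess, pick what the API needs), and consider `limit_req_status 429;` next to it so throttled clients get a retryable status instead of the default 503. Because envsubst processes these templates, also check that `$binary_remote_addr` is not in the variable list it expands, or the zone key will be emptied. The `location /media/` block continues past the end of this hunk.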
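Review bot: Overwriting `X-Forwarded-For` with `$remote_addr` in `location /` is correct only if this nginx is the internet-facing hop: it closes the client-supplied XFF spoofing hole, but if a CDN, load balancer or another reverse proxy sits in front, the Express API will now see that proxy's address for every request, and a `limit_req` zone keyed on `$binary_remote_addr` would throttle all users as one client. If there is such a hop, do the trusted-proxy handling in nginx instead — `set_real_ip_from <cidr of the upstream proxy>; real_ip_header X-Forwarded-For; real_ip_recursive on;` at server level — after which `$remote_addr` is the verified client address and this line stays right. Either way a comment above the header, e.g. `# overwrite, don't append: clients must not be able to spoof their IP`, would stop the next person reverting it to `$proxy_add_x_forwarded_for`. The enclosing `server {` block extends beyond this hunk.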
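Review bot: The new `add_header Content-Security-Policy ... always;` in the NocoDB location has a side effect nginx does not make obvious: `add_header` is inherited from the server/http level only when the current level declares none, so from this line on any server-wide headers set above (HSTS, X-Content-Type-Options, Referrer-Policy, if present) silently stop being emitted for this location. If such headers exist, repeat them here or move the whole set into an included snippet that every location pulls in. Separately, the preceding `proxy_hide_header Content-Security-Policy` already strips the upstream's full policy, so the app is left with a frame-ancestors-only CSP and none of its own script-src/connect-src protections; if the aim is only to permit framing, hiding just `X-Frame-Options` and letting the upstream CSP through may be closer to the intent, though that depends on whether NocoDB's own CSP sets frame-ancestors, which is not visible here.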
@@ -338,6 +340,7 @@ server {
         proxy_pass $upstream_miniqr;
         proxy_hide_header X-Frame-Options;
         proxy_hide_header Content-Security-Policy;
+        add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -551,6 +554,7 @@ server {
         proxy_pass $upstream_homepage;
         proxy_hide_header X-Frame-Options;
         proxy_hide_header Content-Security-Policy;
+        add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -603,6 +607,7 @@ server {
         proxy_pass $upstream_gancio;
         proxy_hide_header X-Frame-Options;
         proxy_hide_header Content-Security-Policy;
+        add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -653,6 +658,7 @@ server {
         proxy_pass $upstream_alertmanager;
         proxy_hide_header X-Frame-Options;
         proxy_hide_header Content-Security-Policy;
+        add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
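Review bot: `frame-ancestors 'self' localhost 127.0.0.1` lists host sources without a port, and a CSP host source without a port matches only the default port for the page's scheme, so an embedding dashboard served from something like `http://localhost:3000` would still be refused; if that is the intended embedder, the sources need to be `localhost:*` and `127.0.0.1:*`. The same literal policy is now repeated in six locations of this file, which makes a later change to the allowed embedder easy to miss in one of them — a single `include snippets/embed-csp.conf;` holding the `add_header` line would keep them in lockstep. A comment on why production hosts allow `localhost` framing at all would help too, since browsers evaluate it against the user's own machine and any page served there, including unrelated dev servers, may frame these apps, e.g. `# allow the local admin dashboard to embed this service`. This hunk sits inside a `location` block whose start and end lie outside the hunk.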