# Gitea — allows iframe embedding from admin (app.${DOMAIN}) server { listen 80; server_name git.${DOMAIN}; add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; # Increase max body size for large git pushes (2GB) client_max_body_size 2048M; location / { set $upstream_gitea http://gitea-changemaker:3000; proxy_pass $upstream_gitea; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # n8n — allows iframe embedding from admin (app.${DOMAIN}) server { listen 80; server_name n8n.${DOMAIN}; add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; location / { set $upstream_n8n http://n8n-changemaker:5678; proxy_pass $upstream_n8n; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # Grafana server { listen 80; server_name grafana.${DOMAIN}; add_header X-Frame-Options "SAMEORIGIN" always; location / { set $upstream_grafana http://grafana-changemaker:3000; proxy_pass $upstream_grafana; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # NocoDB (data browser) — allows iframe embedding from admin server { listen 80; server_name db.${DOMAIN}; add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; location / { set $upstream_nocodb http://changemaker-v2-nocodb:8080; proxy_pass $upstream_nocodb; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Listmonk server { listen 80; server_name listmonk.${DOMAIN}; add_header X-Frame-Options "SAMEORIGIN" always; location / { set $upstream_listmonk http://listmonk-app:9000; proxy_pass $upstream_listmonk; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # MkDocs — allows iframe embedding from admin server { listen 80; server_name docs.${DOMAIN}; add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; location / { set $upstream_mkdocs http://mkdocs-changemaker:8000; proxy_pass $upstream_mkdocs; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # Code Server — allows iframe embedding from admin (app.${DOMAIN}) server { listen 80; server_name code.${DOMAIN}; add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; location / { set $upstream_code http://code-server-changemaker:8080; proxy_pass $upstream_code; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # MailHog (email testing) — allows iframe embedding from admin (app.${DOMAIN}) server { listen 80; server_name mail.${DOMAIN}; add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; location / { set $upstream_mailhog http://mailhog-changemaker:8025; proxy_pass $upstream_mailhog; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for MailHog live updates proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # Mini QR — allows iframe embedding from admin (app.${DOMAIN}) server { listen 80; server_name qr.${DOMAIN}; add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; location / { set $upstream_miniqr http://mini-qr:8080; proxy_pass $upstream_miniqr; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Excalidraw — allows iframe embedding from admin (app.${DOMAIN}) server { listen 80; server_name draw.${DOMAIN}; add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; location / { set $upstream_excalidraw http://excalidraw-changemaker:80; proxy_pass $upstream_excalidraw; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for collaboration proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; } } # --- Embed proxy ports (for iframe embedding without DNS/subdomain) --- # These listen on dedicated ports so the admin GUI can iframe services via # localhost:PORT, bypassing X-Frame-Options without needing *.localhost DNS. server { listen 8881; location / { set $upstream_nocodb http://changemaker-v2-nocodb:8080; proxy_pass $upstream_nocodb; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 8882; location / { set $upstream_n8n http://n8n-changemaker:5678; proxy_pass $upstream_n8n; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { listen 8883; # Increase max body size for large git pushes (2GB) client_max_body_size 2048M; location / { set $upstream_gitea http://gitea-changemaker:3000; proxy_pass $upstream_gitea; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 8884; location / { set $upstream_mailhog http://mailhog-changemaker:8025; proxy_pass $upstream_mailhog; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { listen 8885; location / { set $upstream_miniqr http://mini-qr:8080; proxy_pass $upstream_miniqr; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Excalidraw embed proxy (port 8886) server { listen 8886; location / { set $upstream_excalidraw http://excalidraw-changemaker:80; proxy_pass $upstream_excalidraw; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for collaboration proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; } } # Admin GUI — app subdomain server { listen 80; server_name app.${DOMAIN}; add_header X-Frame-Options "SAMEORIGIN" always; location / { set $upstream_admin http://changemaker-v2-admin:3000; proxy_pass $upstream_admin; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for Vite HMR proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Media API routes rewrite (matches Vite dev proxy behavior) # Rewrites /media/* to /api/* on media-api (port 4100) location /media/ { rewrite ^/media/(.*) /api/$1 break; proxy_pass http://changemaker-media-api:4100; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Large file upload support client_max_body_size 10G; proxy_read_timeout 3600s; proxy_connect_timeout 75s; proxy_request_buffering off; # WebSocket support proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Media API endpoints (must come BEFORE /api/ for longest prefix match) location /api/media/ { set $upstream_media http://changemaker-media-api:4100; proxy_pass $upstream_media; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Large upload support client_max_body_size 10G; proxy_read_timeout 3600s; proxy_connect_timeout 75s; proxy_request_buffering off; # WebSocket support proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # API (Express) location /api/ { set $upstream_api http://changemaker-v2-api:4000; proxy_pass $upstream_api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Root domain — routes to MkDocs static site only server { listen 80; server_name ${DOMAIN}; location / { set $upstream_site http://mkdocs-site-server-changemaker:80; proxy_pass $upstream_site; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Homepage dashboard — allows iframe embedding from admin server { listen 80; server_name home.${DOMAIN}; add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; location / { set $upstream_homepage http://homepage-changemaker:3000; proxy_pass $upstream_homepage; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Homepage embed proxy (port 8887) server { listen 8887; location / { set $upstream_homepage http://homepage-changemaker:3000; proxy_pass $upstream_homepage; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } }