# Gitea — allows iframe embedding from admin (app.cmlite.org) server { listen 80; server_name git.cmlite.org; add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always; # Increase max body size for large git pushes (2GB) client_max_body_size 2048M; location / { set $upstream_gitea http://gitea-changemaker:3000; proxy_pass $upstream_gitea; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # n8n — allows iframe embedding from admin (app.cmlite.org) server { listen 80; server_name n8n.cmlite.org; add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always; location / { set $upstream_n8n http://n8n-changemaker:5678; proxy_pass $upstream_n8n; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # Grafana server { listen 80; server_name grafana.cmlite.org grafana.betteredmonton.org; add_header X-Frame-Options "SAMEORIGIN" always; location / { set $upstream_grafana http://grafana-changemaker:3000; proxy_pass $upstream_grafana; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # NocoDB (data browser) — allows iframe embedding from admin server { listen 80; server_name db.cmlite.org db.betteredmonton.org; add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org app.betteredmonton.org" always; location / { set $upstream_nocodb http://changemaker-v2-nocodb:8080; proxy_pass $upstream_nocodb; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Listmonk server { listen 80; server_name listmonk.cmlite.org listmonk.betteredmonton.org; add_header X-Frame-Options "SAMEORIGIN" always; location / { set $upstream_listmonk http://listmonk-app:9000; proxy_pass $upstream_listmonk; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # MkDocs — allows iframe embedding from admin server { listen 80; server_name docs.cmlite.org docs.betteredmonton.org; add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org app.betteredmonton.org" always; location / { set $upstream_mkdocs http://mkdocs-changemaker:8000; proxy_pass $upstream_mkdocs; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # Code Server — allows iframe embedding from admin (app.cmlite.org) server { listen 80; server_name code.cmlite.org; add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always; location / { set $upstream_code http://code-server-changemaker:8080; proxy_pass $upstream_code; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # MailHog (email testing) — allows iframe embedding from admin (app.cmlite.org) server { listen 80; server_name mail.cmlite.org; add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always; location / { set $upstream_mailhog http://mailhog-changemaker:8025; proxy_pass $upstream_mailhog; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for MailHog live updates proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } # Mini QR — allows iframe embedding from admin (app.cmlite.org) server { listen 80; server_name qr.cmlite.org; add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always; location / { set $upstream_miniqr http://mini-qr:8080; proxy_pass $upstream_miniqr; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Excalidraw — allows iframe embedding from admin (app.cmlite.org) server { listen 80; server_name draw.cmlite.org; add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always; location / { set $upstream_excalidraw http://excalidraw-changemaker:80; proxy_pass $upstream_excalidraw; proxy_hide_header X-Frame-Options; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for collaboration proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; } } # --- Embed proxy ports (for iframe embedding without DNS/subdomain) --- # These listen on dedicated ports so the admin GUI can iframe services via # localhost:PORT, bypassing X-Frame-Options without needing *.localhost DNS. server { listen 8881; location / { set $upstream_nocodb http://changemaker-v2-nocodb:8080; proxy_pass $upstream_nocodb; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 8882; location / { set $upstream_n8n http://n8n-changemaker:5678; proxy_pass $upstream_n8n; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { listen 8883; # Increase max body size for large git pushes (2GB) client_max_body_size 2048M; location / { set $upstream_gitea http://gitea-changemaker:3000; proxy_pass $upstream_gitea; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 8884; location / { set $upstream_mailhog http://mailhog-changemaker:8025; proxy_pass $upstream_mailhog; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { listen 8885; location / { set $upstream_miniqr http://mini-qr:8080; proxy_pass $upstream_miniqr; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Excalidraw embed proxy (port 8886) server { listen 8886; location / { set $upstream_excalidraw http://excalidraw-changemaker:80; proxy_pass $upstream_excalidraw; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for collaboration proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; } } # Admin GUI — app subdomain server { listen 80; server_name app.cmlite.org app.betteredmonton.org; add_header X-Frame-Options "SAMEORIGIN" always; location / { set $upstream_admin http://changemaker-v2-admin:3000; proxy_pass $upstream_admin; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for Vite HMR proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Media API endpoints (must come BEFORE /api/ for longest prefix match) location /api/media/ { set $upstream_media http://changemaker-media-api:4100; proxy_pass $upstream_media; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Large upload support client_max_body_size 10G; proxy_read_timeout 3600s; proxy_connect_timeout 75s; proxy_request_buffering off; # WebSocket support proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # API (Express) location /api/ { set $upstream_api http://changemaker-v2-api:4000; proxy_pass $upstream_api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # MkDocs built static site — root domain server { listen 80; server_name cmlite.org; location / { set $upstream_site http://mkdocs-site-server-changemaker:80; proxy_pass $upstream_site; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Root domain — routes to admin GUI (supports custom DOMAIN env var) server { listen 80; server_name betteredmonton.org; add_header X-Frame-Options "SAMEORIGIN" always; location / { set $upstream_admin http://changemaker-v2-admin:3000; proxy_pass $upstream_admin; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for Vite HMR proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Media API endpoints (must come BEFORE /api/ for longest prefix match) location /api/media/ { set $upstream_media http://changemaker-media-api:4100; proxy_pass $upstream_media; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Large upload support client_max_body_size 10G; proxy_read_timeout 3600s; proxy_connect_timeout 75s; proxy_request_buffering off; # WebSocket support proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # API (Express) location /api/ { set $upstream_api http://changemaker-v2-api:4000; proxy_pass $upstream_api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Homepage dashboard server { listen 80; server_name home.cmlite.org; add_header X-Frame-Options "SAMEORIGIN" always; location / { set $upstream_homepage http://homepage-changemaker:3000; proxy_pass $upstream_homepage; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } }