admin/changemaker.lite
1
0
Fork 0
Code Issues Packages Projects Releases 31 Wiki Activity
changemaker.lite/nginx/conf.d/services.conf.template
bunker-admin 36b709b911 Automate Gitea init, NocoDB auto sign-in, and fix prod compose 
- Add scripts/gitea-init.sh: runs migrations + creates admin user on
  first boot, replacing the manual installation wizard
- Set GITEA__security__INSTALL_LOCK=true in both compose files
- Add NocoDB auth bridge (nginx) + /api/services/nocodb-auth proxy
  endpoint so the admin iframe auto-authenticates
- Update NocoDBPage.tsx to fetch token and use auth bridge flow
- Fix docker-compose.prod.yml missing Gitea env vars for API container
  (GITEA_URL, GITEA_API_TOKEN, GITEA_ADMIN_PASSWORD, etc.)
- Pass NC_ADMIN_EMAIL/PASSWORD to API for NocoDB auth proxy
- Increase Gitea auto-setup retries from 3 to 6 with admin auth check
- Update config.sh non-interactive mode to set GITEA_ADMIN_USER
- Include gitea-init.sh in release tarball (build-release.sh)

Bunker Admin
2026-04-09 12:49:33 -06:00

717 lines
26 KiB
Plaintext
Raw Blame History

# Gitea — allows iframe embedding from admin (app.${DOMAIN})
# SSO: nginx validates cml_session cookie via API auth_request, injects X-WEBAUTH-USER
server {
listen 80;
server_name git.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
# Increase max body size for large git pushes (2GB)
client_max_body_size 2048M;
# Internal: validate SSO session cookie via API
location = /_auth {
internal;
set $upstream_api http://changemaker-v2-api:4000;
proxy_pass $upstream_api/api/auth/gitea-sso-validate;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
}
location / {
auth_request /_auth;
auth_request_set $gitea_user $upstream_http_x_gitea_user;
set $upstream_gitea http://gitea-changemaker:3000;
proxy_pass $upstream_gitea;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSO header — empty string if not authenticated (Gitea ignores it)
proxy_set_header X-WEBAUTH-USER $gitea_user;
}
}
# n8n — allows iframe embedding from admin (app.${DOMAIN})
server {
listen 80;
server_name n8n.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_n8n http://n8n-changemaker:5678;
proxy_pass $upstream_n8n;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Grafana — allows iframe embedding from admin (app.${DOMAIN})
server {
listen 80;
server_name grafana.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_grafana http://grafana-changemaker:3000;
proxy_pass $upstream_grafana;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# NocoDB (data browser) — allows iframe embedding from admin
server {
listen 80;
server_name db.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
# Auth bridge for iframe auto-sign-in (token passed via URL hash, never sent to server)
location = /auth-bridge {
default_type text/html;
add_header Cache-Control "no-store" always;
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
return 200 '<!DOCTYPE html><html><head><meta charset="utf-8"><script>(function(){var t=location.hash.substring(1);if(!t){document.body.innerText="No token";return;}document.cookie="nocodb-token="+encodeURIComponent(t)+";path=/;SameSite=Lax;max-age=86400";try{localStorage.setItem("nocodb-token",JSON.stringify(t));}catch(e){}window.location.replace("/dashboard/");})()</script></head><body>Signing in...</body></html>';
}
location / {
set $upstream_nocodb http://changemaker-v2-nocodb:8080;
proxy_pass $upstream_nocodb;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Listmonk — via auth proxy, allows iframe embedding from admin
server {
listen 80;
server_name listmonk.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_listmonk http://changemaker-v2-api:9002;
proxy_pass $upstream_listmonk;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# MkDocs — allows iframe embedding from admin
server {
listen 80;
server_name docs.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_mkdocs http://mkdocs-changemaker:8000;
proxy_pass $upstream_mkdocs;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Code Server — allows iframe embedding from admin (app.${DOMAIN})
server {
listen 80;
server_name code.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_code http://code-server-changemaker:8443;
proxy_pass $upstream_code;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# MailHog (email testing) — allows iframe embedding from admin (app.${DOMAIN})
server {
listen 80;
server_name mail.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_mailhog http://mailhog-changemaker:8025;
proxy_pass $upstream_mailhog;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for MailHog live updates
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Mini QR — allows iframe embedding from admin (app.${DOMAIN})
server {
listen 80;
server_name qr.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_miniqr http://mini-qr:8080;
proxy_pass $upstream_miniqr;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Excalidraw — allows iframe embedding from admin (app.${DOMAIN})
server {
listen 80;
server_name draw.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_excalidraw http://excalidraw-changemaker:80;
proxy_pass $upstream_excalidraw;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for collaboration
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Vaultwarden (password manager) — allows iframe embedding from admin
server {
listen 80;
server_name vault.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_vaultwarden http://vaultwarden-changemaker:80;
proxy_pass $upstream_vaultwarden;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Rocket.Chat (team chat) — allows iframe embedding from admin (app.${DOMAIN})
server {
listen 80;
server_name chat.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_rocketchat http://rocketchat-changemaker:3000;
proxy_pass $upstream_rocketchat;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support (critical for RC real-time messaging)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
client_max_body_size 100m;
}
}
# Gancio (event management) — allows iframe embedding from admin (app.${DOMAIN})
server {
listen 80;
server_name events.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_gancio http://gancio-changemaker:13120;
proxy_pass $upstream_gancio;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Jitsi Meet (video conferencing) — allows iframe embedding from admin (app.${DOMAIN})
server {
listen 80;
server_name meet.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_jitsi http://jitsi-web-changemaker:80;
proxy_pass $upstream_jitsi;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# --- Embed proxy ports (for iframe embedding without DNS/subdomain) ---
# These listen on dedicated ports so the admin GUI can iframe services via
# localhost:PORT, bypassing X-Frame-Options without needing *.localhost DNS.
# Ports are configurable via env vars to avoid conflicts in multi-instance deployments.
server {
listen ${NOCODB_EMBED_PORT};
# Auth bridge for iframe auto-sign-in (localhost/dev variant)
location = /auth-bridge {
default_type text/html;
add_header Cache-Control "no-store" always;
return 200 '<!DOCTYPE html><html><head><meta charset="utf-8"><script>(function(){var t=location.hash.substring(1);if(!t){document.body.innerText="No token";return;}document.cookie="nocodb-token="+encodeURIComponent(t)+";path=/;SameSite=Lax;max-age=86400";try{localStorage.setItem("nocodb-token",JSON.stringify(t));}catch(e){}window.location.replace("/dashboard/");})()</script></head><body>Signing in...</body></html>';
}
location / {
set $upstream_nocodb http://changemaker-v2-nocodb:8080;
proxy_pass $upstream_nocodb;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen ${N8N_EMBED_PORT};
location / {
set $upstream_n8n http://n8n-changemaker:5678;
proxy_pass $upstream_n8n;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Gitea embed proxy — SSO via auth_request (same as subdomain block)
server {
listen ${GITEA_EMBED_PORT};
# Increase max body size for large git pushes (2GB)
client_max_body_size 2048M;
# Internal: validate SSO session cookie via API
location = /_auth {
internal;
set $upstream_api http://changemaker-v2-api:4000;
proxy_pass $upstream_api/api/auth/gitea-sso-validate;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
}
location / {
auth_request /_auth;
auth_request_set $gitea_user $upstream_http_x_gitea_user;
set $upstream_gitea http://gitea-changemaker:3000;
proxy_pass $upstream_gitea;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSO header — empty string if not authenticated (Gitea ignores it)
proxy_set_header X-WEBAUTH-USER $gitea_user;
}
}
server {
listen ${MAILHOG_EMBED_PORT};
location / {
set $upstream_mailhog http://mailhog-changemaker:8025;
proxy_pass $upstream_mailhog;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen ${MINI_QR_EMBED_PORT};
location / {
set $upstream_miniqr http://mini-qr:8080;
proxy_pass $upstream_miniqr;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Excalidraw embed proxy
server {
listen ${EXCALIDRAW_EMBED_PORT};
location / {
set $upstream_excalidraw http://excalidraw-changemaker:80;
proxy_pass $upstream_excalidraw;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for collaboration
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Admin GUI — app subdomain
server {
listen 80;
server_name app.${DOMAIN};
add_header X-Frame-Options "SAMEORIGIN" always;
# Auth check iframe — allows root domain to embed this tiny page
# for cross-origin login state detection (MkDocs header)
location = /auth-check.html {
add_header Content-Security-Policy "frame-ancestors 'self' https://${DOMAIN} http://${DOMAIN}" always;
set $upstream_admin_authcheck http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin_authcheck;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# Social media bot detection for OG meta tags
set $is_bot 0;
if ($http_user_agent ~* "(Twitterbot|facebookexternalhit|LinkedInBot|Slackbot|TelegramBot|WhatsApp|Discordbot|Googlebot|bingbot|Pinterest|Embedly|Quora Link Preview|Showyoubot|outbrain|vkShare|W3C_Validator)") {
set $is_bot 1;
}
# Bot-specific rewrites for rich social previews
location ~ ^/campaign/([^/]+)$ {
if ($is_bot) {
rewrite ^/campaign/(.+)$ /api/og/campaign/$1 last;
}
set $upstream_admin http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ ^/p/([^/]+)$ {
if ($is_bot) {
rewrite ^/p/(.+)$ /api/og/page/$1 last;
}
set $upstream_admin http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ ^/gallery/watch/([^/]+)$ {
if ($is_bot) {
rewrite ^/gallery/watch/(.+)$ /api/og/gallery/$1 last;
}
set $upstream_admin http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location / {
set $upstream_admin http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for Vite HMR
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Media API (direct path - used by admin GUI media-api.ts client)
# Rewrites /media/* to /api/* (matches Vite dev proxy behavior)
# Uses variable proxy_pass for runtime DNS resolution after container restarts
location /media/ {
set $upstream_media_app http://changemaker-media-api:4100;
rewrite ^/media/(.*) /api/$1 break;
proxy_pass $upstream_media_app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Large file upload support
client_max_body_size 10G;
proxy_read_timeout 3600s;
proxy_connect_timeout 75s;
proxy_request_buffering off;
# WebSocket support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Media API endpoints (must come BEFORE /api/ for longest prefix match)
location /api/media/ {
set $upstream_media http://changemaker-media-api:4100;
proxy_pass $upstream_media;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Large upload support
client_max_body_size 10G;
proxy_read_timeout 3600s;
proxy_connect_timeout 75s;
proxy_request_buffering off;
# WebSocket support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# MkDocs proxy (docs search index for volunteer map)
location /mkdocs-proxy/ {
set $upstream_mkdocs http://mkdocs-changemaker:8000;
rewrite ^/mkdocs-proxy/(.*) /$1 break;
proxy_pass $upstream_mkdocs;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# API (Express)
location /api/ {
set $upstream_api http://changemaker-v2-api:4000;
proxy_pass $upstream_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support (docs collaboration)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Root domain — routes to MkDocs static site only
server {
listen 80;
server_name ${DOMAIN};
location / {
set $upstream_site http://mkdocs-site-server-changemaker:80;
proxy_pass $upstream_site;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Homepage dashboard — allows iframe embedding from admin
server {
listen 80;
server_name home.${DOMAIN};
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
location / {
set $upstream_homepage http://homepage-changemaker:3000;
proxy_pass $upstream_homepage;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Homepage embed proxy
server {
listen ${HOMEPAGE_EMBED_PORT};
location / {
set $upstream_homepage http://homepage-changemaker:3000;
proxy_pass $upstream_homepage;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Vaultwarden embed proxy
server {
listen ${VAULTWARDEN_EMBED_PORT};
location / {
set $upstream_vaultwarden http://vaultwarden-changemaker:80;
proxy_pass $upstream_vaultwarden;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Rocket.Chat embed proxy
server {
listen ${ROCKETCHAT_EMBED_PORT};
location / {
set $upstream_rocketchat http://rocketchat-changemaker:3000;
proxy_pass $upstream_rocketchat;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
client_max_body_size 100m;
}
}
# Gancio embed proxy
server {
listen ${GANCIO_EMBED_PORT};
location / {
set $upstream_gancio http://gancio-changemaker:13120;
proxy_pass $upstream_gancio;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Jitsi Meet embed proxy
server {
listen ${JITSI_EMBED_PORT};
location / {
set $upstream_jitsi http://jitsi-web-changemaker:80;
proxy_pass $upstream_jitsi;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Grafana embed proxy
server {
listen ${GRAFANA_EMBED_PORT};
location / {
set $upstream_grafana http://grafana-changemaker:3000;
proxy_pass $upstream_grafana;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Alertmanager embed proxy
server {
listen ${ALERTMANAGER_EMBED_PORT};
location / {
set $upstream_alertmanager http://alertmanager-changemaker:9093;
proxy_pass $upstream_alertmanager;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Reference in New Issue View Git Blame Copy Permalink