admin/changemaker.lite
1
0
Fork 0
Code Issues Packages Projects Releases 31 Wiki Activity
changemaker.lite/changemaker-control-panel/templates/nginx/conf.d/services.conf.hbs
bunker-admin 91db29402c Add Gitea SSO, fix security audit findings, harden production defaults 
Gitea SSO: cookie-based single sign-on via nginx auth_request — sets
cml_session cookie on login/refresh, validates via /api/auth/gitea-sso-validate,
injects X-WEBAUTH-USER header for reverse proxy auth. Dedicated GITEA_SSO_SECRET
and SERVICE_PASSWORD_SALT env vars isolate secret rotation.

Security fixes from March 30 audit: IDOR on ticketed events (requireEventOwnership
middleware), IDOR on action items (admin/assignee/creator check), path traversal
on photos (resolve-based validation), CSV upload size limit (5MB), shared calendar
email exposure removed.

Gitea provisioner: auto-sync docs repo collaborator access based on role
(CONTENT_ROLES get write, SUPER_ADMIN gets admin). Gitea client extended
with collaborator management API methods.

Production hardening: NODE_ENV defaults to production in docker-compose.prod.yml,
Grafana anonymous auth disabled, install.sh branch ref updated to main.

Admin UI: moved docs reset from toolbar to MkDocs Settings danger zone,
improved collab Ctrl+S to explicitly save + cache-bust preview.

MkDocs site rebuild with updated repo data, upgrade screenshots, and content.

Bunker Admin
2026-03-31 11:20:01 -06:00

296 lines
10 KiB
Handlebars
Raw Blame History

# Changemaker Lite — Instance: {{name}}
# Embed proxy ports for iframe embedding in admin GUI.
# These strip X-Frame-Options and CSP so services can be iframed.
# Internal ports 8881-8894 are mapped to host ports via docker-compose.
# NocoDB embed proxy (internal 8881)
server {
listen 8881;
location / {
set $upstream_nocodb http://{{containerPrefix}}-nocodb:8080;
proxy_pass $upstream_nocodb;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# n8n embed proxy (internal 8882)
server {
listen 8882;
location / {
set $upstream_n8n http://{{containerPrefix}}-n8n:5678;
proxy_pass $upstream_n8n;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Gitea embed proxy (internal 8883) — SSO via auth_request
server {
listen 8883;
client_max_body_size 2048M;
# Internal: validate SSO session cookie via API
location = /_auth {
internal;
set $upstream_api http://{{containerPrefix}}-api:4000;
proxy_pass $upstream_api/api/auth/gitea-sso-validate;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
}
location / {
auth_request /_auth;
auth_request_set $gitea_user $upstream_http_x_gitea_user;
set $upstream_gitea http://{{containerPrefix}}-gitea:3000;
proxy_pass $upstream_gitea;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSO header — empty string if not authenticated (Gitea ignores it)
proxy_set_header X-WEBAUTH-USER $gitea_user;
}
}
# MailHog embed proxy (internal 8884)
server {
listen 8884;
location / {
set $upstream_mailhog http://{{containerPrefix}}-mailhog:8025;
proxy_pass $upstream_mailhog;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Mini QR embed proxy (internal 8885)
server {
listen 8885;
location / {
set $upstream_miniqr http://{{containerPrefix}}-mini-qr:8080;
proxy_pass $upstream_miniqr;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Excalidraw embed proxy (internal 8886)
server {
listen 8886;
location / {
set $upstream_excalidraw http://{{containerPrefix}}-excalidraw:80;
proxy_pass $upstream_excalidraw;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Homepage embed proxy (internal 8887)
server {
listen 8887;
location / {
set $upstream_homepage http://{{containerPrefix}}-homepage:3000;
proxy_pass $upstream_homepage;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Code Server embed proxy (internal 8888)
server {
listen 8888;
location / {
set $upstream_code http://{{containerPrefix}}-code-server:8443;
proxy_pass $upstream_code;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# MkDocs embed proxy (internal 8889)
server {
listen 8889;
location / {
set $upstream_mkdocs http://{{containerPrefix}}-mkdocs:8000;
proxy_pass $upstream_mkdocs;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Vaultwarden embed proxy (internal 8890)
server {
listen 8890;
location / {
set $upstream_vaultwarden http://{{containerPrefix}}-vaultwarden:80;
proxy_pass $upstream_vaultwarden;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Rocket.Chat embed proxy (internal 8891)
{{#if enableChat}}
server {
listen 8891;
location / {
set $upstream_rocketchat http://{{containerPrefix}}-rocketchat:3000;
proxy_pass $upstream_rocketchat;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
client_max_body_size 100m;
}
}
{{/if}}
# Gancio embed proxy (internal 8892)
{{#if enableGancio}}
server {
listen 8892;
location / {
set $upstream_gancio http://{{containerPrefix}}-gancio:13120;
proxy_pass $upstream_gancio;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
{{/if}}
# Grafana embed proxy (internal 8893)
{{#if enableMonitoring}}
server {
listen 8893;
location / {
set $upstream_grafana http://{{containerPrefix}}-grafana:3000;
proxy_pass $upstream_grafana;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
{{/if}}
# Listmonk embed proxy (internal 8894)
{{#if enableListmonk}}
server {
listen 8894;
location / {
set $upstream_listmonk http://{{containerPrefix}}-listmonk:9000;
proxy_pass $upstream_listmonk;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
{{/if}}
# MkDocs site server proxy (internal 8895) — static built documentation site
server {
listen 8895;
location / {
set $upstream_mkdocs_site http://{{containerPrefix}}-mkdocs-site:80;
proxy_pass $upstream_mkdocs_site;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Jitsi Meet embed proxy (internal 8896)
{{#if enableMeet}}
server {
listen 8896;
location / {
set $upstream_jitsi http://{{containerPrefix}}-jitsi-web:80;
proxy_pass $upstream_jitsi;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
{{/if}}
Reference in New Issue View Git Blame Copy Permalink