admin/changemaker.lite
1
0
Fork 0
Code Issues Packages Projects Releases 31 Wiki Activity
changemaker.lite/nginx/conf.d/services.conf
bunker-admin 1bf19fff0e Security audit: fix 30 findings across auth, IDOR, XSS, path traversal, infrastructure 
Comprehensive 6-domain security audit addressing 8 Critical, 17 Important,
and 5 Low findings. Key fixes:

Critical:
- Strip PII from unauthenticated ticket lookup (IDOR)
- Add role+permission checks to event check-in routes
- Validate tier-to-event ownership on update/delete (IDOR)
- Fix path traversal in video replace (resolve + prefix check)
- Enable MongoDB authentication for Rocket.Chat
- Disable Grafana anonymous access
- Sanitize CSV exports against formula injection (payments)
- Apply DOMPurify to richDescription on public event page (XSS)

Important:
- Require current password for self-service password changes
- Atomic password reset token consumption (race condition fix)
- Scope postMessage to specific origin (not wildcard)
- Validate redirect parameter against open redirect
- Replace weak temp passwords (5760 values → crypto.randomBytes)
- Move shift capacity check inside transaction (TOCTOU fix)
- Fix EVENTS_ADMIN privilege inversion in ticketed events
- Make ENCRYPTION_KEY required (remove optional fallback)
- Add internal Prometheus metrics endpoint for Docker scraping
- Add nginx-level rate limiting (limit_req_zone)
- Fix X-Forwarded-For to use $remote_addr (prevents spoofing)
- Replace CSP stripping with frame-ancestors in embed proxies
- Remove error.message from Fastify 500 responses
- Strip PII from volunteer canvass address data
- Wrap GrapesJS output in {% raw %} to prevent Jinja2 SSTI
- Scope SSE token query param to /sse path only
- Sanitize Listmonk email query against injection

Bunker Admin
2026-03-27 08:47:24 -06:00

732 lines
27 KiB
Plaintext
Raw Blame History

# Gitea — allows iframe embedding from admin (app.cmlite.org)
server {
listen 80;
server_name git.cmlite.org;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;
# Increase max body size for large git pushes (2GB)
client_max_body_size 2048M;
location / {
set $upstream_gitea http://gitea-changemaker:3000;
proxy_pass $upstream_gitea;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# n8n — allows iframe embedding from admin (app.cmlite.org)
server {
listen 80;
server_name n8n.cmlite.org;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;
location / {
set $upstream_n8n http://n8n-changemaker:5678;
proxy_pass $upstream_n8n;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Grafana — allows iframe embedding from admin (app.cmlite.org)
server {
listen 80;
server_name grafana.cmlite.org grafana.betteredmonton.org grafana.pridecorner.ca;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org app.betteredmonton.org" always;
location / {
set $upstream_grafana http://grafana-changemaker:3000;
proxy_pass $upstream_grafana;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# NocoDB (data browser) — allows iframe embedding from admin
server {
listen 80;
server_name db.cmlite.org db.betteredmonton.org db.pridecorner.ca;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org app.betteredmonton.org" always;
location / {
set $upstream_nocodb http://changemaker-v2-nocodb:8080;
proxy_pass $upstream_nocodb;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Listmonk — via auth proxy, allows iframe embedding from admin
server {
listen 80;
server_name listmonk.cmlite.org listmonk.betteredmonton.org listmonk.pridecorner.ca;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org app.betteredmonton.org app.pridecorner.ca" always;
location / {
set $upstream_listmonk http://changemaker-v2-api:9002;
proxy_pass $upstream_listmonk;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# MkDocs — allows iframe embedding from admin
server {
listen 80;
server_name docs.cmlite.org docs.betteredmonton.org docs.pridecorner.ca;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org app.betteredmonton.org" always;
location / {
set $upstream_mkdocs http://mkdocs-changemaker:8000;
proxy_pass $upstream_mkdocs;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Code Server — allows iframe embedding from admin (app.cmlite.org)
server {
listen 80;
server_name code.cmlite.org;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;
location / {
set $upstream_code http://code-server-changemaker:8443;
proxy_pass $upstream_code;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# MailHog (email testing) — allows iframe embedding from admin (app.cmlite.org)
server {
listen 80;
server_name mail.cmlite.org;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;
location / {
set $upstream_mailhog http://mailhog-changemaker:8025;
proxy_pass $upstream_mailhog;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for MailHog live updates
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Mini QR — allows iframe embedding from admin (app.cmlite.org)
server {
listen 80;
server_name qr.cmlite.org;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;
location / {
set $upstream_miniqr http://mini-qr:8080;
proxy_pass $upstream_miniqr;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Excalidraw — allows iframe embedding from admin (app.cmlite.org)
server {
listen 80;
server_name draw.cmlite.org;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;
location / {
set $upstream_excalidraw http://excalidraw-changemaker:80;
proxy_pass $upstream_excalidraw;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for collaboration
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Vaultwarden (password manager) — allows iframe embedding from admin
server {
listen 80;
server_name vault.cmlite.org;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;
location / {
set $upstream_vaultwarden http://vaultwarden-changemaker:80;
proxy_pass $upstream_vaultwarden;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Rocket.Chat (team chat) — allows iframe embedding from admin
server {
listen 80;
server_name chat.cmlite.org chat.betteredmonton.org chat.pridecorner.ca;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org app.betteredmonton.org" always;
location / {
set $upstream_rocketchat http://rocketchat-changemaker:3000;
proxy_pass $upstream_rocketchat;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support (critical for RC real-time messaging)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
client_max_body_size 100m;
}
}
# Gancio (event management) — allows iframe embedding from admin (app.cmlite.org)
server {
listen 80;
server_name events.cmlite.org;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;
location / {
set $upstream_gancio http://gancio-changemaker:13120;
proxy_pass $upstream_gancio;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Jitsi Meet (video conferencing) — allows iframe embedding from admin (app.cmlite.org)
server {
listen 80;
server_name meet.cmlite.org meet.betteredmonton.org meet.pridecorner.ca;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org app.betteredmonton.org" always;
location / {
set $upstream_jitsi http://jitsi-web-changemaker:80;
proxy_pass $upstream_jitsi;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# --- Embed proxy ports (for iframe embedding without DNS/subdomain) ---
# These listen on dedicated ports so the admin GUI can iframe services via
# localhost:PORT, bypassing X-Frame-Options without needing *.localhost DNS.
# NOTE: In Docker deployments, these ports come from env vars via the .template file.
# These hardcoded values are defaults for reference only.
server {
listen 8881;
location / {
set $upstream_nocodb http://changemaker-v2-nocodb:8080;
proxy_pass $upstream_nocodb;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 8882;
location / {
set $upstream_n8n http://n8n-changemaker:5678;
proxy_pass $upstream_n8n;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 8883;
# Increase max body size for large git pushes (2GB)
client_max_body_size 2048M;
location / {
set $upstream_gitea http://gitea-changemaker:3000;
proxy_pass $upstream_gitea;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 8884;
location / {
set $upstream_mailhog http://mailhog-changemaker:8025;
proxy_pass $upstream_mailhog;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 8885;
location / {
set $upstream_miniqr http://mini-qr:8080;
proxy_pass $upstream_miniqr;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Excalidraw embed proxy (port 8886)
server {
listen 8886;
location / {
set $upstream_excalidraw http://excalidraw-changemaker:80;
proxy_pass $upstream_excalidraw;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for collaboration
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Admin GUI — app subdomain
server {
listen 80;
server_name app.cmlite.org app.betteredmonton.org app.pridecorner.ca;
add_header X-Frame-Options "SAMEORIGIN" always;
# Social media bot detection for OG meta tags
set $is_bot 0;
if ($http_user_agent ~* "(Twitterbot|facebookexternalhit|LinkedInBot|Slackbot|TelegramBot|WhatsApp|Discordbot|Googlebot|bingbot|Pinterest|Embedly|Quora Link Preview|Showyoubot|outbrain|vkShare|W3C_Validator)") {
set $is_bot 1;
}
# Bot-specific rewrites — serve OG meta from API for rich social previews
location ~ ^/campaign/([^/]+)$ {
if ($is_bot) {
rewrite ^/campaign/(.+)$ /api/og/campaign/$1 last;
}
set $upstream_admin http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ ^/p/([^/]+)$ {
if ($is_bot) {
rewrite ^/p/(.+)$ /api/og/page/$1 last;
}
set $upstream_admin http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ ^/gallery/watch/([^/]+)$ {
if ($is_bot) {
rewrite ^/gallery/watch/(.+)$ /api/og/gallery/$1 last;
}
set $upstream_admin http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location / {
set $upstream_admin http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for Vite HMR
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Media API (direct path - used by admin GUI media-api.ts client)
# Rewrites /media/* to /api/* (matches Vite dev proxy behavior)
# Uses variable proxy_pass for runtime DNS resolution after container restarts
location /media/ {
rewrite ^/media/(.*) /api/$1 break;
set $upstream_media_app http://changemaker-media-api:4100;
proxy_pass $upstream_media_app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Large file upload support
client_max_body_size 10G;
proxy_read_timeout 3600s;
proxy_connect_timeout 75s;
proxy_request_buffering off;
# WebSocket support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Media API endpoints (must come BEFORE /api/ for longest prefix match)
location /api/media/ {
set $upstream_media http://changemaker-media-api:4100;
proxy_pass $upstream_media;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Large upload support
client_max_body_size 10G;
proxy_read_timeout 3600s;
proxy_connect_timeout 75s;
proxy_request_buffering off;
# WebSocket support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# MkDocs proxy (docs search index for volunteer map)
location /mkdocs-proxy/ {
set $upstream_mkdocs http://mkdocs-changemaker:8000;
rewrite ^/mkdocs-proxy/(.*) /$1 break;
proxy_pass $upstream_mkdocs;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# API (Express)
location /api/ {
set $upstream_api http://changemaker-v2-api:4000;
proxy_pass $upstream_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# MkDocs built static site — root domain
server {
listen 80;
server_name cmlite.org;
location / {
set $upstream_site http://mkdocs-site-server-changemaker:80;
proxy_pass $upstream_site;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Root domain — routes to admin GUI (supports custom DOMAIN env var)
server {
listen 80;
server_name betteredmonton.org pridecorner.ca;
add_header X-Frame-Options "SAMEORIGIN" always;
location / {
set $upstream_admin http://changemaker-v2-admin:3000;
proxy_pass $upstream_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for Vite HMR
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Media API (direct path - used by admin GUI media-api.ts client)
# Uses variable proxy_pass for runtime DNS resolution after container restarts
location /media/ {
rewrite ^/media/(.*) /api/$1 break;
set $upstream_media_root http://changemaker-media-api:4100;
proxy_pass $upstream_media_root;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Large file upload support
client_max_body_size 10G;
proxy_read_timeout 3600s;
proxy_connect_timeout 75s;
proxy_request_buffering off;
# WebSocket support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Media API endpoints (must come BEFORE /api/ for longest prefix match)
location /api/media/ {
set $upstream_media http://changemaker-media-api:4100;
proxy_pass $upstream_media;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Large upload support
client_max_body_size 10G;
proxy_read_timeout 3600s;
proxy_connect_timeout 75s;
proxy_request_buffering off;
# WebSocket support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# API (Express)
location /api/ {
set $upstream_api http://changemaker-v2-api:4000;
proxy_pass $upstream_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Homepage dashboard — allows iframe embedding from admin
server {
listen 80;
server_name home.cmlite.org;
add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org app.betteredmonton.org" always;
location / {
set $upstream_homepage http://homepage-changemaker:3000;
proxy_pass $upstream_homepage;
proxy_hide_header X-Frame-Options;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Homepage embed proxy (port 8887)
server {
listen 8887;
location / {
set $upstream_homepage http://homepage-changemaker:3000;
proxy_pass $upstream_homepage;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Vaultwarden embed proxy (port 8890)
server {
listen 8890;
location / {
set $upstream_vaultwarden http://vaultwarden-changemaker:80;
proxy_pass $upstream_vaultwarden;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Rocket.Chat embed proxy (port 8891)
server {
listen 8891;
location / {
set $upstream_rocketchat http://rocketchat-changemaker:3000;
proxy_pass $upstream_rocketchat;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
client_max_body_size 100m;
}
}
# Gancio embed proxy (port 8892)
server {
listen 8892;
location / {
set $upstream_gancio http://gancio-changemaker:13120;
proxy_pass $upstream_gancio;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Jitsi Meet embed proxy (port 8893)
server {
listen 8893;
location / {
set $upstream_jitsi http://jitsi-web-changemaker:80;
proxy_pass $upstream_jitsi;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
# Grafana embed proxy (port 8894)
server {
listen 8894;
location / {
set $upstream_grafana http://grafana-changemaker:3000;
proxy_pass $upstream_grafana;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Alertmanager embed proxy (port 8895)
server {
listen 8895;
location / {
set $upstream_alertmanager http://alertmanager-changemaker:9093;
proxy_pass $upstream_alertmanager;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' localhost 127.0.0.1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Reference in New Issue View Git Blame Copy Permalink