feat(infra): add nginx WebSocket proxy and SSH relay config to compose files

- Add WebSocket upgrade map to nginx and proxy /ws/ssh to poller:8080 - Update CSP connect-src to allow ws: and wss: for terminal connections - Add tunnel port range 49000-49100, SSH relay env vars, ulimits, and healthcheck to poller in both override and prod compose files - Increase poller memory limit to 512M in prod for tunnel/SSH overhead Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 15:40:53 -05:00
parent 4860fad643
commit 27f4403856
3 changed files with 68 additions and 2 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -44,6 +44,20 @@ services:
    environment:
      ENVIRONMENT: production
      LOG_LEVEL: info
+      TUNNEL_PORT_MIN: 49000
+      TUNNEL_PORT_MAX: 49100
+      TUNNEL_IDLE_TIMEOUT: 300
+      SSH_RELAY_PORT: 8080
+      SSH_IDLE_TIMEOUT: 900
+      SSH_MAX_SESSIONS: 200
+      SSH_MAX_PER_USER: 10
+      SSH_MAX_PER_DEVICE: 20
+    ports:
+      - "127.0.0.1:49000-49100:49000-49100"
+    ulimits:
+      nofile:
+        soft: 8192
+        hard: 8192
    depends_on:
      postgres:
        condition: service_healthy
@@ -51,10 +65,15 @@ services:
        condition: service_healthy
      nats:
        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "wget --spider -q http://localhost:8080/healthz || exit 1"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
    deploy:
      resources:
        limits:
-          memory: 256M
+          memory: 512M  # increased from 256M for tunnel/SSH overhead
    restart: unless-stopped
    logging:
      driver: json-file