feat(infra): add nginx WebSocket proxy and SSH relay config to compose files

- Add WebSocket upgrade map to nginx and proxy /ws/ssh to poller:8080 - Update CSP connect-src to allow ws: and wss: for terminal connections - Add tunnel port range 49000-49100, SSH relay env vars, ulimits, and healthcheck to poller in both override and prod compose files - Increase poller memory limit to 512M in prod for tunnel/SSH overhead Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 15:40:53 -05:00
parent 4860fad643
commit 27f4403856
3 changed files with 68 additions and 2 deletions
--- a/infrastructure/docker/nginx-spa.conf
+++ b/infrastructure/docker/nginx-spa.conf
@@ -1,3 +1,8 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
 server {
    listen 80;
    server_name _;
@@ -18,7 +23,7 @@ server {

    # CSP for React SPA with Tailwind CSS and Leaflet maps
    # worker-src required for SRP key derivation Web Worker (Safari won't fall back to script-src)
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.tile.openstreetmap.org; font-src 'self'; connect-src 'self'; worker-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.tile.openstreetmap.org; font-src 'self'; connect-src 'self' ws: wss:; worker-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;

    # Proxy API requests to the backend service
    # The api container is reachable via Docker internal DNS as "api" on port 8000
@@ -40,6 +45,29 @@ server {
        proxy_hide_header Content-Security-Policy;
    }

+    # WebSocket proxy for SSH terminal
+    location /ws/ssh {
+        resolver 127.0.0.11 valid=10s ipv6=off;
+        set $poller_upstream http://poller:8080;
+
+        proxy_pass $poller_upstream;
+        proxy_http_version 1.1;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+
+        proxy_read_timeout 1800s;
+        proxy_send_timeout 1800s;
+
+        proxy_buffering off;
+        proxy_request_buffering off;
+        proxy_busy_buffers_size 512k;
+        proxy_buffers 8 512k;
+    }
+
    # Serve static assets with long cache headers
    # Note: add_header in a location block clears parent-block headers,
    # so we re-add the essential security header for static assets.