monoadmin/the-other-dude
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(infra): add nginx WebSocket proxy and SSH relay config to compose files

Browse Source 
- Add WebSocket upgrade map to nginx and proxy /ws/ssh to poller:8080
- Update CSP connect-src to allow ws: and wss: for terminal connections
- Add tunnel port range 49000-49100, SSH relay env vars, ulimits, and healthcheck to poller in both override and prod compose files
- Increase poller memory limit to 512M in prod for tunnel/SSH overhead

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Staack
2026-03-12 15:40:53 -05:00
parent 4860fad643
commit 27f4403856
3 changed files with 68 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
docker-compose.override.yml
View File

@@ -81,6 +81,20 @@ services:
OPENBAO_TOKEN: dev-openbao-token OPENBAO_TOKEN: dev-openbao-token
POLL_INTERVAL_SECONDS: 60 POLL_INTERVAL_SECONDS: 60
WIREGUARD_GATEWAY: wireguard WIREGUARD_GATEWAY: wireguard
TUNNEL_PORT_MIN: 49000
TUNNEL_PORT_MAX: 49100
TUNNEL_IDLE_TIMEOUT: 300
SSH_RELAY_PORT: 8080
SSH_IDLE_TIMEOUT: 900
SSH_MAX_SESSIONS: 200
SSH_MAX_PER_USER: 10
SSH_MAX_PER_DEVICE: 20
ports:
- "127.0.0.1:49000-49100:49000-49100"
ulimits:
nofile:
soft: 8192
hard: 8192
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
depends_on: depends_on:
@@ -90,6 +104,11 @@ services:
condition: service_healthy condition: service_healthy
nats: nats:
condition: service_healthy condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "wget --spider -q http://localhost:8080/healthz || exit 1"]
interval: 30s
timeout: 3s
retries: 3
deploy: deploy:
resources: resources:
limits: limits:

21
docker-compose.prod.yml
View File

@@ -44,6 +44,20 @@ services:
environment: environment:
ENVIRONMENT: production ENVIRONMENT: production
LOG_LEVEL: info LOG_LEVEL: info
TUNNEL_PORT_MIN: 49000
TUNNEL_PORT_MAX: 49100
TUNNEL_IDLE_TIMEOUT: 300
SSH_RELAY_PORT: 8080
SSH_IDLE_TIMEOUT: 900
SSH_MAX_SESSIONS: 200
SSH_MAX_PER_USER: 10
SSH_MAX_PER_DEVICE: 20
ports:
- "127.0.0.1:49000-49100:49000-49100"
ulimits:
nofile:
soft: 8192
hard: 8192
depends_on: depends_on:
postgres: postgres:
condition: service_healthy condition: service_healthy
@@ -51,10 +65,15 @@ services:
condition: service_healthy condition: service_healthy
nats: nats:
condition: service_healthy condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "wget --spider -q http://localhost:8080/healthz || exit 1"]
interval: 30s
timeout: 3s
retries: 3
deploy: deploy:
resources: resources:
limits: limits:
memory: 256M memory: 512M # increased from 256M for tunnel/SSH overhead
restart: unless-stopped restart: unless-stopped
logging: logging:
driver: json-file driver: json-file

30
infrastructure/docker/nginx-spa.conf
View File

@@ -1,3 +1,8 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server { server {
listen 80; listen 80;
server_name _; server_name _;
@@ -18,7 +23,7 @@ server {
# CSP for React SPA with Tailwind CSS and Leaflet maps # CSP for React SPA with Tailwind CSS and Leaflet maps
# worker-src required for SRP key derivation Web Worker (Safari won't fall back to script-src) # worker-src required for SRP key derivation Web Worker (Safari won't fall back to script-src)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.tile.openstreetmap.org; font-src 'self'; connect-src 'self'; worker-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.tile.openstreetmap.org; font-src 'self'; connect-src 'self' ws: wss:; worker-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
# Proxy API requests to the backend service # Proxy API requests to the backend service
# The api container is reachable via Docker internal DNS as "api" on port 8000 # The api container is reachable via Docker internal DNS as "api" on port 8000
@@ -40,6 +45,29 @@ server {
proxy_hide_header Content-Security-Policy; proxy_hide_header Content-Security-Policy;
} }
# WebSocket proxy for SSH terminal
location /ws/ssh {
resolver 127.0.0.11 valid=10s ipv6=off;
set $poller_upstream http://poller:8080;
proxy_pass $poller_upstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_read_timeout 1800s;
proxy_send_timeout 1800s;
proxy_buffering off;
proxy_request_buffering off;
proxy_busy_buffers_size 512k;
proxy_buffers 8 512k;
}
# Serve static assets with long cache headers # Serve static assets with long cache headers
# Note: add_header in a location block clears parent-block headers, # Note: add_header in a location block clears parent-block headers,
# so we re-add the essential security header for static assets. # so we re-add the essential security header for static assets.