From 5c2af3405e631af92b005d1c8cb791cb0179663b Mon Sep 17 00:00:00 2001 From: Padreug Date: Wed, 20 May 2026 17:11:45 +0200 Subject: [PATCH] dev-stack: front pict-rs with nginx CORS sidecar pict-rs itself doesn't emit Access-Control-* headers; production papers over that with an nginx vhost (deploy/server-deploy/modules/services/ pict-rs.nix), which the dev compose was claiming to mirror but didn't. Cross-origin uploads from the webapp dev server got blocked. Move pict-rs to internal-only (`expose`) and add a pict-rs-nginx sidecar publishing :6033, reusing the exact CORS block from the prod nix module. Closes the dev/prod divergence so browser upload behavior matches between local and deployed. Co-Authored-By: Claude Opus 4.7 (1M context) --- docker-compose.dev.yml | 28 +++++++++++++++++++++++----- pict-rs-nginx.conf | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 5 deletions(-) create mode 100644 pict-rs-nginx.conf diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index f7d5ce5..5da5f07 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -77,9 +77,9 @@ services: - ./data/fava:/bean # Image hosting backend. Mirrors the deploy flake's services.pict-rs - # (modules/services/pict-rs.nix → port 6033). Webapp + extensions reach - # it on http://localhost:6033 from the host; in-network containers can - # use http://pict-rs:6033. + # (modules/services/pict-rs.nix → port 6033). The container is now + # internal-only; host traffic goes through the pict-rs-nginx sidecar + # which adds the CORS layer that production's nginx vhost provides. pict-rs: image: asonix/pictrs:0.5 hostname: pict-rs @@ -87,7 +87,25 @@ services: user: "0:0" environment: PICTRS__SERVER__ADDRESS: 0.0.0.0:6033 - ports: - - 6033:6033 + expose: + - "6033" volumes: - ./data/pict-rs:/mnt + + # Reverse proxy in front of pict-rs. Production runs pict-rs behind + # an nginx vhost (deploy/server-deploy/modules/services/pict-rs.nix) + # that adds the CORS headers and OPTIONS preflight handling browsers + # need for cross-origin uploads from the webapp dev server. Without + # this, POST /image from http://localhost:5173 gets blocked even + # though pict-rs itself is healthy. Config mirrors the prod nginx + # vhost verbatim. + pict-rs-nginx: + image: nginx:alpine + hostname: pict-rs-nginx + restart: on-failure + depends_on: + - pict-rs + ports: + - 6033:80 + volumes: + - ./pict-rs-nginx.conf:/etc/nginx/nginx.conf:ro diff --git a/pict-rs-nginx.conf b/pict-rs-nginx.conf new file mode 100644 index 0000000..703aeb9 --- /dev/null +++ b/pict-rs-nginx.conf @@ -0,0 +1,41 @@ +events {} + +http { + # Mirrors deploy/server-deploy/modules/services/pict-rs.nix so the dev + # stack speaks the same CORS contract as production. Webapps (Vite + # dev server on a different origin) need preflight handling and the + # Access-Control-* headers on responses. + + server { + listen 80; + server_name _; + + client_max_body_size 50M; + + location / { + proxy_pass http://pict-rs:6033; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_connect_timeout 30s; + proxy_send_timeout 30s; + proxy_read_timeout 30s; + + add_header Access-Control-Allow-Origin "*" always; + add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS" always; + add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" always; + add_header Access-Control-Max-Age 86400 always; + + if ($request_method = 'OPTIONS') { + add_header Access-Control-Allow-Origin "*"; + add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"; + add_header Access-Control-Max-Age 86400; + add_header Content-Length 0; + add_header Content-Type text/plain; + return 204; + } + } + } +}