aiolabs/regtest
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

dev-stack: front pict-rs with nginx CORS sidecar
Some checks failed
ci / regtest (push) Has been cancelled
Details

Browse source 
pict-rs itself doesn't emit Access-Control-* headers; production papers
over that with an nginx vhost (deploy/server-deploy/modules/services/
pict-rs.nix), which the dev compose was claiming to mirror but didn't.
Cross-origin uploads from the webapp dev server got blocked.

Move pict-rs to internal-only (`expose`) and add a pict-rs-nginx sidecar
publishing :6033, reusing the exact CORS block from the prod nix
module. Closes the dev/prod divergence so browser upload behavior
matches between local and deployed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Padreug 2026-05-20 17:11:45 +02:00
commit 5c2af3405e
2 changed files with 64 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

28
docker-compose.dev.yml
View file

@ -77,9 +77,9 @@ services:
- ./data/fava:/bean - ./data/fava:/bean
# Image hosting backend. Mirrors the deploy flake's services.pict-rs # Image hosting backend. Mirrors the deploy flake's services.pict-rs
# (modules/services/pict-rs.nix → port 6033). Webapp + extensions reach # (modules/services/pict-rs.nix → port 6033). The container is now
# it on http://localhost:6033 from the host; in-network containers can # internal-only; host traffic goes through the pict-rs-nginx sidecar
# use http://pict-rs:6033. # which adds the CORS layer that production's nginx vhost provides.
pict-rs: pict-rs:
image: asonix/pictrs:0.5 image: asonix/pictrs:0.5
hostname: pict-rs hostname: pict-rs
@ -87,7 +87,25 @@ services:
user: "0:0" user: "0:0"
environment: environment:
PICTRS__SERVER__ADDRESS: 0.0.0.0:6033 PICTRS__SERVER__ADDRESS: 0.0.0.0:6033
ports: expose:
- 6033:6033 - "6033"
volumes: volumes:
- ./data/pict-rs:/mnt - ./data/pict-rs:/mnt
# Reverse proxy in front of pict-rs. Production runs pict-rs behind
# an nginx vhost (deploy/server-deploy/modules/services/pict-rs.nix)
# that adds the CORS headers and OPTIONS preflight handling browsers
# need for cross-origin uploads from the webapp dev server. Without
# this, POST /image from http://localhost:5173 gets blocked even
# though pict-rs itself is healthy. Config mirrors the prod nginx
# vhost verbatim.
pict-rs-nginx:
image: nginx:alpine
hostname: pict-rs-nginx
restart: on-failure
depends_on:
- pict-rs
ports:
- 6033:80
volumes:
- ./pict-rs-nginx.conf:/etc/nginx/nginx.conf:ro

41
pict-rs-nginx.conf Normal file
View file

@ -0,0 +1,41 @@
events {}
http {
# Mirrors deploy/server-deploy/modules/services/pict-rs.nix so the dev
# stack speaks the same CORS contract as production. Webapps (Vite
# dev server on a different origin) need preflight handling and the
# Access-Control-* headers on responses.
server {
listen 80;
server_name _;
client_max_body_size 50M;
location / {
proxy_pass http://pict-rs:6033;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" always;
add_header Access-Control-Max-Age 86400 always;
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With";
add_header Access-Control-Max-Age 86400;
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
}
}
}