feat(pitch-deck): HTTPS via Nginx reverse proxy on port 3012

- Add Nginx SSL server block for pitch-deck on port 3012 - Route through Nginx instead of direct container port - Restore secure cookie flag (requires HTTPS) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 17:13:52 +02:00
parent 32b5e0223d
commit 512088ab93
3 changed files with 34 additions and 3 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -61,6 +61,7 @@ services:
      - "3008:3008"     # Admin Core
      - "3010:3010"     # Portal Dashboard
      - "8011:8011"     # Compliance Docs (MkDocs)
+      - "3012:3012"     # Pitch Deck
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - vault_certs:/etc/nginx/certs:ro
@@ -873,8 +874,8 @@ services:
      dockerfile: Dockerfile
    container_name: bp-core-pitch-deck
    platform: linux/arm64
-    ports:
-      - "3012:3000"
+    expose:
+      - "3000"
    environment:
      NODE_ENV: production
      DATABASE_URL: postgres://${POSTGRES_USER:-breakpilot}:${POSTGRES_PASSWORD:-breakpilot123}@postgres:5432/${POSTGRES_DB:-breakpilot_db}
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -760,3 +760,33 @@ server {
        try_files $uri $uri/ /index.html;
    }
 }
+
+# =========================================================
+# PITCH DECK: Investor Presentation on port 3012
+# =========================================================
+server {
+    listen 3012 ssl;
+    http2 on;
+    server_name macmini localhost;
+
+    ssl_certificate /etc/nginx/certs/macmini.crt;
+    ssl_certificate_key /etc/nginx/certs/macmini.key;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+    ssl_prefer_server_ciphers off;
+
+    location / {
+        set $upstream_pitch bp-core-pitch-deck:3000;
+        proxy_pass http://$upstream_pitch;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 300s;
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 300s;
+    }
+}
--- a/pitch-deck/lib/admin-auth.ts
+++ b/pitch-deck/lib/admin-auth.ts
@@ -112,7 +112,7 @@ export async function setAdminCookie(jwt: string): Promise<void> {
  const cookieStore = await cookies()
  cookieStore.set(ADMIN_COOKIE_NAME, jwt, {
    httpOnly: true,
-    secure: process.env.PITCH_SECURE_COOKIE === 'true',
+    secure: process.env.NODE_ENV === 'production',
    sameSite: 'lax',
    path: '/',
    maxAge: ADMIN_SESSION_EXPIRY_HOURS * 60 * 60,