From 512088ab93d99a089a32675754b8c1539d28856a Mon Sep 17 00:00:00 2001
From: Benjamin Admin
Date: Mon, 13 Apr 2026 17:13:52 +0200
Subject: [PATCH] feat(pitch-deck): HTTPS via Nginx reverse proxy on port 3012
- Add Nginx SSL server block for pitch-deck on port 3012
- Route through Nginx instead of direct container port
- Restore secure cookie flag (requires HTTPS)
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker-compose.yml | 5 +++--
 nginx/conf.d/default.conf | 30 ++++++++++++++++++++++++++++++
 pitch-deck/lib/admin-auth.ts | 2 +-
 3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index f7d91ac..82cae64 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -61,6 +61,7 @@ services:
 - "3008:3008" # Admin Core
 - "3010:3010" # Portal Dashboard
 - "8011:8011" # Compliance Docs (MkDocs)
+ - "3012:3012" # Pitch Deck
 volumes:
 - ./nginx/conf.d:/etc/nginx/conf.d:ro
 - vault_certs:/etc/nginx/certs:ro
@@ -873,8 +874,8 @@ services:
 dockerfile: Dockerfile
 container_name: bp-core-pitch-deck
 platform: linux/arm64
- ports:
- "3012:3000"
+ expose:
+ - "3000"
 environment:
 NODE_ENV: production
 DATABASE_URL: postgres://${POSTGRES_USER:-breakpilot}:${POSTGRES_PASSWORD:-breakpilot123}@postgres:5432/${POSTGRES_DB:-breakpilot_db}
diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf
index 9c04981..64de86f 100644
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -760,3 +760,33 @@ server {
 try_files $uri $uri/ /index.html;
 }
 }
+
+# =========================================================
+# PITCH DECK: Investor Presentation on port 3012
+# =========================================================
+server {
+ listen 3012 ssl;
+ http2 on;
+ server_name macmini localhost;
+
+ ssl_certificate /etc/nginx/certs/macmini.crt;
+ ssl_certificate_key /etc/nginx/certs/macmini.key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+ ssl_prefer_server_ciphers off;
+
+ location / {
+ set $upstream_pitch bp-core-pitch-deck:3000;
+ proxy_pass http://$upstream_pitch;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_read_timeout 300s;
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 300s;
+ }
+}
diff --git a/pitch-deck/lib/admin-auth.ts b/pitch-deck/lib/admin-auth.ts
index 0d8dc6c..ad0d405 100644
--- a/pitch-deck/lib/admin-auth.ts
+++ b/pitch-deck/lib/admin-auth.ts
@@ -112,7 +112,7 @@ export async function setAdminCookie(jwt: string): Promise {
 const cookieStore = await cookies()
 cookieStore.set(ADMIN_COOKIE_NAME, jwt, {
 httpOnly: true,
- secure: process.env.PITCH_SECURE_COOKIE === 'true',
+ secure: process.env.NODE_ENV === 'production',
 sameSite: 'lax',
 path: '/',
 maxAge: ADMIN_SESSION_EXPIRY_HOURS * 60 * 60,
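Review bot: In the new `location /` of the port-3012 server in nginx/conf.d/default.conf, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever X-Forwarded-For value the client sent, so the pitch-deck app sees a client-controlled leftmost address. If this Nginx is the first hop and the app uses that header for login throttling or audit logging (not visible here), take the address from the socket instead: `proxy_set_header X-Forwarded-For $remote_addr;`. Separately, `proxy_pass http://$upstream_pitch;` uses a variable, so Nginx resolves the name at request time and needs a `resolver` directive in scope. This block sets none, so confirm one is defined elsewhere in the file, otherwise requests will fail with a 502.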
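Review bot: In pitch-deck/lib/admin-auth.ts, `secure: process.env.NODE_ENV === 'production'` ties the admin cookie's Secure flag to the build mode rather than to the transport, so any instance started with another NODE_ENV on a reachable host would issue the admin JWT cookie without Secure and let it travel over plain HTTP. A fail-closed form keeps the flag on unless it is explicitly switched off for local work, e.g. `secure: process.env.PITCH_SECURE_COOKIE !== 'false',`. A one-line comment above the option would also record the new dependency: `// Secure needs the HTTPS listener on :3012 (nginx/conf.d/default.conf); browsers do not send this cookie over plain HTTP`. setAdminCookie starts and ends outside this hunk, so the rest of the options object is not visible.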