mirror of
https://github.com/BetterCorp/BetterFrame.git
synced 2026-05-26 22:26:33 +00:00
4cf9704350
Root cause: kiosk never stored cluster_key from pairing response. Bundle ships onvif_password_encrypted (AES-256-GCM with cluster key). decrypt_cluster was a stub returning None → empty password → WSSE auth fails → CreatePullPoint rejected → no events ever. Fix: 1. ClaimResp now includes cluster_key field 2. Stored encrypted at rest alongside kiosk_key (at_rest.rs) 3. Loaded at bundle render, passed to onvif_events::start() 4. decrypt_cluster implements full AES-256-GCM: parse v1.<iv>.<tag>.<ct> format, base64url decode, decrypt with cluster key Also: removed BF_ENABLE_ONVIF_EVENTS env gate — if camera is type=onvif with onvif_host, subscribe. Gate was redundant with the type filter. Also: bump Angie proxy_read_timeout to 600s on /api/admin/ for OS bundle import (downloads ~1GB from GitHub, was timing out at 60s). NOTE: existing paired kiosks won't have cluster_key stored. They need to re-pair (delete + re-add) to receive it. New pairings get it automatically.
154 lines
5.1 KiB
Text
154 lines
5.1 KiB
Text
# BetterFrame Docker nginx config.
|
|
#
|
|
# Production proxy routes for the Docker Compose stack. Upstreams use compose
|
|
# service names and only this proxy is published on the host.
|
|
|
|
upstream betterframe_admin { server server:18080; keepalive 16; }
|
|
upstream betterframe_api { server server:18081; keepalive 16; }
|
|
upstream betterframe_ws { server server:18082; }
|
|
upstream betterframe_nodered { server nodered:1880; keepalive 8; }
|
|
|
|
limit_req_zone $binary_remote_addr zone=bf_public:10m rate=30r/s;
|
|
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
client_max_body_size 16M;
|
|
|
|
location /admin/ {
|
|
proxy_pass http://betterframe_admin;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
}
|
|
|
|
location = /admin { return 301 /admin/; }
|
|
location /setup { proxy_pass http://betterframe_admin; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; }
|
|
location /auth/ { proxy_pass http://betterframe_admin; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; }
|
|
location /static/ { proxy_pass http://betterframe_admin; }
|
|
|
|
location /api/kiosk/ {
|
|
proxy_pass http://betterframe_api;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
}
|
|
|
|
location /api/pair/ {
|
|
limit_req zone=bf_public burst=10 nodelay;
|
|
proxy_pass http://betterframe_api;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
}
|
|
|
|
location /api/admin/ {
|
|
proxy_pass http://betterframe_admin;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
# OS bundle import downloads ~1GB from GitHub — needs long timeout.
|
|
proxy_read_timeout 600s;
|
|
proxy_send_timeout 600s;
|
|
}
|
|
|
|
location /ws/kiosk {
|
|
proxy_pass http://betterframe_ws;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_read_timeout 86400s;
|
|
proxy_send_timeout 86400s;
|
|
}
|
|
|
|
# Admin debug WS (journal + terminal) under /admin/ so Angie's existing
|
|
# /admin/* routing applies. Proxied to coordinator-ws (18082) not admin-http.
|
|
location /admin/ws/debug/ {
|
|
proxy_pass http://betterframe_ws/ws/admin/debug/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header Cookie $http_cookie;
|
|
proxy_read_timeout 86400s;
|
|
proxy_send_timeout 86400s;
|
|
}
|
|
|
|
location /nrdp/ {
|
|
auth_request /api/admin/_check;
|
|
proxy_pass http://betterframe_nodered;
|
|
proxy_set_header Host $host;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
|
|
location = /nrdp { return 301 /nrdp/; }
|
|
|
|
location /dash/ {
|
|
auth_request /api/kiosk/_check;
|
|
auth_request_set $bf_kiosk_id $upstream_http_x_betterframe_kiosk_id;
|
|
proxy_pass http://betterframe_nodered;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-BetterFrame-Kiosk-Id $bf_kiosk_id;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
|
|
location /in/public/ {
|
|
limit_req zone=bf_public burst=20 nodelay;
|
|
rewrite ^/in/public/(.*) /$1 break;
|
|
proxy_pass http://betterframe_nodered;
|
|
}
|
|
|
|
location /in/kiosk/ {
|
|
auth_request /api/kiosk/_check;
|
|
auth_request_set $bf_kiosk_id $upstream_http_x_betterframe_kiosk_id;
|
|
rewrite ^/in/kiosk/(.*) /$1 break;
|
|
proxy_pass http://betterframe_nodered;
|
|
proxy_set_header X-BetterFrame-Kiosk-Id $bf_kiosk_id;
|
|
}
|
|
|
|
location = /api/admin/_check {
|
|
internal;
|
|
proxy_pass http://betterframe_admin;
|
|
proxy_pass_request_body off;
|
|
proxy_set_header Content-Length "";
|
|
proxy_set_header Cookie $http_cookie;
|
|
proxy_set_header Authorization $http_authorization;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
}
|
|
|
|
location = /api/kiosk/_check {
|
|
internal;
|
|
proxy_pass http://betterframe_api;
|
|
proxy_pass_request_body off;
|
|
proxy_set_header Content-Length "";
|
|
proxy_set_header Authorization $http_authorization;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
}
|
|
|
|
location /api/ { return 404; }
|
|
location /ws/ { return 404; }
|
|
|
|
location ~ ^/(healthz|readyz|version)$ {
|
|
proxy_pass http://betterframe_admin;
|
|
}
|
|
|
|
location = / {
|
|
proxy_pass http://betterframe_admin;
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://betterframe_nodered;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
}
|
|
}
|