lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/docker/fips-ui/nginx.conf

34 lines
1.3 KiB
Nginx Configuration File
Raw Permalink Normal View History

feat(fips): connect to public mesh anchor over TCP + wire daemon updates The whole fleet was silently never reaching the FIPS mesh: the default public anchor was configured as fips.v0l.io:8668/udp, but the anchor only answers on TCP/8443. Fix the default to 185.18.221.160:8443/tcp (IPv4 literal — the hostname resolves IPv6-first and the daemon binds v4-only, which fails the handshake with EAFNOSUPPORT), and auto-seed it in anchors::load() so every node dials it without operator action (removal still persists). Proven live on .116: cold start → anchor_connected in ~400ms, anchor became mesh parent. Wire fips::update::apply() against upstream GitHub releases (stable channel only): resolve /releases/latest → SHA256-verify the .deb against checksums-linux.txt → install → restart. dpkg runs via `systemd-run` to escape archipelago's ProtectSystem=strict sandbox (else /var/lib/dpkg is read-only), with --force-confold (archipelago manages /etc/fips conffiles) and --force-downgrade (dev builds sort newer than the stable tag). Validated live: .116 upgraded 0.3.0-dev -> stable v0.3.0. Also: standalone fips-ui dashboard app (apps/fips-ui + docker/fips-ui, static nginx proxying /rpc/v1 same-origin, copiable own-anchor address); reserve UI port 8336; register fips/fips-ui as platform-managed. Includes the Lightning wallet cross-origin (CORS) + LND proxy auth + nginx self-healer fix so the wallet screen connects instead of "failed to fetch". Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 06:41:48 -04:00
server {
listen 8336;
server_name _;
root /usr/share/nginx/html;
index index.html;
# Proxy archipelago RPC same-origin so the browser never makes a
# cross-origin request (no CORS needed). The FIPS app is served on
# this node's :8336; cookies are scoped by host (not port), so the
# browser already carries the `session` (HttpOnly) and `csrf_token`
# cookies set by the main UI on :80. We forward both, plus the
# X-CSRF-Token header the app derives from the readable csrf_token
# cookie, to the backend RPC on 127.0.0.1:5678.
#
# Unlike bitcoin-ui this config is fully static (baked into the
# image) — there is no upstream secret to substitute; the browser's
# own archipelago session is the credential.
location /rpc/v1 {
proxy_pass http://127.0.0.1:5678/rpc/v1;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-CSRF-Token $http_x_csrf_token;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 60s;
add_header Cache-Control "no-store";
}
location / {
try_files $uri $uri/ /index.html;
}
}
Reference in New Issue Copy Permalink