vault backup: 2026-04-29 22:50:36

2026-04-29 22:50:36 +01:00 · 2026-04-29 22:50:36 +01:00 · 5fc78e8086
commit 5fc78e8086
parent e2c2bba088
6 changed files with 154 additions and 2 deletions
--- a/wiki/_master-index.md
+++ b/wiki/_master-index.md
@ -23,7 +23,7 @@ This 3-hop pattern works for hundreds of articles without vector search.
 | [[wiki/tech-patterns/_index\|tech-patterns/]] | Recurring tech stacks: FastAPI, React/Vite, Next.js, Azure AD, AI, Box, One2Edit, Redis/Celery, cost-tracker | 15 |
 | [[wiki/architecture/_index\|architecture/]] | Cross-cutting architectural patterns: Docker Compose, multi-agent AI, GCP timeout, RAG, hotfolder, optical-dev deploy, cost-tracker, new-project checklist, troubleshooting playbooks, ADR log, Cloud Run Jobs | 11 |
 | [[wiki/client-knowledge/_index\|client-knowledge/]] | Per-client notes for Ford, H&M, L'Oréal, Barclays, Ferrero, 3M | 6 |
-| [[wiki/concepts/_index\|concepts/]] | Atomic knowledge extracted from Claude Code sessions | 73 |
+| [[wiki/concepts/_index\|concepts/]] | Atomic knowledge extracted from Claude Code sessions | 75 |
 | [[wiki/connections/_index\|connections/]] | Cross-cutting insights linking 2+ concepts: FastAPI+Azure AD+Docker trinity, AI→cost-tracker, Apache+Vite basePath, GCP→REST polling, Box+hotfolder, Docker DNS+AdGuard | 9 |
 | [[wiki/qa/_index\|qa/]] | Filed answers to queries (saved with `--file-back`) | 0 |
 | [[wiki/homelab/_index\|homelab/]] | Self-hosted infra: Proxmox install, IOMMU/PCI passthrough, hypervisor setup, budget builds, HP Elitedesk G3, Homarr API + Apps + Boards + Certificates + Integrations + Settings + Tasks + AdGuard + Clock + Docker Stats + Docker Integration + Download Client + Firewall + Proxmox Integration + Radarr + Readarr + Sonarr + Bookmarks + Calendar + Icons + App Widget + Weather + GitHub + Nextcloud + qBittorrent + RSS Feed + Speedtest Tracker + System Health Monitoring + System Resources + Services Map + Media Stack | 39 |
--- a/wiki/architecture/optical-dev-server-deploy.md
+++ b/wiki/architecture/optical-dev-server-deploy.md
@ -3,7 +3,7 @@ title: "optical-dev Server — Apache Deployment Pattern"
 description: "Single-vhost Apache pattern on optical-dev.oliver.solutions GCP server — port allocation, Include fragments, SPA routing, deploy script best practices"
 tags: [architecture, apache, deployment, docker, ubuntu, gcp]
 created: 2026-04-17
-updated: 2026-04-17
+updated: 2026-04-29
 ---

 # optical-dev Server — Apache Deployment Pattern
@ -26,6 +26,9 @@ updated: 2026-04-17

 ## Apache Single-Vhost Pattern

+> [!warning] ProxyPass in Include fragments is silently ignored
+> `ProxyPass` / `ProxyPassReverse` directives inside `<Location>` blocks in Include fragment files (`/etc/apache2/sites-available/includes/`) are **silently ignored** on this Apache setup — no error, proxy just doesn't work. Always add ProxyPass directly to the main vhost file. See [[wiki/concepts/apache-proxypass-include-files-ignored]].
+
 **One vhost file handles ALL projects:**
 ```
 /etc/apache2/sites-available/optical-dev.oliver.solutions.conf
--- a/wiki/concepts/_index.md
+++ b/wiki/concepts/_index.md
@ -84,5 +84,8 @@
 | [[wiki/concepts/double-submit-cookie-csrf]] | CSRF for stateless JWT APIs: csrf_token cookie + X-CSRF-Token header; every login path must set both cookies | daily/2026-04-29.md | 2026-04-29 |
 | [[wiki/concepts/time-sleep-blocks-asyncio]] | `time.sleep()` inside async FastAPI handlers blocks the entire event loop — replace with `asyncio.sleep()` or `run_in_executor` | daily/2026-04-29.md | 2026-04-29 |

+| [[wiki/concepts/apache-proxypass-include-files-ignored]] | ProxyPass in Apache Include fragment files is silently ignored on optical-dev — always add ProxyPass directly to the main vhost file | daily/2026-04-29.md | 2026-04-29 |
+| [[wiki/concepts/cookie-domain-migration-auth-loop]] | COOKIE_DOMAIN mismatch after domain migration causes silent auth failure — browser drops cookie, manifests as infinite /login redirect loop; Vite bundle must be rebuilt after env var changes | daily/2026-04-29.md | 2026-04-29 |
+
 <!-- Articles added automatically by compile.py -->
 <!-- Format: | [[concepts/slug]] | One-line summary | daily/YYYY-MM-DD.md | date | -->
--- a/wiki/concepts/apache-proxypass-include-files-ignored.md
+++ b/wiki/concepts/apache-proxypass-include-files-ignored.md
@ -0,0 +1,66 @@
+---
+title: "Apache ProxyPass Silently Ignored in Include Files"
+aliases: [apache-proxypass-include, apache-include-proxypass-ignored]
+tags: [apache, proxy, gotcha, optical-dev, deployment]
+sources:
+  - "daily/2026-04-29.md"
+created: 2026-04-29
+updated: 2026-04-29
+---
+
+# Apache ProxyPass Silently Ignored in Include Files
+
+On `optical-dev.oliver.solutions`, `ProxyPass` / `ProxyPassReverse` directives inside `<Location>` blocks placed in Apache include files (`/etc/apache2/sites-available/includes/`) are **silently ignored** — no error, proxy just doesn't work. Discovered after a long debugging session migrating video-accessibility from `ai-sandbox` to `optical-dev`.
+
+## Key Points
+
+- `ProxyPass` inside `<Location>` in an `Include`d fragment file does NOT take effect on this server
+- The failure is completely silent — Apache loads the config without error, but requests are not proxied
+- Confirmed on two projects (video-accessibility and barclays) — same outcome
+- Fix: add `ProxyPass` directives **directly** to the main vhost file
+- Standard inline `<Location>` blocks in `Include` fragments (for aliases, rewrites) still work fine — only `ProxyPass` is affected
+
+## Details
+
+### The Pattern That Fails
+
+```apache
+# /etc/apache2/sites-available/includes/video-accessibility.conf
+# (loaded via Include in the main vhost)
+<Location /video-accessibility/api/>
+    ProxyPass http://127.0.0.1:8042/api/
+    ProxyPassReverse http://127.0.0.1:8042/api/
+</Location>
+```
+
+Despite the file being included and Apache reloading cleanly (`configtest OK`), requests to `/video-accessibility/api/` are not forwarded to the backend.
+
+### The Fix
+
+Add `ProxyPass` blocks directly to the main vhost file:
+
+```apache
+# /etc/apache2/sites-available/optical-dev.oliver.solutions.conf
+<VirtualHost *:443>
+    ...
+    # Inline — ProxyPass works here
+    ProxyPass        /video-accessibility/api/ http://127.0.0.1:8042/api/
+    ProxyPassReverse /video-accessibility/api/ http://127.0.0.1:8042/api/
+
+    Include /opt/video-accessibility/deploy/apache-video-accessibility.conf
+</VirtualHost>
+```
+
+The `Include` fragment can still handle `Alias`, `<Directory>`, `RewriteRule` — only `ProxyPass` must live in the main file.
+
+### Diagnosis Approach
+
+If a new project proxy suddenly stops working after migration to optical-dev:
+1. Check if `ProxyPass` is inside an Include fragment
+2. Move it to the main vhost file
+3. `sudo apache2ctl configtest && sudo systemctl reload apache2`
+
+## Related Concepts
+
+- [[wiki/architecture/optical-dev-server-deploy]] — full optical-dev Apache pattern, port table, deploy scripts
+- [[wiki/connections/optical-dev-apache-vite-basepath]] — SPA basePath + Apache ProxyPass connection
--- a/wiki/concepts/cookie-domain-migration-auth-loop.md
+++ b/wiki/concepts/cookie-domain-migration-auth-loop.md
@ -0,0 +1,75 @@
+---
+title: "Cookie Domain Mismatch After Migration Causes Silent Auth Loop"
+aliases: [cookie-domain-auth-loop, cookie-domain-migration, auth-redirect-loop]
+tags: [auth, cookies, migration, fastapi, debugging, gotcha]
+sources:
+  - "daily/2026-04-29.md"
+created: 2026-04-29
+updated: 2026-04-29
+---
+
+# Cookie Domain Mismatch After Migration Causes Silent Auth Loop
+
+When a project is migrated to a new domain and `COOKIE_DOMAIN` is not updated, the browser silently drops the auth cookie set for the wrong domain. This manifests as an infinite redirect loop to `/login` with no visible error — one of the harder auth bugs to diagnose.
+
+## Key Points
+
+- `COOKIE_DOMAIN` mismatch causes silent cookie rejection by the browser — no 4xx, no JS error
+- Symptom: page loads → immediately redirects to `/login` → repeat (infinite loop)
+- Root cause: server sets `Set-Cookie: domain=old-domain.com`, browser on `new-domain.com` drops it silently
+- After fixing `API_BASE_URL`, the frontend **must be rebuilt** — env vars are baked into the JS bundle at build time
+- Double `/api/api/` in request URLs is a separate symptom: `API_BASE_URL` already includes `/api` AND frontend code appends another `/api` segment
+
+## Details
+
+### Symptom Pattern
+
+```
+User navigates to /dashboard
+→ Frontend checks auth → calls /api/auth/me
+→ Server returns 401 (no valid session cookie)
+→ Frontend redirects to /login
+→ User logs in → server issues cookie for wrong domain
+→ Browser drops cookie silently
+→ Next request: 401 again → redirect to /login → loop
+```
+
+No error appears in the console or server logs that clearly identifies the domain mismatch — the only signal is the redirect loop itself.
+
+### Diagnosis Checklist
+
+1. **Check `COOKIE_DOMAIN` in `.env`** — must match the current deployment domain
+2. **Open DevTools → Application → Cookies** — does the cookie appear after login? If not, domain mismatch
+3. **Check `API_BASE_URL` in `.env`** — if it ends with `/api`, don't add `/api` again in frontend code
+4. **Rebuild frontend** after any env var change — Vite bakes vars into the bundle
+
+### The Double `/api/api` Symptom
+
+```env
+# .env (wrong)
+API_BASE_URL=https://optical-dev.oliver.solutions/video-accessibility/api
+```
+
+```typescript
+// frontend code (also appends /api)
+fetch(`${API_BASE_URL}/api/upload`)
+// → results in: /video-accessibility/api/api/upload
+```
+
+Fix: either strip `/api` from `API_BASE_URL` or remove the extra `/api` from frontend call sites, then rebuild.
+
+### Rebuild Requirement
+
+```bash
+# After fixing .env on the server:
+cd /opt/video-accessibility/frontend
+VITE_BASE_PATH=/video-accessibility npm run build
+sudo cp -r dist/. /var/www/html/video-accessibility/
+```
+
+Old bundle continues serving the old `API_BASE_URL` until rebuilt — environment variables are NOT read at runtime in Vite SPAs.
+
+## Related Concepts
+
+- [[wiki/architecture/optical-dev-server-deploy]] — full optical-dev deploy pattern
+- [[wiki/concepts/apache-proxypass-include-files-ignored]] — the Apache gotcha discovered in the same session
--- a/wiki/log.md
+++ b/wiki/log.md
@ -153,3 +153,8 @@
 - Articles created: [[wiki/architecture/cloud-run-jobs-celery]], [[wiki/concepts/docker-compose-cpu-limits-env]], [[wiki/concepts/etag-optimistic-locking]], [[wiki/concepts/double-submit-cookie-csrf]], [[wiki/concepts/time-sleep-blocks-asyncio]]
 - Articles updated: [[wiki/client-knowledge/ford]] (SSH alias box-cli/not box-cli-01, full directory paths with /home/box-cli/FORD_SCRIPTS/ prefix, service names dev vs prod, GPAS zip naming, git stash deploy pattern, ford-gechub-sftp path)
 - Index updates: [[wiki/concepts/_index]] (69→73); [[wiki/architecture/_index]] (10→11); [[wiki/_master-index]] (concepts 69→73, architecture 10→11)
+
+## [2026-04-29T23:00:00+01:00] compile | 2026-04-29.md
+- Articles created: [[wiki/concepts/apache-proxypass-include-files-ignored]], [[wiki/concepts/cookie-domain-migration-auth-loop]]
+- Articles updated: [[wiki/client-knowledge/ford]] (service path, GPAS naming, SSH alias), [[wiki/architecture/cloud-run-jobs-celery]] (USE_CELERY_FALLBACK, optical-dev override), [[wiki/architecture/optical-dev-server-deploy]] (ProxyPass include limitation)
+- Index updates: [[wiki/concepts/_index]] (73→75); [[wiki/_master-index]] (concepts 73→75)