From 5fc78e8086d3273242cd7d2b45976a3ceafbe099 Mon Sep 17 00:00:00 2001 From: Vadym Samoilenko Date: Wed, 29 Apr 2026 22:50:36 +0100 Subject: [PATCH] vault backup: 2026-04-29 22:50:36 --- wiki/_master-index.md | 2 +- .../architecture/optical-dev-server-deploy.md | 5 +- wiki/concepts/_index.md | 3 + .../apache-proxypass-include-files-ignored.md | 66 ++++++++++++++++ .../cookie-domain-migration-auth-loop.md | 75 +++++++++++++++++++ wiki/log.md | 5 ++ 6 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 wiki/concepts/apache-proxypass-include-files-ignored.md create mode 100644 wiki/concepts/cookie-domain-migration-auth-loop.md diff --git a/wiki/_master-index.md b/wiki/_master-index.md index 7849e3e..43dd837 100644 --- a/wiki/_master-index.md +++ b/wiki/_master-index.md 
@@ -23,7 +23,7 @@ This 3-hop pattern works for hundreds of articles without vector search. | [[wiki/tech-patterns/_index\|tech-patterns/]] | Recurring tech stacks: FastAPI, React/Vite, Next.js, Azure AD, AI, Box, One2Edit, Redis/Celery, cost-tracker | 15 | | [[wiki/architecture/_index\|architecture/]] | Cross-cutting architectural patterns: Docker Compose, multi-agent AI, GCP timeout, RAG, hotfolder, optical-dev deploy, cost-tracker, new-project checklist, troubleshooting playbooks, ADR log, Cloud Run Jobs | 11 | | [[wiki/client-knowledge/_index\|client-knowledge/]] | Per-client notes for Ford, H&M, L'Oréal, Barclays, Ferrero, 3M | 6 | -| [[wiki/concepts/_index\|concepts/]] | Atomic knowledge extracted from Claude Code sessions | 73 | +| [[wiki/concepts/_index\|concepts/]] | Atomic knowledge extracted from Claude Code sessions | 75 | | [[wiki/connections/_index\|connections/]] | Cross-cutting insights linking 2+ concepts: FastAPI+Azure AD+Docker trinity, AI→cost-tracker, Apache+Vite basePath, GCP→REST polling, Box+hotfolder, Docker DNS+AdGuard | 9 | | [[wiki/qa/_index\|qa/]] | Filed answers to queries (saved with `--file-back`) | 0 | | [[wiki/homelab/_index\|homelab/]] | Self-hosted infra: Proxmox install, IOMMU/PCI passthrough, hypervisor setup, budget builds, HP Elitedesk G3, Homarr API + Apps + Boards + Certificates + Integrations + Settings + Tasks + AdGuard + Clock + Docker Stats + Docker Integration + Download Client + Firewall + Proxmox Integration + Radarr + Readarr + Sonarr + Bookmarks + Calendar + Icons + App Widget + Weather + GitHub + Nextcloud + qBittorrent + RSS Feed + Speedtest Tracker + System Health Monitoring + System Resources + Services Map + Media Stack | 39 | diff --git a/wiki/architecture/optical-dev-server-deploy.md b/wiki/architecture/optical-dev-server-deploy.md index abe68aa..2357384 100644 --- a/wiki/architecture/optical-dev-server-deploy.md +++ b/wiki/architecture/optical-dev-server-deploy.md 
@@ -3,7 +3,7 @@ title: "optical-dev Server — Apache Deployment Pattern" description: "Single-vhost Apache pattern on optical-dev.oliver.solutions GCP server — port allocation, Include fragments, SPA routing, deploy script best practices" tags: [architecture, apache, deployment, docker, ubuntu, gcp] created: 2026-04-17 -updated: 2026-04-17 +updated: 2026-04-29 --- # optical-dev Server — Apache Deployment Pattern @@ -26,6 +26,9 @@ updated: 2026-04-17 ## Apache Single-Vhost Pattern +> [!warning] ProxyPass in Include fragments is silently ignored +> `ProxyPass` / `ProxyPassReverse` directives inside `` blocks in Include fragment files (`/etc/apache2/sites-available/includes/`) are **silently ignored** on this Apache setup — no error, proxy just doesn't work. Always add ProxyPass directly to the main vhost file. See [[wiki/concepts/apache-proxypass-include-files-ignored]]. + **One vhost file handles ALL projects:** ``` /etc/apache2/sites-available/optical-dev.oliver.solutions.conf diff --git a/wiki/concepts/_index.md b/wiki/concepts/_index.md index a52ff5b..8e3f8bf 100644 --- a/wiki/concepts/_index.md +++ b/wiki/concepts/_index.md 
@@ -84,5 +84,8 @@ | [[wiki/concepts/double-submit-cookie-csrf]] | CSRF for stateless JWT APIs: csrf_token cookie + X-CSRF-Token header; every login path must set both cookies | daily/2026-04-29.md | 2026-04-29 | | [[wiki/concepts/time-sleep-blocks-asyncio]] | `time.sleep()` inside async FastAPI handlers blocks the entire event loop — replace with `asyncio.sleep()` or `run_in_executor` | daily/2026-04-29.md | 2026-04-29 | +| [[wiki/concepts/apache-proxypass-include-files-ignored]] | ProxyPass in Apache Include fragment files is silently ignored on optical-dev — always add ProxyPass directly to the main vhost file | daily/2026-04-29.md | 2026-04-29 | +| [[wiki/concepts/cookie-domain-migration-auth-loop]] | COOKIE_DOMAIN mismatch after domain migration causes silent auth failure — browser drops cookie, manifests as infinite /login redirect loop; Vite bundle must be rebuilt after env var changes | daily/2026-04-29.md | 2026-04-29 | + diff --git a/wiki/concepts/apache-proxypass-include-files-ignored.md b/wiki/concepts/apache-proxypass-include-files-ignored.md new file mode 100644 index 0000000..5625617 --- /dev/null +++ b/wiki/concepts/apache-proxypass-include-files-ignored.md 
@@ -0,0 +1,66 @@ +--- +title: "Apache ProxyPass Silently Ignored in Include Files" +aliases: [apache-proxypass-include, apache-include-proxypass-ignored] +tags: [apache, proxy, gotcha, optical-dev, deployment] +sources: + - "daily/2026-04-29.md" +created: 2026-04-29 +updated: 2026-04-29 +--- + +# Apache ProxyPass Silently Ignored in Include Files + +On `optical-dev.oliver.solutions`, `ProxyPass` / `ProxyPassReverse` directives inside `` blocks placed in Apache include files (`/etc/apache2/sites-available/includes/`) are **silently ignored** — no error, proxy just doesn't work. Discovered after a long debugging session migrating video-accessibility from `ai-sandbox` to `optical-dev`. + +## Key Points + +- `ProxyPass` inside `` in an `Include`d fragment file does NOT take effect on this server +- The failure is completely silent — Apache loads the config without error, but requests are not proxied +- Confirmed on two projects (video-accessibility and barclays) — same outcome +- Fix: add `ProxyPass` directives **directly** to the main vhost file +- Standard inline `` blocks in `Include` fragments (for aliases, rewrites) still work fine — only `ProxyPass` is affected + +## Details + +### The Pattern That Fails + +```apache +# /etc/apache2/sites-available/includes/video-accessibility.conf +# (loaded via Include in the main vhost) + + ProxyPass http://127.0.0.1:8042/api/ + ProxyPassReverse http://127.0.0.1:8042/api/ + +``` + +Despite the file being included and Apache reloading cleanly (`configtest OK`), requests to `/video-accessibility/api/` are not forwarded to the backend. + +### The Fix + +Add `ProxyPass` blocks directly to the main vhost file: + +```apache +# /etc/apache2/sites-available/optical-dev.oliver.solutions.conf + + ... 
+ # Inline — ProxyPass works here + ProxyPass /video-accessibility/api/ http://127.0.0.1:8042/api/ + ProxyPassReverse /video-accessibility/api/ http://127.0.0.1:8042/api/ + + Include /opt/video-accessibility/deploy/apache-video-accessibility.conf + +``` + +The `Include` fragment can still handle `Alias`, ``, `RewriteRule` — only `ProxyPass` must live in the main file. + +### Diagnosis Approach + +If a new project proxy suddenly stops working after migration to optical-dev: +1. Check if `ProxyPass` is inside an Include fragment +2. Move it to the main vhost file +3. `sudo apache2ctl configtest && sudo systemctl reload apache2` + +## Related Concepts + +- [[wiki/architecture/optical-dev-server-deploy]] — full optical-dev Apache pattern, port table, deploy scripts +- [[wiki/connections/optical-dev-apache-vite-basepath]] — SPA basePath + Apache ProxyPass connection diff --git a/wiki/concepts/cookie-domain-migration-auth-loop.md b/wiki/concepts/cookie-domain-migration-auth-loop.md new file mode 100644 index 0000000..2997c60 --- /dev/null +++ b/wiki/concepts/cookie-domain-migration-auth-loop.md 
@@ -0,0 +1,75 @@ +--- +title: "Cookie Domain Mismatch After Migration Causes Silent Auth Loop" +aliases: [cookie-domain-auth-loop, cookie-domain-migration, auth-redirect-loop] +tags: [auth, cookies, migration, fastapi, debugging, gotcha] +sources: + - "daily/2026-04-29.md" +created: 2026-04-29 +updated: 2026-04-29 +--- + +# Cookie Domain Mismatch After Migration Causes Silent Auth Loop + +When a project is migrated to a new domain and `COOKIE_DOMAIN` is not updated, the browser silently drops the auth cookie set for the wrong domain. This manifests as an infinite redirect loop to `/login` with no visible error — one of the harder auth bugs to diagnose. + +## Key Points + +- `COOKIE_DOMAIN` mismatch causes silent cookie rejection by the browser — no 4xx, no JS error +- Symptom: page loads → immediately redirects to `/login` → repeat (infinite loop) +- Root cause: server sets `Set-Cookie: domain=old-domain.com`, browser on `new-domain.com` drops it silently +- After fixing `API_BASE_URL`, the frontend **must be rebuilt** — env vars are baked into the JS bundle at build time +- Double `/api/api/` in request URLs is a separate symptom: `API_BASE_URL` already includes `/api` AND frontend code appends another `/api` segment + +## Details + +### Symptom Pattern + +``` +User navigates to /dashboard +→ Frontend checks auth → calls /api/auth/me +→ Server returns 401 (no valid session cookie) +→ Frontend redirects to /login +→ User logs in → server issues cookie for wrong domain +→ Browser drops cookie silently +→ Next request: 401 again → redirect to /login → loop +``` + +No error appears in the console or server logs that clearly identifies the domain mismatch — the only signal is the redirect loop itself. + +### Diagnosis Checklist + +1. **Check `COOKIE_DOMAIN` in `.env`** — must match the current deployment domain +2. **Open DevTools → Application → Cookies** — does the cookie appear after login? If not, domain mismatch +3. 
**Check `API_BASE_URL` in `.env`** — if it ends with `/api`, don't add `/api` again in frontend code +4. **Rebuild frontend** after any env var change — Vite bakes vars into the bundle + +### The Double `/api/api` Symptom + +```env +# .env (wrong) +API_BASE_URL=https://optical-dev.oliver.solutions/video-accessibility/api +``` + +```typescript +// frontend code (also appends /api) +fetch(`${API_BASE_URL}/api/upload`) +// → results in: /video-accessibility/api/api/upload +``` + +Fix: either strip `/api` from `API_BASE_URL` or remove the extra `/api` from frontend call sites, then rebuild. + +### Rebuild Requirement + +```bash +# After fixing .env on the server: +cd /opt/video-accessibility/frontend +VITE_BASE_PATH=/video-accessibility npm run build +sudo cp -r dist/. /var/www/html/video-accessibility/ +``` + +Old bundle continues serving the old `API_BASE_URL` until rebuilt — environment variables are NOT read at runtime in Vite SPAs. + +## Related Concepts + +- [[wiki/architecture/optical-dev-server-deploy]] — full optical-dev deploy pattern +- [[wiki/concepts/apache-proxypass-include-files-ignored]] — the Apache gotcha discovered in the same session diff --git a/wiki/log.md b/wiki/log.md index 8e7f88c..e94c0a3 100644 --- a/wiki/log.md +++ b/wiki/log.md 
@@ -153,3 +153,8 @@ - Articles created: [[wiki/architecture/cloud-run-jobs-celery]], [[wiki/concepts/docker-compose-cpu-limits-env]], [[wiki/concepts/etag-optimistic-locking]], [[wiki/concepts/double-submit-cookie-csrf]], [[wiki/concepts/time-sleep-blocks-asyncio]] - Articles updated: [[wiki/client-knowledge/ford]] (SSH alias box-cli/not box-cli-01, full directory paths with /home/box-cli/FORD_SCRIPTS/ prefix, service names dev vs prod, GPAS zip naming, git stash deploy pattern, ford-gechub-sftp path) - Index updates: [[wiki/concepts/_index]] (69→73); [[wiki/architecture/_index]] (10→11); [[wiki/_master-index]] (concepts 69→73, architecture 10→11) + +## [2026-04-29T23:00:00+01:00] compile | 2026-04-29.md +- Articles created: [[wiki/concepts/apache-proxypass-include-files-ignored]], [[wiki/concepts/cookie-domain-migration-auth-loop]] +- Articles updated: [[wiki/client-knowledge/ford]] (service path, GPAS naming, SSH alias), [[wiki/architecture/cloud-run-jobs-celery]] (USE_CELERY_FALLBACK, optical-dev override), [[wiki/architecture/optical-dev-server-deploy]] (ProxyPass include limitation) +- Index updates: [[wiki/concepts/_index]] (73→75); [[wiki/_master-index]] (concepts 73→75)
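Review bot: in the warning callout added to wiki/architecture/optical-dev-server-deploy.md, the phrase "directives inside `` blocks" has an empty code span, so the warning never names the container it applies to. Name the container directive explicitly. Since the callout limits itself to "this Apache setup", also record the Apache version the behaviour was seen on, so the rule can be rechecked after an upgrade.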
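Review bot: in wiki/concepts/apache-proxypass-include-files-ignored.md, the failing and working examples differ in more than file location, so the conclusion that Include files are the cause is not isolated. "The Pattern That Fails" uses the one-argument form `ProxyPass http://127.0.0.1:8042/api/`, which takes its path from an enclosing container that the block does not show. "The Fix" uses the two-argument form `ProxyPass /video-accessibility/api/ http://127.0.0.1:8042/api/` at vhost level. Before documenting "always", test the two-argument form inside the fragment, or the container form in the main vhost, and record the result. The fragment path also differs between the two examples (`/etc/apache2/sites-available/includes/video-accessibility.conf` versus `/opt/video-accessibility/deploy/apache-video-accessibility.conf`). State which file the main vhost actually loads, and add `apache2ctl -t -D DUMP_INCLUDES` to the Diagnosis Approach to confirm the fragment is read at all.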
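Review bot: in wiki/concepts/cookie-domain-migration-auth-loop.md, the Diagnosis Checklist and "Rebuild Requirement" cover only the frontend rebuild, but `COOKIE_DOMAIN` is the value the server puts in `Set-Cookie`. Fixing the loop therefore also needs the backend restarted or reloaded so it picks up the corrected `.env`; add that step. The page also names the bundled variable `API_BASE_URL` while the build command uses `VITE_BASE_PATH`. Vite by default exposes only `VITE_`-prefixed variables to client code, so give the variable name the frontend really reads. Because the main vhost serves all projects on one hostname under path prefixes, state whether the auth cookie is limited with a `Path` attribute: a cookie scoped only by domain is sent to every project on that host.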
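Review bot: the new wiki/log.md entry lists updates to [[wiki/client-knowledge/ford]] and [[wiki/architecture/cloud-run-jobs-celery]], but neither file appears in this patch's diffstat (6 files changed). Either include those changes in the commit or drop them from the entry. The entry is also stamped 23:00:00+01:00, which is later than the commit date of 22:50:36 +0100.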