feat: serve melody .bsm binaries over plain HTTP instead of Firebase Storage
ESP32 devices can't spare the 40KB+ RAM a TLS client needs, so Firebase
Storage's HTTPS-only download URLs were blocking melody downloads. Binaries
are now written to local disk (./data/melody_binaries) and served through a
new unauthenticated /api/melodies/download/{pid} route, exposed publicly on
a separate melodies.bellsystems.net vhost (plain HTTP, no TLS) so the main
console domain can stay HTTPS-only with no exceptions. Preview audio still
uses Firebase Storage since it's only ever fetched by the HTTPS admin UI.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
@@ -54,4 +54,25 @@ http {
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
}
|
||||
|
||||
# Plain-HTTP-only host for ESP32 melody downloads. Kept separate from the
|
||||
# console.bellsystems.net server block above so console can stay HTTPS-only
|
||||
# in NPM with no path-based TLS exceptions. ESP32 devices can't afford the
|
||||
# RAM for a TLS client, so this host must never be forced to HTTPS upstream.
|
||||
server {
|
||||
listen 80;
|
||||
server_name melodies.bellsystems.net;
|
||||
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend_upstream http://backend:8000;
|
||||
|
||||
location /download/ {
|
||||
rewrite ^/download/(.*)$ /api/melodies/download/$1 break;
|
||||
proxy_pass $backend_upstream$uri;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user