feat: serve melody .bsm binaries over plain HTTP instead of Firebase Storage

ESP32 devices can't spare the 40KB+ RAM a TLS client needs, so Firebase
Storage's HTTPS-only download URLs were blocking melody downloads. Binaries
are now written to local disk (./data/melody_binaries) and served through a
new unauthenticated /api/melodies/download/{pid} route, exposed publicly on
a separate melodies.bellsystems.net vhost (plain HTTP, no TLS) so the main
console domain can stay HTTPS-only with no exceptions. Preview audio still
uses Firebase Storage since it's only ever fetched by the HTTPS admin UI.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-06 09:41:24 +03:00
parent 9df80dd4e1
commit 72f7e00990
6 changed files with 223 additions and 42 deletions

View File

@@ -54,4 +54,25 @@ http {
proxy_set_header Connection "upgrade";
}
}
# Plain-HTTP-only host for ESP32 melody downloads. Kept separate from the
# console.bellsystems.net server block above so console can stay HTTPS-only
# in NPM with no path-based TLS exceptions. ESP32 devices can't afford the
# RAM for a TLS client, so this host must never be forced to HTTPS upstream.
server {
listen 80;
server_name melodies.bellsystems.net;
resolver 127.0.0.11 valid=5s;
set $backend_upstream http://backend:8000;
location /download/ {
rewrite ^/download/(.*)$ /api/melodies/download/$1 break;
proxy_pass $backend_upstream$uri;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}