From 017a590220e56e9c0c4c100c579d6ed93ffc9604 Mon Sep 17 00:00:00 2001
From: lockbitchat <lockbitchat@tutanota.com>
Date: Mon, 15 Jun 2026 16:30:39 -0400
Subject: [PATCH] fix(deploy): 404 missing assets instead of HTML fallback;
 ship public STUN config

- nginx: asset extensions use try_files $uri =404 so a missing file (e.g.
  config/ice-servers.js) no longer serves index.html with the wrong content type
- add config/ice-servers.prod.js (public STUN, no secrets); Dockerfile copies it
  to the git-ignored config/ice-servers.js so the operator-override path exists
---
 Dockerfile                 |  6 ++++++
 config/ice-servers.prod.js | 10 ++++++++++
 deploy/nginx.conf          |  9 ++++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 config/ice-servers.prod.js

diff --git a/Dockerfile b/Dockerfile
index b09d256..503f5a8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,6 +9,12 @@ COPY deploy/nginx.conf /etc/nginx/nginx.conf
 # Serve the repository (src/, assets/, libs/, dist/, config/, logo/, sw.js, ...).
 COPY . /usr/share/nginx/html
 
+# config/ice-servers.js is git-ignored (it can hold operator TURN credentials),
+# so it is absent from the build context. Provide the public-STUN production
+# override so the operator-override path is populated and nothing 404s.
+RUN cp /usr/share/nginx/html/config/ice-servers.prod.js \
+       /usr/share/nginx/html/config/ice-servers.js
+
 # Fly.io health checks and routing target this port.
 EXPOSE 8080
 
diff --git a/config/ice-servers.prod.js b/config/ice-servers.prod.js
new file mode 100644
index 0000000..adad569
--- /dev/null
+++ b/config/ice-servers.prod.js
@@ -0,0 +1,10 @@
+// Production ICE override baked into the Fly.io image (no secrets — public STUN
+// only). The Dockerfile copies this to config/ice-servers.js, which is otherwise
+// git-ignored. Users who want a TURN relay can add one via "Advanced network
+// settings"; to ship an operator TURN here, add it below (TURN credentials are
+// visible to every browser, so rotate them if exposed).
+window.SECUREBIT_ICE_SERVERS = [
+  { urls: 'stun:stun.cloudflare.com:3478' },
+  { urls: 'stun:stun.l.google.com:19302' },
+  { urls: 'stun:stun1.l.google.com:19302' }
+];
diff --git a/deploy/nginx.conf b/deploy/nginx.conf
index d99f907..efb480c 100644
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -58,7 +58,14 @@ http {
         add_header Cache-Control            $sb_cache                          always;
         add_header Service-Worker-Allowed   "/"                                always;
 
-        # SPA-style fallback so unknown routes still load the app shell.
+        # Real asset files must return 404 when missing — never fall back to the
+        # HTML shell, which would be served with the wrong content type and break
+        # module/script loading (e.g. a missing config/ice-servers.js).
+        location ~* \.(js|mjs|jsx|css|json|map|woff2?|ttf|otf|png|jpe?g|gif|webp|svg|ico|mp3|mp4|webm)$ {
+            try_files $uri =404;
+        }
+
+        # SPA-style fallback so unknown navigation routes still load the app shell.
         location / {
             try_files $uri $uri/ /index.html;
         }