changes in nginx config, couse i retarded enough to do it in one approach

docker-compose.yaml

@@ -44,9 +44,9 @@ services:
       args:
         APP_DIR: ${API_APP_DIR:-./cmd/api}
     environment:
-      VAULT_ADDR: "http://vault:8200"
+      VAULT_ADDR: "http://host.docker.internal:8200"
-      VAULT_TOKEN: "root"
+      VAULT_TOKEN: "hvs.tZ4eh9P18sCZ5c1PZIz59EmH"
-      VAULT_KV_PATH: "kv/data/snoop"
+      # VAULT_KV_PATH: "kv/data/snoop"
       MINIO_ENDPOINT: "http://minio:9000"
       JWT_SECRET: ${JWT_SECRET}
     env_file:

nginx/dev.conf

@@ -6,6 +6,23 @@ map $http_upgrade $connection_upgrade {
 # Helpful for larger uploads via API (tweak as you wish)
 client_max_body_size 400m;
 
+log_format mtls_debug '
+[$time_local] $remote_addr:$remote_port  →  $server_name:$server_port
+"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
+TLS=$ssl_protocol/$ssl_cipher
+ClientVerify=$ssl_client_verify
+ClientSerial=$ssl_client_serial
+ClientSubject="$ssl_client_s_dn"
+ClientIssuer="$ssl_client_i_dn"
+RequestTime=$request_time
+ProxyUpstreamAddr=$upstream_addr
+ProxyStatus=$upstream_status
+';
+
+# Default access & error logs for both 80 and 443 servers
+access_log /var/log/nginx/access.log mtls_debug;
+error_log  /var/log/nginx/error.log warn;
+
 server {
   listen 80;
   server_name _;
@@ -60,6 +77,9 @@ server {
   listen 443 ssl http2;
   server_name _;
 
+  access_log /var/log/nginx/access.log mtls_debug;
+  error_log  /var/log/nginx/error.log info;
+
   ssl_certificate      /etc/nginx/ssl/certs/fullchain.pem;
   ssl_certificate_key  /etc/nginx/ssl/certs/privkey.pem;
   ssl_protocols        TLSv1.2 TLSv1.3;
@@ -98,25 +118,28 @@ server {
   }
 
   # ---- mTLS-protected paths ----
-  location ^~ /api/records {
+  location ^~ /api/records/upload {
     if ($ssl_client_verify != SUCCESS) { 
       return 495; 
     }
-    proxy_pass http://snoop-api:8080/;
+    rewrite ^/api/(.*)$ /$1 break;
+    proxy_pass http://snoop-api:8080;
   }
 
   location ^~ /api/tasks {
     if ($ssl_client_verify != SUCCESS) { 
       return 495; 
     }
-    proxy_pass http://snoop-api:8080/;
+    rewrite ^/api/(.*)$ /$1 break;
+    proxy_pass http://snoop-api:8080;
   }
 
   location ^~ /api/renew {
     if ($ssl_client_verify != SUCCESS) { 
       return 495; 
     }
-    proxy_pass http://snoop-api:8080/;
+    rewrite ^/api/(.*)$ /$1 break;
+    proxy_pass http://snoop-api:8080;
   }
 
   # MediaMTX HLS
@@ -128,13 +151,17 @@ server {
   }
 
   # MediaMTX WebRTC (WHIP/WHEP/test)
-  location ^~ /webrtc/ {
+  location ^~ /whip/ {
     if ($ssl_client_verify != SUCCESS) { 
       return 495; 
     }
-    proxy_pass http://mediamtx:8889/;
+    proxy_pass http://mediamtx:8889;
-    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Host $host;
-    proxy_set_header Connection $connection_upgrade;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_request_buffering off;
+    client_max_body_size 35m;
+    proxy_read_timeout  3600s;
+    proxy_send_timeout  3600s;
   }
 
   # MQTT WS entry points (guarded by mTLS)

server/internal/handlers/certs.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -108,7 +109,7 @@ func (h *CertsHandler) Enroll(c *gin.Context) {
 	defer cancel()
 	sign, err := h.pki.SignCSR(ctx, csr, "urn:device:"+guid, h.ttl)
 	if err != nil {
-		c.JSON(http.StatusBadGateway, gin.H{"error": "vault sign failed"})
+		c.JSON(http.StatusBadGateway, gin.H{"error": fmt.Sprintf("vault sign failed: %s", err)})
 		return
 	}