Support HTTPS/WSS for the deployed stack (nginx TLS termination) #64

@johardi

Description

Background

The deployed stack currently serves everything on plain HTTP via nginx on port 80. Until recently, docker-compose.yml configured the frontend to open a TLS WebSocket:

webprotege.websocketUrl: wss://${SERVER_HOST}/wsapps

but no TLS listener exists: nginx is bound only to 80/tcp, no certificate is configured, and the image does not listen on 443. The browser's wss:// handshake therefore failed (there was nothing speaking TLS on the far end), and because the frontend does not surface WebSocket connection errors, the only visible symptom was that no events reached it: stale hierarchy trees after create-subclass / create-property, and so on.

As a short-term fix, webprotege.websocketUrl has been changed to ws://${SERVER_HOST}/wsapps, matching the rest of the stack, which is all http://. Events flow again.

Why follow-up matters

Plain ws:// / http:// is fine for local Docker Compose development, but not for any shared or production-style deployment:

  • Keycloak is already configured with KC_PROXY: edge, meaning it expects TLS to be terminated at the edge proxy (nginx) and builds its issuer and redirect URLs from the scheme the proxy forwards. Serving it behind http:// means the http:// issuer URIs baked into the services' environment today will stop matching the moment TLS is switched on.
  • Any real browser context (non-localhost) will treat ws:// + sensitive tokens as insecure: the bearer token sent on the socket is readable on the wire, and a browser will refuse a ws:// connection from a page served over https:// as mixed content.
  • Mixed-content warnings and cookie Secure flag behaviour differ between HTTP and HTTPS (a Secure cookie is simply not stored over plain http on a non-localhost origin), and we don't want to discover those differences in production.

Scope

  • webprotege-deploy/nginx/nginx.conf: add a server { listen 443 ssl; ... } block mirroring the current :80 server; reference ssl_certificate + ssl_certificate_key from a mountable path; optionally add a 301 redirect from :80 to :443.
  • webprotege-deploy/docker-compose.yml:
    • nginx service — expose 443:443, mount cert files read-only into /etc/nginx/certs/.
    • Flip the http:// URLs in the webprotege-gwt-ui-server, webprotege-gwt-api-gateway, webprotege-authorization-service, and webprotege-user-management-service envs to https:// where they reference ${SERVER_HOST} (Keycloak issuer URIs, logout URLs, file upload URL, allowed origin).
    • Flip webprotege.websocketUrl back to wss://${SERVER_HOST}/wsapps.
  • README.md: mkcert-based instructions for generating a locally-trusted cert for ${SERVER_HOST} so developers don't see browser warnings.
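The nginx side of the scope above, written out as an added example. This is not the project's nginx.conf; it assumes the existing :80 server proxies the UI and /wsapps to an upstream reachable as webprotege-gwt-ui-server:8080 (service name and port are assumptions), and that the cert pair is mounted read-only at /etc/nginx/certs/server.crt and server.key (file names are assumptions). The Upgrade/Connection handling in the /wsapps location is what turns the wss:// handshake into a 101, so it is the part to mirror from the current :80 block.

```nginx
# Added example, not the project's nginx.conf. Upstream name, port and
# certificate file names are assumptions; adjust to the compose service names.

# Translate the client's Upgrade header into the Connection header the
# backend needs: "upgrade" for WebSocket requests, "close" otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Keep :80 only as a redirect so nobody lands on the plain-HTTP stack by mistake.
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name _;   # or ${SERVER_HOST} if the conf is rendered from /etc/nginx/templates

    ssl_certificate     /etc/nginx/certs/server.crt;   # mounted read-only by compose
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # WebSocket endpoint. Without proxy_http_version 1.1 and the Upgrade /
    # Connection headers nginx talks plain HTTP to the backend, the upgrade is
    # never forwarded and the browser never sees 101 Switching Protocols.
    location /wsapps {
        proxy_pass         http://webprotege-gwt-ui-server:8080;   # assumed upstream
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 3600s;   # idle event sockets must not be reaped after 60s
    }

    # Everything else, including the Keycloak-facing paths: forward the original
    # scheme so services behind KC_PROXY: edge build https:// issuer/redirect URLs.
    location / {
        proxy_pass         http://webprotege-gwt-ui-server:8080;   # assumed upstream
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

If the official nginx image is used, a file placed under /etc/nginx/templates/*.template has ${SERVER_HOST} and friends substituted at container start, which is the cleanest way to get the compose variable into server_name and the certificate paths; otherwise the catch-all server_name _ shown here is enough for a single-host dev deployment.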

Acceptance criteria

  • docker compose up brings the stack up on https://${SERVER_HOST} with a valid (local-dev) cert.
  • Browser DevTools → Network → WS shows 101 Switching Protocols on wss://${SERVER_HOST}/wsapps.
  • Creating a subclass updates the class-hierarchy tree immediately (no manual refresh).
  • Creating a new object/data/annotation property updates the property-hierarchy tree immediately.
  • No mixed-content warnings in the browser console.
  • Keycloak login + logout round-trip works end-to-end.
