jackyzy823 / fxa-selfhosting

Selfhosting your own Firefox Accounts (FxA)!
Mozilla Public License 2.0

404 When going to sign in/create an account #30

Closed MrLightningBlaze closed 1 month ago

MrLightningBlaze commented 1 month ago

Simple issue: everything seems to work from the outside, but when I go to sign in/create an account, I get a 404 error from nginx according to the `docker compose up` output: `GET /?context=fx_desktop_v3&entrypoint=fxa_toolbar_button&action=email&service=sync HTTP/1.1" 404 0 "-" "[redacted]"`

Here is my config.yml:

```yaml
#! THIS FILE USES THE YTT (https://github.com/k14s/ytt/) FORMAT
#! this is a general config for all related stuff
#@data/values
---
#! Once config.yml changed you should rerun ./init.sh to regenerate `dest`/docker-compose.yml

#! if PERSISTENCEPATH is relative, it is relative to `dest`/docker-compose.yml
persistencepath: .
#! [WARNING] DO NOT DOWNGRADE WITHOUT A CLEAN DB SINCE THE SCHEMA CANNOT DOWNGRADE.

#! latest tested version is : v1.277.3

#! [NOTE] Pin mysql version to 8.4 to make server compatible with argument "mysql-native-password"
#! [NOTE] You could also try my (upgraded) syncserver3 in Python3, no data integrity guaranteed!
#! [NOTE] Since we use docker-compose-wait to build the wait chain, the ./wait binary in the dest folder is not necessary; you can delete it.
#! [WORKAROUND] patch fxa-auth-server https://github.com/mozilla/fxa/issues/16491
#! [NOTE] Although the channelserver issue is fixed, we still use the latest sha256 digest tag.
#! [NOTE] don't use fxa versions between 1.250.x and 1.258.x, https://github.com/mozilla/fxa/issues/15320
#! [NOTE] from v1.242.4 the mysql version is upgraded to 8.0.16+
#! [WORKAROUND] we use method 2 to resolve the issue below
#! [ISSUE]  cannot change avatar due to https://github.com/mozilla/fxa/pull/7972 -> checkAvatar -> we share the same domain as monogramUrl's. issue: https://github.com/mozilla/fxa/issues/12426
#!          so either 1. use a different domain like profile-img or 2. patch it
#! [WORKAROUND] add LASTACCESSTIME_UPDATES_SAMPLE_RATE=1 to make sync api/v1/account/devices not return 500. see https://github.com/mozilla/fxa/issues/12373
#! [ISSUE][RESOLVED] v1.222.0 db-migration db connection does not need the workaround now.
#! [WORKAROUND] v1.219.5 requires smtp.user and smtp.pass (even if not used) to make fxa-auth-server not send mail via AWS SES (it will crash if AWS_ACCESS_KEY is not set).
#! [WORKAROUND] v1.215.4 workaround for 1. graphql-api's internal connection to fxa-auth-server (see debug.full_self_sign_workaround) and 2. db-migration db connection.
#! [NOTE] from v1.215.2 the mysql version is upgraded to 5.7. docker-compose must support `service_completed_successfully`
#! [ISSUE][RESOLVED] v1.196.0  oauth.domain.local/config returns 404, causing syncserver to fail to start; fixed in https://github.com/mozilla/fxa/pull/7204
#! [NOTE] from v1.192.0 all fxa docker images are merged into mozilla/fxa-mono, so it's a breaking change!
#! [ISSUE][RESOLVED] v1.172.0 500 error after the new-signup connect-another-device page, maybe caused by https://github.com/mozilla/fxa/commit/2f9729154 ; fixed in https://github.com/mozilla/fxa/pull/5477
#! [NOTE] v1.173+ changes the base docker image. key_*.json is missing in fxa-auth-server, so we switch to branch br-v1.174.0 to apply the breaking changes

#! by default we use the tested version; use latest at your own risk.
fxa_version: "v1.277.3"
option:
  sync:
    #! set true to keep all your sync items from expiring
    neverexpire: true
  #! for device pairing
  channelserver:
    enable: true
  #! Since Send is EOL, use it at your own risk
  send:
    enable: false
    settings:
      #! settings are upper-cased into Send ENV variables
      #! [TODO] send android , client_id 20f7931c9054d833
      fxa_client_id: "fced6b5e3f4c66b9"
      #! [TODO] does file_dir need volumes or not, or ....
      max_file_size:
      #! for security and network bandwidth/traffic sake, you'd better not allow anonymous users to use your Send on the internet
      #! see : https://www.zdnet.com/article/mozilla-suspends-firefox-send-service-while-it-addresses-malware-abuse/
      #! see https://portswigger.net/daily-swig/firefox-send-suspended-amid-concern-over-malware-abuse
      #! [NOTE] number 0 will be treated as false
      anon_max_file_size: "0"
      #! expire_times_seconds array format "a,b,c"
      expire_times_seconds:
      default_expire_seconds:
      max_expire_seconds:
      anon_max_expire_seconds:
      max_downloads:
      anon_max_downloads:
      max_files_per_archive:
      max_archives_per_user:
      #! download_counts array format "a,b,c"
      download_counts:
  notes:
    enable: false
    settings:
      #! client_id is a must; it depends on what you set in https://github.com/mozilla/notes/src/background.js
      #! client_id should equal the one in _init/auth/oauthserver-prod
      client_id:
        webext: #! sample: "a3dbd8c5a6fd93e2"
        android: #! sample: "7f368c6886429f19"
  #!  According to https://blog.mozilla.org/addons/2020/07/09/changes-to-storage-sync-in-firefox-79/
  #!  since Firefox 79 it uses syncserver instead of kinto for the webextension storage.sync API, so this is disabled by default
  #!  if you still want to use this, set about:config webextensions.storage.sync.kinto to true and point webextensions.storage.sync.serverURL at the kinto domain name below
  webext_storagesync:
    enable: false
    settings:
      #! you shall not change this; "5882386c6d801776" means firefox
      client_id: "5882386c6d801776"
      #! [deprecated] fxa-oauth.clients.storagesync.client_id: "5882386c6d801776"
  #! last tested 13.6.3
  kinto_version: "latest"
  #! [TODO] integrate with kinto
  #! both with_notes and with_webext_storagesync need a kinto server and its postgres
  #! see kinto usage https://wiki.mozilla.org/Firefox/Kinto
  #! https://testpilot.settings.services.mozilla.com/v1/
  #! client_id 5882386c6d801776 == firefox
  #! https://webextensions.settings.services.mozilla.com/v1/
#! [TODO] make docker-compose.tmp.yml data.values.domain.name etc. reusable via define
#! domain name related stuff
domain:
  #! base name
  name: "[redacted]"
  #! for content-server
  content: "www"
  auth: "api"
  oauth: "oauth"
  #! for profile server
  profile: "profile"
  #! for syncserver
  sync: "token"
  #! for graphql-api
  graphql: "graphql"
  #! required if option.channelserver.enable == true
  channelserver: "channelserver"
  #! for firefox send
  #! required if option.send.enable == true
  send: "send"
  #! for notes and webextension storage.sync
  kinto: "kinto"
nginx:
  #! port, or ip/port, or unix socket folder
  #! for those who want to reverse proxy (then we do not need a host resolver, because we just proxy_pass ip/port)
  #! can be a folder containing a unix socket like "/var/run/fxa-selfhosting" with ssl = false and unix_socket = true -> the socket filename is nginx.sock
  #! make sure your reverse proxy has permission to access the folder.
  listener: "[redacted]"
  #! set to true if `listener` is a unix socket
  unix_socket: false
  #! if false, certs are not required and fxa_nossl.conf is used instead
  #! set to false if `listener` is a unix socket
  ssl: false
mail:
  #! types are "localhelper", "localrelay", "3rd"
  #! smtp_user/smtp_pass are required for "localrelay" and "3rd" (can be any non-null string) even if not used.
  #! "localhelper" uses fxa-auth-local-mail-helper, which sends and receives mail itself; smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure have no effect.
  #!               mails are stored in memory, remember to clean them (via the DELETE api or by restarting the container)
  #! "localrelay" uses exim-sender; smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure have no effect.
  #! "3rd" sends mail via a 3rd party (like gmail etc)
  type: "3rd"
  #! for "3rd": refer to your mail service provider
  smtp_host: [redacted]
  smtp_port: [redacted]
  smtp_user: [redacted]
  smtp_pass: [redacted]
  smtp_secure:
  #! if smtp_sender is empty, the default "Firefox Accounts <no-reply@domain.name>" is used
  smtp_sender:
  #! only for "localhelper"
  #! web api
  localhelper:
    web: "127.0.0.1:9001"
#! Here we can add some custom OAuth clients
#! for example we add an OAuth client which can read/write your sync data after being granted by you
oauth:
  clients:
  #! [NOTE] DO NOT ENABLE BELOW IF NOT USED
#!  - id: deadbeafdeadbeaf
#!    #! hex secret 0b2b91549678167e4870d76e2b94024b2954cb8605e4a2e8179ab80ecf40b287
#!    hashedSecret: b88d5613f75ed5362ecb8c263be5b918aafbb23aac39f817eac44cbe4df7cda3
#!    name: SyncManager
#!    imageUri: ''
#!    #! if generate_redirectUri is true, redirectUri is generated automatically: https://{content}.{domain_name}/oauth/success/{id}
#!    generate_redirectUri: true
#!    redirectUri:
#!    trusted: true
#!    #! some explanation https://github.com/mozilla/fxa/blob/96cbbccfaed1de93d556a2259554acfabeb4cbe5/packages/fxa-auth-server/lib/oauth/authorized_clients.js#L55
#!    canGrant: true
#!    publicClient: true
#!    #! redirectUri will be added to contentserver.prod.tmp.yml if the scope matches
#!    #! allowedScopes is a space-separated string
#!    allowedScopes: https://identity.mozilla.com/apps/oldsync

secrets:
  authsecret: "[redacted]"
  flowidkey: "[redacted]"
  profileserver_authsecret_bearertoken: "[redacted]"
debug:
  #! to register preverified accounts we need fxa-auth-server's NODE_ENV not to be `prod`
  #! see  fxa-auth-server/lib/routes/account.js `delete routes[0].options.validate.payload.preVerified;`
  auth_server_preverifed: false
  deps_logs: false
  #! make an e2e test compose file
  #! requires mail.type == localhelper
  e2e_test:
    enable: false
    #! only used when full_self_sign_workaround == true
    root_cert:
  #! workaround for fxa-graphql-api with full self-signed certs
  #! if you want fxa-graphql-api to communicate with fxa-auth-server internally, turn this `true`
  #! [WARN] browserid-verifier will not work. Since BrowserID is deprecated, just do not use old browsers or the python `syncclient`
  full_self_sign_workaround: false
  #! Use a [python3 version syncserver](https://github.com/jackyzy823/syncserver3)
  use_syncserver3: false
```

MrLightningBlaze commented 1 month ago

Had a thought after a bit of just sitting, found out it didn't like me using fxa.domain.tld for my base name, fixed as soon as I just used domain.tld and made all my other domain bits stuff like fxatoken and fxagraphql and so on. Probably something I messed up on my reverse proxy, but it works now so no worries.
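An added check (example code, not part of fxa-selfhosting) for the `domain` and `nginx` sections of the config posted above: it applies the consistency rules stated in the config comments (socket listener needs `ssl: false` and a folder path, otherwise port or ip:port), lists the per-service hostnames a reverse proxy must route, and flags a base name that already carries a subdomain, the situation the reporter ran into. `SAMPLE_CONFIG`, `service_hosts`, `lint_nginx` and `check_config` are assumptions of this example.

```python
import re

# Constructed sample mirroring the `domain` and `nginx` sections of config.yml;
# the values are hypothetical placeholders, not the reporter's redacted ones.
SAMPLE_CONFIG = {
    "domain": {"name": "example.test", "content": "www", "auth": "api",
               "oauth": "oauth", "profile": "profile", "sync": "token",
               "graphql": "graphql", "channelserver": "channelserver"},
    "nginx": {"listener": "127.0.0.1:8080", "unix_socket": False, "ssl": False},
}

# Accepts "8080" or "127.0.0.1:8080", the non-socket listener forms the comments allow.
PORT_OR_IPPORT = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}:)?\d{1,5}$")


def service_hosts(domain):
    """Map each service label to its FQDN, <label>.<domain.name>, the same
    composition the generate_redirectUri comment uses for {content}.{domain_name}."""
    base = domain["name"]
    return {svc: f"{label}.{base}" for svc, label in domain.items() if svc != "name"}


def lint_nginx(nginx):
    """Return problems with listener/unix_socket/ssl per the config comments:
    a socket listener is a folder path and needs ssl: false; otherwise the
    listener must be a bare port or ip:port."""
    problems = []
    listener, unix, ssl = nginx["listener"], nginx["unix_socket"], nginx["ssl"]
    if unix:
        if ssl:
            problems.append("unix_socket: true requires ssl: false")
        if not str(listener).startswith("/"):
            problems.append("unix_socket: true but listener is not a folder path")
    elif not PORT_OR_IPPORT.match(str(listener)):
        problems.append(f"listener {listener!r} is neither a port nor ip:port")
    return problems


def check_config(config):
    """Lint the nginx section and list the hostnames the proxy must route; warn when
    domain.name already has a subdomain (every service then becomes a 4-label host,
    which is the base-name shape the reporter had trouble with)."""
    problems = lint_nginx(config["nginx"])
    hosts = service_hosts(config["domain"])
    if config["domain"]["name"].count(".") >= 2:
        problems.append("domain.name has more than two labels; confirm the proxy and "
                        f"certs cover all of: {', '.join(sorted(hosts.values()))}")
    return {"hosts": hosts, "problems": problems}
```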