ci: docker_tag=dev-test chore(nginx): découpe par routes de ngnix_dev4.4nkweb.com-https.conf avec includes; ajout exceptions .gitignore

2025-09-30 10:03:49 +00:00 · 2025-09-30 10:03:49 +00:00 · 57d47815f9
commit 57d47815f9
parent f75e45103d
17 changed files with 247 additions and 3 deletions
--- a/.cursorignore
+++ b/.cursorignore
@ -1,13 +1,13 @@
 # PROTECTION COMPLÈTE - Empêcher l'accès Cursor à storage/
-storage/
+# storage/

 # Variables d'environnement (protection renforcée)
 */.env
 */.env*
 */.toml
 */.toml*
-*/.conf
-*/.conf*
+# */.conf
+# */.conf*

 # Clés utilisateur et données sensibles
 **/_keys/
--- a/.gitignore
+++ b/.gitignore
@ -76,6 +76,8 @@ storage/
 !storage/*/README.md
 !storage/*/bitcoin/
 !storage/*/bitcoin/*.conf
+!storage/*/nginx/
+!storage/*/nginx/*.conf

 # Clés utilisateur (double protection)
 storage/*/_keys/
--- a/storage/dev/nginx/ngnix_dev4.4nkweb.com-http.conf
+++ b/storage/dev/nginx/ngnix_dev4.4nkweb.com-http.conf
@ -0,0 +1,15 @@
+# HTTP server for ACME and redirect to HTTPS
+server {
+    listen 80 default_server;
+    server_name _;
+
+    # ACME HTTP-01 challenges
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+    }
+
+    # Redirection vers HTTPS pour toutes les autres requêtes
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
--- a/storage/dev/nginx/ngnix_dev4.4nkweb.com-https.conf
+++ b/storage/dev/nginx/ngnix_dev4.4nkweb.com-https.conf
@ -0,0 +1,56 @@
+# Configuration HTTPS pour $HOST
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name $HOST;
+
+    # Certificats SSL
+    ssl_certificate     $CERT_PATH/fullchain.pem;
+    ssl_certificate_key $CERT_PATH/privkey.pem;
+
+    # Configuration SSL
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Headers de sécurité
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Frame-Options DENY always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Grafana - Interface de monitoring (DOIT être avant location /)
+    include $NGINX_CONF_DIR/route_grafana.conf;
+
+    # Loki API - API de logs (DOIT être avant location /)
+    include $NGINX_CONF_DIR/route_loki.conf;
+
+    # Page de statut des services (DOIT être avant location /)
+    include $NGINX_CONF_DIR/route_status.conf;
+    include $NGINX_CONF_DIR/route_status_redirect.conf;
+    include $NGINX_CONF_DIR/route_status_api.conf;
+
+    # API backend - route /back/ vers /api/ du backend
+    include $NGINX_CONF_DIR/route_back_proxy.conf;
+
+    # WebSocket relay (sdk_relay)
+    include $NGINX_CONF_DIR/route_ws.conf;
+
+    # favicon
+    include $NGINX_CONF_DIR/route_favicon.conf;
+
+    # blindbit
+    include $NGINX_CONF_DIR/route_blindbit.conf;
+
+    # lecoffre-front - Application LeCoffre
+    include $NGINX_CONF_DIR/route_lecoffre_redirect.conf;
+    include $NGINX_CONF_DIR/route_lecoffre.conf;
+    include $NGINX_CONF_DIR/route_lecoffre_hmr.conf;
+    include $NGINX_CONF_DIR/route_next_assets.conf;
+
+    # ihm_client (root) - DOIT être en dernier
+
+    include $NGINX_CONF_DIR/route_ihm_client.conf;
+}
--- a/storage/dev/nginx/route_blindbit.conf
+++ b/storage/dev/nginx/route_blindbit.conf
@ -0,0 +1,8 @@
+    location $URL_ROUTE_BLINDBIT/ {
+        proxy_pass http://localhost:$BLINDBIT_PORT/;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+    }
--- a/storage/dev/nginx/route_favicon.conf
+++ b/storage/dev/nginx/route_favicon.conf
@ -0,0 +1,4 @@
+    location = /favicon.ico {
+        root $NGINX_CONF_DIR/assets;
+        try_files /favicon.ico =404;
+    }
--- a/storage/dev/nginx/route_grafana.conf
+++ b/storage/dev/nginx/route_grafana.conf
@ -0,0 +1,24 @@
+    location $URL_ROUTE_GRAFAN/ {
+        proxy_pass http://localhost:$GRAFANA_PORT/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Configuration spécifique pour Grafana
+        proxy_set_header X-Grafana-Org-Id 1;
+
+        # Support des WebSockets pour les live updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # Buffer settings
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
--- a/storage/dev/nginx/route_ihm_client.conf
+++ b/storage/dev/nginx/route_ihm_client.conf
@ -0,0 +1,11 @@
+    location $URL_ROUTE_IHM_CLIENT {
+        proxy_pass http://localhost:$IHM_CLIENT_PORT;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 300;
+    }
--- a/storage/dev/nginx/route_lecoffre.conf
+++ b/storage/dev/nginx/route_lecoffre.conf
@ -0,0 +1,24 @@
+    location ^~ $URL_ROUTE_LECOFFRE_FRONT/ {
+        # ensure no redirect here; only proxy to Next
+        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
+        add_header Pragma "no-cache" always;
+        add_header Expires "-1" always;
+        proxy_hide_header ETag;
+        proxy_hide_header Last-Modified;
+        rewrite ^$URL_ROUTE_LECOFFRE_FRONT/(.*)$ /$1 break;
+        proxy_pass http://localhost:$LECOFFRE_FRONT_PORT;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Request-ID $x_request_id;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_read_timeout 300;
+        proxy_send_timeout 300;
+        proxy_connect_timeout 300;
+    }
--- a/storage/dev/nginx/route_lecoffre_hmr.conf
+++ b/storage/dev/nginx/route_lecoffre_hmr.conf
@ -0,0 +1,11 @@
+    location ^~ $URL_ROUTE_LECOFFRE_FRONT_HMR/ {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        rewrite ^$URL_ROUTE_LECOFFRE_FRONT_HMR/(.*)$ $URL_ROUTE_LECOFFRE_FRONT/$1 break;
+        proxy_pass http://localhost:$LECOFFRE_FRONT_PORT;
+    }
--- a/storage/dev/nginx/route_lecoffre_redirect.conf
+++ b/storage/dev/nginx/route_lecoffre_redirect.conf
@ -0,0 +1 @@
+    location = $URL_ROUTE_LECOFFRE_FRONT { return 301 $URL_ROUTE_LECOFFRE_FRONT/; }
--- a/storage/dev/nginx/route_loki.conf
+++ b/storage/dev/nginx/route_loki.conf
@ -0,0 +1,15 @@
+    location /loki/ {
+        proxy_pass http://localhost:$LOKI_PORT/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # CORS pour les requêtes depuis Grafana
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
--- a/storage/dev/nginx/route_next_assets.conf
+++ b/storage/dev/nginx/route_next_assets.conf
@ -0,0 +1,12 @@
+    location ^~ $URL_ROUTE_NEXT/ {
+        proxy_pass http://localhost:$LECOFFRE_FRONT_PORT$URL_ROUTE_NEXT/;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 300;
+        add_header Cache-Control "public, max-age=31536000, immutable";
+    }
--- a/storage/dev/nginx/route_status.conf
+++ b/storage/dev/nginx/route_status.conf
@ -0,0 +1,21 @@
+    location $URL_ROUTE_STATUS_API/ {
+        proxy_pass http://localhost:$STATUS_API_PORT;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # CORS pour les requêtes AJAX
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+        # Timeouts
+        proxy_connect_timeout 10s;
+        proxy_send_timeout 10s;
+        proxy_read_timeout 10s;
+
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+    }
--- a/storage/dev/nginx/route_status_api.conf
+++ b/storage/dev/nginx/route_status_api.conf
@ -0,0 +1,21 @@
+    location $URL_ROUTE_STATUS {
+        proxy_pass http://localhost:3006/api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # CORS pour les requêtes AJAX
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+        # Timeouts
+        proxy_connect_timeout 10s;
+        proxy_send_timeout 10s;
+        proxy_read_timeout 10s;
+
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+    }
--- a/storage/dev/nginx/route_status_redirect.conf
+++ b/storage/dev/nginx/route_status_redirect.conf
@ -0,0 +1,4 @@
+    location $URL_ROUTE_STATUS {
+        # Redirection vers $URL_ROUTE_STATUS/
+        return 301 $URL_ROUTE_STATUS/;
+    }
--- a/storage/dev/nginx/route_ws.conf
+++ b/storage/dev/nginx/route_ws.conf
@ -0,0 +1,15 @@
+    location /ws/ {
+        proxy_pass http://localhost:$SIGNER_PORT/;
+        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
+        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
+        proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
+        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 86400;
+    }
				`@ -0,0 +1 @@`
				`location = $URL_ROUTE_LECOFFRE_FRONT { return 301 $URL_ROUTE_LECOFFRE_FRONT/; }`