From 57d47815f99f669b60a80b58cb052f3a48988b57 Mon Sep 17 00:00:00 2001 
From: 4NK Dev Date: Tue, 30 Sep 2025 10:03:49 +0000 Subject: [PATCH] =?UTF-8?q?ci:=20docker=5Ftag=3Ddev-test=20chore(nginx):?= =?UTF-8?q?=20d=C3=A9coupe=20par=20routes=20de=20ngnix=5Fdev4.4nkweb.com-h?= =?UTF-8?q?ttps.conf=20avec=20includes;=20ajout=20exceptions=20.gitignore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .cursorignore | 6 +- .gitignore | 2 + .../dev/nginx/ngnix_dev4.4nkweb.com-http.conf | 15 +++++ .../nginx/ngnix_dev4.4nkweb.com-https.conf | 56 +++++++++++++++++++ storage/dev/nginx/route_blindbit.conf | 8 +++ storage/dev/nginx/route_favicon.conf | 4 ++ storage/dev/nginx/route_grafana.conf | 24 ++++++++ storage/dev/nginx/route_ihm_client.conf | 11 ++++ storage/dev/nginx/route_lecoffre.conf | 24 ++++++++ storage/dev/nginx/route_lecoffre_hmr.conf | 11 ++++ .../dev/nginx/route_lecoffre_redirect.conf | 1 + storage/dev/nginx/route_loki.conf | 15 +++++ storage/dev/nginx/route_next_assets.conf | 12 ++++ storage/dev/nginx/route_status.conf | 21 +++++++ storage/dev/nginx/route_status_api.conf | 21 +++++++ storage/dev/nginx/route_status_redirect.conf | 4 ++ storage/dev/nginx/route_ws.conf | 15 +++++ 17 files changed, 247 insertions(+), 3 deletions(-) create mode 100644 storage/dev/nginx/ngnix_dev4.4nkweb.com-http.conf create mode 100644 storage/dev/nginx/ngnix_dev4.4nkweb.com-https.conf create mode 100644 storage/dev/nginx/route_blindbit.conf create mode 100644 storage/dev/nginx/route_favicon.conf create mode 100644 storage/dev/nginx/route_grafana.conf create mode 100644 storage/dev/nginx/route_ihm_client.conf create mode 100644 storage/dev/nginx/route_lecoffre.conf create mode 100644 storage/dev/nginx/route_lecoffre_hmr.conf create mode 100644 storage/dev/nginx/route_lecoffre_redirect.conf create mode 100644 storage/dev/nginx/route_loki.conf create mode 100644 storage/dev/nginx/route_next_assets.conf create mode 100644 storage/dev/nginx/route_status.conf create mode 100644 
storage/dev/nginx/route_status_api.conf create mode 100644 storage/dev/nginx/route_status_redirect.conf create mode 100644 storage/dev/nginx/route_ws.conf
diff --git a/.cursorignore b/.cursorignore
index eb48127..f65aade 100644
--- a/.cursorignore
+++ b/.cursorignore
@@ -1,13 +1,13 @@
 # PROTECTION COMPLÈTE - Empêcher l'accès Cursor à storage/
-storage/
+# storage/
 
 # Variables d'environnement (protection renforcée)
 */.env
 */.env*
 */.toml
 */.toml*
-*/.conf
-*/.conf*
+# */.conf
+# */.conf*
 
 # Clés utilisateur et données sensibles
 **/_keys/
diff --git a/.gitignore b/.gitignore
index 0f5c0cc..0ae35c8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -76,6 +76,8 @@ storage/
 !storage/*/README.md
 !storage/*/bitcoin/
 !storage/*/bitcoin/*.conf
+!storage/*/nginx/
+!storage/*/nginx/*.conf
 
 # Clés utilisateur (double protection)
 storage/*/_keys/
diff --git a/storage/dev/nginx/ngnix_dev4.4nkweb.com-http.conf b/storage/dev/nginx/ngnix_dev4.4nkweb.com-http.conf
new file mode 100644
index 0000000..6a7d847
--- /dev/null
+++ b/storage/dev/nginx/ngnix_dev4.4nkweb.com-http.conf
@@ -0,0 +1,15 @@
+# HTTP server for ACME and redirect to HTTPS
+server {
+ listen 80 default_server;
+ server_name _;
+
+ # ACME HTTP-01 challenges
+ location /.well-known/acme-challenge/ {
+ root /var/www/letsencrypt;
+ }
+
+ # Redirection vers HTTPS pour toutes les autres requêtes
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
diff --git a/storage/dev/nginx/ngnix_dev4.4nkweb.com-https.conf b/storage/dev/nginx/ngnix_dev4.4nkweb.com-https.conf
new file mode 100644
index 0000000..442245c
--- /dev/null
+++ b/storage/dev/nginx/ngnix_dev4.4nkweb.com-https.conf
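Review bot: The first context line still announces a complete block on Cursor reading storage/, while the hunk comments out both the `storage/` pattern and the two `*/.conf` patterns, so the heading now contradicts the rules beneath it. Either reword it, e.g. `# storage/ and *.conf are now readable by Cursor; only _keys/ and .env* stay excluded`, or keep the broad patterns and add narrower negations for just the nginx templates. The remaining `*/.env*` and `**/_keys/` lines still cover the secrets this file names, but anything else under storage/ that holds rendered values (hostnames, paths) becomes visible to the editor. The commit subject mentions only the .gitignore exceptions; this loosening of .cursorignore is worth calling out too.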
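Review bot: `!storage/*/nginx/*.conf` re-includes every .conf under storage/*/nginx/, not only the `$VAR` templates added in this commit, so a rendered config written into the same directory (real hostname, certificate path) would be staged as well. If rendering happens in place, write the output to a separate directory or give it a distinct suffix that stays ignored. Note also that route_favicon.conf sets `root $NGINX_CONF_DIR/assets`, which this exception does not cover, so the favicon asset has to be provisioned by some other path.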
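Review bot: `return 301 https://$server_name$request_uri;` builds the redirect from `$server_name`, which in this block is the catch-all `_`, so every plain-HTTP request is sent to `https://_/...`. Use a fixed hostname instead: `return 301 https://$HOST$request_uri;` if this file goes through the same substitution as the HTTPS config (I cannot tell from the hunk), or `$host` otherwise. With `$host` keep in mind that on a `default_server` it is whatever the client put in the Host header, so pinning the name is the safer choice. The ACME location is fine as written.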
@@ -0,0 +1,56 @@
+# Configuration HTTPS pour $HOST
+server {
+ listen 443 ssl;
+ http2 on;
+ server_name $HOST;
+
+ # Certificats SSL
+ ssl_certificate $CERT_PATH/fullchain.pem;
+ ssl_certificate_key $CERT_PATH/privkey.pem;
+
+ # Configuration SSL
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ # Headers de sécurité
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ add_header X-Frame-Options DENY always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Grafana - Interface de monitoring (DOIT être avant location /)
+ include $NGINX_CONF_DIR/route_grafana.conf;
+
+ # Loki API - API de logs (DOIT être avant location /)
+ include $NGINX_CONF_DIR/route_loki.conf;
+
+ # Page de statut des services (DOIT être avant location /)
+ include $NGINX_CONF_DIR/route_status.conf;
+ include $NGINX_CONF_DIR/route_status_redirect.conf;
+ include $NGINX_CONF_DIR/route_status_api.conf;
+
+ # API backend - route /back/ vers /api/ du backend
+ include $NGINX_CONF_DIR/route_back_proxy.conf;
+
+ # WebSocket relay (sdk_relay)
+ include $NGINX_CONF_DIR/route_ws.conf;
+
+ # favicon
+ include $NGINX_CONF_DIR/route_favicon.conf;
+
+ # blindbit
+ include $NGINX_CONF_DIR/route_blindbit.conf;
+
+ # lecoffre-front - Application LeCoffre
+ include $NGINX_CONF_DIR/route_lecoffre_redirect.conf;
+ include $NGINX_CONF_DIR/route_lecoffre.conf;
+ include $NGINX_CONF_DIR/route_lecoffre_hmr.conf;
+ include $NGINX_CONF_DIR/route_next_assets.conf;
+
+ # ihm_client (root) - DOIT être en dernier
+
+ include $NGINX_CONF_DIR/route_ihm_client.conf;
+}
diff --git a/storage/dev/nginx/route_blindbit.conf b/storage/dev/nginx/route_blindbit.conf
new file mode 100644
index 0000000..0def95c
--- /dev/null
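Review bot: `include $NGINX_CONF_DIR/route_back_proxy.conf;` references a file this commit does not create (the diffstat lists fourteen route_*.conf files and route_back_proxy.conf is not among them), and nginx refuses to load a configuration whose include target is missing, so unless that file already exists on the host the whole server block fails `nginx -t`. Second, the four security headers are declared at server level, but nginx's `add_header` is inherited only into locations that define none of their own; route_lecoffre.conf, route_next_assets.conf, route_loki.conf, route_status.conf and route_status_api.conf all add headers, so responses from those locations carry no HSTS, X-Frame-Options or X-Content-Type-Options. Move the four lines into a snippet (e.g. `include $NGINX_CONF_DIR/security_headers.conf;`, name to be chosen) and include it in every location that uses `add_header`, or repeat them there. Minor: `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512` are not cipher names OpenSSL recognises (the GCM suites end in SHA384), so those two entries are silently ignored, and `X-XSS-Protection` is obsolete in current browsers.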
+++ b/storage/dev/nginx/route_blindbit.conf
@@ -0,0 +1,8 @@
+ location $URL_ROUTE_BLINDBIT/ {
+ proxy_pass http://localhost:$BLINDBIT_PORT/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ }
diff --git a/storage/dev/nginx/route_favicon.conf b/storage/dev/nginx/route_favicon.conf
new file mode 100644
index 0000000..2a7538b
--- /dev/null
+++ b/storage/dev/nginx/route_favicon.conf
@@ -0,0 +1,4 @@
+ location = /favicon.ico {
+ root $NGINX_CONF_DIR/assets;
+ try_files /favicon.ico =404;
+ }
diff --git a/storage/dev/nginx/route_grafana.conf b/storage/dev/nginx/route_grafana.conf
new file mode 100644
index 0000000..6e23f38
--- /dev/null
+++ b/storage/dev/nginx/route_grafana.conf
@@ -0,0 +1,24 @@
+ location $URL_ROUTE_GRAFAN/ {
+ proxy_pass http://localhost:$GRAFANA_PORT/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Configuration spécifique pour Grafana
+ proxy_set_header X-Grafana-Org-Id 1;
+
+ # Support des WebSockets pour les live updates
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ # Buffer settings
+ proxy_buffering off;
+ proxy_request_buffering off;
+ }
diff --git a/storage/dev/nginx/route_ihm_client.conf b/storage/dev/nginx/route_ihm_client.conf
new file mode 100644
index 0000000..6f54631
--- /dev/null
+++ b/storage/dev/nginx/route_ihm_client.conf
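Review bot: This location forwards `Host $http_host` while route_grafana.conf, route_loki.conf, route_status.conf, route_status_api.conf and route_ws.conf forward `Host $host`, and route_ihm_client.conf, route_lecoffre.conf and route_next_assets.conf use `$http_host` again; the two differ only when the client sends a port or no Host header, but the split looks accidental, so pick one (`$host` is the conventional choice behind a `server_name`) and use it in every route file. The blank line before the closing brace can go. This is also a direct pass-through of the blindbit API with no access control at the proxy; if it is not meant to be reachable by everyone who can reach the host, an `allow`/`deny` list or `auth_basic` in this block is the place for it.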
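Review bot: `location $URL_ROUTE_GRAFAN/` uses a placeholder spelled without the trailing A, unlike every other `$URL_ROUTE_*` name in this commit; if the exported variable is actually `URL_ROUTE_GRAFANA`, substitution yields an empty string and the line becomes `location / {`, which then collides with the root route in route_ihm_client.conf. Please confirm the name against the rendering script, or change it to `location $URL_ROUTE_GRAFANA/ {`. Also `proxy_buffering off` together with `proxy_request_buffering off` applies to all Grafana traffic, not just the live WebSocket path; harmless in dev, but a comment such as `# buffering disabled for Grafana Live; also affects dashboard/API responses` would record that it is deliberate.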
@@ -0,0 +1,11 @@
+ location $URL_ROUTE_IHM_CLIENT {
+ proxy_pass http://localhost:$IHM_CLIENT_PORT;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 300;
+ }
diff --git a/storage/dev/nginx/route_lecoffre.conf b/storage/dev/nginx/route_lecoffre.conf
new file mode 100644
index 0000000..b9025d2
--- /dev/null
+++ b/storage/dev/nginx/route_lecoffre.conf
@@ -0,0 +1,24 @@
+ location ^~ $URL_ROUTE_LECOFFRE_FRONT/ {
+ # ensure no redirect here; only proxy to Next
+ add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
+ add_header Pragma "no-cache" always;
+ add_header Expires "-1" always;
+ proxy_hide_header ETag;
+ proxy_hide_header Last-Modified;
+ rewrite ^$URL_ROUTE_LECOFFRE_FRONT/(.*)$ /$1 break;
+ proxy_pass http://localhost:$LECOFFRE_FRONT_PORT;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Request-ID $x_request_id;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_read_timeout 300;
+ proxy_send_timeout 300;
+ proxy_connect_timeout 300;
+ }
diff --git a/storage/dev/nginx/route_lecoffre_hmr.conf b/storage/dev/nginx/route_lecoffre_hmr.conf
new file mode 100644
index 0000000..b1d5c94
--- /dev/null
+++ b/storage/dev/nginx/route_lecoffre_hmr.conf
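Review bot: `proxy_set_header X-Request-ID $x_request_id;` in route_lecoffre.conf refers to a variable nginx does not define; unless a `map` or `set` for `$x_request_id` exists in the enclosing http block (not visible here), `nginx -t` rejects the configuration with an unknown-variable error. The built-in is `$request_id`, so `proxy_set_header X-Request-ID $request_id;` is the likely intent. `X-Forwarded-For` and `X-Forwarded-Proto` are also set twice in this block (once after `proxy_pass` and again after `X-Request-ID`); drop the second pair. The `add_header Cache-Control`/`Pragma`/`Expires` lines mean this location no longer inherits the server-level security headers, which deserves a comment if it is intentional.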
@@ -0,0 +1,11 @@
+ location ^~ $URL_ROUTE_LECOFFRE_FRONT_HMR/ {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ rewrite ^$URL_ROUTE_LECOFFRE_FRONT_HMR/(.*)$ $URL_ROUTE_LECOFFRE_FRONT/$1 break;
+ proxy_pass http://localhost:$LECOFFRE_FRONT_PORT;
+ }
diff --git a/storage/dev/nginx/route_lecoffre_redirect.conf b/storage/dev/nginx/route_lecoffre_redirect.conf
new file mode 100644
index 0000000..7f71c51
--- /dev/null
+++ b/storage/dev/nginx/route_lecoffre_redirect.conf
@@ -0,0 +1 @@
+ location = $URL_ROUTE_LECOFFRE_FRONT { return 301 $URL_ROUTE_LECOFFRE_FRONT/; }
diff --git a/storage/dev/nginx/route_loki.conf b/storage/dev/nginx/route_loki.conf
new file mode 100644
index 0000000..f834c43
--- /dev/null
+++ b/storage/dev/nginx/route_loki.conf
@@ -0,0 +1,15 @@
+ location /loki/ {
+ proxy_pass http://localhost:$LOKI_PORT/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # CORS pour les requêtes depuis Grafana
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+ if ($request_method = 'OPTIONS') {
+ return 204;
+ }
diff --git a/storage/dev/nginx/route_next_assets.conf b/storage/dev/nginx/route_next_assets.conf
new file mode 100644
index 0000000..38e91da
--- /dev/null
+++ b/storage/dev/nginx/route_next_assets.conf
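Review bot: route_loki.conf is missing the closing brace of its `location /loki/` block: the 15 added lines contain a single `}` and it closes the `if`, so the include leaves the server block unterminated and nginx fails with an unexpected end of file. Add `}` as the final line (compare route_status.conf, which closes both). Separately, this exposes Loki's push and query API on the public HTTPS host with `Access-Control-Allow-Origin *` and no authentication at the proxy; Loki ships without authentication of its own, so if only Grafana (which queries Loki server-side) needs it, drop the route, otherwise front it with `auth_basic` or an `allow`/`deny` list.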
@@ -0,0 +1,12 @@
+ location ^~ $URL_ROUTE_NEXT/ {
+ proxy_pass http://localhost:$LECOFFRE_FRONT_PORT$URL_ROUTE_NEXT/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 300;
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ }
diff --git a/storage/dev/nginx/route_status.conf b/storage/dev/nginx/route_status.conf
new file mode 100644
index 0000000..30773ad
--- /dev/null
+++ b/storage/dev/nginx/route_status.conf
@@ -0,0 +1,21 @@
+ location $URL_ROUTE_STATUS_API/ {
+ proxy_pass http://localhost:$STATUS_API_PORT;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # CORS pour les requêtes AJAX
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+ # Timeouts
+ proxy_connect_timeout 10s;
+ proxy_send_timeout 10s;
+ proxy_read_timeout 10s;
+
+ if ($request_method = 'OPTIONS') {
+ return 204;
+ }
+ }
\ No newline at end of file
diff --git a/storage/dev/nginx/route_status_api.conf b/storage/dev/nginx/route_status_api.conf
new file mode 100644
index 0000000..1e41b34
--- /dev/null
+++ b/storage/dev/nginx/route_status_api.conf
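Review bot: `add_header Cache-Control "public, max-age=31536000, immutable";` in route_next_assets.conf applies to everything under `$URL_ROUTE_NEXT/`; I cannot see that prefix's value, but if it is Next's `/_next/` it also covers `/_next/data/` and `/_next/webpack-hmr`, which are neither content-hashed nor immutable, while route_lecoffre.conf goes out of its way to disable caching for the same app. Limit the header to the hashed static path (a nested `location ^~ $URL_ROUTE_NEXT/static/` block) or leave it out of the dev profile. As in route_lecoffre.conf, this `add_header` also stops the server-level security headers from being inherited.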
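Review bot: The file name and the route it serves are swapped with route_status_api.conf: this file, route_status.conf, proxies `$URL_ROUTE_STATUS_API/` to `$STATUS_API_PORT`, while route_status_api.conf proxies `$URL_ROUTE_STATUS` to a hard-coded `localhost:3006/api`. Rename the files to match their routes (or swap their contents) and use `$STATUS_API_PORT` in both so the port is defined in one place. The missing trailing newline git flags here is cosmetic.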
@@ -0,0 +1,21 @@
+ location $URL_ROUTE_STATUS {
+ proxy_pass http://localhost:3006/api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # CORS pour les requêtes AJAX
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+ # Timeouts
+ proxy_connect_timeout 10s;
+ proxy_send_timeout 10s;
+ proxy_read_timeout 10s;
+
+ if ($request_method = 'OPTIONS') {
+ return 204;
+ }
+ }
diff --git a/storage/dev/nginx/route_status_redirect.conf b/storage/dev/nginx/route_status_redirect.conf
new file mode 100644
index 0000000..ba449d8
--- /dev/null
+++ b/storage/dev/nginx/route_status_redirect.conf
@@ -0,0 +1,4 @@
+ location $URL_ROUTE_STATUS {
+ # Redirection vers $URL_ROUTE_STATUS/
+ return 301 $URL_ROUTE_STATUS/;
+ }
diff --git a/storage/dev/nginx/route_ws.conf b/storage/dev/nginx/route_ws.conf
new file mode 100644
index 0000000..9b0e6ec
--- /dev/null
+++ b/storage/dev/nginx/route_ws.conf
@@ -0,0 +1,15 @@
+ location /ws/ {
+ proxy_pass http://localhost:$SIGNER_PORT/;
+ proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
+ proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
+ proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
+ proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 86400;
+ }
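Review bot: `location $URL_ROUTE_STATUS {` in route_status_api.conf is declared verbatim a second time in route_status_redirect.conf, and ngnix_dev4.4nkweb.com-https.conf includes both into the same server block, so nginx refuses the configuration with a duplicate-location error. Keep one of them: if the redirect to `$URL_ROUTE_STATUS/` is wanted, make it an exact match, `location = $URL_ROUTE_STATUS { return 301 $URL_ROUTE_STATUS/; }`, and leave the proxy location as the prefix match, mirroring what route_lecoffre_redirect.conf already does. The hard-coded `http://localhost:3006/api` here bypasses the `$STATUS_API_PORT` placeholder used in route_status.conf; use the placeholder in both.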
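Review bot: The four explicit `proxy_set_header Sec-WebSocket-*` lines in route_ws.conf are redundant: nginx forwards client request headers it does not itself rewrite, so `Sec-WebSocket-Key`, `-Version`, `-Protocol` and `-Extensions` reach the upstream without them; only `Upgrade` and `Connection` need setting, which the last lines already do. Removing them also makes this file consistent with the other WebSocket-capable routes (route_grafana.conf, route_ihm_client.conf). The include comment in ngnix_dev4.4nkweb.com-https.conf calls this the sdk_relay route, yet the upstream here is `$SIGNER_PORT`; one of the two is misnamed and should be corrected so it is clear which service is being exposed at `/ws/`.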