diff --git a/.gitignore b/.gitignore index 8be9b71e..a356b55b 100644 --- a/.gitignore +++ b/.gitignore @@ -11,6 +11,10 @@ secrets/ logs/ *.log +.cargo/ +Cargo.lock +*/.cargo/ +*/Cargo.lock # Node.js node_modules/ npm-debug.log* @@ -35,4 +39,4 @@ Thumbs.db # Temporary files tmp/ -*.tmp \ No newline at end of file +*.tmp.cursor-server diff --git a/backups/20250925_072119/nginx_conf/assets/favicon.ico b/backups/20250925_072119/nginx_conf/assets/favicon.ico new file mode 100644 index 00000000..1ddbac54 Binary files /dev/null and b/backups/20250925_072119/nginx_conf/assets/favicon.ico differ diff --git a/backups/20250925_072119/nginx_conf/dev4.4nkweb.com-http.conf b/backups/20250925_072119/nginx_conf/dev4.4nkweb.com-http.conf new file mode 100644 index 00000000..6a7d847d --- /dev/null +++ b/backups/20250925_072119/nginx_conf/dev4.4nkweb.com-http.conf @@ -0,0 +1,15 @@ +# HTTP server for ACME and redirect to HTTPS +server { + listen 80 default_server; + server_name _; + + # ACME HTTP-01 challenges + location /.well-known/acme-challenge/ { + root /var/www/letsencrypt; + } + + # Redirection vers HTTPS pour toutes les autres requêtes + location / { + return 301 https://$server_name$request_uri; + } +} diff --git a/backups/20250925_072119/nginx_conf/dev4.4nkweb.com-https.conf b/backups/20250925_072119/nginx_conf/dev4.4nkweb.com-https.conf new file mode 100644 index 00000000..97367408 --- /dev/null +++ b/backups/20250925_072119/nginx_conf/dev4.4nkweb.com-https.conf 
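Review bot: Ignoring `Cargo.lock` and `*/Cargo.lock` in the first .gitignore hunk removes the only record of the exact crate versions that were built; for application or service crates the lockfile is normally committed so builds are reproducible and dependency changes are visible in review. If these directories hold library crates only, ignoring it is conventional, but nothing on the page shows that. I would either drop the two `Cargo.lock` lines or add a comment such as `# Cargo.lock ignored: library crates only` so the choice is recorded.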
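Review bot: The second .gitignore hunk replaces `*.tmp` with the single pattern `*.tmp.cursor-server`, which matches neither `*.tmp` files nor a `.cursor-server` directory, so the old rule is silently lost (the `\ No newline at end of file` marker on the removed line suggests the new pattern was appended to it without a line break). The intended content is presumably two lines, `*.tmp` and `.cursor-server`.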
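Review bot: In dev4.4nkweb.com-http.conf the redirect `return 301 https://$server_name$request_uri;` sits in a server with `server_name _;`, so every redirect points at `https://_/...` instead of the requested host. Use `return 301 https://$host$request_uri;` here, or name the real host in `server_name`. Since this is the `default_server`, `$host` is client-supplied; if the target must be pinned, hard-code the hostname in the `return` rather than relying on either variable.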
@@ -0,0 +1,265 @@ +# Configuration HTTPS pour dev4.4nkweb.com +server { + listen 443 ssl; + http2 on; + server_name dev4.4nkweb.com; + + include /home/debian/4NK_env/lecoffre_node/conf/nginx/logging.conf; + + # Certificats SSL + ssl_certificate /etc/letsencrypt/live/dev4.4nkweb.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/dev4.4nkweb.com/privkey.pem; + + # Configuration SSL + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_prefer_server_ciphers off; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + # Headers de sécurité + add_header Strict-Transport-Security "max-age=63072000" always; + add_header X-Frame-Options DENY always; + add_header X-Content-Type-Options nosniff always; + add_header X-XSS-Protection "1; mode=block" always; + + # Grafana - Interface de monitoring (DOIT être avant location /) + location /grafana/ { + proxy_pass http://localhost:3005/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # Configuration spécifique pour Grafana + proxy_set_header X-Grafana-Org-Id 1; + + # Support des WebSockets pour les live updates + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Timeouts + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + # Buffer settings + proxy_buffering off; + proxy_request_buffering off; + } + + # Loki API - API de logs (DOIT être avant location /) + location /loki/ { + proxy_pass http://localhost:3100/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # CORS pour les requêtes depuis Grafana + add_header 
Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization"; + + if ($request_method = 'OPTIONS') { + return 204; + } + } + + # Page de statut des services (DOIT être avant location /) + location /status { + # Redirection vers /status/ + return 301 /status/; + } + + location /status/ { + # Serveur statique pour la page HTML + alias /var/www/lecoffre/status/; + index index.html; + try_files $uri $uri/ /status/index.html; + + # Headers de sécurité + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Cache pour les assets statiques + location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ { + expires 1h; + add_header Cache-Control "public, immutable"; + } + } + + # API de statut des services (DOIT être avant location /) + location /status/api { + proxy_pass http://localhost:3006/api; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # CORS pour les requêtes AJAX + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization"; + + # Timeouts + proxy_connect_timeout 10s; + proxy_send_timeout 10s; + proxy_read_timeout 10s; + + if ($request_method = 'OPTIONS') { + return 204; + } + } + + # API backend - route /back/ vers /api/ du backend + location ~* ^/back/(.*)$ { + proxy_pass http://localhost:8080/api/$1; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Connection ""; + proxy_buffering off; + } + + # API direct - route /api/ vers le 
backend + # Autorisations CORS dynamiques pour origines connues + set $cors_origin ""; + if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) { + set $cors_origin $http_origin; + } + + location /api/ { + # CORS pour développement local Next.js + proxy_hide_header Access-Control-Allow-Origin; + proxy_hide_header Access-Control-Allow-Credentials; + proxy_hide_header Access-Control-Allow-Headers; + proxy_hide_header Access-Control-Allow-Methods; + + if ($request_method = OPTIONS) { + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + return 204; + } + + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + + proxy_set_header X-Request-ID $x_request_id; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_pass http://dev3.4nkweb.com:8080/api/; + include /etc/nginx/proxy_params; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # WebSocket relay (sdk_relay) + location /ws/ { + proxy_pass http://localhost:8090/; + proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key; + proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version; + proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol; + proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 86400; + } + + # API de transfert de fonds + location /api/v1/funds/ { + proxy_pass http://dev3.4nkweb.com:8080/api/v1/funds/; + include /etc/nginx/proxy_params; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # favicon + location = /favicon.ico { + root /home/debian/4NK_env/lecoffre_node/conf/nginx/assets; + try_files /favicon.ico =404; + } + + # blindbit + location /blindbit/ { + proxy_pass http://localhost:8000/; + include /etc/nginx/proxy_params; + } + + # signer (sdk_signer) avec support WebSocket + + # lecoffre-front - Application LeCoffre + location = /lecoffre { return 301 /lecoffre/; } + location ^~ /lecoffre/ { + # ensure no redirect here; only proxy to Next + add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always; + add_header Pragma "no-cache" always; + add_header Expires "-1" always; + proxy_hide_header ETag; + proxy_hide_header Last-Modified; + rewrite ^/lecoffre/(.*)$ /$1 break; + proxy_pass http://localhost:3004; + include /etc/nginx/proxy_params; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header X-Request-ID $x_request_id; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_read_timeout 300; + proxy_send_timeout 300; + proxy_connect_timeout 300; + } + # HMR dev front + location ^~ /lecoffre-hmr/ { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + rewrite 
^/lecoffre-hmr/(.*)$ /lecoffre/$1 break; + proxy_pass http://localhost:3000; + } + + + # ihm_client (root) - DOIT être en dernier + + # Next.js assets for lecoffre-front + location ^~ /_next/ { + proxy_pass http://localhost:3004/_next/; + include /etc/nginx/proxy_params; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + add_header Cache-Control "public, max-age=31536000, immutable"; + } + + location / { + proxy_pass http://localhost:3003; + include /etc/nginx/proxy_params; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + } +} diff --git a/backups/20250925_072119/nginx_conf/dev4.4nkweb.com-https.conf.bak.1758553408 b/backups/20250925_072119/nginx_conf/dev4.4nkweb.com-https.conf.bak.1758553408 new file mode 100644 index 00000000..b1cdd256 --- /dev/null +++ b/backups/20250925_072119/nginx_conf/dev4.4nkweb.com-https.conf.bak.1758553408 
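Review bot: The server-level `add_header Strict-Transport-Security ... always` and `X-Frame-Options DENY` in dev4.4nkweb.com-https.conf are not sent on most routes, because nginx inherits `add_header` from the server block only when a location defines none of its own, and `/loki/`, `/status/`, `/status/api`, `/api/`, `/lecoffre/` and `/_next/` each add their own CORS or Cache-Control headers, which drops the inherited set. Either repeat the security headers in those locations or move them into a snippet each location includes; the same inheritance rule applies to the server-level headers in the .bak, dev4.4nkweb.com.conf and nginx.conf hunks. Separately, `/loki/` exposes the Loki API on the public vhost with `Access-Control-Allow-Origin *` and no authentication visible in the hunk, and `/api/` and `/api/v1/funds/` now proxy to `http://dev3.4nkweb.com:8080`, so `Authorization` and `x-session-id` would travel in cleartext if that is a different host — worth confirming. The trailing `# signer (sdk_signer) avec support WebSocket` comment has no location under it and should be removed or completed.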
@@ -0,0 +1,246 @@ +# Configuration HTTPS pour dev4.4nkweb.com +server { + listen 443 ssl http2; + server_name dev4.4nkweb.com; + + # Certificats SSL + ssl_certificate /etc/letsencrypt/live/dev4.4nkweb.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/dev4.4nkweb.com/privkey.pem; + + # Configuration SSL + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_prefer_server_ciphers off; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + # Headers de sécurité + add_header Strict-Transport-Security "max-age=63072000" always; + add_header X-Frame-Options DENY always; + add_header X-Content-Type-Options nosniff always; + add_header X-XSS-Protection "1; mode=block" always; + + # Grafana - Interface de monitoring (DOIT être avant location /) + location /grafana/ { + proxy_pass http://localhost:3005/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # Configuration spécifique pour Grafana + proxy_set_header X-Grafana-Org-Id 1; + + # Support des WebSockets pour les live updates + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Timeouts + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + # Buffer settings + proxy_buffering off; + proxy_request_buffering off; + } + + # Loki API - API de logs (DOIT être avant location /) + location /loki/ { + proxy_pass http://localhost:3100/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # CORS pour les requêtes depuis Grafana + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, 
POST, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization"; + + if ($request_method = 'OPTIONS') { + return 204; + } + } + + # Page de statut des services (DOIT être avant location /) + location /status { + # Redirection vers /status/ + return 301 /status/; + } + + location /status/ { + # Serveur statique pour la page HTML + alias /var/www/lecoffre/status/; + index index.html; + try_files $uri $uri/ /status/index.html; + + # Headers de sécurité + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Désactiver le cache côté client + add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always; + add_header Pragma "no-cache" always; + expires -1; + + # Cache pour les assets statiques + location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ { + expires 1h; + add_header Cache-Control "public, immutable"; + } + } + + # API de statut des services (DOIT être avant location /) + location /status/api { + proxy_pass http://localhost:3006/api; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # CORS pour les requêtes AJAX + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization"; + + # Désactiver le cache proxy/client + proxy_no_cache 1; + proxy_cache_bypass 1; + add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always; + add_header Pragma "no-cache" always; + + # Timeouts + proxy_connect_timeout 10s; + proxy_send_timeout 10s; + proxy_read_timeout 10s; + + if ($request_method = 'OPTIONS') { + return 204; + } + } + + # API backend - route /back/ vers /api/ du backend + location ~* ^/back/(.*)$ { + proxy_pass http://localhost:8080/api/$1; + 
proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Connection ""; + proxy_buffering off; + } + + # API direct - route /api/ vers le backend + # Autorisations CORS dynamiques pour origines connues + set $cors_origin ""; + if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) { + set $cors_origin $http_origin; + } + + location /api/ { + # CORS pour développement local Next.js + proxy_hide_header Access-Control-Allow-Origin; + proxy_hide_header Access-Control-Allow-Credentials; + proxy_hide_header Access-Control-Allow-Headers; + proxy_hide_header Access-Control-Allow-Methods; + + if ($request_method = OPTIONS) { + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + return 204; + } + + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + + proxy_pass http://localhost:8080/api/; + include /etc/nginx/proxy_params; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # WebSocket relay (sdk_relay) + location /ws/ { + proxy_pass http://localhost:8090/; + proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key; + proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version; + proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol; + proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions; + proxy_set_header Host 
$host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 86400; + } + + # API de transfert de fonds + location /api/v1/funds/ { + proxy_pass http://localhost:8080/api/v1/funds/; + include /etc/nginx/proxy_params; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # favicon + location = /favicon.ico { + root /home/debian/lecoffre_node/conf/nginx/assets; + try_files /favicon.ico =404; + } + + # blindbit + location /blindbit/ { + proxy_pass http://localhost:8000/; + include /etc/nginx/proxy_params; + } + + # signer (sdk_signer) avec support WebSocket + location /signer/ { + proxy_pass http://localhost:3001/; + include /etc/nginx/proxy_params; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + } + + # lecoffre-front - Application LeCoffre + # Forcer le trailing slash pour éviter les redirections et erreurs 500 côté Next.js + location = /lecoffre { + return 301 /lecoffre/; + } + + location ^~ /lecoffre/ { + # Déléguer la gestion du basePath à Next.js + proxy_pass http://localhost:3004; + include /etc/nginx/proxy_params; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + proxy_send_timeout 300; + proxy_connect_timeout 300; + } + + # ihm_client (root) - DOIT être en dernier + location / { + proxy_pass http://localhost:3003; + include /etc/nginx/proxy_params; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + } +} \ No newline at end of file 
diff --git a/backups/20250925_072119/nginx_conf/dev4.4nkweb.com.conf b/backups/20250925_072119/nginx_conf/dev4.4nkweb.com.conf
new file mode 100644
index 00000000..e26ac3da
--- /dev/null
+++ b/backups/20250925_072119/nginx_conf/dev4.4nkweb.com.conf
@@ -0,0 +1,258 @@ +# HTTP server for ACME and redirect to HTTPS +server { + listen 80; + server_name dev4.4nkweb.com http://dev4.4nkweb.com; + + # ACME HTTP-01 challenges + location /.well-known/acme-challenge/ { + root /var/www/letsencrypt; + } + + # Redirection vers HTTPS pour toutes les autres requêtes + location / { + return 301 https://$server_name$request_uri; + } + + # API backend - route /back/ vers /api/ du backend + location ~* ^/back/(.*)$ { + proxy_pass http://localhost:8080/api/$1; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Connection ""; + proxy_buffering off; + } + + # API direct - route /api/ vers le backend + # Autorisations CORS dynamiques pour origines connues + set $cors_origin ""; + if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) { + set $cors_origin $http_origin; + } + + location /api/ { + # CORS pour développement local Next.js + proxy_hide_header Access-Control-Allow-Origin; + proxy_hide_header Access-Control-Allow-Credentials; + proxy_hide_header Access-Control-Allow-Headers; + proxy_hide_header Access-Control-Allow-Methods; + + if ($request_method = OPTIONS) { + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + return 204; + } + + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + + proxy_pass http://localhost:8080/api/; + include 
/etc/nginx/proxy_params; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # Compat: certains clients appellent /apiv1 -> réécriture vers /api/v1 + location ~* ^/apiv1/(.*)$ { + # CORS pour compatibilité + proxy_hide_header Access-Control-Allow-Origin; + proxy_hide_header Access-Control-Allow-Credentials; + proxy_hide_header Access-Control-Allow-Headers; + proxy_hide_header Access-Control-Allow-Methods; + + if ($request_method = OPTIONS) { + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + return 204; + } + + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + + proxy_pass http://localhost:8080/api/v1/$1; + include /etc/nginx/proxy_params; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # WebSocket relay (sdk_relay) + location /ws/ { + proxy_pass http://localhost:8090/; + proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key; + proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version; + proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol; + proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300; + } + + # API de transfert de fonds + 
location /api/v1/funds/ { + proxy_pass http://localhost:8080/api/v1/funds/; + include /etc/nginx/proxy_params; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # Grafana - Interface de monitoring (DOIT être avant location /) + location /grafana/ { + proxy_pass http://localhost:3005/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # Configuration spécifique pour Grafana + proxy_set_header X-Grafana-Org-Id 1; + + # Support des WebSockets pour les live updates + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Timeouts + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + # Buffer settings + proxy_buffering off; + proxy_request_buffering off; + } + + # Loki API - API de logs (DOIT être avant location /) + location /loki/ { + proxy_pass http://localhost:3100/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # CORS pour les requêtes depuis Grafana + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization"; + + if ($request_method = 'OPTIONS') { + return 204; + } + } + + # Page de statut des services (DOIT être avant location /) + location /status { + # Redirection vers /status/ + return 301 /status/; + } + + location /status/ { + # Serveur statique pour la page HTML + alias /var/www/lecoffre/status/; + index index.html; + try_files $uri $uri/ /status/index.html; + + # Headers de sécurité + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + 
+ # Cache pour les assets statiques + location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ { + expires 1h; + add_header Cache-Control "public, immutable"; + } + } + + # API de statut des services (DOIT être avant location /) + location /status/api { + proxy_pass http://localhost:3006/api; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # CORS pour les requêtes AJAX + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization"; + + # Timeouts + proxy_connect_timeout 10s; + proxy_send_timeout 10s; + proxy_read_timeout 10s; + + if ($request_method = 'OPTIONS') { + return 204; + } + } + + # ihm_client (root) - DOIT être en dernier + location / { + proxy_pass http://localhost:3003; + include /etc/nginx/proxy_params; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + } + + # favicon + location = /favicon.ico { + root /home/debian/4NK_env/lecoffre_node/conf/nginx/assets; + try_files /favicon.ico =404; + access_log off; + expires 30d; + } + + # lecoffre frontend + location = /lecoffre { + proxy_pass http://127.0.0.2:3004/lecoffre; + include /etc/nginx/proxy_params; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto http; + } + + location /lecoffre/ { + proxy_pass http://127.0.0.2:3004/lecoffre/; + include /etc/nginx/proxy_params; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto http; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + } + + # Next.js assets + location /_next/ { + proxy_pass http://127.0.0.2:3004/_next/; + include /etc/nginx/proxy_params; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto 
http;
+ }
+
+ # blindbit
+ location /blindbit/ {
+ proxy_pass http://localhost:8000/;
+ include /etc/nginx/proxy_params;
+ }
+
+}
diff --git a/backups/20250925_072119/nginx_conf/grafana.conf b/backups/20250925_072119/nginx_conf/grafana.conf
new file mode 100644
index 00000000..c3753bba
--- /dev/null
+++ b/backups/20250925_072119/nginx_conf/grafana.conf
@@ -0,0 +1,49 @@
+# Configuration Nginx pour Grafana
+server {
+ listen 80;
+ server_name dev4.4nkweb.com;
+
+ # Proxy pour Grafana
+ location /grafana/ {
+ proxy_pass http://127.0.0.1:3005/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Configuration spécifique pour Grafana
+ proxy_set_header X-Grafana-Org-Id 1;
+
+ # Support des WebSockets pour les live updates
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ # Buffer settings
+ proxy_buffering off;
+ proxy_request_buffering off;
+ }
+
+ # Proxy pour Loki (API)
+ location /loki/ {
+ proxy_pass http://127.0.0.1:3100/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # CORS pour les requêtes depuis Grafana
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+ if ($request_method = 'OPTIONS') {
+ return 204;
+ }
+ }
+}
diff --git a/backups/20250925_072119/nginx_conf/logging.conf b/backups/20250925_072119/nginx_conf/logging.conf
new file mode 100644
index 00000000..a993765f
--- /dev/null
+++ b/backups/20250925_072119/nginx_conf/logging.conf
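Review bot: In dev4.4nkweb.com.conf the port-80 server redirects only `location /` to HTTPS, while `/api/`, `/apiv1/`, `/back/`, `/ws/`, `/grafana/`, `/loki/`, `/status/api` and `/lecoffre/` are proxied directly over plaintext, with `Access-Control-Allow-Credentials "true"` on the API routes and `X-Forwarded-Proto http` hard-coded on the lecoffre routes, so `Authorization` and `x-session-id` on those paths never reach the TLS vhost. If this file is meant to be active alongside dev4.4nkweb.com-http.conf, keep the port-80 server to the ACME location plus the redirect and drop the proxy locations; `server_name dev4.4nkweb.com http://dev4.4nkweb.com;` also lists a URL where only hostnames are valid. The `127.0.0.2:3004` upstream here differs from the `localhost:3004` used in the HTTPS file, so one of the two is presumably stale.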
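Review bot: grafana.conf declares a second `listen 80` server with `server_name dev4.4nkweb.com`, the same name as the port-80 server in dev4.4nkweb.com.conf, so nginx will warn about a conflicting server name and only the first file loaded will serve that name; its `/grafana/` and `/loki/` locations are also already defined in the HTTPS vhost. It additionally puts the Grafana login and the Loki query/push API on plaintext port 80 with `Access-Control-Allow-Origin *` and no authentication visible in front of Loki. If the file is only a historical snapshot, a header comment such as `# superseded by dev4.4nkweb.com-https.conf; not to be enabled` would make that clear; otherwise it looks redundant and should be dropped.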
@@ -0,0 +1,39 @@
+# Logging configuration for lecoffre front
+
+log_format lecoffre_json escape=json
+ '{'
+ '"time":"$time_iso8601",'
+ '"request_id":"$request_id",'
+ '"remote_addr":"$remote_addr",'
+ '"host":"$host",'
+ '"method":"$request_method",'
+ '"uri":"$uri",'
+ '"args":"$args",'
+ '"status":$status,'
+ '"bytes":$body_bytes_sent,'
+ '"referer":"$http_referer",'
+ '"user_agent":"$http_user_agent",'
+ '"request_time":$request_time,'
+ '"upstream_addr":"$upstream_addr",'
+ '"upstream_status":"$upstream_status",'
+ '"upstream_connect_time":"$upstream_connect_time",'
+ '"upstream_header_time":"$upstream_header_time",'
+ '"upstream_response_time":"$upstream_response_time",'
+ '"x_forwarded_for":"$http_x_forwarded_for"'
+ '}';
+
+# Default access and error logs for the front site
+access_log /var/log/nginx/lecoffre_front_access.log lecoffre_json;
+error_log /var/log/nginx/lecoffre_front_error.log warn;
+
+# Map incoming X-Request-ID or generate one
+map $http_x_request_id $x_request_id {
+ default $http_x_request_id;
+ "" $request_id;
+}
+
+# These headers should be set in each proxy location of the vhost
+# proxy_set_header X-Request-ID $x_request_id;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-Host $host;
diff --git a/backups/20250925_072119/nginx_conf/nginx.conf b/backups/20250925_072119/nginx_conf/nginx.conf
new file mode 100644
index 00000000..726a64b1
--- /dev/null
+++ b/backups/20250925_072119/nginx_conf/nginx.conf
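Review bot: `log_format` and `map` are only valid in the `http` context, but dev4.4nkweb.com-https.conf includes this file from inside its `server { }` block (`include /home/debian/4NK_env/lecoffre_node/conf/nginx/logging.conf;`), which `nginx -t` rejects with a "directive is not allowed here" error; the `log_format` and `map` definitions need to be included at `http` level (for instance from nginx.conf next to `log_format main`), leaving only `access_log`/`error_log` for the vhost. A comment at the top such as `# Must be included from the http {} context: log_format and map are not allowed inside server {}` would prevent the next person from repeating the mistake. `escape=json` is the right choice for these fields; note that `"args":"$args"` writes the full query string to the access log, so any token or identifier passed as a query parameter is persisted there — worth confirming that is intended or masking those parameters.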
@@ -0,0 +1,470 @@ +user www-data; +worker_processes auto; +pid /app/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 1024; + use epoll; + multi_accept on; +} + +http { + # Configuration de base + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_tokens off; + + # MIME types + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Logging + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /app/logs/nginx/access.log main; + error_log /app/logs/nginx/error.log warn; + + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_types + text/plain + text/css + text/xml + text/javascript + application/json + application/javascript + application/xml+rss + application/atom+xml + image/svg+xml; + + # Rate limiting + limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s; + limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s; + + # Upstream servers + + upstream lecoffre_frontend { + server localhost:3004; + keepalive 32; + } + + upstream ihm_client { + server localhost:3003; + keepalive 32; + } + + upstream grafana { + server localhost:3005; + keepalive 32; + } + + upstream loki { + server localhost:3100; + keepalive 32; + } + + upstream status_api { + server localhost:3006; + keepalive 32; + } + + upstream sdk_relay { + server localhost:8090; + keepalive 32; + } + + upstream blindbit { + server localhost:8000; + keepalive 32; + } + + # Serveur principal HTTP (port 80) + server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + + # Redirection automatique vers HTTPS si disponible + return 301 https://$host$request_uri; + } + + # Serveur HTTPS (port 443) + server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + 
server_name _; + + # Certificats SSL (auto-signés pour le développement) + ssl_certificate /app/ssl/nginx-selfsigned.crt; + ssl_certificate_key /app/ssl/nginx-selfsigned.key; + + # Configuration SSL + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_prefer_server_ciphers off; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + # Headers de sécurité + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + + # Page de statut des services + location /status/ { + alias /var/www/lecoffre/status/; + index index.html; + try_files $uri $uri/ /status/index.html; + + location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ { + expires 1h; + add_header Cache-Control "public, immutable"; + } + } + + # API de statut des services + location /status/api { + limit_req zone=api burst=20 nodelay; + proxy_pass http://status_api/api; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # CORS + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization"; + + if ($request_method = 'OPTIONS') { + return 204; + } + } + + # Grafana - Interface de monitoring + location /grafana/ { + proxy_pass http://grafana/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Grafana-Org-Id 1; + + # WebSocket support + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + 
proxy_set_header Connection "upgrade"; + + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + proxy_buffering off; + proxy_request_buffering off; + } + + # Loki API - API de logs + location /loki/ { + limit_req zone=api burst=10 nodelay; + proxy_pass http://loki/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # CORS pour Grafana + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization"; + + if ($request_method = 'OPTIONS') { + return 204; + } + } + + # API backend - routes /back/ vers /api/ + location ~* ^/back/(.*)$ { + limit_req zone=api burst=20 nodelay; + proxy_pass http://lecoffre_backend/api/$1; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Connection ""; + proxy_buffering off; + } + + # API direct - routes /api/ + location /api/ { + limit_req zone=api burst=20 nodelay; + + # CORS dynamique + set $cors_origin ""; + if ($http_origin ~* ^(http://localhost:3000|http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) { + set $cors_origin $http_origin; + } + + proxy_hide_header Access-Control-Allow-Origin; + proxy_hide_header Access-Control-Allow-Credentials; + proxy_hide_header Access-Control-Allow-Headers; + proxy_hide_header Access-Control-Allow-Methods; + + if ($request_method = OPTIONS) { + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + 
return 204; + } + + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + + proxy_pass http://lecoffre_backend/api/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # WebSocket relay (sdk_relay) + location /ws/ { + proxy_pass http://sdk_relay/; + proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key; + proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version; + proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol; + proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 86400; + } + + # API de transfert de fonds + location /api/v1/funds/ { + limit_req zone=api burst=5 nodelay; + proxy_pass http://lecoffre_backend/api/v1/funds/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # favicon + location = /favicon.ico { + root /var/www/lecoffre/assets; + try_files /favicon.ico =404; + } + + # blindbit + location /blindbit/ { + proxy_pass http://blindbit/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # LeCoffre Front - Application principale + # Redirige /lecoffre -> /lecoffre/ + location = /lecoffre { + return 301 /lecoffre/; + } + location /lecoffre/ { + proxy_pass http://lecoffre_frontend/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + + # Configuration spécifique pour Next.js + proxy_buffering off; + proxy_request_buffering off; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + } + + # ihm_client (root) - DOIT être en dernier + location / { + proxy_pass http://ihm_client; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + } + } + # API de statut des services + location /status/api { + limit_req zone=api burst=20 nodelay; + proxy_pass http://status_api/api; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # CORS + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; + add_header Access-Control-Allow-Headers "Content-Type, Authorization"; + + if ($request_method = 'OPTIONS') { + return 204; + } + } + + # Grafana - Interface de monitoring + location /grafana/ { + proxy_pass http://grafana/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Grafana-Org-Id 1; + + # WebSocket support + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + proxy_buffering off; + proxy_request_buffering off; + } + + # API backend - routes /back/ vers /api/ + location ~* ^/back/(.*)$ { + limit_req zone=api burst=20 nodelay; + proxy_pass http://lecoffre_backend/api/$1; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Connection ""; + proxy_buffering off; + } + + # API direct - routes /api/ + location /api/ { + limit_req zone=api burst=20 nodelay; + + # CORS dynamique pour développement local + set $cors_origin ""; + if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|http://localhost:3000|https://dev4\.4nkweb\.com)$) { + set $cors_origin $http_origin; + } + + proxy_hide_header Access-Control-Allow-Origin; + proxy_hide_header Access-Control-Allow-Credentials; + proxy_hide_header Access-Control-Allow-Headers; + proxy_hide_header Access-Control-Allow-Methods; + + if ($request_method = OPTIONS) { + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + return 204; + } + + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; 
+ + proxy_pass http://lecoffre_backend/api/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; + } + + # WebSocket relay (sdk_relay) + location /ws/ { + proxy_pass http://sdk_relay/; + proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key; + proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version; + proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol; + proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 86400; + } + + # LeCoffre Front - Application principale + # Redirige /lecoffre -> /lecoffre/ + location = /lecoffre { + return 301 /lecoffre/; + } + location /lecoffre/ { + proxy_pass http://lecoffre_frontend/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + + # Configuration spécifique pour Next.js + proxy_buffering off; + proxy_request_buffering off; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + } + + # ihm_client (root) - DOIT être en dernier + location / { + proxy_pass http://ihm_client; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + 
proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300; + } + } +} diff --git a/backups/20250925_072119/nginx_http_flows.txt b/backups/20250925_072119/nginx_http_flows.txt new file mode 100644 index 00000000..129011ed --- /dev/null +++ b/backups/20250925_072119/nginx_http_flows.txt 
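Review bot: `proxy_pass http://lecoffre_backend/api/$1;` in the `/back/` location (and the `/api/` and `/api/v1/funds/` locations) references an upstream that is never declared — the `upstream` list defines only lecoffre_frontend, ihm_client, grafana, loki, status_api, sdk_relay and blindbit — so nginx will treat `lecoffre_backend` as a host name to resolve at startup and the configuration will fail to load unless that name happens to resolve. After `location /` closes the HTTPS `server` block, the `/status/api`, `/grafana/`, `/back/`, `/api/`, `/ws/`, `/lecoffre/` and `/` locations are repeated verbatim at `http` level before the final braces, where `location` is not allowed; this looks like a paste duplicate and the second copy should be removed (the brace count at the end of the file is off by one as well). The security headers set with `add_header` in the server block are not inherited by any location that has its own `add_header` (`/status/api`, `/loki/`, `/api/`, and the nested regex location under `/status/`), so `X-Frame-Options` and `X-Content-Type-Options` are missing precisely on the responses that carry CORS headers; repeat them there or move them into an include used by every location. As in grafana.conf, `/loki/` exposes Loki's query API with `Access-Control-Allow-Origin *` and no authentication directive in front of it.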
@@ -0,0 +1,44 @@
+136: location /api/ {
+137: # CORS pour développement local Next.js
+138: proxy_hide_header Access-Control-Allow-Origin;
+139: proxy_hide_header Access-Control-Allow-Credentials;
+140: proxy_hide_header Access-Control-Allow-Headers;
+141: proxy_hide_header Access-Control-Allow-Methods;
+142:
+143: if ($request_method = OPTIONS) {
+144: add_header Access-Control-Allow-Origin $cors_origin always;
+145: add_header Access-Control-Allow-Credentials "true" always;
+146: add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+147: add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+148: return 204;
+149: }
+185: location /api/v1/funds/ {
+186: proxy_pass http://dev3.4nkweb.com:8080/api/v1/funds/;
+187: include /etc/nginx/proxy_params;
+188: proxy_read_timeout 300;
+189: proxy_connect_timeout 300;
+190: proxy_send_timeout 300;
+191: }
+136: location /api/ {
+137: # CORS pour développement local Next.js
+138: proxy_hide_header Access-Control-Allow-Origin;
+139: proxy_hide_header Access-Control-Allow-Credentials;
+140: proxy_hide_header Access-Control-Allow-Headers;
+141: proxy_hide_header Access-Control-Allow-Methods;
+142:
+143: if ($request_method = OPTIONS) {
+144: add_header Access-Control-Allow-Origin $cors_origin always;
+145: add_header Access-Control-Allow-Credentials "true" always;
+146: add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+147: add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+148: return 204;
+149: }
+150:
+151: add_header Access-Control-Allow-Origin $cors_origin always;
+152: add_header Access-Control-Allow-Credentials "true" always;
+153: add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+154: add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+155:
+156: proxy_set_header X-Request-ID $x_request_id;
+157: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+158: proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/backups/20250925_072119/ports_open.txt b/backups/20250925_072119/ports_open.txt
new file mode 100644
index 00000000..cd4a14f0
--- /dev/null
+++ b/backups/20250925_072119/ports_open.txt
@@ -0,0 +1,27 @@
+Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
+udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
+udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
+udp UNCONN 0 0 92.243.24.12%enX0:68 0.0.0.0:*
+udp UNCONN 0 0 0.0.0.0:5355 0.0.0.0:*
+udp UNCONN 0 0 [::]:5355 [::]:*
+tcp LISTEN 0 4096 0.0.0.0:3001 0.0.0.0:*
+tcp LISTEN 0 511 0.0.0.0:3000 0.0.0.0:* users:(("next-server (v1",pid=2772198,fd=25))
+tcp LISTEN 0 4096 0.0.0.0:3003 0.0.0.0:*
+tcp LISTEN 0 4096 0.0.0.0:3005 0.0.0.0:*
+tcp LISTEN 0 4096 0.0.0.0:3004 0.0.0.0:*
+tcp LISTEN 0 4096 0.0.0.0:3006 0.0.0.0:*
+tcp LISTEN 0 4096 0.0.0.0:8081 0.0.0.0:*
+tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
+tcp LISTEN 0 4096 0.0.0.0:8000 0.0.0.0:*
+tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
+tcp LISTEN 0 4096 0.0.0.0:3100 0.0.0.0:*
+tcp LISTEN 0 511 127.0.0.1:43709 0.0.0.0:* users:(("node",pid=2771446,fd=19))
+tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
+tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
+tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
+tcp LISTEN 0 20 127.0.0.1:25 0.0.0.0:*
+tcp LISTEN 0 511 127.0.0.1:45431 0.0.0.0:* users:(("node",pid=2771409,fd=19))
+tcp LISTEN 0 4096 0.0.0.0:5355 0.0.0.0:*
+tcp LISTEN 0 128 [::]:22 [::]:*
+tcp LISTEN 0 4096 [::]:5355 [::]:*
+tcp LISTEN 0 20 [::1]:25 [::]:*
diff --git a/backups/LAST_BACKUP b/backups/LAST_BACKUP
new file mode 100644
index 00000000..b316e998
--- /dev/null
+++ b/backups/LAST_BACKUP
@@ -0,0 +1 @@
+20250925_072119
diff --git a/backups/latest b/backups/latest
new file mode 120000
index 00000000..34d28147
--- /dev/null
+++ b/backups/latest
@@ -0,0 +1 @@
+20250925_072119
\ No newline at end of file
diff --git a/docs/ANALYSE-DEPENDANCES.md b/docs/ANALYSE-DEPENDANCES.md
deleted file mode 100644
index 965ced93..00000000
--- a/docs/ANALYSE-DEPENDANCES.md
+++ /dev/null
@@ -1,301 +0,0 @@ -# Analyse des Dépendances - lecoffre-front - -## Vue d'ensemble - -Ce document analyse les dépendances du projet lecoffre-front, leurs versions, leur utilisation et les recommandations de mise à jour. - -## Dépendances principales - -### Framework et Runtime - -#### Next.js -- **Version actuelle**: 14.2.3 -- **Type**: Framework React -- **Utilisation**: Framework principal de l'application -- **Statut**: Version récente et stable -- **Recommandation**: Maintenir la version actuelle - -#### React -- **Version actuelle**: 18.2.0 -- **Type**: Bibliothèque UI -- **Utilisation**: Bibliothèque de base pour l'interface utilisateur -- **Statut**: Version stable LTS -- **Recommandation**: Maintenir la version actuelle - -#### React DOM -- **Version actuelle**: 18.2.0 -- **Type**: Rendu DOM pour React -- **Utilisation**: Rendu des composants React dans le DOM -- **Statut**: Version stable LTS -- **Recommandation**: Maintenir la version actuelle - -### Interface utilisateur - -#### Material-UI (MUI) -- **Version actuelle**: 5.11.13 -- **Type**: Bibliothèque de composants UI -- **Utilisation**: Composants d'interface utilisateur -- **Statut**: Version stable -- **Recommandation**: Maintenir la version actuelle - -#### Emotion -- **Versions**: - - @emotion/react: ^11.10.6 - - @emotion/styled: ^11.10.6 -- **Type**: Bibliothèque CSS-in-JS -- **Utilisation**: Styling des composants -- **Statut**: Versions récentes -- **Recommandation**: Maintenir les versions actuelles - -#### Heroicons -- **Version actuelle**: ^2.1.3 -- **Type**: Icônes SVG -- **Utilisation**: Icônes dans l'interface -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -### TypeScript et outils de développement - -#### TypeScript -- **Version actuelle**: 4.9.5 -- **Type**: Langage de programmation -- **Utilisation**: Typage statique -- **Statut**: Version stable mais ancienne -- **Recommandation**: ⚠️ Mettre à jour vers TypeScript 5.x - -#### ESLint -- **Version 
actuelle**: 8.36.0 -- **Type**: Linter JavaScript/TypeScript -- **Utilisation**: Analyse de code -- **Statut**: Version stable -- **Recommandation**: Maintenir la version actuelle - -#### Prettier -- **Version actuelle**: ^2.8.7 -- **Type**: Formateur de code -- **Utilisation**: Formatage automatique -- **Statut**: Version stable -- **Recommandation**: Maintenir la version actuelle - -### Utilitaires et bibliothèques - -#### Class Validator -- **Version actuelle**: ^0.14.0 -- **Type**: Validation de classes -- **Utilisation**: Validation des données -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -#### Classnames -- **Version actuelle**: ^2.3.2 -- **Type**: Utilitaire pour les noms de classes -- **Utilisation**: Gestion conditionnelle des classes CSS -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -#### UUIDv4 -- **Version actuelle**: ^6.2.13 -- **Type**: Générateur d'UUID -- **Utilisation**: Génération d'identifiants uniques -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -### Gestion de fichiers - -#### File Saver -- **Version actuelle**: ^2.0.5 -- **Type**: Sauvegarde de fichiers -- **Utilisation**: Téléchargement de fichiers -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -#### JSZip -- **Version actuelle**: ^3.10.1 -- **Type**: Manipulation d'archives ZIP -- **Utilisation**: Création d'archives -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -#### PDF-lib -- **Version actuelle**: ^1.17.1 -- **Type**: Manipulation de PDF -- **Utilisation**: Génération et modification de PDF -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -### Intégrations et services - -#### le-coffre-resources -- **Version actuelle**: v2.167 -- **Type**: Ressources partagées -- **Utilisation**: Ressources communes du projet -- **Source**: 
git+ssh://git@git.4nkweb.com/4nk/lecoffre-ressources.git -- **Statut**: Version spécifique -- **Recommandation**: Maintenir la version actuelle - -#### React GTM Module -- **Version actuelle**: ^2.0.11 -- **Type**: Intégration Google Tag Manager -- **Utilisation**: Analytics et tracking -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -#### React Toastify -- **Version actuelle**: ^9.1.3 -- **Type**: Notifications toast -- **Utilisation**: Affichage de notifications -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -#### React Select -- **Version actuelle**: ^5.7.2 -- **Type**: Composant de sélection -- **Utilisation**: Listes déroulantes avancées -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -### Sécurité et authentification - -#### JWT Decode -- **Version actuelle**: ^3.1.2 -- **Type**: Décodage de JWT -- **Utilisation**: Traitement des tokens JWT -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -#### Crypto Random String -- **Version actuelle**: ^5.0.0 -- **Type**: Génération de chaînes aléatoires -- **Utilisation**: Génération de tokens sécurisés -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -### Styling et assets - -#### SASS -- **Version actuelle**: ^1.59.2 -- **Type**: Préprocesseur CSS -- **Utilisation**: Styles avancés -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -#### Sharp -- **Version actuelle**: ^0.32.1 -- **Type**: Optimisation d'images -- **Utilisation**: Traitement d'images -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -## Dépendances de développement - -### Types TypeScript - -#### @types/node -- **Version actuelle**: 18.15.1 -- **Type**: Types pour Node.js -- **Utilisation**: Typage Node.js -- **Statut**: Version stable -- **Recommandation**: Maintenir la version actuelle - -#### 
@types/react -- **Version actuelle**: 18.0.28 -- **Type**: Types pour React -- **Utilisation**: Typage React -- **Statut**: Version stable -- **Recommandation**: Maintenir la version actuelle - -#### @types/react-dom -- **Version actuelle**: 18.0.11 -- **Type**: Types pour React DOM -- **Utilisation**: Typage React DOM -- **Statut**: Version stable -- **Recommandation**: Maintenir la version actuelle - -#### @types/file-saver -- **Version actuelle**: ^2.0.7 -- **Type**: Types pour file-saver -- **Utilisation**: Typage file-saver -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -#### @types/react-gtm-module -- **Version actuelle**: ^2.0.3 -- **Type**: Types pour react-gtm-module -- **Utilisation**: Typage react-gtm-module -- **Statut**: Version récente -- **Recommandation**: Maintenir la version actuelle - -## Analyse de sécurité - -### Dépendances avec des vulnérabilités potentielles - -#### TypeScript 4.9.5 -- **Risque**: Version ancienne -- **Impact**: Fonctionnalités manquantes, corrections de bugs -- **Recommandation**: Mettre à jour vers TypeScript 5.x - -### Dépendances sécurisées - -Toutes les autres dépendances sont à jour et ne présentent pas de vulnérabilités connues. - -## Recommandations de mise à jour - -### Priorité haute - -1. **TypeScript**: Mettre à jour vers la version 5.x - ```bash - npm install typescript@latest - ``` - -### Priorité moyenne - -1. **Vérification régulière**: Utiliser `npm audit` pour détecter les vulnérabilités -2. **Mise à jour des dépendances**: Utiliser `npm update` régulièrement - -### Priorité basse - -1. **Dépendances optionnelles**: Évaluer l'utilisation de certaines dépendances -2. 
**Optimisation**: Analyser les dépendances non utilisées - -## Scripts de maintenance - -### Audit de sécurité -```bash -npm audit -npm audit fix -``` - -### Mise à jour des dépendances -```bash -npm update -npm outdated -``` - -### Vérification des dépendances non utilisées -```bash -npx depcheck -``` - -## Monitoring des dépendances - -### Outils recommandés - -1. **Dependabot**: Mise à jour automatique des dépendances -2. **Snyk**: Détection des vulnérabilités -3. **npm audit**: Audit de sécurité intégré - -### Processus de mise à jour - -1. **Test**: Tester les mises à jour en environnement de développement -2. **Validation**: Valider le fonctionnement de l'application -3. **Déploiement**: Déployer en staging puis en production - -## Conclusion - -Le projet lecoffre-front utilise des dépendances modernes et bien maintenues. La seule recommandation majeure est la mise à jour de TypeScript vers la version 5.x pour bénéficier des dernières fonctionnalités et corrections de bugs. - -Les dépendances sont globalement sécurisées et à jour, ce qui garantit la stabilité et la sécurité de l'application. - ---- - -*Analyse effectuée le $(date) - Dépendances lecoffre-front* diff --git a/docs/ANALYSE-REPOSITORY.md b/docs/ANALYSE-REPOSITORY.md deleted file mode 100644 index 1024c033..00000000 --- a/docs/ANALYSE-REPOSITORY.md +++ /dev/null 
@@ -1,228 +0,0 @@ -# Analyse du Repository lecoffre-front - -## Vue d'ensemble - -Le projet **lecoffre-front** est une application Next.js développée en TypeScript pour la gestion de dossiers notariaux. Il s'agit d'une application frontend qui communique avec une API backend et intègre plusieurs services externes. - -## Structure du Repository - -### Architecture générale -``` -lecoffre-front/ -├── src/ # Code source principal -│ ├── common/ # Code partagé -│ │ └── Api/ # Services API communs -│ ├── front/ # Code spécifique au frontend -│ │ ├── Api/ # Services API frontend -│ │ ├── Components/ # Composants React -│ │ ├── Config/ # Configuration par environnement -│ │ ├── Hooks/ # Hooks React personnalisés -│ │ ├── Services/ # Services métier -│ │ ├── Stores/ # Gestion d'état -│ │ ├── Themes/ # Thèmes et styles -│ │ └── Utils/ # Utilitaires -│ ├── pages/ # Pages Next.js -│ └── sdk/ # SDK et intégrations -├── docs/ # Documentation -├── tests/ # Tests -├── public/ # Assets statiques -├── Dockerfile # Configuration Docker -├── next.config.js # Configuration Next.js -├── package.json # Dépendances et scripts -└── temp.yaml # Configuration Kubernetes temporaire -``` - -### Technologies utilisées - -- **Framework**: Next.js 14.2.3 -- **Language**: TypeScript 4.9.5 -- **UI**: Material-UI (MUI) 5.11.13 -- **Styling**: Emotion, SASS -- **État**: Context API / Hooks -- **Build**: Docker multi-stage -- **Déploiement**: Kubernetes - -## Variables d'Environnement - -### Variables principales - -Le projet utilise un système de variables d'environnement préfixées par `NEXT_PUBLIC_` pour la configuration runtime. 
- -#### Configuration API Backend -```bash -NEXT_PUBLIC_BACK_API_PROTOCOL=https:// -NEXT_PUBLIC_BACK_API_HOST=api.example.com -NEXT_PUBLIC_BACK_API_PORT=443 -NEXT_PUBLIC_BACK_API_ROOT_URL=/api -NEXT_PUBLIC_BACK_API_VERSION=v1 -``` - -#### Configuration Frontend -```bash -NEXT_PUBLIC_FRONT_APP_HOST=https://app.example.com -NEXT_PUBLIC_FRONT_APP_PORT=443 -``` - -#### Intégrations externes -```bash -# IDNot (authentification) -NEXT_PUBLIC_IDNOT_AUTHORIZE_ENDPOINT=/oauth/authorize -NEXT_PUBLIC_IDNOT_CLIENT_ID=client_id -NEXT_PUBLIC_IDNOT_BASE_URL=https://idnot.example.com -NEXT_PUBLIC_IDNOT_REDIRECT_URI=https://app.example.com/callback - -# Docaposte -NEXT_PUBLIC_DOCAPOSTE_API_URL=https://api.docaposte.com - -# 4NK (services blockchain) -NEXT_PUBLIC_4NK_URL=https://dev4.4nkweb.com -NEXT_PUBLIC_4NK_IFRAME_URL=https://dev4.4nkweb.com - -# Hotjar (analytics) -NEXT_PUBLIC_HOTJAR_SITE_ID=123456 -NEXT_PUBLIC_HOTJAR_VERSION=6 - -# Configuration système -NEXT_PUBLIC_API_URL=https://api.example.com -NEXT_PUBLIC_DEFAULT_VALIDATOR_ID=862406317a35064537ac959cb5d8bbdf4f849283b63db3ffa9904de2b3427c43:0 -NEXT_PUBLIC_DEFAULT_STORAGE_URLS=https://dev3.4nkweb.com/storage -``` - -### Gestion des environnements - -Le projet supporte 4 environnements via la variable `NEXTJS_APP_ENV_NAME`: -- `development` (par défaut) -- `staging` -- `preprod` -- `production` - -Chaque environnement a sa configuration dans `src/front/Config/Module/`: -- `development.json` -- `staging.json` -- `preprod.json` -- `production.json` - -## Configuration Docker - -### Multi-stage build - -Le Dockerfile utilise un build multi-stage avec 3 cibles: - -1. **deps**: Installation des dépendances avec support SSH pour git.4nkweb.com -2. **development**: Image de développement avec hot-reload -3. **builder**: Build de production -4. **ext**: Image de production finale - -### Variables d'environnement Docker - -Toutes les variables `NEXT_PUBLIC_*` sont passées comme arguments de build et variables d'environnement runtime. 
- -### Sécurité - -- Utilisateur non-root (`lecoffreuser` avec UID 10000) -- Support SSH agent pour cloner les dépendances privées -- Cache npm pour optimiser les builds - -## Configuration Kubernetes - -### Déploiement - -Le fichier `temp.yaml` contient la configuration Kubernetes complète: - -- **Namespace**: `lecoffre` -- **Service**: `lecoffre-front-svc` (port 80 → 3000) -- **Deployment**: `lecoffre-front` avec 1 replica -- **Ingress**: `app.stg.lecoffre.smart-chain.fr` avec SSL - -### Gestion des secrets - -- **Vault**: Intégration HashiCorp Vault pour les secrets -- **External Secrets**: Gestion automatique des secrets Docker -- **Service Account**: `lecoffre-front-sa` avec permissions appropriées - -### Ressources - -```yaml -resources: - limits: - memory: 2Gi - requests: - cpu: 200m - memory: 1Gi -``` - -## Dépendances principales - -### Production -- **Next.js**: 14.2.3 (framework React) -- **React**: 18.2.0 -- **Material-UI**: 5.11.13 (composants UI) -- **TypeScript**: 4.9.5 -- **le-coffre-resources**: v2.167 (ressources partagées) - -### Développement -- **ESLint**: 8.36.0 -- **Prettier**: 2.8.7 -- **SASS**: 1.59.2 - -### Intégrations -- **Google Tag Manager**: Analytics -- **Hotjar**: Heatmaps et enregistrements -- **Docaposte**: Services postaux -- **4NK**: Services blockchain - -## Architecture de l'application - -### Gestion d'état - -- **FrontendVariables**: Singleton pour les variables d'environnement -- **Module**: Configuration par environnement -- **Context API**: Gestion d'état React - -### Communication API - -- **DatabaseService**: Service générique pour les appels API -- **BaseApiService**: Service de base pour les API -- **Construction dynamique d'URLs**: Basée sur les variables d'environnement - -### SDK et intégrations - -- **Iframe**: Communication avec les services 4NK -- **MessageBus**: Bus de messages pour la communication inter-iframe -- **User**: Gestion de l'authentification utilisateur -- **AuthModal**: Modal d'authentification - 
-## Points d'attention - -### Sécurité -- Variables d'environnement exposées côté client (préfixe `NEXT_PUBLIC_`) -- Authentification via IDNot -- Communication sécurisée avec les services 4NK - -### Performance -- Build standalone Next.js -- Cache npm dans Docker -- Optimisation des images avec Sharp - -### Déploiement -- Support multi-environnement -- Intégration Vault pour les secrets -- Monitoring avec Hotjar et GTM - -## Recommandations - -1. **Documentation**: Maintenir la documentation des variables d'environnement -2. **Tests**: Étendre la couverture de tests -3. **Monitoring**: Ajouter des métriques de performance -4. **Sécurité**: Auditer régulièrement les dépendances -5. **CI/CD**: Automatiser les déploiements avec validation des variables - -## Version actuelle - -- **Application**: v0.1.6 (package.json) -- **Frontend**: v2.5.1 (version.json) -- **Docker**: v0.1.9 (temp.yaml) - ---- - -*Analyse effectuée le $(date) - Repository lecoffre-front* diff --git a/docs/ANALYSE.md b/docs/ANALYSE.md deleted file mode 100644 index 58bfdcb1..00000000 --- a/docs/ANALYSE.md +++ /dev/null 
@@ -1,50 +0,0 @@ -## Analyse détaillée - -### Périmètre - -Front Next.js `lecoffre-front` (Next 14, TypeScript), build multi‑étapes et image `ext` runtime. - -### Stack - -- **Framework**: Next.js 14 (React 18), TypeScript 4.9.5 -- **UI**: MUI, Emotion, Heroicons -- **Outillage**: ESLint (8.36), Prettier -- **Ressources externes**: `le-coffre-resources` via SSH Gitea (`#v2.167`) - -### Build et exécution - -- Scripts: `dev`, `build` (telemetry off, `--no-lint`), `start`, `lint`, `format`. -- `next.config.js`: `output: 'standalone'`, `basePath: '/lecoffre'`, `ignoreBuildErrors: true`. -- Docker multi‑étapes: `deps` (npm ci), `development` (npm run dev), `builder` (npm run build), `ext` (runtime node:19‑alpine, `server.js`). - -### Variables d’environnement - -Variables NEXT_PUBLIC nombreuses (API back, IDNot, Docaposte, 4NK URLs, defaults). Exposées en `env`, `publicRuntimeConfig`, `serverRuntimeConfig` et redéclarées en Docker (`ARG`→`ENV`). - -### Ports et réseau - -- Port 3000 interne; exposé 3004:3000 dans `lecoffre_node`. - -### Dépendances clés - -- `next@^14.2.3`, `react@18.2.0`, `sharp@^0.32.1` (build image‑processing Alpine), `jszip`, `jwt-decode`, `react-select`, `react-toastify`. - -### Risques et points d’attention - -- `ignoreBuildErrors: true` masque les erreurs TS. Risque de dérive de type. -- `--no-lint` en build désactive ESLint. Manque de garde qualité en CI. -- Node 19 sur Alpine: fin de support. Préférer LTS (20/22). -- Dépendance Git SSH privée (`lecoffre-ressources`): exige agent SSH BuildKit; documenter clé et politiques. - -### Actions proposées - -- Rétablir le lint en build (ou CI) et supprimer `ignoreBuildErrors` si possible. -- Monter vers Node LTS (20‑alpine) et tester `sharp`. -- Documenter toutes les variables NEXT_PUBLIC et fournir `.env.example`. -- Mettre en place code‑splitting (React.lazy/Suspense) et centraliser l’état (Context/Redux) selon les règles projet. - - - - - - 
diff --git a/docs/DEPLOYMENT_FIXES_2025-09-24.md b/docs/DEPLOYMENT_FIXES_2025-09-24.md index 19219c6c..9122c5a4 100644 --- a/docs/DEPLOYMENT_FIXES_2025-09-24.md +++ b/docs/DEPLOYMENT_FIXES_2025-09-24.md @@ -76,3 +76,4 @@ - ✅ HMR: `/lecoffre-hmr/` → 200 - ✅ CORS dev3: OPTIONS 204 + POST state 200 - ✅ ihm_client: `/` → 200 + diff --git a/docs/HMR_IDNOT_STATE.md b/docs/HMR_IDNOT_STATE.md index 7501b40e..76337bbd 100644 --- a/docs/HMR_IDNOT_STATE.md +++ b/docs/HMR_IDNOT_STATE.md @@ -38,3 +38,4 @@ Vue d’ensemble - `POST /api/v1/idnot/state`: 200 + `state` présent. - Checks publics: `/lecoffre` = 301 → `/lecoffre/`, `/lecoffre/` = 200. + diff --git a/docs/PORTS.md b/docs/PORTS.md index da67b624..14cf69d8 100644 --- a/docs/PORTS.md +++ b/docs/PORTS.md @@ -27,3 +27,4 @@ Notes - Next.js: `basePath: '/lecoffre'`, `assetPrefix: '/lecoffre'`, `trailingSlash: true` - Nginx: rediriger `/lecoffre` → `/lecoffre/`, et proxy sur `^~ /lecoffre/` vers `http://localhost:3004` + diff --git a/docs/analyse.md b/docs/analyse.md deleted file mode 100644 index 6c6b5130..00000000 --- a/docs/analyse.md +++ /dev/null 
@@ -1,81 +0,0 @@ -### Objet -Analyse synthétique de `lecoffre-front` (Next.js) : périmètre, dépendances, configuration, intégrations et points d’attention. - -### Périmètre et stack -- **Framework**: Next.js 14 (React 18), rendu côté serveur désactivable selon pages -- **Langage**: TypeScript -- **Styles**: SCSS + MUI (@mui/material), Emotion -- **Bundle**: `output: 'standalone'`, `basePath: '/lecoffre'` - -### Arborescence notable -- **`src/front/`**: API client (services, entités, SDK) et composants UI (DesignSystem, Layouts, Elements) -- **`pages/`**: routes Next (tableau client, gestion utilisateurs, dossiers, documents, souscriptions) -- **`src/common/Api/LeCoffreApi`**: modules Admin/Customer/Notary/SuperAdmin et `sdk` -- **`src/front/Stores/`**: stores locaux (User, Customer, Window, Toasts) -- **`src/front/Services/`**: services utilitaires (JWT, PDF, Watermark, Crypto, Cookie) - -### Configuration et variables -- **`next.config.js`**: publie `NEXT_PUBLIC_*` aux clients et serveur; `reactStrictMode: false`; `ignoreBuildErrors: true` -- **BasePath**: `/lecoffre` (impacte le routage et les assets) -- **Intégrations**: Hotjar, GTM, Docaposte, 4NK (iframe/URL), Idnot (OAuth) - -### Dépendances clés -- **UI**: `@mui/material`, `@emotion/*`, `react-select`, `react-toastify` -- **Utilitaires**: `jwt-decode`, `file-saver`, `jszip`, `pdf-lib`, `sass`, `sharp` -- **Ressources**: `le-coffre-resources` (dépôt Git 4NK) - -### Intégrations externes (indiciaires) -- **Back**: via `NEXT_PUBLIC_BACK_API_*` et `NEXT_PUBLIC_API_URL` -- **Idnot**: endpoints OAuth (authorize, base_url, redirect_uri) -- **Docaposte**: `NEXT_PUBLIC_DOCAPOSTE_API_URL` - -### Points d’attention -- **TypeScript**: `ignoreBuildErrors: true` masque des erreurs de typage -- **BasePath**: vérifier la cohérence côté Nginx et lors du déploiement -- **Ressources Git**: accès SSH requis pour `le-coffre-resources` -- **Sécurité**: exposition de multiples `NEXT_PUBLIC_*` (vérifier qu’aucun secret n’est 
divulgué) - -### Tests et qualité -- **Scripts**: `build` sans lint, `lint` séparé, `format` ciblé `src/` -- **`tests/`**: présent (à enrichir avec scénarios e2e/smoke sur pages principales) - -### Déploiement -- **Dockerfile**: présent (build Next standalone) -- **Intégration**: orchestré via `lecoffre_node` (voir analyse dédiée) - -## Scripts npm, build et configuration - -### Scripts -- **dev**: `next dev` -- **build**: `NEXT_TELEMETRY_DISABLED=1 next build --no-lint` -- **start**: `next start` -- **lint**: `next lint` -- **format**: `prettier --write src` - -### next.config.js -- `output: 'standalone'`, `basePath: '/lecoffre'` -- `typescript.ignoreBuildErrors: true` (risque: masquage d’erreurs) -- Exposition de nombreuses variables `NEXT_PUBLIC_*` via `env`, `publicRuntimeConfig` et `serverRuntimeConfig` - -### Docker (multi‑stage) -- Étapes: `deps` (install), `development` (dev), `builder` (build), `ext` (runtime) -- BuildKit SSH pour `le-coffre-resources` (clé non copiée dans l’image) -- Port runtime 3000; utilisateur non‑root `lecoffreuser` - -### Dépendances (extraits) -- UI: `@mui/material`, `@emotion/*`, `react-select`, `react-toastify` -- Utilitaires: `jwt-decode`, `file-saver`, `jszip`, `pdf-lib`, `sass`, `sharp` -- Ressources: `le-coffre-resources` (SSH Git 4NK) -- Versions Node/Next: Node 19‑alpine; Next `^14.2.3` - -## Risques et recommandations -- Désactiver `ignoreBuildErrors` et corriger les erreurs TypeScript avant build -- Envisager Node LTS (20/22) pour les images -- Vérifier qu’aucune info sensible n’est exposée via `NEXT_PUBLIC_*` -- Assurer la cohérence `basePath` `/lecoffre` avec Nginx et les liens internes -- Introduire du code splitting ciblé (`React.lazy`/`Suspense`) sur pages lourdes -- Centraliser l’état (Redux/Context) pour limiter le prop drilling dans `src/front` - -## Changements IdNot -- L’authentification IdNot appelle désormais le backend en POST avec le code d’autorisation dans le corps JSON sur `/api/v1/idnot/auth`. 
-- Ce changement évite des erreurs en reverse proxy liées à des segments d’URL très longs.
diff --git a/src/front/Api/Auth/IdNot/index.ts b/src/front/Api/Auth/IdNot/index.ts
index e942e18f..cffd2349 100644
--- a/src/front/Api/Auth/IdNot/index.ts
+++ b/src/front/Api/Auth/IdNot/index.ts
@@ -41,7 +41,10 @@ export default class Auth extends BaseApiService {
 // 1) Ask backend for a signed state that embeds next_url
 const resp = await fetch(stateEndpoint.toString(), {
 method: 'POST',
- headers: { 'Content-Type': 'application/json' },
+ headers: {
+ 'Content-Type': 'application/json',
+ 'X-Request-ID': `front_${Math.random().toString(36).slice(2)}`,
+ },
 body: JSON.stringify({ next_url: nextUrl })
 });
 if (!resp.ok) {
diff --git a/src/pages/api/env.ts b/src/pages/api/env.ts
index f692d661..0838f63f 100644
--- a/src/pages/api/env.ts
+++ b/src/pages/api/env.ts
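Review bot: `X-Request-ID` is a custom (non-simple) header, so if the state endpoint lives on another origin this POST now always triggers a CORS preflight and the backend must list `X-Request-ID` in `Access-Control-Allow-Headers`, otherwise the fetch fails before the state request is ever sent. The value itself comes from `Math.random()`, which offers no uniqueness or unpredictability guarantee; if the backend uses the id for anything beyond log correlation (deduplication, replay detection), prefer `'X-Request-ID': \`front_${crypto.randomUUID()}\``, which browsers provide in secure contexts. The enclosing method starts and ends outside the hunk.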
@@ -1,33 +1,11 @@
 import type { NextApiRequest, NextApiResponse } from 'next';
 
 export default function handler(req: NextApiRequest, res: NextApiResponse) {
+ // Endpoint désactivé pour raisons de sécurité
 res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
- const pick = (keys: string[]) => keys.reduce>((acc, k) => {
- acc[k] = process.env[k];
- return acc;
- }, {});
-
- const clientKeys = [
- 'NEXT_PUBLIC_4NK_URL',
- 'NEXT_PUBLIC_4NK_IFRAME_URL',
- 'NEXT_PUBLIC_BACK_BASE',
- 'NEXT_PUBLIC_IDNOT_BASE_URL',
- 'NEXT_PUBLIC_IDNOT_AUTHORIZE_ENDPOINT',
- 'NEXT_PUBLIC_IDNOT_CLIENT_ID',
- 'NEXT_PUBLIC_IDNOT_REDIRECT_URI',
- 'NEXT_PUBLIC_IDNOT_REDIRECT_URI_FIXED',
- 'NEXT_PUBLIC_BACK_API_PROTOCOL',
- 'NEXT_PUBLIC_BACK_API_HOST',
- 'NEXT_PUBLIC_BACK_API_PORT',
- 'NEXT_PUBLIC_BACK_API_ROOT_URL',
- 'NEXT_PUBLIC_BACK_API_VERSION',
- 'NEXT_PUBLIC_API_URL',
- 'NEXT_PUBLIC_DEFAULT_VALIDATOR_ID',
- 'NEXT_PUBLIC_DEFAULT_STORAGE_URLS',
- ];
-
- res.status(200).json({
+ res.status(410).json({
+ error: 'Endpoint supprimé pour raisons de sécurité',
+ code: 'ENV_ENDPOINT_REMOVED',
 time: new Date().toISOString(),
- client: pick(clientKeys),
 });
 }
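Review bot: The added comment says the endpoint is disabled but not why, so nothing stops a later maintainer from restoring the old body; suggest `// Intentionally 410: this route used to return process.env values to any unauthenticated caller — do not reinstate.` A 410 stub is a reasonable choice for clients that still request the URL, but `req` is now unused and should become `_req` under `noUnusedParameters`; alternatively delete the file and let Next.js answer 404. The new comment is in French while the other hunk's code comments are in English — keep one language per file.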