diff --git a/conf/nginx/nginx.conf b/conf/nginx/nginx.conf
index 7376ee0..726a64b 100644
--- a/conf/nginx/nginx.conf
+++ b/conf/nginx/nginx.conf
@@ -288,6 +288,10 @@ http {
     }
 
     # LeCoffre Front - Application principale
+    # Redirige /lecoffre -> /lecoffre/
+    location = /lecoffre {
+        return 301 /lecoffre/;
+    }
     location /lecoffre/ {
         proxy_pass http://lecoffre_frontend/;
         proxy_set_header Host $host;
@@ -428,6 +432,10 @@ http {
     }
 
     # LeCoffre Front - Application principale
+    # Redirige /lecoffre -> /lecoffre/
+    location = /lecoffre {
+        return 301 /lecoffre/;
+    }
     location /lecoffre/ {
         proxy_pass http://lecoffre_frontend/;
         proxy_set_header Host $host;
diff --git a/conf/nginx_backups_host/dev4.4nkweb.com-http.conf b/conf/nginx_backups_host/dev4.4nkweb.com-http.conf
new file mode 100755
index 0000000..804d8a0
--- /dev/null
+++ b/conf/nginx_backups_host/dev4.4nkweb.com-http.conf
@@ -0,0 +1,15 @@
+# HTTP server for ACME and redirect to HTTPS
+server {
+    listen 80;
+    server_name dev4.4nkweb.com;
+
+    # ACME HTTP-01 challenges
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+    }
+
+    # Redirection vers HTTPS pour toutes les autres requêtes
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
diff --git a/conf/nginx_backups_host/dev4.4nkweb.com-https.conf b/conf/nginx_backups_host/dev4.4nkweb.com-https.conf
new file mode 100644
index 0000000..e1e0dc9
--- /dev/null
+++ b/conf/nginx_backups_host/dev4.4nkweb.com-https.conf
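Review bot: The new `return 301 /lecoffre/;` drops the query string, so a request such as `/lecoffre?code=…` reaches the front as a bare `/lecoffre/`; use `return 301 /lecoffre/$is_args$args;`. Because the target is a relative URI, nginx builds the `Location` header from the request's `Host` header unless `absolute_redirect off` or `server_name_in_redirect on` is set in the enclosing `http`/`server` block, which lies outside the hunk — with the defaults, a crafted `Host` steers where the client is sent. If neither is set, prefer `return 301 $scheme://$server_name/lecoffre/$is_args$args;`. The `location /lecoffre/` block that follows continues past the end of the hunk.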
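Review bot: This is the same four-line `location = /lecoffre` redirect added by hand to a second server block in the same file, and the new backup vhost in this commit carries a third copy as a one-liner `location = /lecoffre { return 301 /lecoffre/; }`. Three copies of one redirect will drift — for example only one of them gaining `$is_args$args` — so put it in a snippet and `include snippets/lecoffre-redirect.conf;` from each server block. The enclosing `server` block starts and ends outside the hunk.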
@@ -0,0 +1,228 @@
+# Configuration HTTPS pour dev4.4nkweb.com
+server {
+    listen 443 ssl http2;
+    server_name dev4.4nkweb.com;
+
+    # Certificats SSL
+    ssl_certificate /etc/letsencrypt/live/dev4.4nkweb.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dev4.4nkweb.com/privkey.pem;
+
+    # Configuration SSL
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Headers de sécurité
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Frame-Options DENY always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Grafana - Interface de monitoring (DOIT être avant location /)
+    location /grafana/ {
+        proxy_pass http://localhost:3005/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Configuration spécifique pour Grafana
+        proxy_set_header X-Grafana-Org-Id 1;
+
+        # Support des WebSockets pour les live updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # Buffer settings
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
+
+    # Loki API - API de logs (DOIT être avant location /)
+    location /loki/ {
+        proxy_pass http://localhost:3100/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # CORS pour les requêtes depuis Grafana
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+    }
+
+    # Page de statut des services (DOIT être avant location /)
+    location /status {
+        # Redirection vers /status/
+        return 301 /status/;
+    }
+
+    location /status/ {
+        # Serveur statique pour la page HTML
+        alias /var/www/lecoffre/status/;
+        index index.html;
+        try_files $uri $uri/ /status/index.html;
+
+        # Headers de sécurité
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+
+        # Cache pour les assets statiques
+        location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ {
+            expires 1h;
+            add_header Cache-Control "public, immutable";
+        }
+    }
+
+    # API de statut des services (DOIT être avant location /)
+    location /status/api {
+        proxy_pass http://localhost:3006/api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # CORS pour les requêtes AJAX
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+        # Timeouts
+        proxy_connect_timeout 10s;
+        proxy_send_timeout 10s;
+        proxy_read_timeout 10s;
+
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+    }
+
+    # API backend - route /back/ vers /api/ du backend
+    location ~* ^/back/(.*)$ {
+        proxy_pass http://localhost:8080/api/$1;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Connection "";
+        proxy_buffering off;
+    }
+
+    # API direct - route /api/ vers le backend
+    # Autorisations CORS dynamiques pour origines connues
+    set $cors_origin "";
+    if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) {
+        set $cors_origin $http_origin;
+    }
+
+    location /api/ {
+        # CORS pour développement local Next.js
+        proxy_hide_header Access-Control-Allow-Origin;
+        proxy_hide_header Access-Control-Allow-Credentials;
+        proxy_hide_header Access-Control-Allow-Headers;
+        proxy_hide_header Access-Control-Allow-Methods;
+
+        if ($request_method = OPTIONS) {
+            add_header Access-Control-Allow-Origin $cors_origin always;
+            add_header Access-Control-Allow-Credentials "true" always;
+            add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+            return 204;
+        }
+
+        add_header Access-Control-Allow-Origin $cors_origin always;
+        add_header Access-Control-Allow-Credentials "true" always;
+        add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+
+        proxy_pass http://dev3.4nkweb.com:8080/api/;
+        include /etc/nginx/proxy_params;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+
+    # WebSocket relay (sdk_relay)
+    location /ws/ {
+        proxy_pass http://localhost:8090/;
+        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
+        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
+        proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
+        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 86400;
+    }
+
+    # API de transfert de fonds
+    location /api/v1/funds/ {
+        proxy_pass http://dev3.4nkweb.com:8080/api/v1/funds/;
+        include /etc/nginx/proxy_params;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+
+    # favicon
+    location = /favicon.ico {
+        root /home/debian/4NK_env/lecoffre_node/conf/nginx/assets;
+        try_files /favicon.ico =404;
+    }
+
+    # blindbit
+    location /blindbit/ {
+        proxy_pass http://localhost:8000/;
+        include /etc/nginx/proxy_params;
+    }
+
+    # signer (sdk_signer) avec support WebSocket
+
+    # lecoffre-front - Application LeCoffre
+    location = /lecoffre { return 301 /lecoffre/; }
+    location ^~ /lecoffre/ {
+        # ensure no redirect here; only proxy to Next
+        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
+        add_header Pragma "no-cache" always;
+        add_header Expires "-1" always;
+        proxy_hide_header ETag;
+        proxy_hide_header Last-Modified;
+        proxy_pass http://localhost:3004;
+        include /etc/nginx/proxy_params;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 300;
+        proxy_send_timeout 300;
+        proxy_connect_timeout 300;
+    }
+
+    # ihm_client (root) - DOIT être en dernier
+    location / {
+        proxy_pass http://localhost:3003;
+        include /etc/nginx/proxy_params;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 300;
+    }
+}
diff --git a/conf/nginx_backups_host/grafana.conf b/conf/nginx_backups_host/grafana.conf
new file mode 100755
index 0000000..c3753bb
--- /dev/null
+++ b/conf/nginx_backups_host/grafana.conf
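Review bot: The server-level `Strict-Transport-Security`, `X-Frame-Options` and `X-Content-Type-Options` headers are silently absent from responses for `/loki/`, `/status/`, `/status/api`, `/api/` and `/lecoffre/`, because nginx inherits `add_header` into a location only when that location defines no `add_header` of its own, and each of these does (CORS or cache headers). Repeat the three headers in each of those blocks, or move them into a snippet and `include` it next to the CORS/cache headers. Separately, `/loki/` proxies the Loki HTTP API to the internet with `Access-Control-Allow-Origin *` and no `auth_basic`, `allow`/`deny` or token check visible in this file — unless Loki itself authenticates, anyone can query or push logs; `/status/api` has the same open-CORS, no-auth shape. Finally, `/api/` and `/api/v1/funds/` terminate TLS here and forward `Authorization`/`x-session-id` in cleartext to `http://dev3.4nkweb.com:8080`; if that hop is not a private network, proxy to `https://` and add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate`.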
@@ -0,0 +1,49 @@
+# Configuration Nginx pour Grafana
+server {
+    listen 80;
+    server_name dev4.4nkweb.com;
+
+    # Proxy pour Grafana
+    location /grafana/ {
+        proxy_pass http://127.0.0.1:3005/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Configuration spécifique pour Grafana
+        proxy_set_header X-Grafana-Org-Id 1;
+
+        # Support des WebSockets pour les live updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # Buffer settings
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
+
+    # Proxy pour Loki (API)
+    location /loki/ {
+        proxy_pass http://127.0.0.1:3100/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # CORS pour les requêtes depuis Grafana
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+    }
+}
diff --git a/conf/nginx_backups_host/local.4nkweb.com-3000.conf b/conf/nginx_backups_host/local.4nkweb.com-3000.conf
new file mode 100755
index 0000000..a4ea511
--- /dev/null
+++ b/conf/nginx_backups_host/local.4nkweb.com-3000.conf
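Review bot: This server block declares `listen 80; server_name dev4.4nkweb.com;`, the same name/port pair as `dev4.4nkweb.com-http.conf` added in this same commit, so nginx will warn `conflicting server name` and keep only whichever file is loaded first from `sites-enabled`. If this one wins, the ACME location and the HTTP-to-HTTPS redirect are never reached, and Grafana logins and Loki queries travel over cleartext HTTP on port 80. Since the HTTPS vhost already carries `/grafana/` and `/loki/`, delete this file or reduce it to `location / { return 301 https://$server_name$request_uri; }`. If it is kept, its `/loki/` has the same unauthenticated, `Access-Control-Allow-Origin *` exposure as in the HTTPS vhost.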
@@ -0,0 +1,64 @@
+server {
+    listen 0.0.0.0:3000;
+    listen [::]:3000;
+    server_name local.4nkweb.com;
+
+    # HTTP pur: pas de HTTPS ni HSTS
+
+    # Favicon
+    location = /favicon.ico {
+        root /home/debian/lecoffre_node/conf/nginx/assets;
+    }
+
+    # Compat: callback ID.not sans basePath (toutes variantes et querystring)
+    location /authorized-client {
+        proxy_pass http://127.0.0.2:3004/lecoffre/authorized-client;
+        include /etc/nginx/proxy_params;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_set_header X-Forwarded-Prefix /lecoffre;
+        proxy_read_timeout 300;
+    }
+
+    # Entrée sans slash
+    location = /lecoffre {
+        proxy_pass http://127.0.0.2:3004;
+        include /etc/nginx/proxy_params;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_set_header X-Forwarded-Prefix /lecoffre;
+        proxy_read_timeout 300;
+    }
+
+    # BasePath /lecoffre
+    location /lecoffre/ {
+        proxy_pass http://127.0.0.2:3004;
+        include /etc/nginx/proxy_params;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_set_header X-Forwarded-Prefix /lecoffre;
+        proxy_read_timeout 300;
+    }
+
+    # HMR (si utilisé en local)
+    location /lecoffre/_next/webpack-hmr {
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_buffering off;
+        proxy_pass http://127.0.0.2:3004/lecoffre/_next/webpack-hmr;
+        proxy_read_timeout 600s;
+    }
+
+    # Assets Next.js
+    location ~* ^(/_next/static/|/lecoffre/_next/static/|/.+\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))$ {
+        expires 7d;
+        add_header Cache-Control "public, max-age=604800, immutable" always;
+        proxy_pass http://127.0.0.2:3004$request_uri;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_read_timeout 300;
+    }
+}
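Review bot: `listen 0.0.0.0:3000; listen [::]:3000;` binds every interface, so this `local.4nkweb.com` development vhost — the only server on port 3000 and therefore the implicit default that answers any `Host` — is reachable from the whole network, not just the workstation. If it is meant to be local, bind `listen 127.0.0.1:3000;` and `listen [::1]:3000;`. Separately, the assets regex ends in `/.+\.(?:css|js|…)$`, so every `.js`/`.css` path — not only content-hashed files under `/_next/static/` — is served with `Cache-Control: public, max-age=604800, immutable`, which pins stale unhashed bundles in developers' browsers for a week; restrict the `immutable` rule to the `/_next/static/` alternatives or drop `immutable` from the generic extension match.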
diff --git a/conf/nginx_backups_host/local.4nkweb.com.conf b/conf/nginx_backups_host/local.4nkweb.com.conf
new file mode 100755
index 0000000..fb6b90b
--- /dev/null
+++ b/conf/nginx_backups_host/local.4nkweb.com.conf
@@ -0,0 +1,9 @@
+server {
+    listen 80;
+    server_name local.4nkweb.com;
+
+    # HTTP only: pas de redirection HTTPS, pas d'HSTS
+    location / {
+        return 302 http://local.4nkweb.com:3000$request_uri;
+    }
+}
diff --git a/conf/nginx_backups_host/nginx.conf b/conf/nginx_backups_host/nginx.conf
new file mode 100755
index 0000000..68a8fd4
--- /dev/null
+++ b/conf/nginx_backups_host/nginx.conf
@@ -0,0 +1,84 @@
+user www-data;
+worker_processes auto;
+worker_cpu_affinity auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	server_tokens off; # Recommended practice is to turn this off
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3 (POODLE), TLS 1.0, 1.1
+	ssl_prefer_server_ciphers off; # Don't force server cipher order.
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#	server {
+#		listen localhost:110;
+#		protocol pop3;
+#		proxy on;
+#	}
+#
+#	server {
+#		listen localhost:143;
+#		protocol imap;
+#		proxy on;
+#	}
+#}
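Review bot: Nothing at `http` level bounds request rate, connection count or body size — there is no `limit_req_zone`, `limit_conn_zone` or `client_max_body_size` — so the vhosts in this commit that proxy `/api/`, `/api/v1/funds/` and Grafana's login rely on the 1m default body limit and on each backend for brute-force protection. Define `limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;` here and apply `limit_req zone=api burst=20 nodelay;` in those locations. `ssl_protocols` and `ssl_prefer_server_ciphers` are set without an `ssl_ciphers` line, so any vhost that omits its own list falls back to nginx's `HIGH:!aNULL:!MD5` default, which still admits CBC and non-forward-secret RSA key-exchange suites on TLS 1.2; add a modern `ssl_ciphers` list at this level so every vhost inherits it.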