chore(nginx): backup active host confs into conf/nginx_backups_host; cleanup archives on host

conf/nginx/nginx.conf

@@ -288,6 +288,10 @@ http {
         }
 
         # LeCoffre Front - Application principale
+        # Redirige /lecoffre -> /lecoffre/
+        location = /lecoffre {
+            return 301 /lecoffre/;
+        }
         location /lecoffre/ {
             proxy_pass http://lecoffre_frontend/;
             proxy_set_header Host $host;
@@ -428,6 +432,10 @@ http {
         }
 
         # LeCoffre Front - Application principale
+        # Redirige /lecoffre -> /lecoffre/
+        location = /lecoffre {
+            return 301 /lecoffre/;
+        }
         location /lecoffre/ {
             proxy_pass http://lecoffre_frontend/;
             proxy_set_header Host $host;

conf/nginx_backups_host/dev4.4nkweb.com-http.conf

@@ -0,0 +1,15 @@
+# HTTP server for ACME and redirect to HTTPS
+server {
+    listen 80;
+    server_name dev4.4nkweb.com;
+
+    # ACME HTTP-01 challenges
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+    }
+
+    # Redirection vers HTTPS pour toutes les autres requêtes
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}

conf/nginx_backups_host/dev4.4nkweb.com-https.conf

@@ -0,0 +1,228 @@
+# Configuration HTTPS pour dev4.4nkweb.com
+server {
+    listen 443 ssl http2;
+    server_name dev4.4nkweb.com;
+
+    # Certificats SSL
+    ssl_certificate     /etc/letsencrypt/live/dev4.4nkweb.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dev4.4nkweb.com/privkey.pem;
+
+    # Configuration SSL
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Headers de sécurité
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Frame-Options DENY always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Grafana - Interface de monitoring (DOIT être avant location /)
+    location /grafana/ {
+        proxy_pass http://localhost:3005/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Configuration spécifique pour Grafana
+        proxy_set_header X-Grafana-Org-Id 1;
+
+        # Support des WebSockets pour les live updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # Buffer settings
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
+
+    # Loki API - API de logs (DOIT être avant location /)
+    location /loki/ {
+        proxy_pass http://localhost:3100/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # CORS pour les requêtes depuis Grafana
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+    }
+
+    # Page de statut des services (DOIT être avant location /)
+    location /status {
+        # Redirection vers /status/
+        return 301 /status/;
+    }
+
+    location /status/ {
+        # Serveur statique pour la page HTML
+        alias /var/www/lecoffre/status/;
+        index index.html;
+        try_files $uri $uri/ /status/index.html;
+
+        # Headers de sécurité
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+
+        # Cache pour les assets statiques
+        location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ {
+            expires 1h;
+            add_header Cache-Control "public, immutable";
+        }
+    }
+
+    # API de statut des services (DOIT être avant location /)
+    location /status/api {
+        proxy_pass http://localhost:3006/api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # CORS pour les requêtes AJAX
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+        # Timeouts
+        proxy_connect_timeout 10s;
+        proxy_send_timeout 10s;
+        proxy_read_timeout 10s;
+
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+    }
+
+    # API backend - route /back/ vers /api/ du backend
+    location ~* ^/back/(.*)$ {
+        proxy_pass http://localhost:8080/api/$1;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Connection "";
+        proxy_buffering off;
+    }
+
+    # API direct - route /api/ vers le backend
+    # Autorisations CORS dynamiques pour origines connues
+    set $cors_origin "";
+    if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) {
+        set $cors_origin $http_origin;
+    }
+
+    location /api/ {
+        # CORS pour développement local Next.js
+        proxy_hide_header Access-Control-Allow-Origin;
+        proxy_hide_header Access-Control-Allow-Credentials;
+        proxy_hide_header Access-Control-Allow-Headers;
+        proxy_hide_header Access-Control-Allow-Methods;
+
+        if ($request_method = OPTIONS) {
+            add_header Access-Control-Allow-Origin $cors_origin always;
+            add_header Access-Control-Allow-Credentials "true" always;
+            add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+            return 204;
+        }
+
+        add_header Access-Control-Allow-Origin $cors_origin always;
+        add_header Access-Control-Allow-Credentials "true" always;
+        add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+
+        proxy_pass http://dev3.4nkweb.com:8080/api/;
+        include /etc/nginx/proxy_params;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+
+    # WebSocket relay (sdk_relay)
+    location /ws/ {
+        proxy_pass http://localhost:8090/;
+        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
+        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
+        proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
+        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 86400;
+    }
+
+    # API de transfert de fonds
+    location /api/v1/funds/ {
+        proxy_pass http://dev3.4nkweb.com:8080/api/v1/funds/;
+        include /etc/nginx/proxy_params;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+
+    # favicon
+    location = /favicon.ico {
+        root /home/debian/4NK_env/lecoffre_node/conf/nginx/assets;
+        try_files /favicon.ico =404;
+    }
+
+    # blindbit
+    location /blindbit/ {
+        proxy_pass http://localhost:8000/;
+        include /etc/nginx/proxy_params;
+    }
+
+    # signer (sdk_signer) avec support WebSocket
+
+    # lecoffre-front - Application LeCoffre
+    location = /lecoffre { return 301 /lecoffre/; }
+    location ^~ /lecoffre/ {
+        # ensure no redirect here; only proxy to Next
+        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
+        add_header Pragma "no-cache" always;
+        add_header Expires "-1" always;
+        proxy_hide_header ETag;
+        proxy_hide_header Last-Modified;
+        proxy_pass http://localhost:3004;
+        include /etc/nginx/proxy_params;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 300;
+        proxy_send_timeout 300;
+        proxy_connect_timeout 300;
+    }
+
+    # ihm_client (root) - DOIT être en dernier
+    location / {
+        proxy_pass http://localhost:3003;
+        include /etc/nginx/proxy_params;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 300;
+    }
+}

conf/nginx_backups_host/grafana.conf

@@ -0,0 +1,49 @@
+# Configuration Nginx pour Grafana
+server {
+    listen 80;
+    server_name dev4.4nkweb.com;
+
+    # Proxy pour Grafana
+    location /grafana/ {
+        proxy_pass http://127.0.0.1:3005/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Configuration spécifique pour Grafana
+        proxy_set_header X-Grafana-Org-Id 1;
+
+        # Support des WebSockets pour les live updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # Buffer settings
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
+
+    # Proxy pour Loki (API)
+    location /loki/ {
+        proxy_pass http://127.0.0.1:3100/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # CORS pour les requêtes depuis Grafana
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+    }
+}

conf/nginx_backups_host/local.4nkweb.com-3000.conf

@@ -0,0 +1,64 @@
+server {
+    listen 0.0.0.0:3000;
+    listen [::]:3000;
+    server_name local.4nkweb.com;
+
+    # HTTP pur: pas de HTTPS ni HSTS
+
+    # Favicon
+    location = /favicon.ico {
+        root /home/debian/lecoffre_node/conf/nginx/assets;
+    }
+
+    # Compat: callback ID.not sans basePath (toutes variantes et querystring)
+    location /authorized-client {
+        proxy_pass http://127.0.0.2:3004/lecoffre/authorized-client;
+        include /etc/nginx/proxy_params;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_set_header X-Forwarded-Prefix /lecoffre;
+        proxy_read_timeout 300;
+    }
+
+    # Entrée sans slash
+    location = /lecoffre {
+        proxy_pass http://127.0.0.2:3004;
+        include /etc/nginx/proxy_params;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_set_header X-Forwarded-Prefix /lecoffre;
+        proxy_read_timeout 300;
+    }
+
+    # BasePath /lecoffre
+    location /lecoffre/ {
+        proxy_pass http://127.0.0.2:3004;
+        include /etc/nginx/proxy_params;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_set_header X-Forwarded-Prefix /lecoffre;
+        proxy_read_timeout 300;
+    }
+
+    # HMR (si utilisé en local)
+    location /lecoffre/_next/webpack-hmr {
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_buffering off;
+        proxy_pass http://127.0.0.2:3004/lecoffre/_next/webpack-hmr;
+        proxy_read_timeout 600s;
+    }
+
+    # Assets Next.js
+    location ~* ^(/_next/static/|/lecoffre/_next/static/|/.+\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))$ {
+        expires 7d;
+        add_header Cache-Control "public, max-age=604800, immutable" always;
+        proxy_pass http://127.0.0.2:3004$request_uri;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto http;
+        proxy_read_timeout 300;
+    }
+}

conf/nginx_backups_host/local.4nkweb.com.conf

@@ -0,0 +1,9 @@
+server {
+    listen 80;
+    server_name local.4nkweb.com;
+
+    # HTTP only: pas de redirection HTTPS, pas d'HSTS
+    location / {
+        return 302 http://local.4nkweb.com:3000$request_uri;
+    }
+}

conf/nginx_backups_host/nginx.conf

@@ -0,0 +1,84 @@
+user www-data;
+worker_processes auto;
+worker_cpu_affinity auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	server_tokens off; # Recommended practice is to turn this off
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3 (POODLE), TLS 1.0, 1.1
+	ssl_prefer_server_ciphers off; # Don't force server cipher order.
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+#
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}