4nk/lecoffre_node
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

align for IA agents + grafana

Browse Source
This commit is contained in:
Nicolas Cantu 2025-09-21 15:07:26 +00:00
parent 4f26952088
commit cf187f3ec3
7 changed files with 227 additions and 364 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
IA_agents/flux.md
View File

@ -269,5 +269,70 @@ docker compose up -d
---
## 🌐 **Configuration Nginx - Règles et Routes**
### 📋 **Tableau Récapitulatif des Routes**
| Domaine | Port | Route | Destination | Protocole | Statut |
|---------|------|-------|-------------|-----------|--------|
| **dev4.4nkweb.com** | 80 | `/` | Redirection HTTPS | HTTP | ✅ Actif |
| **dev4.4nkweb.com** | 80 | `/.well-known/acme-challenge/` | Let's Encrypt | HTTP | ✅ Actif |
| **dev4.4nkweb.com** | 443 | `/grafana/` | Grafana (3005) | HTTPS | ✅ Actif |
| **dev4.4nkweb.com** | 443 | `/loki/` | Loki (3100) | HTTPS | ✅ Actif |
| **dev4.4nkweb.com** | 443 | `/status/` | Page statut | HTTPS | ✅ Actif |
| **dev4.4nkweb.com** | 443 | `/status/api` | API statut (3006) | HTTPS | ✅ Actif |
| **dev4.4nkweb.com** | 443 | `/api/` | Backend (8080) | HTTPS | ✅ Actif |
| **dev4.4nkweb.com** | 443 | `/ws/` | SDK Relay (8090) | HTTPS | ✅ Actif |
| **dev4.4nkweb.com** | 443 | `/signer/` | SDK Signer (3001) | HTTPS | ✅ Actif |
| **dev4.4nkweb.com** | 443 | `/blindbit/` | BlindBit (8000) | HTTPS | ✅ Actif |
| **dev4.4nkweb.com** | 443 | `/` | IHM Client (3003) | HTTPS | ✅ Actif |
| **local.4nkweb.com** | 80 | `/` | Redirection port 3000 | HTTP | ✅ Actif |
| **local.4nkweb.com** | 3000 | `/lecoffre/` | Frontend (3004) | HTTP | ✅ Actif |
| **local.4nkweb.com** | 3000 | `/authorized-client` | Frontend (3004) | HTTP | ✅ Actif |
### 🔧 **Configuration des Certificats SSL**
| Domaine | Certificat | Expiration | Statut |
|---------|------------|------------|--------|
| **dev4.4nkweb.com** | `/etc/letsencrypt/live/dev4.4nkweb.com/` | 15 Déc 2025 | ✅ Valide |
### 📁 **Fichiers de Configuration**
| Fichier | Description | Statut |
|---------|-------------|--------|
| `/etc/nginx/sites-enabled/dev4.4nkweb.com.conf` | HTTP + Redirection | ✅ Actif |
| `/etc/nginx/sites-enabled/dev4.4nkweb.com-https.conf` | HTTPS complet | ✅ Actif |
| `/etc/nginx/sites-enabled/local.4nkweb.com.conf` | Local HTTP | ✅ Actif |
| `/etc/nginx/sites-enabled/local.4nkweb.com-3000.conf` | Local port 3000 | ✅ Actif |
### 🧹 **Configuration Centralisée**
**Toutes les configurations Nginx sont centralisées dans `lecoffre_node/conf/nginx/` :**
- ✅ **Configurations projet** : Supprimées des autres projets
- ✅ **Configuration native** : Conservée dans `/etc/nginx/`
- ✅ **Liens symboliques** : Pointent vers `lecoffre_node/conf/nginx/`
- ✅ **Fichiers supprimés** : `ihm_client/nginx.dev.conf` (obsolète)
### ✅ **Statut Final**
1. **Configuration HTTPS active** : Le port 443 est en écoute ✅
2. **Fichiers nettoyés** : Tous les fichiers de sauvegarde supprimés ✅
3. **Configuration complète** : Tous les services accessibles en HTTPS ✅
4. **Redirection HTTP → HTTPS** : Fonctionnelle ✅
### 🎉 **Services HTTPS Opérationnels**
- ✅ **Grafana** : `https://dev4.4nkweb.com/grafana/`
- ✅ **Page de Statut** : `https://dev4.4nkweb.com/status/`
- ✅ **API de Statut** : `https://dev4.4nkweb.com/status/api`
- ✅ **Loki** : `https://dev4.4nkweb.com/loki/`
- ✅ **IHM Client** : `https://dev4.4nkweb.com/`
- ✅ **API Backend** : `https://dev4.4nkweb.com/api/`
- ✅ **WebSocket Relay** : `https://dev4.4nkweb.com/ws/`
- ✅ **SDK Signer** : `https://dev4.4nkweb.com/signer/`
- ✅ **BlindBit** : `https://dev4.4nkweb.com/blindbit/`
---
**Met à jour ce document si tu détectes des incohérences ou pose des questions pour confirmer.**
**Propose des améliorations dans un document lecoffre_node/IA_agents/todo.md**

15
conf/nginx/dev4.4nkweb.com-http.conf Normal file
View File

@ -0,0 +1,15 @@
# HTTP server for ACME and redirect to HTTPS
server {
listen 80;
server_name dev4.4nkweb.com;
# ACME HTTP-01 challenges
location /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}
# Redirection vers HTTPS pour toutes les autres requêtes
location / {
return 301 https://$server_name$request_uri;
}
}

229
conf/nginx/dev4.4nkweb.com-https.conf
View File

@ -1,115 +1,24 @@
# HTTP server for ACME and initial proxying
# Configuration HTTPS pour dev4.4nkweb.com
server {
listen 80;
listen 443 ssl http2;
server_name dev4.4nkweb.com;
# Forcer l'upgrade des requêtes HTTP en HTTPS pour éviter les contenus mixtes
add_header Content-Security-Policy "upgrade-insecure-requests" always;
# Certificats SSL
ssl_certificate /etc/letsencrypt/live/dev4.4nkweb.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dev4.4nkweb.com/privkey.pem;
# ACME HTTP-01 challenges
location /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}
# Configuration SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# API backend - route /back/ vers /api/ du backend
location ~* ^/back/(.*)$ {
proxy_pass http://127.0.0.1:8080/api/$1;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
proxy_buffering off;
}
# API direct - route /api/ vers le backend
# Autorisations CORS dynamiques pour origines connues
set $cors_origin "";
if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) {
set $cors_origin $http_origin;
}
location /api/ {
# CORS pour développement local Next.js
proxy_hide_header Access-Control-Allow-Origin;
proxy_hide_header Access-Control-Allow-Credentials;
proxy_hide_header Access-Control-Allow-Headers;
proxy_hide_header Access-Control-Allow-Methods;
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
return 204;
}
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
proxy_pass http://127.0.0.1:8080/api/;
include /etc/nginx/proxy_params;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
# Compat: certains clients appellent /apiv1 -> réécriture vers /api/v1
location ~* ^/apiv1/(.*)$ {
# CORS pour compatibilité
proxy_hide_header Access-Control-Allow-Origin;
proxy_hide_header Access-Control-Allow-Credentials;
proxy_hide_header Access-Control-Allow-Headers;
proxy_hide_header Access-Control-Allow-Methods;
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
return 204;
}
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
proxy_pass http://127.0.0.1:8080/api/v1/$1;
include /etc/nginx/proxy_params;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
# WebSocket relay (sdk_relay)
location /ws/ {
proxy_pass http://127.0.0.1:8090/;
proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300;
}
# API de transfert de fonds
location /api/v1/funds/ {
proxy_pass http://127.0.0.1:8080/api/v1/funds/;
include /etc/nginx/proxy_params;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
# Headers de sécurité
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
# Grafana - Interface de monitoring (DOIT être avant location /)
location /grafana/ {
@ -202,49 +111,82 @@ server {
}
}
# ihm_client (root) - DOIT être en dernier
location / {
proxy_pass http://127.0.0.1:3003;
# API backend - route /back/ vers /api/ du backend
location ~* ^/back/(.*)$ {
proxy_pass http://127.0.0.1:8080/api/$1;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
proxy_buffering off;
}
# API direct - route /api/ vers le backend
# Autorisations CORS dynamiques pour origines connues
set $cors_origin "";
if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) {
set $cors_origin $http_origin;
}
location /api/ {
# CORS pour développement local Next.js
proxy_hide_header Access-Control-Allow-Origin;
proxy_hide_header Access-Control-Allow-Credentials;
proxy_hide_header Access-Control-Allow-Headers;
proxy_hide_header Access-Control-Allow-Methods;
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
return 204;
}
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
proxy_pass http://127.0.0.1:8080/api/;
include /etc/nginx/proxy_params;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
# WebSocket relay (sdk_relay)
location /ws/ {
proxy_pass http://127.0.0.1:8090/;
proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
# API de transfert de fonds
location /api/v1/funds/ {
proxy_pass http://127.0.0.1:8080/api/v1/funds/;
include /etc/nginx/proxy_params;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
# favicon
location = /favicon.ico {
root /home/debian/lecoffre_node/conf/nginx/assets;
try_files /favicon.ico =404;
access_log off;
expires 30d;
}
# lecoffre frontend
location = /lecoffre {
proxy_pass http://127.0.0.2:3004/lecoffre;
include /etc/nginx/proxy_params;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
}
location /lecoffre/ {
proxy_pass http://127.0.0.2:3004/lecoffre/;
include /etc/nginx/proxy_params;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300;
}
# Next.js assets
location /_next/ {
proxy_pass http://127.0.0.2:3004/_next/;
include /etc/nginx/proxy_params;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
}
# blindbit
@ -263,4 +205,13 @@ server {
proxy_read_timeout 300;
}
# ihm_client (root) - DOIT être en dernier
location / {
proxy_pass http://127.0.0.1:3003;
include /etc/nginx/proxy_params;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300;
}
}

10
conf/nginx/dev4.4nkweb.com.conf
View File

@ -1,16 +1,18 @@
# HTTP server for ACME and initial proxying
# HTTP server for ACME and redirect to HTTPS
server {
listen 80;
server_name dev4.4nkweb.com;
# Forcer l'upgrade des requêtes HTTP en HTTPS pour éviter les contenus mixtes
add_header Content-Security-Policy "upgrade-insecure-requests" always;
# ACME HTTP-01 challenges
location /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}
# Redirection vers HTTPS pour toutes les autres requêtes
location / {
return 301 https://$server_name$request_uri;
}
# API backend - route /back/ vers /api/ du backend
location ~* ^/back/(.*)$ {
proxy_pass http://127.0.0.1:8080/api/$1;

170
conf/nginx/dev4.4nkweb.com.conf.backup
View File

@ -1,170 +0,0 @@
# HTTP server for ACME and initial proxying
server {
listen 80;
server_name dev4.4nkweb.com;
# Forcer l'upgrade des requêtes HTTP en HTTPS pour éviter les contenus mixtes
add_header Content-Security-Policy "upgrade-insecure-requests" always;
# ACME HTTP-01 challenges
location /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}
# API backend - route /back/ vers /api/ du backend
location ~* ^/back/(.*)$ {
proxy_pass http://127.0.0.1:8080/api/$1;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
proxy_buffering off;
}
# API direct - route /api/ vers le backend
# Autorisations CORS dynamiques pour origines connues
set $cors_origin "";
if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) {
set $cors_origin $http_origin;
}
location /api/ {
# CORS pour développement local Next.js
proxy_hide_header Access-Control-Allow-Origin;
proxy_hide_header Access-Control-Allow-Credentials;
proxy_hide_header Access-Control-Allow-Headers;
proxy_hide_header Access-Control-Allow-Methods;
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
return 204;
}
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
proxy_pass http://127.0.0.1:8080/api/;
include /etc/nginx/proxy_params;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
# Compat: certains clients appellent /apiv1 -> réécriture vers /api/v1
location ~* ^/apiv1/(.*)$ {
# CORS pour compatibilité
proxy_hide_header Access-Control-Allow-Origin;
proxy_hide_header Access-Control-Allow-Credentials;
proxy_hide_header Access-Control-Allow-Headers;
proxy_hide_header Access-Control-Allow-Methods;
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
return 204;
}
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
proxy_pass http://127.0.0.1:8080/api/v1/$1;
include /etc/nginx/proxy_params;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
# WebSocket relay (sdk_relay)
location /ws/ {
proxy_pass http://127.0.0.1:8090/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300;
}
# API de transfert de fonds
location /api/v1/funds/ {
proxy_pass http://127.0.0.1:8080/api/v1/funds/;
include /etc/nginx/proxy_params;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
# ihm_client (root)
location / {
proxy_pass http://127.0.0.1:3003;
include /etc/nginx/proxy_params;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300;
}
# favicon
location = /favicon.ico {
root /home/debian/lecoffre_node/conf/nginx/assets;
try_files /favicon.ico =404;
access_log off;
expires 30d;
}
# lecoffre frontend
location = /lecoffre {
proxy_pass http://127.0.0.2:3004/lecoffre;
include /etc/nginx/proxy_params;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
}
location /lecoffre/ {
proxy_pass http://127.0.0.2:3004/lecoffre/;
include /etc/nginx/proxy_params;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300;
}
# Next.js assets
location /_next/ {
proxy_pass http://127.0.0.2:3004/_next/;
include /etc/nginx/proxy_params;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
}
# blindbit
location /blindbit/ {
proxy_pass http://127.0.0.1:8000/;
include /etc/nginx/proxy_params;
}
# signer (sdk_signer) avec support WebSocket
location /signer/ {
proxy_pass http://127.0.0.1:3001/;
include /etc/nginx/proxy_params;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300;
}
}