add /robots.txt

config\nginx.exposed.conf: disable csp
nginx.exposed: fix invalid upstream
2024-07-31 08:48:03 +03:00 · 2024-07-23 10:49:14 +03:00 · 2024-07-14 21:54:19 +03:00 · 2024-07-14 21:47:48 +03:00 · 2024-07-14 21:26:29 +03:00 · 2024-06-06 22:10:25 +03:00
12 changed files with 171 additions and 28 deletions
--- a/config/http/nginx.conf
+++ b/config/http/nginx.conf
@ -0,0 +1,48 @@
+ user                          nginx;
+ worker_processes              auto;
+
+ error_log                     /var/log/nginx/error.log notice;
+ pid                           /var/run/nginx.pid;
+
+
+events {
+    worker_connections         1024;
+    use                        epoll;
+}
+
+
+http {
+    include                    /etc/nginx/mime.types;
+    default_type               application/octet-stream;
+
+    log_format                 main '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status                   $body_bytes_sent "$http_referer" '
+    '"$http_user_agent"        "$http_x_forwarded_for"';
+
+    access_log                 off;
+
+    sendfile                   on;
+    #tcp_nopush                on;
+
+    keepalive_timeout          60s;
+
+    #gzip                      on;
+
+    include                    /etc/nginx/conf.d/*.conf;
+
+    #                          Compression
+    gzip                       on;
+    gzip_min_length            1000;
+    gzip_proxied               any;
+    gzip_comp_level            1;
+    gzip_types                 text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
+    gzip_vary                  on;
+    gzip_disable               "msie6";
+
+
+    resolver                   127.0.0.11 ipv6=off;
+
+    client_body_timeout        20s;
+    client_header_timeout      20s;
+
+}
--- a/config/include/csp.conf
+++ b/config/include/csp.conf
@ -0,0 +1,10 @@
+set $CSP_UPGRADE_INSECURE_REQUESTS "upgrade-insecure-requests;";
+set $CSP_DEFAULT_SRC "default-src https: wss: data: blob: 'self';";
+set $CSP_BASE_URI "base-uri 'self';";
+set $CSP_CONNECT_SRC "connect-src 'self' *.evoleasing.ru wss:;";
+set $CSP_WORKER_SRC "worker-src 'self' blob:;";
+set $CSP_FONT_SRC "font-src 'self' fonts.gstatic.com fonts.googleapis.com;";
+set $CSP_SCRIPT_SRC "script-src 'self';";
+set $CSP_STYLE_SRC "style-src 'self' 'unsafe-inline' fonts.googleapis.com;";
+set $CSP_OBJECT_SRC "object-src 'none';";
+set $CSP_FRAME_ANCESTORS "frame-ancestors 'none';";
--- a/config/include/headers.conf
+++ b/config/include/headers.conf
@ -0,0 +1,5 @@
+ proxy_http_version 1.1;
+ proxy_set_header   Upgrade $http_upgrade;
+ proxy_set_header   Connection 'upgrade';
+ proxy_set_header   Host $host;
+ proxy_cache_bypass $http_upgrade;
--- a/config/include/robots.conf
+++ b/config/include/robots.conf
@ -0,0 +1,4 @@
+location /robots.txt {
+    default_type  text/plain;
+    return        200 "User-agent: *\nDisallow: /";
+}
--- a/config/include/security-headers.conf
+++ b/config/include/security-headers.conf
@ -0,0 +1,5 @@
+ add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy no-referrer-when-downgrade;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
--- a/config/nginx.auth.conf
+++ b/config/nginx.auth.conf
@ -21,17 +21,11 @@ upstream app {
 server {
    listen                       80;
    include                      /etc/nginx/mime.types;
+    include                      /etc/nginx/include/csp.conf;
+    proxy_set_header             auth-mode $AUTH_MODE;
+    proxy_set_header             refresh-token $REFRESH_TOKEN;

-    gzip                         on;
-    gzip_min_length              1000;
-    gzip_proxied                 any;
-    gzip_comp_level              1;
-    gzip_types                   text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
-    gzip_vary                    on;
-    gzip_disable                 "msie6";
-
-
-    error_page                   401 /login;
+    error_page                   401 /login/$AUTH_MODE;


    location = /auth {
@ -41,30 +35,39 @@ server {

        proxy_pass_request_body  off;
        proxy_set_header         Content-Length "";
-        proxy_set_header         refresh-token $REFRESH_TOKEN;
-        proxy_set_header         auth-mode $AUTH_MODE;
+        proxy_set_header         X-Original-URI $request_uri;
        proxy_intercept_errors   on;
+
+        proxy_set_header         auth-mode $AUTH_MODE;
+        proxy_set_header         refresh-token $REFRESH_TOKEN;
    }

    location /login {
        proxy_pass               $login_proxy;
+
+        include                  /etc/nginx/include/security-headers.conf;
    }

-    location ~ ^/(logout|get-user)$ {
+    location ~ ^/(logout|get-user|login-telegram|login-confirm|refresh-token)$ {
        proxy_pass               http://auth_api/$AUTH_MODE/$1;
+        proxy_set_header         auth-mode $AUTH_MODE;
+        proxy_set_header         refresh-token $REFRESH_TOKEN;
    }

    location / {
        proxy_pass               http://app;

-        proxy_http_version       1.1;
-        proxy_set_header         Upgrade $http_upgrade;
-        proxy_set_header         Connection 'upgrade';
-        proxy_set_header         Host $host;
-        proxy_cache_bypass       $http_upgrade;
-
+        include                  /etc/nginx/include/headers.conf;
        include                  /etc/nginx/include/auth.conf;
+        include                  /etc/nginx/include/security-headers.conf;
+    }

+    location /socket.io/ {
+        proxy_pass               http://auth_api/socket.io/;
+
+        include                  /etc/nginx/include/headers.conf;
+        include                  /etc/nginx/include/auth.conf;
+        include                  /etc/nginx/include/security-headers.conf;
    }

    location = /health {
--- a/config/nginx.exposed.conf
+++ b/config/nginx.exposed.conf
@ -0,0 +1,26 @@
+ include                    /etc/nginx/include/upstream.conf;
+
+
+server {
+    listen                  80;
+    include                 /etc/nginx/mime.types;
+    
+    location / {
+        proxy_pass          $APPLICATION;
+
+        proxy_http_version  1.1;
+        proxy_set_header    Upgrade $http_upgrade;
+        proxy_set_header    Connection 'upgrade';
+        proxy_set_header    Host $host;
+        proxy_cache_bypass  $http_upgrade;
+    }
+
+    location = /health {
+        access_log          off;
+        add_header          'Content-Type' 'application/json';
+        return              200 'UP';
+    }
+
+    include /etc/nginx/include/location.conf;
+    include /etc/nginx/include/robots.conf;
+}
--- a/config/nginx.off.conf
+++ b/config/nginx.off.conf
@ -8,15 +8,7 @@ upstream app {
 server {
    listen                  80;
    include                 /etc/nginx/mime.types;
-
-    gzip                    on;
-    gzip_min_length         1000;
-    gzip_proxied            any;
-    gzip_comp_level         1;
-    gzip_types              text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
-    gzip_vary               on;
-    gzip_disable            "msie6";
-
+    include                 /etc/nginx/include/csp.conf;

    location / {
        proxy_pass          http://app;
@ -26,6 +18,8 @@ server {
        proxy_set_header    Connection 'upgrade';
        proxy_set_header    Host $host;
        proxy_cache_bypass  $http_upgrade;
+
+        include             /etc/nginx/include/security-headers.conf;
    }

    location = /health {
--- a/docker-compose.auth.expose.yml
+++ b/docker-compose.auth.expose.yml
@ -0,0 +1,27 @@
+version: '3'
+
+services:
+  server:
+    ports:
+      - '${PORT_EXPOSE}:80'
+    image: nginx:alpine
+    environment:
+      - APPLICATION=${APPLICATION}
+      - AUTH_MODE=${AUTH_MODE}
+      - REFRESH_TOKEN=${REFRESH_TOKEN}
+    volumes:
+      - ./config/nginx.auth.conf:/etc/nginx/templates/default.conf.template
+      - ./config/include:/etc/nginx/include
+      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
+    restart: always
+    networks:
+      - auth_network
+      - app_network
+
+networks:
+  auth_network:
+    external:
+      name: auth_network
+  app_network:
+    external:
+      name: ${NETWORK_NAME}
--- a/docker-compose.auth.yml
+++ b/docker-compose.auth.yml
@ -13,6 +13,7 @@ services:
    volumes:
      - ./config/nginx.auth.conf:/etc/nginx/templates/default.conf.template
      - ./config/include:/etc/nginx/include
+      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
    restart: always
    networks:
      - auth_network
--- a/docker-compose.exposed.yml
+++ b/docker-compose.exposed.yml
@ -0,0 +1,19 @@
+version: '3'
+
+services:
+  server:
+    extends:
+      file: docker-compose.traefik.yml
+      service: server
+    image: nginx:alpine
+    environment:
+      - APPLICATION=${APPLICATION}
+    volumes:
+      - ./config/nginx.exposed.conf:/etc/nginx/templates/default.conf.template
+      - ./config/include:/etc/nginx/include
+      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
+    restart: always
+
+networks:
+  web:
+    external: true
--- a/docker-compose.off.yml
+++ b/docker-compose.off.yml
@ -11,6 +11,7 @@ services:
    volumes:
      - ./config/nginx.off.conf:/etc/nginx/templates/default.conf.template
      - ./config/include:/etc/nginx/include
+      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
    restart: always
    networks:
      - app_network
Author	SHA1	Message	Date
vchikalkin	8ada0928b0	add /robots.txt	2024-07-31 08:48:03 +03:00
vchikalkin	92cc200af6	config\nginx.exposed.conf: disable csp	2024-07-23 10:49:14 +03:00
vchikalkin	6b8b8cb502	nginx.exposed: fix invalid upstream	2024-07-14 21:54:19 +03:00
vchikalkin	2f681931ba	add docker-compose.exposed.yml	2024-07-14 21:47:48 +03:00
vchikalkin	3c1a186c31	add docker-compose.auth.expose.yml	2024-07-14 21:26:29 +03:00
vchikalkin	784ee606cc	fix build	2024-06-06 22:10:25 +03:00
vchikalkin	f95cea4540	nginx.auth.conf: include auth-params add /refresh-token location	2024-06-06 22:00:38 +03:00
vchikalkin	87bcead3c7	rename proxy-location.conf -> headers.conf	2024-06-06 21:52:21 +03:00
vchikalkin	742bead105	nginx.auth.conf: update for tfa	2024-06-05 12:45:35 +03:00
vchikalkin	f1f241bc7d	add security-headers.conf	2024-04-27 14:31:47 +03:00
vchikalkin	f533098276	nginx.auth.conf: add csp header to /login	2024-04-27 14:02:58 +03:00
vchikalkin	1406a95ed0	nginx.conf: add csp header	2024-04-27 13:46:16 +03:00
vchikalkin	7ca6fe3eac	nginx.auth.conf: remove location = /	2024-02-17 21:17:51 +03:00
vchikalkin	eb63185daa	nginx: remove limits	2024-02-17 17:21:50 +03:00
vchikalkin	a067039351	nginx.conf: increase limit_req_zone to 30r/s	2024-02-15 23:38:02 +03:00
vchikalkin	7f20ab3bee	nginx.auth.conf: remove burst nginx.conf: increase limit_req_zone to 15r/s	2024-02-15 22:23:27 +03:00
vchikalkin	2005544190	merge branch feature/anti-ddos	2024-02-15 21:41:42 +03:00