add /robots.txt

config\nginx.exposed.conf: disable csp
nginx.exposed: fix invalid upstream
2024-07-31 08:48:03 +03:00 · 2024-07-23 10:49:14 +03:00 · 2024-07-14 21:54:19 +03:00 · 2024-07-14 21:47:48 +03:00 · 2024-07-14 21:26:29 +03:00 · 2024-06-06 22:10:25 +03:00
13 changed files with 176 additions and 29 deletions
--- a/.env
+++ b/.env
@ -7,3 +7,4 @@ WEB_HOST=
 APPLICATION=
 AUTH_MODE=ldap
 # AUTH_MODE=account
 REFRESH_TOKEN=0
--- a/config/http/nginx.conf
+++ b/config/http/nginx.conf
@ -0,0 +1,48 @@
 user                          nginx;
 worker_processes              auto;
 error_log                     /var/log/nginx/error.log notice;
 pid                           /var/run/nginx.pid;
 events {
    worker_connections         1024;
    use                        epoll;
 }
 http {
    include                    /etc/nginx/mime.types;
    default_type               application/octet-stream;
    log_format                 main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status                   $body_bytes_sent "$http_referer" '
    '"$http_user_agent"        "$http_x_forwarded_for"';
    access_log                 off;
    sendfile                   on;
    #tcp_nopush                on;
    keepalive_timeout          60s;
    #gzip                      on;
    include                    /etc/nginx/conf.d/*.conf;
    #                          Compression
    gzip                       on;
    gzip_min_length            1000;
    gzip_proxied               any;
    gzip_comp_level            1;
    gzip_types                 text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary                  on;
    gzip_disable               "msie6";
    resolver                   127.0.0.11 ipv6=off;
    client_body_timeout        20s;
    client_header_timeout      20s;
 }
--- a/config/include/csp.conf
+++ b/config/include/csp.conf
@ -0,0 +1,10 @@
 set $CSP_UPGRADE_INSECURE_REQUESTS "upgrade-insecure-requests;";
 set $CSP_DEFAULT_SRC "default-src https: wss: data: blob: 'self';";
 set $CSP_BASE_URI "base-uri 'self';";
 set $CSP_CONNECT_SRC "connect-src 'self' *.evoleasing.ru wss:;";
 set $CSP_WORKER_SRC "worker-src 'self' blob:;";
 set $CSP_FONT_SRC "font-src 'self' fonts.gstatic.com fonts.googleapis.com;";
 set $CSP_SCRIPT_SRC "script-src 'self';";
 set $CSP_STYLE_SRC "style-src 'self' 'unsafe-inline' fonts.googleapis.com;";
 set $CSP_OBJECT_SRC "object-src 'none';";
 set $CSP_FRAME_ANCESTORS "frame-ancestors 'none';";
--- a/config/include/headers.conf
+++ b/config/include/headers.conf
@ -0,0 +1,5 @@
 proxy_http_version 1.1;
 proxy_set_header   Upgrade $http_upgrade;
 proxy_set_header   Connection 'upgrade';
 proxy_set_header   Host $host;
 proxy_cache_bypass $http_upgrade;
--- a/config/include/robots.conf
+++ b/config/include/robots.conf
@ -0,0 +1,4 @@
 location /robots.txt {
    default_type  text/plain;
    return        200 "User-agent: *\nDisallow: /";
 }
--- a/config/include/security-headers.conf
+++ b/config/include/security-headers.conf
@ -0,0 +1,5 @@
 add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 add_header Referrer-Policy no-referrer-when-downgrade;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
--- a/config/nginx.auth.conf
+++ b/config/nginx.auth.conf
@ -21,17 +21,11 @@ upstream app {
 server {
    listen                       80;
    include                      /etc/nginx/mime.types;
    include                      /etc/nginx/include/csp.conf;
    proxy_set_header             auth-mode $AUTH_MODE;
    proxy_set_header             refresh-token $REFRESH_TOKEN;
-    gzip                         on;
+    error_page                   401 /login/$AUTH_MODE;
    gzip_min_length              1000;
    gzip_proxied                 any;
    gzip_comp_level              1;
    gzip_types                   text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary                    on;
    gzip_disable                 "msie6";
    error_page                   401 /login;
    location = /auth {
@ -41,28 +35,39 @@ server {
        proxy_pass_request_body  off;
        proxy_set_header         Content-Length "";
        proxy_set_header         X-Original-URI $request_uri;
        proxy_intercept_errors   on;
        proxy_set_header         auth-mode $AUTH_MODE;
        proxy_set_header         refresh-token $REFRESH_TOKEN;
    }
    location /login {
        proxy_pass               $login_proxy;
        include                  /etc/nginx/include/security-headers.conf;
    }
-    location ~ ^/(logout|get-user)$ {
+    location ~ ^/(logout|get-user|login-telegram|login-confirm|refresh-token)$ {
        proxy_pass               http://auth_api/$AUTH_MODE/$1;
        proxy_set_header         auth-mode $AUTH_MODE;
        proxy_set_header         refresh-token $REFRESH_TOKEN;
    }
    location / {
        proxy_pass               http://app;
-        proxy_http_version       1.1;
+        include                  /etc/nginx/include/headers.conf;
-        proxy_set_header         Upgrade $http_upgrade;
+        include                  /etc/nginx/include/auth.conf;
-        proxy_set_header         Connection 'upgrade';
+        include                  /etc/nginx/include/security-headers.conf;
-        proxy_set_header         Host $host;
+    }
        proxy_cache_bypass       $http_upgrade;
-        include /etc/nginx/include/auth.conf;
+    location /socket.io/ {
        proxy_pass               http://auth_api/socket.io/;
        include                  /etc/nginx/include/headers.conf;
        include                  /etc/nginx/include/auth.conf;
        include                  /etc/nginx/include/security-headers.conf;
    }
    location = /health {
--- a/config/nginx.exposed.conf
+++ b/config/nginx.exposed.conf
@ -0,0 +1,26 @@
 include                    /etc/nginx/include/upstream.conf;
 server {
    listen                  80;
    include                 /etc/nginx/mime.types;
    location / {
        proxy_pass          $APPLICATION;
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection 'upgrade';
        proxy_set_header    Host $host;
        proxy_cache_bypass  $http_upgrade;
    }
    location = /health {
        access_log          off;
        add_header          'Content-Type' 'application/json';
        return              200 'UP';
    }
    include /etc/nginx/include/location.conf;
    include /etc/nginx/include/robots.conf;
 }
--- a/config/nginx.off.conf
+++ b/config/nginx.off.conf
@ -8,15 +8,7 @@ upstream app {
 server {
    listen                  80;
    include                 /etc/nginx/mime.types;
-
+    include                 /etc/nginx/include/csp.conf;
    gzip                    on;
    gzip_min_length         1000;
    gzip_proxied            any;
    gzip_comp_level         1;
    gzip_types              text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary               on;
    gzip_disable            "msie6";
    location / {
        proxy_pass          http://app;
@ -26,6 +18,8 @@ server {
        proxy_set_header    Connection 'upgrade';
        proxy_set_header    Host $host;
        proxy_cache_bypass  $http_upgrade;
        include             /etc/nginx/include/security-headers.conf;
    }
    location = /health {
--- a/docker-compose.auth.expose.yml
+++ b/docker-compose.auth.expose.yml
@ -0,0 +1,27 @@
 version: '3'
 services:
  server:
    ports:
      - '${PORT_EXPOSE}:80'
    image: nginx:alpine
    environment:
      - APPLICATION=${APPLICATION}
      - AUTH_MODE=${AUTH_MODE}
      - REFRESH_TOKEN=${REFRESH_TOKEN}
    volumes:
      - ./config/nginx.auth.conf:/etc/nginx/templates/default.conf.template
      - ./config/include:/etc/nginx/include
      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
    restart: always
    networks:
      - auth_network
      - app_network
 networks:
  auth_network:
    external:
      name: auth_network
  app_network:
    external:
      name: ${NETWORK_NAME}
--- a/docker-compose.auth.yml
+++ b/docker-compose.auth.yml
@ -9,9 +9,11 @@ services:
    environment:
      - APPLICATION=${APPLICATION}
      - AUTH_MODE=${AUTH_MODE}
      - REFRESH_TOKEN=${REFRESH_TOKEN}
    volumes:
      - ./config/nginx.auth.conf:/etc/nginx/templates/default.conf.template
      - ./config/include:/etc/nginx/include
      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
    restart: always
    networks:
      - auth_network
@ -22,7 +24,7 @@ networks:
    external:
      name: auth_network
  app_network:
-    external: true
+    external:
-    name: ${NETWORK_NAME}
+      name: ${NETWORK_NAME}
  web:
    external: true
--- a/docker-compose.exposed.yml
+++ b/docker-compose.exposed.yml
@ -0,0 +1,19 @@
 version: '3'
 services:
  server:
    extends:
      file: docker-compose.traefik.yml
      service: server
    image: nginx:alpine
    environment:
      - APPLICATION=${APPLICATION}
    volumes:
      - ./config/nginx.exposed.conf:/etc/nginx/templates/default.conf.template
      - ./config/include:/etc/nginx/include
      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
    restart: always
 networks:
  web:
    external: true
--- a/docker-compose.off.yml
+++ b/docker-compose.off.yml
@ -11,6 +11,7 @@ services:
    volumes:
      - ./config/nginx.off.conf:/etc/nginx/templates/default.conf.template
      - ./config/include:/etc/nginx/include
      - ./config/http/nginx.conf:/etc/nginx/nginx.conf
    restart: always
    networks:
      - app_network
Author	SHA1	Message	Date
vchikalkin	8ada0928b0	add /robots.txt	2024-07-31 08:48:03 +03:00
vchikalkin	92cc200af6	config\nginx.exposed.conf: disable csp	2024-07-23 10:49:14 +03:00
vchikalkin	6b8b8cb502	nginx.exposed: fix invalid upstream	2024-07-14 21:54:19 +03:00
vchikalkin	2f681931ba	add docker-compose.exposed.yml	2024-07-14 21:47:48 +03:00
vchikalkin	3c1a186c31	add docker-compose.auth.expose.yml	2024-07-14 21:26:29 +03:00
vchikalkin	784ee606cc	fix build	2024-06-06 22:10:25 +03:00
vchikalkin	f95cea4540	nginx.auth.conf: include auth-params add /refresh-token location	2024-06-06 22:00:38 +03:00
vchikalkin	87bcead3c7	rename proxy-location.conf -> headers.conf	2024-06-06 21:52:21 +03:00
vchikalkin	742bead105	nginx.auth.conf: update for tfa	2024-06-05 12:45:35 +03:00
vchikalkin	f1f241bc7d	add security-headers.conf	2024-04-27 14:31:47 +03:00
vchikalkin	f533098276	nginx.auth.conf: add csp header to /login	2024-04-27 14:02:58 +03:00
vchikalkin	1406a95ed0	nginx.conf: add csp header	2024-04-27 13:46:16 +03:00
vchikalkin	7ca6fe3eac	nginx.auth.conf: remove location = /	2024-02-17 21:17:51 +03:00
vchikalkin	eb63185daa	nginx: remove limits	2024-02-17 17:21:50 +03:00
vchikalkin	a067039351	nginx.conf: increase limit_req_zone to 30r/s	2024-02-15 23:38:02 +03:00
vchikalkin	7f20ab3bee	nginx.auth.conf: remove burst nginx.conf: increase limit_req_zone to 15r/s	2024-02-15 22:23:27 +03:00
vchikalkin	2005544190	merge branch feature/anti-ddos	2024-02-15 21:41:42 +03:00
vchikalkin	6273a11b6d	config/nginx.auth.conf: fix pass refresh-token	2024-02-01 10:01:03 +03:00
vchikalkin	92b7526700	config/nginx.auth.conf: add support refresh token	2024-01-16 14:21:18 +03:00
vchikalkin	15894b6043	docker-compose.auth.yml: fix app_network	2024-01-16 13:31:54 +03:00
vchikalkin	89bbe26e55	merge branch feature/refresh-token	2024-01-16 13:13:25 +03:00