evo/Evo.Gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: evo:main
Branches Tags
evo:main
evo:dev
evo:feature/anti-ddos
evo:feature/refresh-token
..
compare: evo:feature/refresh-token
Branches Tags
evo:dev
evo:main
evo:feature/anti-ddos
evo:feature/refresh-token

2 Commits
main ... feature/re

Author SHA1 Message Date
vchikalkin
c6ea0cb49d remove: config/include/ auth-refresh-token.conf 2024-01-16 13:10:50 +03:00
vchikalkin
6ea46a1165 add refresh-token header to auth_request 2024-01-16 12:57:05 +03:00
12 changed files with 30 additions and 173 deletions
Show Stats Expand all files Collapse all files

48
config/http/nginx.conf
View File

@ -1,48 +0,0 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log off;
sendfile on;
#tcp_nopush on;
keepalive_timeout 60s;
#gzip on;
include /etc/nginx/conf.d/*.conf;
# Compression
gzip on;
gzip_min_length 1000;
gzip_proxied any;
gzip_comp_level 1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
gzip_vary on;
gzip_disable "msie6";
resolver 127.0.0.11 ipv6=off;
client_body_timeout 20s;
client_header_timeout 20s;
}

10
config/include/csp.conf
View File

@ -1,10 +0,0 @@
set $CSP_UPGRADE_INSECURE_REQUESTS "upgrade-insecure-requests;";
set $CSP_DEFAULT_SRC "default-src https: wss: data: blob: 'self';";
set $CSP_BASE_URI "base-uri 'self';";
set $CSP_CONNECT_SRC "connect-src 'self' *.evoleasing.ru wss:;";
set $CSP_WORKER_SRC "worker-src 'self' blob:;";
set $CSP_FONT_SRC "font-src 'self' fonts.gstatic.com fonts.googleapis.com;";
set $CSP_SCRIPT_SRC "script-src 'self';";
set $CSP_STYLE_SRC "style-src 'self' 'unsafe-inline' fonts.googleapis.com;";
set $CSP_OBJECT_SRC "object-src 'none';";
set $CSP_FRAME_ANCESTORS "frame-ancestors 'none';";

5
config/include/headers.conf
View File

@ -1,5 +0,0 @@
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;

4
config/include/robots.conf
View File

@ -1,4 +0,0 @@
location /robots.txt {
default_type text/plain;
return 200 "User-agent: *\nDisallow: /";
}

5
config/include/security-headers.conf
View File

@ -1,5 +0,0 @@
add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy no-referrer-when-downgrade;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";

41
config/nginx.auth.conf
View File

@ -21,11 +21,17 @@ upstream app {
server {
listen 80;
include /etc/nginx/mime.types;
include /etc/nginx/include/csp.conf;
proxy_set_header auth-mode $AUTH_MODE;
proxy_set_header refresh-token $REFRESH_TOKEN;
error_page 401 /login/$AUTH_MODE;
gzip on;
gzip_min_length 1000;
gzip_proxied any;
gzip_comp_level 1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
gzip_vary on;
gzip_disable "msie6";
error_page 401 /login;
location = /auth {
@ -35,39 +41,30 @@ server {
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header refresh-token $refresh_token;
proxy_intercept_errors on;
proxy_set_header auth-mode $AUTH_MODE;
proxy_set_header refresh-token $REFRESH_TOKEN;
}
location /login {
proxy_pass $login_proxy;
include /etc/nginx/include/security-headers.conf;
}
location ~ ^/(logout|get-user|login-telegram|login-confirm|refresh-token)$ {
location ~ ^/(logout|get-user)$ {
proxy_pass http://auth_api/$AUTH_MODE/$1;
proxy_set_header auth-mode $AUTH_MODE;
proxy_set_header refresh-token $REFRESH_TOKEN;
}
location / {
set $refresh_token $REFRESH_TOKEN;
proxy_pass http://app;
include /etc/nginx/include/headers.conf;
include /etc/nginx/include/auth.conf;
include /etc/nginx/include/security-headers.conf;
}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
location /socket.io/ {
proxy_pass http://auth_api/socket.io/;
include /etc/nginx/include/headers.conf;
include /etc/nginx/include/auth.conf;
include /etc/nginx/include/security-headers.conf;
}
location = /health {

26
config/nginx.exposed.conf
View File

@ -1,26 +0,0 @@
include /etc/nginx/include/upstream.conf;
server {
listen 80;
include /etc/nginx/mime.types;
location / {
proxy_pass $APPLICATION;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location = /health {
access_log off;
add_header 'Content-Type' 'application/json';
return 200 'UP';
}
include /etc/nginx/include/location.conf;
include /etc/nginx/include/robots.conf;
}

12
config/nginx.off.conf
View File

@ -8,7 +8,15 @@ upstream app {
server {
listen 80;
include /etc/nginx/mime.types;
include /etc/nginx/include/csp.conf;
gzip on;
gzip_min_length 1000;
gzip_proxied any;
gzip_comp_level 1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
gzip_vary on;
gzip_disable "msie6";
location / {
proxy_pass http://app;
@ -18,8 +26,6 @@ server {
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
include /etc/nginx/include/security-headers.conf;
}
location = /health {

27
docker-compose.auth.expose.yml
View File

@ -1,27 +0,0 @@
version: '3'
services:
server:
ports:
- '${PORT_EXPOSE}:80'
image: nginx:alpine
environment:
- APPLICATION=${APPLICATION}
- AUTH_MODE=${AUTH_MODE}
- REFRESH_TOKEN=${REFRESH_TOKEN}
volumes:
- ./config/nginx.auth.conf:/etc/nginx/templates/default.conf.template
- ./config/include:/etc/nginx/include
- ./config/http/nginx.conf:/etc/nginx/nginx.conf
restart: always
networks:
- auth_network
- app_network
networks:
auth_network:
external:
name: auth_network
app_network:
external:
name: ${NETWORK_NAME}

5
docker-compose.auth.yml
View File

@ -13,7 +13,6 @@ services:
volumes:
- ./config/nginx.auth.conf:/etc/nginx/templates/default.conf.template
- ./config/include:/etc/nginx/include
- ./config/http/nginx.conf:/etc/nginx/nginx.conf
restart: always
networks:
- auth_network
@ -24,7 +23,7 @@ networks:
external:
name: auth_network
app_network:
external:
name: ${NETWORK_NAME}
external: true
name: ${NETWORK_NAME}
web:
external: true

19
docker-compose.exposed.yml
View File

@ -1,19 +0,0 @@
version: '3'
services:
server:
extends:
file: docker-compose.traefik.yml
service: server
image: nginx:alpine
environment:
- APPLICATION=${APPLICATION}
volumes:
- ./config/nginx.exposed.conf:/etc/nginx/templates/default.conf.template
- ./config/include:/etc/nginx/include
- ./config/http/nginx.conf:/etc/nginx/nginx.conf
restart: always
networks:
web:
external: true

1
docker-compose.off.yml
View File

@ -11,7 +11,6 @@ services:
volumes:
- ./config/nginx.off.conf:/etc/nginx/templates/default.conf.template
- ./config/include:/etc/nginx/include
- ./config/http/nginx.conf:/etc/nginx/nginx.conf
restart: always
networks:
- app_network