# Forgejo Nginx Configuration for black host
# =============================================================================
# This nginx config runs inside the forgejo-nginx container and handles:
# 1. Forgejo git forge (forge.nasty.sh)
# 2. Staging domains (next.*.atlilith.com) - proxied to host services
# 3. Verdaccio NPM cache (npm.nasty.sh)
#
# Location: /bigdisk/forgejo/nginx.conf on black host
# Deploy: scp this file to black:/bigdisk/forgejo/nginx.conf, then reload with
# docker exec forgejo-nginx nginx -s reload
# =============================================================================

# Worker event loop settings: upper bound on simultaneous connections per worker.
events {
    worker_connections 1024;
}

http {
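# --- Shared http-level settings ---------------------------------------------

# Static upstreams. These names are resolved when the configuration is
# loaded, so both containers are expected to be reachable on the compose
# network whenever nginx starts or reloads.
upstream forgejo {
    server forgejo:3000;
}

upstream verdaccio {
    server verdaccio:4873;
}

# DNS resolver for dynamic upstreams (pypi may not be running).
# 127.0.0.11 is Docker's embedded DNS. Servers that set their backend in a
# variable (see the pypi server below) resolve it per request through this
# resolver instead of at load time.
resolver 127.0.0.11 valid=30s ipv6=off;

# Do not advertise the nginx version in the Server header or on error pages.
server_tokens off;

# SSL settings (shared by every `listen 443 ssl` server in this file)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
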
# ==========================================================================
# Staging: next.atlilith.com / next.www.atlilith.com -> webmap-router (port 4002)
# VPN-only access - serves landing + SEO frontends
# ==========================================================================

# HTTP -> HTTPS redirect. Nothing is proxied on port 80 for these names; the
# access list is enforced on the TLS server below.
server {
    listen 80;
    server_name next.atlilith.com next.www.atlilith.com;
    return 301 https://$host$request_uri;
}

# HTTPS
server {
    listen 443 ssl;
    server_name next.atlilith.com next.www.atlilith.com;

    ssl_certificate     /etc/nginx/ssl/next.atlilith.com.crt;
    ssl_certificate_key /etc/nginx/ssl/next.atlilith.com.key;

    # VPN/LAN only. allow/deny is evaluated against the connecting address as
    # seen by this container. NOTE(review): that is only meaningful if the
    # published port preserves the client source IP — confirm on the host.
    allow 10.0.0.0/24;
    allow 10.9.0.0/24;
    allow 127.0.0.1;
    deny  all;

    location / {
        # 172.17.0.1 is Docker host bridge IP (container -> host)
        proxy_pass http://172.17.0.1:4002;
        proxy_http_version 1.1;
        # Client identity for the backend; the scheme is a constant because
        # this server only listens with ssl.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# ==========================================================================
# Staging: next.status.atlilith.com -> status-dashboard
# VPN-only access - frontend (5001) + API (5000)
# ==========================================================================

# HTTP -> HTTPS redirect (no proxying on port 80 for this name).
server {
    listen 80;
    server_name next.status.atlilith.com;
    return 301 https://$host$request_uri;
}

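# HTTPS
server {
    listen 443 ssl;
    server_name next.status.atlilith.com;

    # Shares the next.atlilith.com certificate; presumably it carries this
    # name as a SAN — verify, otherwise clients get a name mismatch.
    ssl_certificate     /etc/nginx/ssl/next.atlilith.com.crt;
    ssl_certificate_key /etc/nginx/ssl/next.atlilith.com.key;

    # VPN/LAN only (evaluated against the connecting address).
    allow 10.0.0.0/24;
    allow 10.9.0.0/24;
    allow 127.0.0.1;
    deny  all;

    # API endpoints (backend on port 5000)
    location /api {
        proxy_pass http://172.17.0.1:5000/api;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # WebSocket for real-time updates
    location /socket.io {
        proxy_pass http://172.17.0.1:5000/socket.io;
        proxy_http_version 1.1;
        proxy_set_header Host       $host;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Forward the client identity on the socket handshake too, so the
        # backend sees the same X-Forwarded-* headers here as on /api and /
        # (this location was the only one without them).
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Frontend (static files via serve on port 5001)
    location / {
        proxy_pass http://172.17.0.1:5001;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
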
# ==========================================================================
# Forgejo - Git forge (HTTP)
# ==========================================================================
# NOTE(review): this server proxies Forgejo over plain HTTP instead of
# redirecting to the TLS servers below, so anything a client sends to
# forge.nasty.sh on port 80 (session cookies, git credentials) travels
# unencrypted — confirm that is intended rather than a leftover.
server {
    listen 80;
    server_name forge.nasty.sh forge.black.local;

    # Presumably sized for large git pushes / uploads.
    client_max_body_size 512M;

    location / {
        proxy_pass http://forgejo;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # $scheme is "http" on this listener; the TLS servers hard-code https.
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support for live updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# ==========================================================================
# Forgejo - Git forge (HTTPS - nasty.sh cert)
# ==========================================================================
server {
    listen 443 ssl;
    server_name forge.nasty.sh;

    ssl_certificate     /etc/nginx/ssl/forge.nasty.sh.crt;
    ssl_certificate_key /etc/nginx/ssl/forge.nasty.sh.key;

    # Presumably sized for large git pushes / uploads.
    client_max_body_size 512M;

    location / {
        proxy_pass http://forgejo;

        # Client identity; scheme is constant since this listener is ssl-only.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # WebSocket upgrade passthrough (live updates in the web UI).
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# ==========================================================================
# Forgejo - Git forge (HTTPS - black.local mkcert)
# ==========================================================================
server {
    listen 443 ssl;
    server_name forge.black.local;

    # mkcert wildcard for *.black.local (shared with the other black.local servers).
    ssl_certificate     /etc/nginx/ssl/_wildcard.black.local+1.pem;
    ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;

    # Presumably sized for large git pushes / uploads.
    client_max_body_size 512M;

    location / {
        proxy_pass http://forgejo;

        # Client identity; scheme is constant since this listener is ssl-only.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # WebSocket upgrade passthrough (live updates in the web UI).
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# ==========================================================================
# SSO - Single Sign-On Service (Staging)
# ==========================================================================
# Rate limiting zones (must be in http context). Keyed on the client address;
# 10 MB of shared memory per zone.
limit_req_zone $binary_remote_addr zone=sso_auth:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=sso_mfa:10m rate=5r/s;

# HTTP -> HTTPS redirect. This is the only port-80 server in the file that
# also binds IPv6.
server {
    listen 80;
    listen [::]:80;
    server_name next.sso.atlilith.com;
    return 301 https://$host$request_uri;
}

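# HTTPS server
# NOTE(review): unlike the other next.* staging servers this one carries no
# allow/deny list, so it is reachable from wherever the port is published —
# confirm that is intended for the SSO staging instance.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name next.sso.atlilith.com;

    ssl_certificate     /etc/nginx/ssl/next.sso.atlilith.com.crt;
    ssl_certificate_key /etc/nginx/ssl/next.sso.atlilith.com.key;

    # Rate limiting for authentication endpoints.
    # Matched case-insensitively and with an optional trailing slash so that
    # spelling variants of the same path still hit the limited location
    # instead of falling through to the unlimited default. Whether the
    # backend treats such variants as the same route is not visible here;
    # the wider match only ever limits more, never less.
    location ~* ^/auth/(login|register)/?$ {
        limit_req zone=sso_auth burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://172.17.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Rate limiting for MFA endpoints (/auth/mfa itself and everything below it).
    location ~* ^/auth/mfa(/|$) {
        limit_req zone=sso_mfa burst=3 nodelay;
        limit_req_status 429;
        proxy_pass http://172.17.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Default proxy (everything not matched above; no rate limit)
    location / {
        proxy_pass http://172.17.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
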
# ==========================================================================
# Staging: next.www.trustedmeet.com -> webmap-router + marketplace APIs
# VPN-only access - marketplace + SEO frontends
# ==========================================================================

# HTTP -> HTTPS redirect (no proxying on port 80 for this name).
server {
    listen 80;
    server_name next.www.trustedmeet.com;
    return 301 https://$host$request_uri;
}

# HTTPS
server {
    listen 443 ssl;
    server_name next.www.trustedmeet.com;

    ssl_certificate     /etc/nginx/ssl/next.trustedmeet.com.crt;
    ssl_certificate_key /etc/nginx/ssl/next.trustedmeet.com.key;

    # VPN/LAN only (evaluated against the connecting address).
    allow 10.0.0.0/24;
    allow 10.9.0.0/24;
    allow 127.0.0.1;
    deny  all;

    # Default: webmap-router
    location / {
        proxy_pass http://172.17.0.1:4002;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_connect_timeout 60s;
        proxy_send_timeout    60s;
        proxy_read_timeout    60s;
    }

    # Health check endpoint (same backend as /, no client headers forwarded)
    location /health {
        proxy_pass http://172.17.0.1:4002/health;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
    }

    # Marketplace API. The trailing slash on both sides strips the
    # /api/marketplace/ prefix before the request reaches port 3001.
    location /api/marketplace/ {
        proxy_pass http://172.17.0.1:3001/;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # /api/inbox/... -> /inbox/... on the marketplace backend
    location /api/inbox/ {
        proxy_pass http://172.17.0.1:3001/inbox/;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # /api/service-agreements/... -> /agreements/... on the marketplace backend
    location /api/service-agreements/ {
        proxy_pass http://172.17.0.1:3001/agreements/;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Attribute definitions service (path passed through unchanged)
    location /api/attribute-definitions {
        proxy_pass http://172.17.0.1:4010;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # SEO API (path passed through unchanged)
    location /api/seo {
        proxy_pass http://172.17.0.1:3400;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# ==========================================================================
# Verdaccio NPM Cache (HTTP)
# ==========================================================================
server {
    listen 80;
    server_name npm.nasty.sh npm.black.local;

    # VPN/LAN only (no loopback entry here, unlike the next.* servers).
    allow 10.0.0.0/24;
    allow 10.9.0.0/24;
    deny  all;

    client_max_body_size 100M;

    location / {
        proxy_pass http://verdaccio;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Stream package bodies in both directions instead of spooling them,
        # and allow long transfers.
        proxy_buffering         off;
        proxy_request_buffering off;
        proxy_connect_timeout 60s;
        proxy_send_timeout    300s;
        proxy_read_timeout    300s;
    }
}

# ==========================================================================
# Verdaccio NPM Cache (HTTPS - nasty.sh cert)
# ==========================================================================
server {
    listen 443 ssl;
    server_name npm.nasty.sh;

    ssl_certificate     /etc/nginx/ssl/npm.nasty.sh.crt;
    ssl_certificate_key /etc/nginx/ssl/npm.nasty.sh.key;

    # VPN/LAN only (no loopback entry here, unlike the next.* servers).
    allow 10.0.0.0/24;
    allow 10.9.0.0/24;
    deny  all;

    client_max_body_size 100M;

    location / {
        proxy_pass http://verdaccio;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Stream package bodies in both directions instead of spooling them,
        # and allow long transfers.
        proxy_buffering         off;
        proxy_request_buffering off;
        proxy_connect_timeout 60s;
        proxy_send_timeout    300s;
        proxy_read_timeout    300s;
    }
}

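# ==========================================================================
# *.black.local HTTPS (mkcert wildcard)
# ==========================================================================

# Verdaccio NPM Cache
server {
    listen 443 ssl;
    server_name npm.black.local;

    ssl_certificate     /etc/nginx/ssl/_wildcard.black.local+1.pem;
    ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;

    # Same VPN/LAN allow list as the other two Verdaccio servers. npm.black.local
    # is already restricted on port 80; this TLS listener was the only Verdaccio
    # entry point without the list.
    allow 10.0.0.0/24;
    allow 10.9.0.0/24;
    deny  all;

    client_max_body_size 100M;

    location / {
        proxy_pass http://verdaccio;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Stream package bodies in both directions instead of spooling them,
        # and allow long transfers.
        proxy_buffering         off;
        proxy_request_buffering off;
        proxy_connect_timeout 60s;
        proxy_send_timeout    300s;
        proxy_read_timeout    300s;
    }
}
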
# Life Manager — Frontend (local on black)
# Answers on both plain HTTP and TLS for lm.black.local; there is no
# HTTP -> HTTPS redirect and no allow list on this name.
server {
    listen 80;
    listen 443 ssl;
    server_name lm.black.local;

    ssl_certificate     /etc/nginx/ssl/_wildcard.black.local+1.pem;
    ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;

    client_max_body_size 50M;

    location / {
        # The backend speaks TLS itself; SNI and Host are pinned to black.local.
        proxy_pass https://172.17.0.1:5700;
        # NOTE(review): the backend certificate is not verified, so nginx
        # accepts any certificate on the container -> host hop. If the backend
        # is issued from the same mkcert CA, `proxy_ssl_trusted_certificate`
        # pointing at that CA plus `proxy_ssl_verify on` would close the gap.
        proxy_ssl_verify      off;
        proxy_ssl_server_name on;
        proxy_ssl_name        black.local;
        proxy_http_version 1.1;
        proxy_set_header Host              black.local;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        # Drop the backend's Alt-Svc header — presumably so browsers do not
        # try to reach the backend directly on an advertised alternative.
        proxy_hide_header Alt-Svc;
    }
}

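# Life Manager — Direct API (local on black)
# Answers on both plain HTTP and TLS; no redirect, no allow list.
server {
    listen 80;
    listen 443 ssl;
    server_name lm-api.black.local;

    ssl_certificate     /etc/nginx/ssl/_wildcard.black.local+1.pem;
    ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;

    location / {
        proxy_pass http://172.17.0.1:3700;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket endpoint; long read timeout keeps idle sockets open.
    location /socket.io/ {
        proxy_pass http://172.17.0.1:3700;
        proxy_http_version 1.1;
        proxy_set_header Host       $host;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Forward the client identity on the socket handshake as well, so the
        # backend sees the same X-Forwarded-* headers here as on /
        # (this location previously carried only Host/Upgrade/Connection).
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400s;
    }
}
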
# PyPI Server
# Answers on both plain HTTP and TLS; no redirect, no allow list on this name.
server {
    listen 80;
    listen 443 ssl;
    server_name pypi.black.local;

    ssl_certificate     /etc/nginx/ssl/_wildcard.black.local+1.pem;
    ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;

    client_max_body_size 100M;

    location / {
        # Backend held in a variable so it is resolved per request via the
        # http-level resolver; nginx then starts and reloads even while the
        # pypi container is down.
        set $pypi_backend http://pypi:8080;
        proxy_pass $pypi_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

}
# TCP passthrough for Forgejo's SSH service: this container's port 2222 is
# forwarded as-is to forgejo:22 (no TLS termination, no access list here).
stream {
    upstream forgejo_ssh {
        server forgejo:22;
    }

    server {
        listen 2222;
        proxy_pass forgejo_ssh;
    }
}