
# Forgejo Nginx Configuration for black host
# =============================================================================
# This nginx config runs inside the forgejo-nginx container and handles:
# 1. Forgejo git forge (forge.nasty.sh)
# 2. Staging domains (next.*.atlilith.com) - proxied to host services
# 3. Verdaccio NPM cache (npm.nasty.sh)
#
# Location: /bigdisk/forgejo/nginx.conf on black host
# Deploy: scp this file to black:/bigdisk/forgejo/nginx.conf
# docker exec forgejo-nginx nginx -s reload
# =============================================================================
# Connection-processing settings; a single worker handles up to 1024
# simultaneous connections (covers client and upstream sockets).
events {
worker_connections 1024;
}
http {
# Forgejo web UI/API on the compose network (service name resolved at startup).
upstream forgejo {
server forgejo:3000;
}
# Verdaccio registry on the compose network; shared by all npm.* servers below.
upstream verdaccio {
server verdaccio:4873;
}
# DNS resolver for dynamic upstreams (pypi may not be running)
# 127.0.0.11 is Docker's embedded DNS; variable-based proxy_pass (see the
# pypi server) re-resolves every 30s instead of failing at config load.
resolver 127.0.0.11 valid=30s ipv6=off;
# SSL settings (shared)
# TLS 1.2+ with ECDHE/AEAD suites only; client cipher preference is honoured.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Resumption cache shared across workers, entries valid for one day.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# NOTE(review): session tickets are left at nginx's default (enabled);
# consider `ssl_session_tickets off;` so resumption does not weaken forward
# secrecy. No HSTS header is set anywhere in this file — the public hosts
# (forge.nasty.sh, npm.nasty.sh) are candidates for
# `add_header Strict-Transport-Security` once HTTP redirects to HTTPS.
# ==========================================================================
# Staging: next.atlilith.com / next.www.atlilith.com -> webmap-router (port 4002)
# VPN-only access - serves landing + SEO frontends
# ==========================================================================
# HTTP -> HTTPS redirect
server {
listen 80;
server_name next.atlilith.com next.www.atlilith.com;
# Redirect only; no content is served in cleartext for these names.
return 301 https://$host$request_uri;
}
# HTTPS
server {
listen 443 ssl;
server_name next.atlilith.com next.www.atlilith.com;
# Staging cert shared by the next.*.atlilith.com hosts.
ssl_certificate /etc/nginx/ssl/next.atlilith.com.crt;
ssl_certificate_key /etc/nginx/ssl/next.atlilith.com.key;
# VPN/LAN only
# NOTE(review): allow/deny tests $remote_addr as seen inside the container;
# confirm the Docker port publishing preserves client source addresses,
# otherwise this list admits or rejects the wrong peers.
allow 10.0.0.0/24;
allow 10.9.0.0/24;
allow 127.0.0.1;
deny all;
location / {
# 172.17.0.1 is Docker host bridge IP (container -> host)
# webmap-router on the host; X-Forwarded-Proto is fixed to https because
# this server only listens on 443.
proxy_pass http://172.17.0.1:4002;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
# ==========================================================================
# Staging: next.status.atlilith.com -> status-dashboard
# VPN-only access - frontend (5001) + API (5000)
# ==========================================================================
# HTTP -> HTTPS redirect
server {
listen 80;
server_name next.status.atlilith.com;
# Redirect only; the dashboard is served solely over TLS below.
return 301 https://$host$request_uri;
}
# HTTPS
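server {
    listen 443 ssl;
    server_name next.status.atlilith.com;
    # Staging cert shared by the next.*.atlilith.com hosts.
    ssl_certificate /etc/nginx/ssl/next.atlilith.com.crt;
    ssl_certificate_key /etc/nginx/ssl/next.atlilith.com.key;
    # VPN/LAN only
    # NOTE(review): allow/deny tests $remote_addr as seen inside the container;
    # confirm the Docker port publishing preserves client source addresses.
    allow 10.0.0.0/24;
    allow 10.9.0.0/24;
    allow 127.0.0.1;
    deny all;
    # API endpoints (backend on port 5000, reached via the Docker host bridge)
    location /api {
        proxy_pass http://172.17.0.1:5000/api;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
    # WebSocket for real-time updates (same backend as /api)
    location /socket.io {
        proxy_pass http://172.17.0.1:5000/socket.io;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # Forward the client identity exactly like the sibling locations, so
        # the backend's logs and any per-client controls see the real peer
        # instead of the proxy address on the WebSocket path too.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Long-lived socket: nginx's default 60s read timeout would close an
        # idle WebSocket. Same value as the lm-api /socket.io/ location.
        proxy_read_timeout 86400s;
    }
    # Frontend (static files via serve on port 5001)
    location / {
        proxy_pass http://172.17.0.1:5001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}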
# ==========================================================================
# Forgejo - Git forge (HTTP)
# ==========================================================================
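server {
    listen 80;
    server_name forge.nasty.sh;
    # Public hostname: do not serve the forge (logins, API tokens, git-over-HTTP
    # credentials) in cleartext. Redirect to the TLS server for this name,
    # matching the HTTP -> HTTPS pattern the staging hosts in this file use.
    # NOTE(review): if certificate renewal depends on an HTTP-01 challenge
    # answered through this vhost, add a /.well-known/acme-challenge/ location
    # ahead of this redirect — not determinable from this file.
    return 301 https://$host$request_uri;
}
# forge.black.local keeps its plain-HTTP proxy unchanged (LAN name with a
# mkcert cert); a TLS server for the same name follows further below.
server {
    listen 80;
    server_name forge.black.local;
    # Large pushes over git-over-HTTP.
    client_max_body_size 512M;
    location / {
        proxy_pass http://forgejo;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support for live updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}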
# ==========================================================================
# Forgejo - Git forge (HTTPS - nasty.sh cert)
# ==========================================================================
server {
listen 443 ssl;
server_name forge.nasty.sh;
ssl_certificate /etc/nginx/ssl/forge.nasty.sh.crt;
ssl_certificate_key /etc/nginx/ssl/forge.nasty.sh.key;
# Large pushes over git-over-HTTP.
client_max_body_size 512M;
location / {
proxy_pass http://forgejo;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Fixed to https: this server only listens on 443.
proxy_set_header X-Forwarded-Proto https;
# WebSocket support for live updates. NOTE(review): `Connection "upgrade"`
# is sent on every request, not only when $http_upgrade is set; the
# documented `map $http_upgrade $connection_upgrade` pattern avoids that.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# ==========================================================================
# Forgejo - Git forge (HTTPS - black.local mkcert)
# ==========================================================================
server {
listen 443 ssl;
server_name forge.black.local;
# mkcert wildcard for *.black.local (locally trusted CA, not public).
ssl_certificate /etc/nginx/ssl/_wildcard.black.local+1.pem;
ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;
# Large pushes over git-over-HTTP.
client_max_body_size 512M;
location / {
proxy_pass http://forgejo;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Fixed to https: this server only listens on 443.
proxy_set_header X-Forwarded-Proto https;
# WebSocket support for live updates.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# ==========================================================================
# SSO - Single Sign-On Service (Staging)
# ==========================================================================
# Rate limiting zones (must be in http context)
# Keyed by client address; 10m of shared memory per zone.
# NOTE(review): the key is the address nginx sees — confirm it is the real
# client and not a Docker gateway, or the whole network shares one bucket.
limit_req_zone $binary_remote_addr zone=sso_auth:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=sso_mfa:10m rate=5r/s;
# HTTP -> HTTPS redirect
server {
listen 80;
# Only this host pair also listens on IPv6; the other servers are IPv4-only.
listen [::]:80;
server_name next.sso.atlilith.com;
# Redirect only; no SSO traffic is served in cleartext.
return 301 https://$host$request_uri;
}
# HTTPS server
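server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name next.sso.atlilith.com;
    ssl_certificate /etc/nginx/ssl/next.sso.atlilith.com.crt;
    ssl_certificate_key /etc/nginx/ssl/next.sso.atlilith.com.key;
    # NOTE(review): unlike the other next.* staging hosts this server carries
    # no allow/deny list; confirm the SSO endpoint is meant to be reachable
    # beyond the VPN/LAN ranges.
    # Rate limiting for authentication endpoints.
    # Case-insensitive with an optional trailing slash so path variants the
    # backend may accept (/Auth/Login, /auth/login/) do not fall through to the
    # unthrottled default location. All three locations reach the same
    # backend with the same headers, so only the limiting changes.
    location ~* ^/auth/(login|register)/?$ {
        limit_req zone=sso_auth burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://172.17.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Rate limiting for MFA endpoints (with or without a trailing segment).
    location ~* ^/auth/mfa(/|$) {
        limit_req zone=sso_mfa burst=3 nodelay;
        limit_req_status 429;
        proxy_pass http://172.17.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Default proxy — no limit_req here; any other credential-handling path
    # on the backend is unthrottled from nginx's side.
    location / {
        proxy_pass http://172.17.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}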
# ==========================================================================
# Staging: next.www.trustedmeet.com -> webmap-router + marketplace APIs
# VPN-only access - marketplace + SEO frontends
# ==========================================================================
# HTTP -> HTTPS redirect
server {
listen 80;
server_name next.www.trustedmeet.com;
# Redirect only; content is served solely over TLS below.
return 301 https://$host$request_uri;
}
# HTTPS
server {
listen 443 ssl;
server_name next.www.trustedmeet.com;
ssl_certificate /etc/nginx/ssl/next.trustedmeet.com.crt;
ssl_certificate_key /etc/nginx/ssl/next.trustedmeet.com.key;
# VPN/LAN only
# NOTE(review): allow/deny tests $remote_addr as seen inside the container;
# confirm the Docker port publishing preserves client source addresses.
allow 10.0.0.0/24;
allow 10.9.0.0/24;
allow 127.0.0.1;
deny all;
# Default: webmap-router
# (prefix locations below win by longest match regardless of order)
location / {
proxy_pass http://172.17.0.1:4002;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
# Health check endpoint
# Only Host is forwarded here; no client-identity headers, unlike the others.
location /health {
proxy_pass http://172.17.0.1:4002/health;
proxy_http_version 1.1;
proxy_set_header Host $host;
}
# Marketplace API
# Trailing slash on both sides: /api/marketplace/x -> :3001/x.
location /api/marketplace/ {
proxy_pass http://172.17.0.1:3001/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
# /api/inbox/x -> :3001/inbox/x
location /api/inbox/ {
proxy_pass http://172.17.0.1:3001/inbox/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
# /api/service-agreements/x -> :3001/agreements/x
location /api/service-agreements/ {
proxy_pass http://172.17.0.1:3001/agreements/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
# Prefix match without a trailing slash: also covers any longer path that
# starts with this string; the URI is passed through unchanged to :4010.
location /api/attribute-definitions {
proxy_pass http://172.17.0.1:4010;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
# SEO API
# Same prefix semantics as above; URI passed through unchanged to :3400.
location /api/seo {
proxy_pass http://172.17.0.1:3400;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
# ==========================================================================
# Verdaccio NPM Cache (HTTP)
# ==========================================================================
server {
listen 80;
server_name npm.nasty.sh npm.black.local;
# LAN/VPN only (no loopback entry, unlike the next.* hosts).
# NOTE(review): npm auth tokens traverse this port in cleartext; the allow
# list is the only control. allow/deny tests $remote_addr as seen inside the
# container — confirm Docker port publishing preserves client addresses.
allow 10.0.0.0/24;
allow 10.9.0.0/24;
deny all;
client_max_body_size 100M;
location / {
proxy_pass http://verdaccio;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Stream tarballs in both directions instead of spooling them to disk.
proxy_buffering off;
proxy_request_buffering off;
proxy_connect_timeout 60s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
}
# ==========================================================================
# Verdaccio NPM Cache (HTTPS - nasty.sh cert)
# ==========================================================================
server {
listen 443 ssl;
server_name npm.nasty.sh;
ssl_certificate /etc/nginx/ssl/npm.nasty.sh.crt;
ssl_certificate_key /etc/nginx/ssl/npm.nasty.sh.key;
# LAN/VPN only.
# NOTE(review): allow/deny tests $remote_addr as seen inside the container;
# confirm Docker port publishing preserves client source addresses.
allow 10.0.0.0/24;
allow 10.9.0.0/24;
deny all;
client_max_body_size 100M;
location / {
proxy_pass http://verdaccio;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Fixed to https: this server only listens on 443.
proxy_set_header X-Forwarded-Proto https;
# Stream tarballs in both directions instead of spooling them to disk.
proxy_buffering off;
proxy_request_buffering off;
proxy_connect_timeout 60s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
}
# ==========================================================================
# *.black.local HTTPS (mkcert wildcard)
# ==========================================================================
# Verdaccio NPM Cache
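server {
    listen 443 ssl;
    server_name npm.black.local;
    # mkcert wildcard for *.black.local.
    ssl_certificate /etc/nginx/ssl/_wildcard.black.local+1.pem;
    ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;
    # Same LAN/VPN restriction as the npm.nasty.sh servers. All three front the
    # one verdaccio upstream, and on the shared :443 the server block is chosen
    # by SNI/Host, so without this list any peer that can reach the port could
    # reach the registry by presenting this name — bypassing the other two.
    allow 10.0.0.0/24;
    allow 10.9.0.0/24;
    deny all;
    client_max_body_size 100M;
    location / {
        proxy_pass http://verdaccio;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Fixed to https: this server only listens on 443.
        proxy_set_header X-Forwarded-Proto https;
        # Stream tarballs in both directions instead of spooling them to disk.
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }
}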
# Life Manager — Frontend (local on black)
server {
# One block answers both plain HTTP and TLS; no redirect, so the app is
# reachable in cleartext on :80.
listen 80;
listen 443 ssl;
server_name lm.black.local;
ssl_certificate /etc/nginx/ssl/_wildcard.black.local+1.pem;
ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;
client_max_body_size 50M;
# NOTE(review): no allow/deny here, unlike the npm.* servers; since the
# server is selected by Host/SNI on the shared ports, any peer that can reach
# them can reach this app by name. Confirm that matches the "local on black"
# intent.
location / {
# Upstream speaks TLS on the host bridge.
proxy_pass https://172.17.0.1:5700;
# NOTE(review): upstream certificate is not verified. If :5700 presents the
# mkcert wildcard, set `proxy_ssl_trusted_certificate <mkcert-root-path>`
# and `proxy_ssl_verify on` instead.
proxy_ssl_verify off;
# SNI and Host are pinned to black.local rather than the client's $host.
proxy_ssl_server_name on;
proxy_ssl_name black.local;
proxy_http_version 1.1;
proxy_set_header Host black.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Sent on every request, not only WebSocket upgrades (see the
# `map $http_upgrade $connection_upgrade` pattern in the nginx docs).
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Keep the upstream from advertising alternative services to the client.
proxy_hide_header Alt-Svc;
}
}
# Life Manager — Direct API (local on black)
server {
# Plain HTTP and TLS served by the same block; no redirect to HTTPS.
listen 80;
listen 443 ssl;
server_name lm-api.black.local;
ssl_certificate /etc/nginx/ssl/_wildcard.black.local+1.pem;
ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;
# NOTE(review): no allow/deny, unlike the npm.* servers; reachable by Host
# name from any peer that reaches the shared ports. Confirm that is intended.
location / {
proxy_pass http://172.17.0.1:3700;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# WebSocket path to the same backend; note it forwards only Host, not the
# client-identity headers the / location sends.
location /socket.io/ {
proxy_pass http://172.17.0.1:3700;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Keep idle WebSockets open for up to a day instead of nginx's 60s default.
proxy_read_timeout 86400s;
}
}
# PyPI Server
server {
# Plain HTTP and TLS served by the same block; no redirect to HTTPS.
listen 80;
listen 443 ssl;
server_name pypi.black.local;
ssl_certificate /etc/nginx/ssl/_wildcard.black.local+1.pem;
ssl_certificate_key /etc/nginx/ssl/_wildcard.black.local+1-key.pem;
# Package uploads.
client_max_body_size 100M;
# NOTE(review): no allow/deny at the proxy; any access control for uploads
# must live in the pypi service itself — not visible from this file.
location / {
# Variable target so the name is resolved at request time via the http-level
# resolver; a static proxy_pass would fail nginx startup when pypi is down.
set $pypi_backend http://pypi:8080;
proxy_pass $pypi_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}
# TCP pass-through for Forgejo SSH: container port 2222 -> forgejo:22.
# NOTE(review): without the PROXY protocol on both sides, Forgejo sees nginx's
# address as the SSH peer, so its own logging and any per-source lockout key
# on the proxy rather than the client.
stream {
upstream forgejo_ssh {
server forgejo:22;
}
server {
listen 2222;
proxy_pass forgejo_ssh;
}
}