arifal/CKB
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix nginx proxy for server

Browse Source
This commit is contained in:
arifal
2025-06-12 23:19:50 +07:00
parent bba37c1720
commit e64cf43390
2 changed files with 51 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docker-compose.prod.yml
View File

@@ -35,6 +35,7 @@ services:
MYSQL_USER: ${DB_USERNAME:-laravel} MYSQL_USER: ${DB_USERNAME:-laravel}
volumes: volumes:
- mysql_data:/var/lib/mysql - mysql_data:/var/lib/mysql
- ./ckb.sql:/docker-entrypoint-initdb.d/01-init.sql:ro
- ./docker/mysql.cnf:/etc/mysql/conf.d/mysql.cnf:ro - ./docker/mysql.cnf:/etc/mysql/conf.d/mysql.cnf:ro
expose: expose:
- "3306" - "3306"
@@ -59,8 +60,8 @@ services:
container_name: ckb-nginx-proxy container_name: ckb-nginx-proxy
restart: unless-stopped restart: unless-stopped
ports: ports:
- "8081:80" - "8082:80"
- "443:443" - "8444:443"
volumes: volumes:
- ./docker/nginx-proxy.conf:/etc/nginx/nginx.conf:ro - ./docker/nginx-proxy.conf:/etc/nginx/nginx.conf:ro
- ssl_certificates:/etc/nginx/ssl:ro - ssl_certificates:/etc/nginx/ssl:ro

57
docker/nginx-proxy.conf
View File

@@ -46,26 +46,69 @@ http {
server app:80; server app:80;
} }
# HTTP to HTTPS redirect # HTTP server configuration
server { server {
listen 80; listen 80;
server_name bengkel.digitaloasis.xyz www.bengkel.digitaloasis.xyz; server_name bengkel.digitaloasis.xyz www.bengkel.digitaloasis.xyz _;
# Let's Encrypt challenge # Let's Encrypt challenge
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
root /var/www/certbot; root /var/www/certbot;
} }
# Redirect all other traffic to HTTPS # Main application for HTTP
location / { location / {
return 301 https://$server_name$request_uri; proxy_pass http://app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Port $server_port;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
# Handle static files
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
proxy_pass http://app;
expires 1y;
add_header Cache-Control "public, immutable";
}
# Rate limiting for login endpoints
location ~ ^/(login|register|password) {
limit_req zone=login burst=5 nodelay;
proxy_pass http://app;
}
# Rate limiting for API endpoints
location /api/ {
limit_req zone=api burst=20 nodelay;
proxy_pass http://app;
}
# Health check endpoint
location /health {
access_log off;
proxy_pass http://app;
}
# Block access to sensitive files
location ~ /\. {
deny all;
}
location ~ ^/(storage|bootstrap/cache) {
deny all;
} }
} }
# HTTPS server configuration # HTTPS server configuration
server { server {
listen 443 ssl http2; listen 443 ssl http2;
server_name bengkel.digitaloasis.xyz www.bengkel.digitaloasis.xyz; server_name bengkel.digitaloasis.xyz www.bengkel.digitaloasis.xyz _;
# SSL configuration # SSL configuration
ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate /etc/nginx/ssl/fullchain.pem;
@@ -85,10 +128,6 @@ http {
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Root directory
root /var/www/html/public;
index index.php index.html;
# Proxy settings # Proxy settings
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;