fix nginx proxy for server

2025-06-12 23:19:50 +07:00
parent bba37c1720
commit e64cf43390
2 changed files with 51 additions and 11 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -35,6 +35,7 @@ services:
      MYSQL_USER: ${DB_USERNAME:-laravel}
    volumes:
      - mysql_data:/var/lib/mysql
+      - ./ckb.sql:/docker-entrypoint-initdb.d/01-init.sql:ro
      - ./docker/mysql.cnf:/etc/mysql/conf.d/mysql.cnf:ro
    expose:
      - "3306"
@@ -59,8 +60,8 @@ services:
    container_name: ckb-nginx-proxy
    restart: unless-stopped
    ports:
-      - "8081:80"
-      - "443:443"
+      - "8082:80"
+      - "8444:443"
    volumes:
      - ./docker/nginx-proxy.conf:/etc/nginx/nginx.conf:ro
      - ssl_certificates:/etc/nginx/ssl:ro
--- a/docker/nginx-proxy.conf
+++ b/docker/nginx-proxy.conf
@@ -46,26 +46,69 @@ http {
        server app:80;
    }

-    # HTTP to HTTPS redirect
+    # HTTP server configuration
    server {
        listen 80;
-        server_name bengkel.digitaloasis.xyz www.bengkel.digitaloasis.xyz;
+        server_name bengkel.digitaloasis.xyz www.bengkel.digitaloasis.xyz _;
        
        # Let's Encrypt challenge
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
        
-        # Redirect all other traffic to HTTPS
+        # Main application for HTTP
        location / {
-            return 301 https://$server_name$request_uri;
+            proxy_pass http://app;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $server_name;
+            proxy_set_header X-Forwarded-Port $server_port;
+            proxy_read_timeout 300;
+            proxy_connect_timeout 300;
+            proxy_send_timeout 300;
+        }
+
+        # Handle static files
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+            proxy_pass http://app;
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+        }
+
+        # Rate limiting for login endpoints
+        location ~ ^/(login|register|password) {
+            limit_req zone=login burst=5 nodelay;
+            proxy_pass http://app;
+        }
+
+        # Rate limiting for API endpoints
+        location /api/ {
+            limit_req zone=api burst=20 nodelay;
+            proxy_pass http://app;
+        }
+
+        # Health check endpoint
+        location /health {
+            access_log off;
+            proxy_pass http://app;
+        }
+
+        # Block access to sensitive files
+        location ~ /\. {
+            deny all;
+        }
+
+        location ~ ^/(storage|bootstrap/cache) {
+            deny all;
        }
    }

    # HTTPS server configuration
    server {
        listen 443 ssl http2;
-        server_name bengkel.digitaloasis.xyz www.bengkel.digitaloasis.xyz;
+        server_name bengkel.digitaloasis.xyz www.bengkel.digitaloasis.xyz _;

        # SSL configuration
        ssl_certificate /etc/nginx/ssl/fullchain.pem;
@@ -85,10 +128,6 @@ http {
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

-        # Root directory
-        root /var/www/html/public;
-        index index.php index.html;
-
        # Proxy settings
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;