diff --git a/docker/docker-compose.prod.yml b/docker/docker-compose.prod.yml
index ee2c7d7..3f9b7db 100644
--- a/docker/docker-compose.prod.yml
+++ b/docker/docker-compose.prod.yml
@@ -4,10 +4,9 @@ include:
   - ./volumes.yml
   - ./networks.yml
   - ./front/compose.yml
-  - ./proxy/compose.yml
+  - ./proxy/compose.prod.yml
   - ./monitoring/compose.yml
   - ./api-base/compose.yml
-  # - ./front/compose.yml
   - ./ELK/compose.yml
 services:
diff --git a/docker/proxy/Dockerfile.prod b/docker/proxy/Dockerfile.prod
new file mode 100644
index 0000000..5c83136
--- /dev/null
+++ b/docker/proxy/Dockerfile.prod
@@ -0,0 +1,35 @@
+FROM node:lts-alpine AS builder
+
+RUN npm install -g pnpm
+
+WORKDIR /app
+
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+
+RUN pnpm install --frozen-lockfile
+
+COPY vite.config.js tailwind.config.js ./
+COPY src ./src
+
+RUN pnpm vite build
+
+FROM owasp/modsecurity-crs:nginx-alpine
+
+RUN mkdir -p /etc/nginx/modsecurity.d \
+    && cp /etc/modsecurity.d/unicode.mapping /etc/nginx/modsecurity.d/unicode.mapping
+
+COPY docker/proxy/config/default.prod.conf.template \
+    /etc/nginx/templates/conf.d/default.conf.template
+
+COPY --chmod=755 docker/proxy/entry/ssl-cert.sh /docker-entrypoint.d/ssl-cert.sh
+
+COPY --from=builder /app/dist /usr/share/nginx/html
+
+USER root
+RUN mkdir -p /var/log/front
+RUN touch /var/log/front/err.log /var/log/front/log.log
+RUN chmod -R 777 /var/log/front
+USER nginx
+
+EXPOSE 80 443
+STOPSIGNAL SIGINT
diff --git a/docker/proxy/compose.prod.yml b/docker/proxy/compose.prod.yml
new file mode 100644
index 0000000..188b89f
--- /dev/null
+++ b/docker/proxy/compose.prod.yml
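Review bot: `RUN chmod -R 777 /var/log/front` makes the log directory and both log files world-writable, although the only writer after `USER nginx` is nginx itself; the three RUNs can become one that grants ownership instead of open permissions, e.g. `RUN install -d -o nginx -g nginx -m 755 /var/log/front && touch /var/log/front/err.log /var/log/front/log.log && chown nginx:nginx /var/log/front/*.log`. Both base tags float (`node:lts-alpine`, `owasp/modsecurity-crs:nginx-alpine`) and `npm install -g pnpm` is unpinned, so the image is not reproducible and the build toolchain is whatever the registry serves on the day; pin pnpm (`npm install -g pnpm@<version>`, or corepack with a `packageManager` field) and the images by minor tag or digest. If the base image's nginx is set up to run unprivileged, which the closing `USER nginx` suggests, the `listen 80`/`listen 443` in the copied template cannot bind below 1024 without a capability — confirm which ports the base image expects. `STOPSIGNAL SIGINT` asks nginx for a fast shutdown; `SIGQUIT` is the graceful one that lets in-flight requests complete.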
@@ -0,0 +1,20 @@
+services:
+  front:
+    container_name: transcendence-front
+    build:
+      dockerfile: docker/front/Dockerfile.prod
+      context: ../../
+    ports:
+      - ${OUT_PORT}:443
+    volumes:
+      - log-nginx:/var/log/front
+    environment:
+      - TZ=Europe/Paris
+    depends_on:
+      user-api:
+        condition: service_started
+      auth-api:
+        condition: service_started
+    networks:
+      - front
+    restart: unless-stopped
diff --git a/docker/proxy/config/default.conf.template b/docker/proxy/config/default.conf.template
index 5640b84..4135638 100644
--- a/docker/proxy/config/default.conf.template
+++ b/docker/proxy/config/default.conf.template
@@ -2,7 +2,7 @@ server {
     error_log /var/log/front/err.log warn;
     access_log /var/log/front/log.log;
-    listen 80;
+    listen 443 ssl;
     modsecurity on;
diff --git a/docker/proxy/config/default.prod.conf.template b/docker/proxy/config/default.prod.conf.template
new file mode 100644
index 0000000..5640b84
--- /dev/null
+++ b/docker/proxy/config/default.prod.conf.template
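Review bot: `dockerfile: docker/front/Dockerfile.prod` points at the front directory, while this commit adds `docker/proxy/Dockerfile.prod` whose COPY paths are `docker/proxy/...` relative to the `../../` context; unless a front Dockerfile.prod exists elsewhere, this should read `dockerfile: docker/proxy/Dockerfile.prod`. `${OUT_PORT}:443` publishes the TLS port, but the template that Dockerfile.prod installs listens on 80 only, so the published port would reach no listener — worth checking against the intended server block. `depends_on` with `service_started` only waits for the API containers to exist; if they define healthchecks, `condition: service_healthy` keeps the proxy from starting before its upstreams accept connections.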
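Review bot: `listen 443 ssl;` requires `ssl_certificate` and `ssl_certificate_key` in the same server block, and neither is in the hunk; if they are not set further down in the file (the `server {` block opens above and continues below this hunk), nginx refuses to start on this config. With the plain listener on 80 gone, an HTTP request to this port now gets nginx's "plain HTTP request was sent to HTTPS port" error instead of a redirect; a second block `server { listen 80; return 301 https://$host$request_uri; }` keeps the old port usable and pushes clients to TLS.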
@@ -0,0 +1,48 @@
+server {
+    error_log /var/log/front/err.log warn;
+    access_log /var/log/front/log.log;
+
+    listen 80;
+
+    modsecurity on;
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    location / {
+        proxy_pass http://transcendence-webserv:80/;
+        proxy_http_version 1.1;
+    }
+
+    location /api/v1/user/ {
+        proxy_pass http://transcendence-api-user:3000/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/v1/user/metrics {
+        return 403;
+    }
+
+    location /api/v1/auth/ {
+        proxy_pass http://transcendence-api-auth:3000/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/v1/auth/metrics {
+        return 403;
+    }
+}
+
+server {
+    listen 8080;
+    location /nginx_status {
+        stub_status;
+    }
+}
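Review bot: This prod template is byte-identical to the previous `default.conf.template` (same blob `5640b84`), so it listens on plain `80` while sending `Strict-Transport-Security ... preload` on every response; browsers ignore HSTS received over HTTP, and `preload` is a commitment the host cannot honor until TLS terminates here or in front of it. Since compose.prod.yml publishes port 443 to this container and Dockerfile.prod installs an `ssl-cert.sh` entrypoint hook, it looks as though the `listen 443 ssl` change landed in the other template — either terminate TLS in this block (`listen 443 ssl;` plus the certificate directives) or drop the HSTS header until it does. `default-src 'self' http: https: data: blob: 'unsafe-inline'` allows scripts from any origin over either scheme plus inline script, so this CSP blocks nothing a CSP is meant to block; start from `default-src 'self'` and add only the sources the built app needs. `stub_status` on 8080 has no `allow`/`deny`, so presumably any container on the shared network can read the counters; restrict it with `allow <monitoring-subnet>; deny all;`.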