「🏗️」 wip: should be ready to prod

docker/proxy/Dockerfile

@@ -0,0 +1,35 @@
+FROM		node:lts-alpine AS builder
+
+RUN			npm install -g pnpm
+
+WORKDIR		/app
+
+COPY		package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+
+RUN			pnpm install --frozen-lockfile
+
+COPY		vite.config.js tailwind.config.js ./
+COPY		src ./src
+
+RUN			pnpm vite build
+
+FROM		owasp/modsecurity-crs:nginx-alpine
+
+RUN			mkdir -p /etc/nginx/modsecurity.d \
+			&& cp /etc/modsecurity.d/unicode.mapping /etc/nginx/modsecurity.d/unicode.mapping
+
+COPY		docker/proxy/config/default.conf.template \
+			/etc/nginx/templates/conf.d/default.conf.template
+
+COPY		--chmod=755 docker/proxy/entry/ssl-cert.sh /docker-entrypoint.d/ssl-cert.sh
+
+COPY		--from=builder /app/dist /usr/share/nginx/html
+
+USER		root
+RUN			mkdir -p /var/log/front
+RUN			touch /var/log/front/err.log /var/log/front/log.log
+RUN			chmod -R 777 /var/log/front
+USER		nginx
+
+EXPOSE		80 443
+STOPSIGNAL	SIGINT

docker/proxy/compose.yml

@@ -0,0 +1,20 @@
+services:
+  front:
+    container_name: transcendence-front
+    build:
+      dockerfile: docker/front/Dockerfile
+      context: ../../
+    ports:
+      - ${OUT_PORT}:443
+    volumes:
+      - log-nginx:/var/log/front
+    environment:
+      - TZ=Europe/Paris
+    depends_on:
+      user-api:
+        condition: service_started
+      auth-api:
+        condition: service_started
+    networks:
+      - front
+    restart: unless-stopped

docker/proxy/config/default.conf.template

@@ -0,0 +1,48 @@
+server {
+	error_log /var/log/front/err.log warn;
+	access_log /var/log/front/log.log;
+
+    listen 80;
+
+    modsecurity on;
+
+	add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+	location / {
+		proxy_pass http://transcendence-webserv:80/;
+		proxy_http_version 1.1;
+	}
+
+    location /api/v1/user/ {
+        proxy_pass http://transcendence-api-user:3000/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+	location /api/v1/user/metrics {
+		return 403;
+	}
+
+    location /api/v1/auth/ {
+        proxy_pass http://transcendence-api-auth:3000/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+	location /api/v1/auth/metrics {
+		return 403;
+	}
+}
+
+server {
+    listen 8080;
+    location /nginx_status {
+        stub_status;
+    }
+}

docker/proxy/entry/ssl-cert.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [ ! -f /etc/nginx/certs/fullchain.pem ] || [ ! -f /etc/nginx/certs/privkey.pem ]; then
+  echo "Generating self-signed certs..."
+  mkdir -p /etc/nginx/certs
+  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+    -keyout /etc/nginx/certs/privkey.pem \
+    -out /etc/nginx/certs/fullchain.pem \
+    -subj "/C=FR/ST=IDF/L=Angouleme/O=42/OU=42/CN=trans.kanel.ovh/UID=adjoly"
+fi