「🏗️」 wip: nginx and modsec working

2025-08-14 12:32:54 +02:00 · 2025-07-16 13:46:39 +02:00
parent 86c740b284
commit a92100b7c0
8 changed files with 141 additions and 24 deletions
--- a/docker/front/Dockerfile
+++ b/docker/front/Dockerfile
@ -0,0 +1,29 @@
+FROM		node:lts-alpine AS builder
+
+RUN			npm install -g pnpm
+
+WORKDIR		/app
+
+COPY		package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+
+RUN			pnpm install --frozen-lockfile
+
+COPY		vite.config.js tailwind.config.js ./
+COPY		src ./src
+
+RUN			pnpm vite build
+
+FROM		owasp/modsecurity-crs:nginx-alpine
+
+RUN			mkdir -p /etc/nginx/modsecurity.d \
+			&& cp /etc/modsecurity.d/unicode.mapping /etc/nginx/modsecurity.d/unicode.mapping
+
+COPY		docker/front/config/default.conf.template \
+			/etc/nginx/templates/conf.d/default.conf.template
+
+COPY		--chmod=755 docker/front/entry/ssl-cert.sh /docker-entrypoint.d/ssl-cert.sh
+
+COPY		--from=builder /app/dist /usr/share/nginx/html
+
+EXPOSE		80 443
+STOPSIGNAL	SIGINT
--- a/docker/front/config/default.conf.template
+++ b/docker/front/config/default.conf.template
@ -0,0 +1,42 @@
+server {
+    listen 443 ssl;
+    server_name example.com;  # Replace with your domain or handle env vars externally
+
+    ssl_certificate     /etc/nginx/certs/fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    modsecurity on;
+#    modsecurity_rules_file /etc/nginx/modsecurity.d/modsecurity.conf;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    location /api/v1/user/ {
+        proxy_pass http://transcendence-api-user:3000/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /api/v1/auth/ {
+        proxy_pass http://transcendence-api-auth:3000/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 80;
+    server_name example.com;
+    return 301 https://$host$request_uri;
+}
--- a/docker/front/entry/ssl-cert.sh
+++ b/docker/front/entry/ssl-cert.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [ ! -f /etc/nginx/certs/fullchain.pem ] || [ ! -f /etc/nginx/certs/privkey.pem ]; then
+  echo "Generating self-signed certs..."
+  mkdir -p /etc/nginx/certs
+  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+    -keyout /etc/nginx/certs/privkey.pem \
+    -out /etc/nginx/certs/fullchain.pem \
+    -subj "/C=FR/ST=IDF/L=Angouleme/O=42/OU=42/CN=trans.kanel.ovh/UID=adjoly"
+fi