「🏗️」 wip: nginx and modsec working

.dockerignore

@@ -7,7 +7,7 @@ node_modules/
 
 # useless files in the docker
 *.md
-docker/
+# docker/
 
 # PLEASE NO
 .env

Justfile

@@ -21,13 +21,23 @@
 
 # To build the base of the for the fastify docker images
 @build-node-base:
-	docker build -t node-base -f docker/node-base/Dockerfile .
+	docker build -t node-base -f docker/api-base/Dockerfile .
 
-@docker: build-node-base
+# To launch the docker compose
-	docker compose -f docker/docker-compose.yml up -d user-api --build
+@docker: 
+	docker compose -f docker/docker-compose.yml up -d --build
 
-@clean-docker:
+# To stop the docker compose
+@stop-docker: 
+	docker compose -f docker/docker-compose.yml down
+
+# To rebuild fully the docker (use it with caution)
+@re-docker: clean-docker docker
+
+# To completely docker
+@clean-docker: clean-compose
 	docker system prune -af
 
-@clean-compose:
+# To clean only the container launched by the compose
+@clean-compose: stop-docker
 	docker compose -f docker/docker-compose.yml rm

docker/api-base/Dockerfile

@@ -19,3 +19,6 @@ COPY		--from=builder /app/pnpm-lock.yaml /app/pnpm-lock.yaml
 COPY		--from=builder /app/package.json /app/package.json
 
 ENV			NODE_ENV=production
+EXPOSE		3000
+
+CMD			[ "node", "/app/src/start.js" ]

docker/docker-compose.yml

@@ -1,20 +1,49 @@
 services:
   front:
-    image: owasp/modsecurity-crs:nginx-alpine
+    container_name: transcendence-front
-    ports:
-      - 443:443
-    # environment:
-    #   - euuuh
-  user-api:
     build:
-      dockerfile: docker/user-api/Dockerfile
+      dockerfile: docker/front/Dockerfile
+      context: ..
+    ports:
+      - 8443:443
+    environment:
+      SERVER_NAME: localhost
+    depends_on:
+      user-api:
+        condition: service_started
+      auth-api:
+        condition: service_started
+    networks:
+      - front
+  user-api:
+    container_name: transcendence-api-user
+    build:
+      dockerfile: docker/api-base/Dockerfile
+      context: ..
+      tags:
+        - api-base
+    networks:
+      - front
+      - back
+    environment:
+      - API_TARGET=user
+  auth-api:
+    container_name: transcendence-api-auth
+    build:
+      dockerfile: docker/api-base/Dockerfile
       context: ..
     networks:
-      - transcendence
+      - front
-    ports:
+      - back
-      - 3000:3000
+    environment:
+      - API_TARGET=auth
+  
+  
 
 networks:
-  transcendence:
+  front:
     external: false
-    name: transcendence
+    name: front-backend
+  back:
+    external: false
+    name: trans-backend

docker/front/Dockerfile

@@ -0,0 +1,29 @@
+FROM		node:lts-alpine AS builder
+
+RUN			npm install -g pnpm
+
+WORKDIR		/app
+
+COPY		package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+
+RUN			pnpm install --frozen-lockfile
+
+COPY		vite.config.js tailwind.config.js ./
+COPY		src ./src
+
+RUN			pnpm vite build
+
+FROM		owasp/modsecurity-crs:nginx-alpine
+
+RUN			mkdir -p /etc/nginx/modsecurity.d \
+			&& cp /etc/modsecurity.d/unicode.mapping /etc/nginx/modsecurity.d/unicode.mapping
+
+COPY		docker/front/config/default.conf.template \
+			/etc/nginx/templates/conf.d/default.conf.template
+
+COPY		--chmod=755 docker/front/entry/ssl-cert.sh /docker-entrypoint.d/ssl-cert.sh
+
+COPY		--from=builder /app/dist /usr/share/nginx/html
+
+EXPOSE		80 443
+STOPSIGNAL	SIGINT

docker/front/config/default.conf.template

@@ -0,0 +1,42 @@
+server {
+    listen 443 ssl;
+    server_name example.com;  # Replace with your domain or handle env vars externally
+
+    ssl_certificate     /etc/nginx/certs/fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    modsecurity on;
+#    modsecurity_rules_file /etc/nginx/modsecurity.d/modsecurity.conf;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    location /api/v1/user/ {
+        proxy_pass http://transcendence-api-user:3000/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /api/v1/auth/ {
+        proxy_pass http://transcendence-api-auth:3000/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 80;
+    server_name example.com;
+    return 301 https://$host$request_uri;
+}

docker/front/entry/ssl-cert.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [ ! -f /etc/nginx/certs/fullchain.pem ] || [ ! -f /etc/nginx/certs/privkey.pem ]; then
+  echo "Generating self-signed certs..."
+  mkdir -p /etc/nginx/certs
+  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+    -keyout /etc/nginx/certs/privkey.pem \
+    -out /etc/nginx/certs/fullchain.pem \
+    -subj "/C=FR/ST=IDF/L=Angouleme/O=42/OU=42/CN=trans.kanel.ovh/UID=adjoly"
+fi

docker/user-api/Dockerfile

@@ -1,6 +0,0 @@
-FROM		node-base
-
-EXPOSE		3000
-
-ENV			API_TARGET="user"
-CMD			[ "node", "/app/src/start.js" ]