feat: production infra — nginx configs, deploy script, security hardening

- Add Nginx reverse-proxy configs for api.goodgo.vn and platform.goodgo.vn with SSL, gzip, rate limiting, security headers, and WebSocket support - Add Cloudflare DNS setup script for A/AAAA/CNAME records - Add server-setup.sh for Ubuntu provisioning (Docker, fail2ban, UFW, swap, unattended-upgrades) - Add deploy-production.sh for manual production deployments - Add env.production.example with all required environment variables - Bind container ports to 127.0.0.1 in docker-compose.prod.yml (security: prevent direct access bypassing Nginx) - Fix deploy workflow: add -T flag to exec, sync Nginx configs, copy pgbouncer and backup configs to server Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
2026-04-13 14:11:25 +07:00
parent b93c28fa01
commit e5f7acf7da
9 changed files with 946 additions and 6 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -9,7 +9,7 @@ services:
    container_name: goodgo-api
    restart: unless-stopped
    ports:
-      - '${API_PORT:-3001}:3001'
+      - '127.0.0.1:${API_PORT:-3001}:3001'
    environment:
      NODE_ENV: production
      DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@pgbouncer:6432/${DB_NAME}
@@ -66,7 +66,7 @@ services:
    container_name: goodgo-web
    restart: unless-stopped
    ports:
-      - '${WEB_PORT:-3000}:3000'
+      - '127.0.0.1:${WEB_PORT:-3000}:3000'
    environment:
      NODE_ENV: production
      NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:-http://api:3001}
@@ -479,7 +479,7 @@ services:
    container_name: goodgo-grafana
    restart: unless-stopped
    ports:
-      - '${GRAFANA_PORT:-3002}:3000'
+      - '127.0.0.1:${GRAFANA_PORT:-3002}:3000'
    environment:
      GF_SECURITY_ADMIN_USER__FILE: /run/secrets/grafana_admin_user
      GF_SECURITY_ADMIN_PASSWORD__FILE: /run/secrets/grafana_admin_password