admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: production infra — nginx configs, deploy script, security hardening
Some checks failed
CI / Lint → Typecheck → Test → Build (22) (push) Failing after 58s
Details
Deploy / Build Web Image (push) Failing after 14s
Details
Deploy / Rollback Production (push) Has been skipped
Details
CI / E2E Tests (push) Has been skipped
Details
Deploy / Build API Image (push) Failing after 3m8s
Details
Deploy / Build AI Services Image (push) Failing after 10s
Details
E2E Tests / Playwright E2E (push) Failing after 1m21s
Details
Deploy / Deploy to Staging (push) Has been skipped
Details
Deploy / Smoke Test Staging (push) Has been skipped
Details
Deploy / Deploy to Production (push) Has been skipped
Details
Deploy / Smoke Test Production (push) Has been skipped
Details
Deploy / Rollback Staging (push) Has been skipped
Details

Browse Source 
- Add Nginx reverse-proxy configs for api.goodgo.vn and platform.goodgo.vn
  with SSL, gzip, rate limiting, security headers, and WebSocket support
- Add Cloudflare DNS setup script for A/AAAA/CNAME records
- Add server-setup.sh for Ubuntu provisioning (Docker, fail2ban, UFW,
  swap, unattended-upgrades)
- Add deploy-production.sh for manual production deployments
- Add env.production.example with all required environment variables
- Bind container ports to 127.0.0.1 in docker-compose.prod.yml
  (security: prevent direct access bypassing Nginx)
- Fix deploy workflow: add -T flag to exec, sync Nginx configs,
  copy pgbouncer and backup configs to server

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
This commit is contained in:
Ho Ngoc Hai
2026-04-13 14:11:25 +07:00
parent b93c28fa01
commit e5f7acf7da
9 changed files with 946 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
infra/nginx/api.goodgo.vn.conf Normal file
View File

@@ -0,0 +1,100 @@
# ==============================================================================
# api.goodgo.vn — NestJS API Backend
# Proxied by Cloudflare (Full Strict SSL) → Nginx → Docker (127.0.0.1:3001)
# ==============================================================================
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name api.goodgo.vn;
# Cloudflare Origin Certificate
ssl_certificate /etc/ssl/goodgo/origin.pem;
ssl_certificate_key /etc/ssl/goodgo/origin-key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# Security headers
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Request size limit (file uploads)
client_max_body_size 50m;
# API endpoints
location / {
# Rate limiting (defined in /etc/nginx/conf.d/performance.conf)
limit_req zone=api_limit burst=50 nodelay;
limit_req_status 429;
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
# Disable buffering for streaming responses
proxy_buffering off;
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 120s;
proxy_read_timeout 120s;
}
# WebSocket endpoint for notifications/realtime
location /ws {
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Longer timeout for persistent connections
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
# Health check (skip rate limiting + logging)
location /health {
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
access_log off;
}
location /ready {
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
access_log off;
}
# Metrics endpoint (restrict to Cloudflare IPs or internal)
location /metrics {
# Allow only from localhost (Prometheus scrapes from the same host)
allow 127.0.0.1;
allow ::1;
deny all;
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
access_log off;
}
# Logging
access_log /var/log/nginx/api.goodgo.vn.access.log;
error_log /var/log/nginx/api.goodgo.vn.error.log;
}

85
infra/nginx/platform.goodgo.vn.conf Normal file
View File

@@ -0,0 +1,85 @@
# ==============================================================================
# platform.goodgo.vn — Next.js Web Frontend
# Proxied by Cloudflare (Full Strict SSL) → Nginx → Docker (127.0.0.1:3000)
# ==============================================================================
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name platform.goodgo.vn;
# Cloudflare Origin Certificate
ssl_certificate /etc/ssl/goodgo/origin.pem;
ssl_certificate_key /etc/ssl/goodgo/origin-key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# Security headers (supplement Cloudflare's)
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Trust Cloudflare's Authenticated Origin Pull
# ssl_client_certificate /etc/ssl/cloudflare/authenticated_origin_pull_ca.pem;
# ssl_verify_client on;
# Next.js application
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
# WebSocket support (Next.js HMR in dev, real-time features)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Next.js specific: disable buffering for streaming/SSR
proxy_buffering off;
proxy_cache off;
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
# Next.js static assets — long cache
location /_next/static/ {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
# Aggressive caching for immutable hashed assets
proxy_cache_valid 200 365d;
add_header Cache-Control "public, max-age=31536000, immutable";
}
# Favicon and static public files
location /favicon.ico {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
access_log off;
log_not_found off;
}
# Health check (for Cloudflare/monitoring)
location /api/health {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
access_log off;
}
# Logging
access_log /var/log/nginx/platform.goodgo.vn.access.log;
error_log /var/log/nginx/platform.goodgo.vn.error.log;
}

28
infra/nginx/redirect.conf Normal file
View File

@@ -0,0 +1,28 @@
# ==============================================================================
# HTTP → HTTPS redirect for all GoodGo domains
# Cloudflare also enforces this, but this catches direct-IP access.
# ==============================================================================
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name platform.goodgo.vn api.goodgo.vn grafana.goodgo.vn;
# Redirect all HTTP to HTTPS
return 301 https://$host$request_uri;
}
# Catch-all for direct IP access — return 444 (drop connection)
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _;
ssl_certificate /etc/ssl/goodgo/origin.pem;
ssl_certificate_key /etc/ssl/goodgo/origin-key.pem;
# Drop connections that don't match any server_name
return 444;
}