feat: production infra — nginx configs, deploy script, security hardening

- Add Nginx reverse-proxy configs for api.goodgo.vn and platform.goodgo.vn with SSL, gzip, rate limiting, security headers, and WebSocket support - Add Cloudflare DNS setup script for A/AAAA/CNAME records - Add server-setup.sh for Ubuntu provisioning (Docker, fail2ban, UFW, swap, unattended-upgrades) - Add deploy-production.sh for manual production deployments - Add env.production.example with all required environment variables - Bind container ports to 127.0.0.1 in docker-compose.prod.yml (security: prevent direct access bypassing Nginx) - Fix deploy workflow: add -T flag to exec, sync Nginx configs, copy pgbouncer and backup configs to server Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
2026-04-13 14:11:25 +07:00
parent b93c28fa01
commit e5f7acf7da
9 changed files with 946 additions and 6 deletions
--- a/infra/nginx/redirect.conf
+++ b/infra/nginx/redirect.conf
@@ -0,0 +1,28 @@
+# ==============================================================================
+# HTTP → HTTPS redirect for all GoodGo domains
+# Cloudflare also enforces this, but this catches direct-IP access.
+# ==============================================================================
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name platform.goodgo.vn api.goodgo.vn grafana.goodgo.vn;
+
+    # Redirect all HTTP to HTTPS
+    return 301 https://$host$request_uri;
+}
+
+# Catch-all for direct IP access — return 444 (drop connection)
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name _;
+
+    ssl_certificate     /etc/ssl/goodgo/origin.pem;
+    ssl_certificate_key /etc/ssl/goodgo/origin-key.pem;
+
+    # Drop connections that don't match any server_name
+    return 444;
+}