admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
489d61a27b81e76dd979b1988e937f276f08f6cd
goodgo-platform/infra/nginx/api.goodgo.vn.conf
Ho Ngoc Hai e5f7acf7da
Some checks failed
CI / Lint → Typecheck → Test → Build (22) (push) Failing after 58s
Details
Deploy / Build Web Image (push) Failing after 14s
Details
Deploy / Rollback Production (push) Has been skipped
Details
CI / E2E Tests (push) Has been skipped
Details
Deploy / Build API Image (push) Failing after 3m8s
Details
Deploy / Build AI Services Image (push) Failing after 10s
Details
E2E Tests / Playwright E2E (push) Failing after 1m21s
Details
Deploy / Deploy to Staging (push) Has been skipped
Details
Deploy / Smoke Test Staging (push) Has been skipped
Details
Deploy / Deploy to Production (push) Has been skipped
Details
Deploy / Smoke Test Production (push) Has been skipped
Details
Deploy / Rollback Staging (push) Has been skipped
Details
feat: production infra — nginx configs, deploy script, security hardening 
- Add Nginx reverse-proxy configs for api.goodgo.vn and platform.goodgo.vn
  with SSL, gzip, rate limiting, security headers, and WebSocket support
- Add Cloudflare DNS setup script for A/AAAA/CNAME records
- Add server-setup.sh for Ubuntu provisioning (Docker, fail2ban, UFW,
  swap, unattended-upgrades)
- Add deploy-production.sh for manual production deployments
- Add env.production.example with all required environment variables
- Bind container ports to 127.0.0.1 in docker-compose.prod.yml
  (security: prevent direct access bypassing Nginx)
- Fix deploy workflow: add -T flag to exec, sync Nginx configs,
  copy pgbouncer and backup configs to server

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
2026-04-13 14:11:25 +07:00

101 lines
3.2 KiB
Plaintext
Raw Blame History

# ==============================================================================
# api.goodgo.vn — NestJS API Backend
# Proxied by Cloudflare (Full Strict SSL) → Nginx → Docker (127.0.0.1:3001)
# ==============================================================================
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name api.goodgo.vn;
# Cloudflare Origin Certificate
ssl_certificate /etc/ssl/goodgo/origin.pem;
ssl_certificate_key /etc/ssl/goodgo/origin-key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# Security headers
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Request size limit (file uploads)
client_max_body_size 50m;
# API endpoints
location / {
# Rate limiting (defined in /etc/nginx/conf.d/performance.conf)
limit_req zone=api_limit burst=50 nodelay;
limit_req_status 429;
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
# Disable buffering for streaming responses
proxy_buffering off;
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 120s;
proxy_read_timeout 120s;
}
# WebSocket endpoint for notifications/realtime
location /ws {
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Longer timeout for persistent connections
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
# Health check (skip rate limiting + logging)
location /health {
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
access_log off;
}
location /ready {
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
access_log off;
}
# Metrics endpoint (restrict to Cloudflare IPs or internal)
location /metrics {
# Allow only from localhost (Prometheus scrapes from the same host)
allow 127.0.0.1;
allow ::1;
deny all;
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
access_log off;
}
# Logging
access_log /var/log/nginx/api.goodgo.vn.access.log;
error_log /var/log/nginx/api.goodgo.vn.error.log;
}
Reference in New Issue View Git Blame Copy Permalink