From 4d7e69247de348bca3be5d34eb6fcff8b5df7823 Mon Sep 17 00:00:00 2001 From: admin Date: Fri, 3 Oct 2025 16:14:09 +0700 Subject: [PATCH] 251003 frontend NPM --- 7.conf | 257 +++++++++++++++++++++++++++++++++++ docker-compose.yml | 11 +- frontend/api/health/route.js | 2 +- ng.oonf | 67 +++++++++ 4 files changed, 334 insertions(+), 3 deletions(-) create mode 100644 7.conf create mode 100644 ng.oonf diff --git a/7.conf b/7.conf new file mode 100644 index 00000000..207a4c24 --- /dev/null +++ b/7.conf @@ -0,0 +1,257 @@ +# ------------------------------------------------------------ +# lcbp3.np-dms.work +# ------------------------------------------------------------ + + + +map $scheme $hsts_header { + https "max-age=63072000; preload"; +} + +server { + set $forward_scheme http; + set $server "dms_frontend"; + set $port 3000; + + listen 80; +listen [::]:80; + +listen 443 ssl; +listen [::]:443 ssl; + + + server_name lcbp3.np-dms.work; + + http2 on; + + + # Let's Encrypt SSL + include conf.d/include/letsencrypt-acme-challenge.conf; + include conf.d/include/ssl-cache.conf; + include conf.d/include/ssl-ciphers.conf; + ssl_certificate /etc/letsencrypt/live/npm-7/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/npm-7/privkey.pem; + + + + + + + + + # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) + add_header Strict-Transport-Security $hsts_header always; + + + + + + # Force SSL + include conf.d/include/force-ssl.conf; + + + + +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $http_connection; +proxy_http_version 1.1; + + + access_log /data/logs/proxy-host-7_access.log proxy; + error_log /data/logs/proxy-host-7_error.log warn; + +# ===== ขนาดไฟล์/timeout ระดับ Host ===== +client_max_body_size 200m; +client_body_timeout 60s; +send_timeout 60s; + +# ===== Proxy headers พื้นฐาน (ส่งให้ backend ทุกตัว) ===== +# ที่นี่จะเป็นที่กำหนด header หลักเพียงแห่งเดียว +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; + +# ===== WebSocket/SSE header ระดับ Host ===== +# พร้อมสำหรับทุก location ที่อาจต้องใช้ WebSocket +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection "upgrade"; # ใช้ "upgrade" โดยตรงจะเสถียรกว่า + +# ===== สำคัญสำหรับคุกกี้ HttpOnly (ให้ทุก backend) ===== +proxy_pass_header Set-Cookie; + +# ===== Security headers ระดับ Host (ยอดเยี่ยมมากครับ) ===== +add_header X-Content-Type-Options "nosniff" always; +add_header X-Frame-Options "SAMEORIGIN" always; +add_header Referrer-Policy "no-referrer-when-downgrade" always; +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + + location /health { + proxy_set_header Host $host; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto https; +proxy_read_timeout 15s; +proxy_send_timeout 15s; + + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + + proxy_pass http://dms_frontend:3000; + + + + + + + # Force SSL + include conf.d/include/force-ssl.conf; + + + + + # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) + add_header Strict-Transport-Security $hsts_header always; + + + + + + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_http_version 1.1; + + } + + location /_next/static/ { + proxy_set_header Host $host; +add_header Cache-Control "public, max-age=31536000, immutable"; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + + proxy_pass http://dms_frontend:3000; + + + + + + + # Force SSL + include conf.d/include/force-ssl.conf; + + + + + # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) + add_header Strict-Transport-Security $hsts_header always; + + + + + + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_http_version 1.1; + + } + + location /api/ { + # ===== CORS Configuration ===== +set $cors_allow_origin ""; +if ($http_origin ~* "^https?://(localhost(:\\d+)?|127\\.0\\.0\\.1(:\\d+)?|np-dms\\.work|www\\.np-dms\\.work|lcbp3\\.np-dms\\.work)$") { + set $cors_allow_origin $http_origin; +} + +add_header Vary "Origin" always; +add_header Access-Control-Allow-Credentials "true" always; +add_header Access-Control-Allow-Origin $cors_allow_origin always; +add_header Access-Control-Expose-Headers "Content-Disposition,Content-Length" always; +add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always; +add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always; + +# ===== OPTIONS preflight ===== +if ($request_method = OPTIONS) { + add_header Content-Length 0; + add_header Content-Type text/plain; + add_header Access-Control-Allow-Origin $cors_allow_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always; + add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always; + return 204; +} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + + proxy_pass http://dms_backend:3001; + + + + + + + # Force SSL + include conf.d/include/force-ssl.conf; + + + + + # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) + add_header Strict-Transport-Security $hsts_header always; + + + + + + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_http_version 1.1; + + } + + + + + + location / { + + + + + + # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) + add_header Strict-Transport-Security $hsts_header always; + + + + + + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_http_version 1.1; + + + # Proxy! + include conf.d/include/proxy.conf; + } + + + # Custom + include /data/nginx/custom/server_proxy[.]conf; +} + diff --git a/docker-compose.yml b/docker-compose.yml index 4cb7f569..f994e54b 100755 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -149,7 +149,13 @@ services: backend: condition: service_healthy healthcheck: - test: ["CMD", "wget", "-qO-", "http://127.0.0.1:3000/health"] + test: + [ + "CMD", + "wget", + "-qO-", + 'http://127.0.0.1:3000/health | grep -q ''"ok":true''', + ] interval: 15s timeout: 5s retries: 30 @@ -261,12 +267,13 @@ services: NODE_ENV: "production" N8N_PATH: "/n8n/" N8N_PUBLIC_URL: "https://n8n.np-dms.work/" - WEBHOOK_URL: "https://ln8n.np-dms.work/" + WEBHOOK_URL: "https://n8n.np-dms.work/" N8N_EDITOR_BASE_URL: "https://n8n.np-dms.work/" N8N_PROTOCOL: "https" N8N_HOST: "n8n.np-dms.work" N8N_PORT: "5678" N8N_PROXY_HOPS: "1" + # N8N_DIAGNOSTICS_ENABLED: "false" N8N_SECURE_COOKIE: "true" N8N_ENCRYPTION_KEY: "9AAIB7Da9DW1qAhJE5/Bz4SnbQjeAngI" N8N_BASIC_AUTH_ACTIVE: "true" diff --git a/frontend/api/health/route.js b/frontend/api/health/route.js index a81576cd..736b062f 100755 --- a/frontend/api/health/route.js +++ b/frontend/api/health/route.js @@ -1,4 +1,4 @@ -// Simple health endpoint for compose/ops +// File: frontend/api/health/route.js export async function GET() { return new Response(JSON.stringify({ status: 'ok', service: 'frontend', ts: Date.now() }), { headers: { 'content-type': 'application/json' }, diff --git a/ng.oonf b/ng.oonf new file mode 100644 index 00000000..7b7fe1d8 --- /dev/null +++ b/ng.oonf @@ -0,0 +1,67 @@ + +# ===== CORS Configuration ===== +set $cors_allow_origin ""; +if ($http_origin ~* "^https?://(localhost(:\\d+)?|127\\.0\\.0\\.1(:\\d+)?|np-dms\\.work|www\\.np-dms\\.work|lcbp3\\.np-dms\\.work)$") { + set $cors_allow_origin $http_origin; +} + +add_header Vary "Origin" always; +add_header Access-Control-Allow-Credentials "true" always; +add_header Access-Control-Allow-Origin $cors_allow_origin always; +add_header Access-Control-Expose-Headers "Content-Disposition,Content-Length" always; +add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always; +add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always; + +# ===== OPTIONS preflight ===== +if ($request_method = OPTIONS) { + add_header Content-Length 0; + add_header Content-Type text/plain; + add_header Access-Control-Allow-Origin $cors_allow_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always; + add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always; + return 204; +} + +# ============================================================ +# ============================================================ +# ===== ขนาดไฟล์/timeout ระดับ Host ===== +client_max_body_size 200m; +client_body_timeout 60s; +send_timeout 60s; + +# ===== Proxy headers พื้นฐาน (ส่งให้ backend ทุกตัว) ===== +# ที่นี่จะเป็นที่กำหนด header หลักเพียงแห่งเดียว +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; + +# ===== WebSocket/SSE header ระดับ Host ===== +# พร้อมสำหรับทุก location ที่อาจต้องใช้ WebSocket +# proxy_set_header Upgrade $http_upgrade; +# proxy_set_header Connection "upgrade"; # ใช้ "upgrade" โดยตรงจะเสถียรกว่า + +# ===== สำคัญสำหรับคุกกี้ HttpOnly (ให้ทุก backend) ===== +proxy_pass_header Set-Cookie; + +# ===== Security headers ระดับ Host (ยอดเยี่ยมมากครับ) ===== +add_header X-Content-Type-Options "nosniff" always; +add_header X-Frame-Options "SAMEORIGIN" always; +add_header Referrer-Policy "no-referrer-when-downgrade" always; +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + +docker exec -it dms_npm sh -lc ' +apk add --no-cache curl 2>/dev/null || true +set -e +echo "# upstream checks" +curl -sS -I http://frontend:3000/health || true +curl -sS -I http://backend:3081/health || true +curl -sS -I http://phpmyadmin || true +curl -sS -I http://n8n:5678 || true +curl -sS -I http://pgadmin || true +curl -sS -I http://gitea:3000 || true +echo "# nginx test" +nginx -t +' \ No newline at end of file