251003 frontend NPM

7.conf

@@ -0,0 +1,257 @@
+# ------------------------------------------------------------
+# lcbp3.np-dms.work
+# ------------------------------------------------------------
+
+
+
+map $scheme $hsts_header {
+    https   "max-age=63072000; preload";
+}
+
+server {
+  set $forward_scheme http;
+  set $server         "dms_frontend";
+  set $port           3000;
+
+  listen 80;
+listen [::]:80;
+
+listen 443 ssl;
+listen [::]:443 ssl;
+
+
+  server_name lcbp3.np-dms.work;
+
+  http2 on;
+
+
+  # Let's Encrypt SSL
+  include conf.d/include/letsencrypt-acme-challenge.conf;
+  include conf.d/include/ssl-cache.conf;
+  include conf.d/include/ssl-ciphers.conf;
+  ssl_certificate /etc/letsencrypt/live/npm-7/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/npm-7/privkey.pem;
+
+
+
+
+
+
+
+
+  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
+  add_header Strict-Transport-Security $hsts_header always;
+
+
+
+
+
+    # Force SSL
+    include conf.d/include/force-ssl.conf;
+
+
+
+
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $http_connection;
+proxy_http_version 1.1;
+
+
+  access_log /data/logs/proxy-host-7_access.log proxy;
+  error_log /data/logs/proxy-host-7_error.log warn;
+
+# ===== ขนาดไฟล์/timeout ระดับ Host =====
+client_max_body_size 200m;
+client_body_timeout  60s;
+send_timeout         60s;
+
+# ===== Proxy headers พื้นฐาน (ส่งให้ backend ทุกตัว) =====
+# ที่นี่จะเป็นที่กำหนด header หลักเพียงแห่งเดียว
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+
+# ===== WebSocket/SSE header ระดับ Host =====
+# พร้อมสำหรับทุก location ที่อาจต้องใช้ WebSocket
+proxy_set_header Upgrade           $http_upgrade;
+proxy_set_header Connection        "upgrade"; # ใช้ "upgrade" โดยตรงจะเสถียรกว่า
+
+# ===== สำคัญสำหรับคุกกี้ HttpOnly (ให้ทุก backend) =====
+proxy_pass_header Set-Cookie;
+
+# ===== Security headers ระดับ Host (ยอดเยี่ยมมากครับ) =====
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+
+  location /health {
+    proxy_set_header Host  $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+proxy_read_timeout 15s;
+proxy_send_timeout 15s;
+
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Scheme $scheme;
+    proxy_set_header X-Forwarded-Proto  $scheme;
+    proxy_set_header X-Forwarded-For    $remote_addr;
+    proxy_set_header X-Real-IP		$remote_addr;
+
+    proxy_pass       http://dms_frontend:3000;
+
+    
+
+    
+    
+    
+    # Force SSL
+    include conf.d/include/force-ssl.conf;
+
+
+    
+
+  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
+  add_header Strict-Transport-Security $hsts_header always;
+
+
+
+
+
+    
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $http_connection;
+    proxy_http_version 1.1;
+    
+  }
+
+  location /_next/static/ {
+    proxy_set_header Host $host;
+add_header Cache-Control "public, max-age=31536000, immutable";
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Scheme $scheme;
+    proxy_set_header X-Forwarded-Proto  $scheme;
+    proxy_set_header X-Forwarded-For    $remote_addr;
+    proxy_set_header X-Real-IP		$remote_addr;
+
+    proxy_pass       http://dms_frontend:3000;
+
+    
+
+    
+    
+    
+    # Force SSL
+    include conf.d/include/force-ssl.conf;
+
+
+    
+
+  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
+  add_header Strict-Transport-Security $hsts_header always;
+
+
+
+
+
+    
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $http_connection;
+    proxy_http_version 1.1;
+    
+  }
+
+  location /api/ {
+    # ===== CORS Configuration =====
+set $cors_allow_origin "";
+if ($http_origin ~* "^https?://(localhost(:\\d+)?|127\\.0\\.0\\.1(:\\d+)?|np-dms\\.work|www\\.np-dms\\.work|lcbp3\\.np-dms\\.work)$") {
+    set $cors_allow_origin $http_origin;
+}
+
+add_header Vary "Origin" always;
+add_header Access-Control-Allow-Credentials "true" always;
+add_header Access-Control-Allow-Origin $cors_allow_origin always;
+add_header Access-Control-Expose-Headers "Content-Disposition,Content-Length" always;
+add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
+add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always;
+
+# ===== OPTIONS preflight =====
+if ($request_method = OPTIONS) {
+    add_header Content-Length 0;
+    add_header Content-Type text/plain;
+    add_header Access-Control-Allow-Origin $cors_allow_origin always;
+    add_header Access-Control-Allow-Credentials "true" always;
+    add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
+    add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always;
+    return 204;
+}
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Scheme $scheme;
+    proxy_set_header X-Forwarded-Proto  $scheme;
+    proxy_set_header X-Forwarded-For    $remote_addr;
+    proxy_set_header X-Real-IP		$remote_addr;
+
+    proxy_pass       http://dms_backend:3001;
+
+    
+
+    
+    
+    
+    # Force SSL
+    include conf.d/include/force-ssl.conf;
+
+
+    
+
+  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
+  add_header Strict-Transport-Security $hsts_header always;
+
+
+
+
+
+    
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $http_connection;
+    proxy_http_version 1.1;
+    
+  }
+
+
+
+
+
+  location / {
+
+
+
+
+
+  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
+  add_header Strict-Transport-Security $hsts_header always;
+
+
+
+
+
+    
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $http_connection;
+    proxy_http_version 1.1;
+    
+
+    # Proxy!
+    include conf.d/include/proxy.conf;
+  }
+
+
+  # Custom
+  include /data/nginx/custom/server_proxy[.]conf;
+}
+

docker-compose.yml

@@ -149,7 +149,13 @@ services:
       backend:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:3000/health"]
+      test:
+        [
+          "CMD",
+          "wget",
+          "-qO-",
+          'http://127.0.0.1:3000/health | grep -q ''"ok":true''',
+        ]
       interval: 15s
       timeout: 5s
       retries: 30
@@ -261,12 +267,13 @@ services:
       NODE_ENV: "production"
       N8N_PATH: "/n8n/"
       N8N_PUBLIC_URL: "https://n8n.np-dms.work/"
-      WEBHOOK_URL: "https://ln8n.np-dms.work/"
+      WEBHOOK_URL: "https://n8n.np-dms.work/"
       N8N_EDITOR_BASE_URL: "https://n8n.np-dms.work/"
       N8N_PROTOCOL: "https"
       N8N_HOST: "n8n.np-dms.work"
       N8N_PORT: "5678"
       N8N_PROXY_HOPS: "1"
+      # N8N_DIAGNOSTICS_ENABLED: "false"
       N8N_SECURE_COOKIE: "true"
       N8N_ENCRYPTION_KEY: "9AAIB7Da9DW1qAhJE5/Bz4SnbQjeAngI"
       N8N_BASIC_AUTH_ACTIVE: "true"

frontend/api/health/route.js

@@ -1,4 +1,4 @@
-// Simple health endpoint for compose/ops
+// File: frontend/api/health/route.js
 export async function GET() {
   return new Response(JSON.stringify({ status: 'ok', service: 'frontend', ts: Date.now() }), {
     headers: { 'content-type': 'application/json' },

ng.oonf

@@ -0,0 +1,67 @@
+
+# ===== CORS Configuration =====
+set $cors_allow_origin "";
+if ($http_origin ~* "^https?://(localhost(:\\d+)?|127\\.0\\.0\\.1(:\\d+)?|np-dms\\.work|www\\.np-dms\\.work|lcbp3\\.np-dms\\.work)$") {
+    set $cors_allow_origin $http_origin;
+}
+
+add_header Vary "Origin" always;
+add_header Access-Control-Allow-Credentials "true" always;
+add_header Access-Control-Allow-Origin $cors_allow_origin always;
+add_header Access-Control-Expose-Headers "Content-Disposition,Content-Length" always;
+add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
+add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always;
+
+# ===== OPTIONS preflight =====
+if ($request_method = OPTIONS) {
+    add_header Content-Length 0;
+    add_header Content-Type text/plain;
+    add_header Access-Control-Allow-Origin $cors_allow_origin always;
+    add_header Access-Control-Allow-Credentials "true" always;
+    add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
+    add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always;
+    return 204;
+}
+
+# ============================================================ 
+# ============================================================ 
+# ===== ขนาดไฟล์/timeout ระดับ Host =====
+client_max_body_size 200m;
+client_body_timeout  60s;
+send_timeout         60s;
+
+# ===== Proxy headers พื้นฐาน (ส่งให้ backend ทุกตัว) =====
+# ที่นี่จะเป็นที่กำหนด header หลักเพียงแห่งเดียว
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+
+# ===== WebSocket/SSE header ระดับ Host =====
+# พร้อมสำหรับทุก location ที่อาจต้องใช้ WebSocket
+# proxy_set_header Upgrade           $http_upgrade;
+# proxy_set_header Connection        "upgrade"; # ใช้ "upgrade" โดยตรงจะเสถียรกว่า
+
+# ===== สำคัญสำหรับคุกกี้ HttpOnly (ให้ทุก backend) =====
+proxy_pass_header Set-Cookie;
+
+# ===== Security headers ระดับ Host (ยอดเยี่ยมมากครับ) =====
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+
+docker exec -it dms_npm sh -lc '
+apk add --no-cache curl 2>/dev/null || true
+set -e
+echo "# upstream checks"
+curl -sS -I http://frontend:3000/health || true
+curl -sS -I http://backend:3081/health  || true
+curl -sS -I http://phpmyadmin          || true
+curl -sS -I http://n8n:5678            || true
+curl -sS -I http://pgadmin             || true
+curl -sS -I http://gitea:3000          || true
+echo "# nginx test"
+nginx -t
+'