251003 frontend NPM
This commit is contained in:
admin
257
7.conf
Normal file
257
7.conf
Normal file
@@ -0,0 +1,257 @@
|
||||
# ------------------------------------------------------------
|
||||
# lcbp3.np-dms.work
|
||||
# ------------------------------------------------------------
|
||||
|
||||
|
||||
|
||||
map $scheme $hsts_header {
|
||||
https "max-age=63072000; preload";
|
||||
}
|
||||
|
||||
server {
|
||||
set $forward_scheme http;
|
||||
set $server "dms_frontend";
|
||||
set $port 3000;
|
||||
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
|
||||
server_name lcbp3.np-dms.work;
|
||||
|
||||
http2 on;
|
||||
|
||||
|
||||
# Let's Encrypt SSL
|
||||
include conf.d/include/letsencrypt-acme-challenge.conf;
|
||||
include conf.d/include/ssl-cache.conf;
|
||||
include conf.d/include/ssl-ciphers.conf;
|
||||
ssl_certificate /etc/letsencrypt/live/npm-7/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/npm-7/privkey.pem;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
|
||||
add_header Strict-Transport-Security $hsts_header always;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Force SSL
|
||||
include conf.d/include/force-ssl.conf;
|
||||
|
||||
|
||||
|
||||
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
|
||||
access_log /data/logs/proxy-host-7_access.log proxy;
|
||||
error_log /data/logs/proxy-host-7_error.log warn;
|
||||
|
||||
# ===== ขนาดไฟล์/timeout ระดับ Host =====
|
||||
client_max_body_size 200m;
|
||||
client_body_timeout 60s;
|
||||
send_timeout 60s;
|
||||
|
||||
# ===== Proxy headers พื้นฐาน (ส่งให้ backend ทุกตัว) =====
|
||||
# ที่นี่จะเป็นที่กำหนด header หลักเพียงแห่งเดียว
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
# ===== WebSocket/SSE header ระดับ Host =====
|
||||
# พร้อมสำหรับทุก location ที่อาจต้องใช้ WebSocket
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade"; # ใช้ "upgrade" โดยตรงจะเสถียรกว่า
|
||||
|
||||
# ===== สำคัญสำหรับคุกกี้ HttpOnly (ให้ทุก backend) =====
|
||||
proxy_pass_header Set-Cookie;
|
||||
|
||||
# ===== Security headers ระดับ Host (ยอดเยี่ยมมากครับ) =====
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
|
||||
location /health {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_read_timeout 15s;
|
||||
proxy_send_timeout 15s;
|
||||
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Scheme $scheme;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
proxy_pass http://dms_frontend:3000;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Force SSL
|
||||
include conf.d/include/force-ssl.conf;
|
||||
|
||||
|
||||
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
|
||||
add_header Strict-Transport-Security $hsts_header always;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
}
|
||||
|
||||
location /_next/static/ {
|
||||
proxy_set_header Host $host;
|
||||
add_header Cache-Control "public, max-age=31536000, immutable";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Scheme $scheme;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
proxy_pass http://dms_frontend:3000;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Force SSL
|
||||
include conf.d/include/force-ssl.conf;
|
||||
|
||||
|
||||
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
|
||||
add_header Strict-Transport-Security $hsts_header always;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
# ===== CORS Configuration =====
|
||||
set $cors_allow_origin "";
|
||||
if ($http_origin ~* "^https?://(localhost(:\\d+)?|127\\.0\\.0\\.1(:\\d+)?|np-dms\\.work|www\\.np-dms\\.work|lcbp3\\.np-dms\\.work)$") {
|
||||
set $cors_allow_origin $http_origin;
|
||||
}
|
||||
|
||||
add_header Vary "Origin" always;
|
||||
add_header Access-Control-Allow-Credentials "true" always;
|
||||
add_header Access-Control-Allow-Origin $cors_allow_origin always;
|
||||
add_header Access-Control-Expose-Headers "Content-Disposition,Content-Length" always;
|
||||
add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
|
||||
add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always;
|
||||
|
||||
# ===== OPTIONS preflight =====
|
||||
if ($request_method = OPTIONS) {
|
||||
add_header Content-Length 0;
|
||||
add_header Content-Type text/plain;
|
||||
add_header Access-Control-Allow-Origin $cors_allow_origin always;
|
||||
add_header Access-Control-Allow-Credentials "true" always;
|
||||
add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
|
||||
add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always;
|
||||
return 204;
|
||||
}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Scheme $scheme;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
proxy_pass http://dms_backend:3001;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Force SSL
|
||||
include conf.d/include/force-ssl.conf;
|
||||
|
||||
|
||||
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
|
||||
add_header Strict-Transport-Security $hsts_header always;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
location / {
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
|
||||
add_header Strict-Transport-Security $hsts_header always;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
|
||||
# Proxy!
|
||||
include conf.d/include/proxy.conf;
|
||||
}
|
||||
|
||||
|
||||
# Custom
|
||||
include /data/nginx/custom/server_proxy[.]conf;
|
||||
}
|
||||
|
||||
@@ -149,7 +149,13 @@ services:
|
||||
backend:
|
||||
condition: service_healthy
|
||||
healthcheck:
|
||||
test: ["CMD", "wget", "-qO-", "http://127.0.0.1:3000/health"]
|
||||
test:
|
||||
[
|
||||
"CMD",
|
||||
"wget",
|
||||
"-qO-",
|
||||
'http://127.0.0.1:3000/health | grep -q ''"ok":true''',
|
||||
]
|
||||
interval: 15s
|
||||
timeout: 5s
|
||||
retries: 30
|
||||
@@ -261,12 +267,13 @@ services:
|
||||
NODE_ENV: "production"
|
||||
N8N_PATH: "/n8n/"
|
||||
N8N_PUBLIC_URL: "https://n8n.np-dms.work/"
|
||||
WEBHOOK_URL: "https://ln8n.np-dms.work/"
|
||||
WEBHOOK_URL: "https://n8n.np-dms.work/"
|
||||
N8N_EDITOR_BASE_URL: "https://n8n.np-dms.work/"
|
||||
N8N_PROTOCOL: "https"
|
||||
N8N_HOST: "n8n.np-dms.work"
|
||||
N8N_PORT: "5678"
|
||||
N8N_PROXY_HOPS: "1"
|
||||
# N8N_DIAGNOSTICS_ENABLED: "false"
|
||||
N8N_SECURE_COOKIE: "true"
|
||||
N8N_ENCRYPTION_KEY: "9AAIB7Da9DW1qAhJE5/Bz4SnbQjeAngI"
|
||||
N8N_BASIC_AUTH_ACTIVE: "true"
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
// Simple health endpoint for compose/ops
|
||||
// File: frontend/api/health/route.js
|
||||
export async function GET() {
|
||||
return new Response(JSON.stringify({ status: 'ok', service: 'frontend', ts: Date.now() }), {
|
||||
headers: { 'content-type': 'application/json' },
|
||||
|
||||
67
ng.oonf
Normal file
67
ng.oonf
Normal file
@@ -0,0 +1,67 @@
|
||||
|
||||
# ===== CORS Configuration =====
|
||||
set $cors_allow_origin "";
|
||||
if ($http_origin ~* "^https?://(localhost(:\\d+)?|127\\.0\\.0\\.1(:\\d+)?|np-dms\\.work|www\\.np-dms\\.work|lcbp3\\.np-dms\\.work)$") {
|
||||
set $cors_allow_origin $http_origin;
|
||||
}
|
||||
|
||||
add_header Vary "Origin" always;
|
||||
add_header Access-Control-Allow-Credentials "true" always;
|
||||
add_header Access-Control-Allow-Origin $cors_allow_origin always;
|
||||
add_header Access-Control-Expose-Headers "Content-Disposition,Content-Length" always;
|
||||
add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
|
||||
add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always;
|
||||
|
||||
# ===== OPTIONS preflight =====
|
||||
if ($request_method = OPTIONS) {
|
||||
add_header Content-Length 0;
|
||||
add_header Content-Type text/plain;
|
||||
add_header Access-Control-Allow-Origin $cors_allow_origin always;
|
||||
add_header Access-Control-Allow-Credentials "true" always;
|
||||
add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
|
||||
add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always;
|
||||
return 204;
|
||||
}
|
||||
|
||||
# ============================================================
|
||||
# ============================================================
|
||||
# ===== ขนาดไฟล์/timeout ระดับ Host =====
|
||||
client_max_body_size 200m;
|
||||
client_body_timeout 60s;
|
||||
send_timeout 60s;
|
||||
|
||||
# ===== Proxy headers พื้นฐาน (ส่งให้ backend ทุกตัว) =====
|
||||
# ที่นี่จะเป็นที่กำหนด header หลักเพียงแห่งเดียว
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
# ===== WebSocket/SSE header ระดับ Host =====
|
||||
# พร้อมสำหรับทุก location ที่อาจต้องใช้ WebSocket
|
||||
# proxy_set_header Upgrade $http_upgrade;
|
||||
# proxy_set_header Connection "upgrade"; # ใช้ "upgrade" โดยตรงจะเสถียรกว่า
|
||||
|
||||
# ===== สำคัญสำหรับคุกกี้ HttpOnly (ให้ทุก backend) =====
|
||||
proxy_pass_header Set-Cookie;
|
||||
|
||||
# ===== Security headers ระดับ Host (ยอดเยี่ยมมากครับ) =====
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
|
||||
docker exec -it dms_npm sh -lc '
|
||||
apk add --no-cache curl 2>/dev/null || true
|
||||
set -e
|
||||
echo "# upstream checks"
|
||||
curl -sS -I http://frontend:3000/health || true
|
||||
curl -sS -I http://backend:3081/health || true
|
||||
curl -sS -I http://phpmyadmin || true
|
||||
curl -sS -I http://n8n:5678 || true
|
||||
curl -sS -I http://pgadmin || true
|
||||
curl -sS -I http://gitea:3000 || true
|
||||
echo "# nginx test"
|
||||
nginx -t
|
||||
'
|
||||
Reference in New Issue
Block a user