Prod infra: frontend on port 3001, remove certbot from compose
- Frontend container nginx listens on 3001 instead of 80 to avoid conflicts with the host-level reverse proxy - Removed certbot service, volumes, and SSL config from docker-compose.prod.yml — SSL/certbot is managed at the host level - Updated nginx/production.conf: HTTP-only (host handles TLS), upstream frontend points to port 3001 - Updated nginx/ssl.conf frontend upstream to 3001 for consistency Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -4,7 +4,7 @@ upstream backend {
|
||||
}
|
||||
|
||||
upstream frontend {
|
||||
server frontend:80;
|
||||
server frontend:3001;
|
||||
keepalive 16;
|
||||
}
|
||||
|
||||
@@ -22,44 +22,14 @@ proxy_buffer_size 16k;
|
||||
proxy_buffers 8 16k;
|
||||
proxy_busy_buffers_size 32k;
|
||||
|
||||
# Redirect HTTP → HTTPS
|
||||
# Rate limit zone (10 req/s per IP for API)
|
||||
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
|
||||
|
||||
# HTTP server — SSL termination is handled by the host reverse proxy
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# HTTPS server
|
||||
server {
|
||||
listen 443 ssl;
|
||||
# Replace with your hostname:
|
||||
server_name staging.example.com;
|
||||
|
||||
# --- TLS certificates ---
|
||||
ssl_certificate /etc/letsencrypt/live/staging.example.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/staging.example.com/privkey.pem;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||
add_header X-Content-Type-Options nosniff always;
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
|
||||
# --- Rate limit zone (10 req/s per IP for API) ---
|
||||
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
|
||||
|
||||
# --- API routes → backend ---
|
||||
location /api/ {
|
||||
limit_req zone=api_limit burst=30 nodelay;
|
||||
@@ -90,8 +60,6 @@ server {
|
||||
proxy_pass http://frontend;
|
||||
proxy_read_timeout 10s;
|
||||
proxy_connect_timeout 5s;
|
||||
|
||||
# Cache static assets aggressively at the proxy level
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user