ProdLaunch

2026-06-18 15:14:10 +02:00
parent d8f58640e5
commit 4c90a7c1a3
12 changed files with 1412 additions and 5 deletions
+99
@@ -0,0 +1,99 @@
server {
listen 80;
server_name _;
# ── Rate limiting zones (definite in nginx.conf) ──────────────────────────
# In produzione si usa lo stesso nginx.conf che definisce le zone
# ── Sicurezza headers ─────────────────────────────────────────────────────
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# ── Resolver Docker interno ───────────────────────────────────────────────
resolver 127.0.0.11 valid=30s ipv6=off;
# ── API Backend ───────────────────────────────────────────────────────────
location /api/ {
limit_req zone=api burst=20 nodelay;
set $backend_upstream http://backend:8000;
proxy_pass $backend_upstream;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
proxy_connect_timeout 30s;
proxy_send_timeout 120s;
proxy_read_timeout 120s;
# Upload allegati fino a 50MB
client_max_body_size 50m;
}
# ── Auth endpoint con rate limiting piu' stretto ──────────────────────────
location /api/v1/auth/login {
limit_req zone=auth burst=5 nodelay;
set $backend_upstream http://backend:8000;
proxy_pass $backend_upstream;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# ── Health check (accesso solo interno) ───────────────────────────────────
location /health {
# In produzione, limitare a rete interna o monitoraggio
# allow 10.0.0.0/8;
# allow 172.16.0.0/12;
# deny all;
set $backend_upstream http://backend:8000;
proxy_pass $backend_upstream;
access_log off;
}
# ── PRODUZIONE: Swagger UI disabilitato ───────────────────────────────────
location /docs {
return 404;
}
location /redoc {
return 404;
}
location /openapi.json {
return 404;
}
# ── WebSocket ─────────────────────────────────────────────────────────────
location /ws/ {
set $backend_upstream http://backend:8000;
proxy_pass $backend_upstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 3600s;
}
# ── Frontend React (build statica) ────────────────────────────────────────
# In produzione il frontend e' servito come file statici da un secondo
# container nginx o dallo stesso container con volume condiviso.
# Qui usiamo il container frontend che si occupa di servire i file.
location / {
set $frontend_upstream http://frontend:3000;
proxy_pass $frontend_upstream;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Cache aggressiva per asset statici (Vite aggiunge hash al filename)
proxy_cache_bypass $http_upgrade;
}
}
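Review bot: The `/health` location is still reachable from any client in this production vhost even though the comment directly above it says access should be restricted, and `access_log off` means such probes leave no trace; since the `allow` lines are already written, the fix is to enable them before the `proxy_pass`: `allow 10.0.0.0/8;` / `allow 172.16.0.0/12;` / `deny all;` (adjust the ranges to the actual Docker network, which this file does not show). The `/ws/` location has neither a `limit_req` zone nor the `X-Real-IP` / `X-Forwarded-For` headers the other proxied locations set, so the backend cannot apply per-client controls to WebSocket connections; adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` there would match the `/api/` block. The comment before `proxy_cache_bypass $http_upgrade;` in `location /` describes an aggressive static-asset cache, but no `proxy_cache` or `expires` directive follows it, so the comment should either be dropped or reworded to describe what the directive does. `X-XSS-Protection "1; mode=block"` is a legacy header that current guidance recommends setting to `0` or omitting in favour of a Content-Security-Policy, which this block does not define.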