valitovgaziz/tp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: CI/CD, per-domain HTTPS, backup, config generator

Browse Source 
- sites.yml — единый источник истины для всех сайтов
- generate-configs.sh — генератор nginx конфигов, certbot domains.txt, .env
- nginx: per-domain HTTPS (вместо all-or-nothing switch-config)
- certbot: единый renew-all.sh, динамический init (без 5 дублирующих скриптов)
- backup: контейнер с pg_dump + rclone (Яндекс.Диск), ежедневно в 3AM
- Gitea + Gitea Runner в docker-compose (self-hosted Git + CI/CD)
- .gitea/workflows/deploy.yml — CI/CD pipeline: push → авто-деплой
- Makefile: generate-configs, reconfig, deploy, backup, restore, gitea, help
This commit is contained in:
valitovgaziz
2026-06-12 12:22:19 +05:00
parent abcb327278
commit 8e766b540e
31 changed files with 1535 additions and 343 deletions
Download Patch File Download Diff File Expand all files Collapse all files
main_dc/nginx/Dockerfile
+10 -21
View File
@@ -1,28 +1,17 @@
FROM nginx:alpine
# Установка зависимостей
RUN apk add --no-cache bash openssl
# Создание директории для сертификатов
RUN mkdir -p /etc/nginx/ssl
# dummy сертификаты для nginx (нужны чтобы nginx стартовал с любым конфигом)
RUN mkdir -p /etc/nginx/ssl && \
openssl req -x509 -nodes -days 365 \
-newkey rsa:2048 \
-keyout /etc/nginx/ssl/dummy.key \
-out /etc/nginx/ssl/dummy.crt \
-subj "/C=US/ST=State/L=City/O=Organization/CN=localhost"
# Генерация самоподписанных сертификатов (действительны 365 дней)
RUN openssl req -x509 -nodes -days 365 \
-newkey rsa:2048 \
-keyout /etc/nginx/ssl/dummy.key \
-out /etc/nginx/ssl/dummy.crt \
-subj "/C=US/ST=State/L=City/O=Organization/CN=localhost"
RUN mkdir -p /var/www/certbot /etc/nginx/conf.d /etc/nginx/conf.available
# Копируем обе конфигурации
COPY nginx-http.conf /etc/nginx/nginx-http.conf
COPY nginx-ssl.conf /etc/nginx/nginx-ssl.conf
# Создаем симлинк по умолчанию на HTTP конфиг
RUN ln -sf /etc/nginx/nginx-http.conf /etc/nginx/conf.d/default.conf
# Скрипт для проверки сертификатов и переключения конфига
COPY switch-config.sh /docker-entrypoint.d/switch-config.sh
# per-domain entrypoint для проверки сертификатов
COPY entrypoint.sh /docker-entrypoint.d/switch-config.sh
RUN chmod +x /docker-entrypoint.d/switch-config.sh
# Создаем необходимые директории
RUN mkdir -p /var/www/certbot
main_dc/nginx/conf.available/00-http.conf
+14
View File
@@ -0,0 +1,14 @@
# Автоматически сгенерировано generate-configs.sh
server {
listen 80 default_server;
server_name _;
location / {
root /usr/share/nginx/stub/html;
index index.html;
}
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
}
main_dc/nginx/conf.available/10-yalarba.http.conf
+38
View File
@@ -0,0 +1,38 @@
# HTTP fallback for yalarba.ru (no SSL cert)
server {
listen 80;
server_name yalarba.ru www.yalarba.ru;
location / {
proxy_pass http://yalarba:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
}
location /api/v1/ {
proxy_pass http://api_yal:8787;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
}
main_dc/nginx/conf.available/10-yalarba.ssl.conf
+48
View File
@@ -0,0 +1,48 @@
# CERT_DOMAIN=yalarba.ru
# Автоматически сгенерировано generate-configs.sh
server {
listen 443 ssl;
server_name yalarba.ru www.yalarba.ru;
ssl_certificate /etc/letsencrypt/live/yalarba.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yalarba.ru/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
location / {
proxy_pass http://yalarba:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
}
location /api/v1/ {
proxy_pass http://api_yal:8787;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
}
main_dc/nginx/conf.available/20-valitovgaziz.http.conf
+38
View File
@@ -0,0 +1,38 @@
# HTTP fallback for valitovgaziz.ru (no SSL cert)
server {
listen 80;
server_name valitovgaziz.ru www.valitovgaziz.ru;
location / {
proxy_pass http://valitovgaziz/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
}
location /api/ {
proxy_pass http://analytics:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
}
main_dc/nginx/conf.available/20-valitovgaziz.ssl.conf
+48
View File
@@ -0,0 +1,48 @@
# CERT_DOMAIN=valitovgaziz.ru
# Автоматически сгенерировано generate-configs.sh
server {
listen 443 ssl;
server_name valitovgaziz.ru www.valitovgaziz.ru;
ssl_certificate /etc/letsencrypt/live/valitovgaziz.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/valitovgaziz.ru/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
location / {
proxy_pass http://valitovgaziz/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
}
location /api/ {
proxy_pass http://analytics:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
}
main_dc/nginx/conf.available/30-easysite102.http.conf
+38
View File
@@ -0,0 +1,38 @@
# HTTP fallback for easysite102.ru (no SSL cert)
server {
listen 80;
server_name easysite102.ru www.easysite102.ru;
location / {
proxy_pass http://easysite:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
}
location /api/v1/ {
proxy_pass http://api_yal:8787;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
}
main_dc/nginx/conf.available/30-easysite102.ssl.conf
+48
View File
@@ -0,0 +1,48 @@
# CERT_DOMAIN=easysite102.ru
# Автоматически сгенерировано generate-configs.sh
server {
listen 443 ssl;
server_name easysite102.ru www.easysite102.ru;
ssl_certificate /etc/letsencrypt/live/easysite102.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/easysite102.ru/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
location / {
proxy_pass http://easysite:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
}
location /api/v1/ {
proxy_pass http://api_yal:8787;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
}
main_dc/nginx/conf.available/40-begushiybashkir.http.conf
+39
View File
@@ -0,0 +1,39 @@
# HTTP fallback for begushiybashkir.ru (no SSL cert)
server {
listen 80;
server_name begushiybashkir.ru www.begushiybashkir.ru;
location / {
root /usr/share/nginx/begushiybashkir/html;
index index.html;
try_files $uri $uri/ /index.html;
}
location /api/ {
proxy_pass http://api_bb:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
location /uploads/ {
alias /uploads/;
expires 1y;
add_header Cache-Control "public, immutable";
}
}
main_dc/nginx/conf.available/40-begushiybashkir.ssl.conf
+48
View File
@@ -0,0 +1,48 @@
# CERT_DOMAIN=begushiybashkir.ru
# Автоматически сгенерировано generate-configs.sh
server {
listen 443 ssl;
server_name begushiybashkir.ru www.begushiybashkir.ru;
ssl_certificate /etc/letsencrypt/live/begushiybashkir.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/begushiybashkir.ru/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
location / {
root /usr/share/nginx/begushiybashkir/html;
index index.html;
try_files $uri $uri/ /index.html;
}
location /api/ {
proxy_pass http://api_bb:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
location /uploads/ {
alias /uploads/;
expires 1y;
add_header Cache-Control "public, immutable";
}
}
main_dc/nginx/conf.available/50-begushiybashkir_idn.http.conf
+39
View File
@@ -0,0 +1,39 @@
# HTTP fallback for xn--80abahjtcfl5d0a8di.xn--p1ai (no SSL cert)
server {
listen 80;
server_name xn--80abahjtcfl5d0a8di.xn--p1ai www.xn--80abahjtcfl5d0a8di.xn--p1ai;
location / {
root /usr/share/nginx/begushiybashkir/html;
index index.html;
try_files $uri $uri/ /index.html;
}
location /api/ {
proxy_pass http://api_bb:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
location /uploads/ {
alias /uploads/;
expires 1y;
add_header Cache-Control "public, immutable";
}
}
main_dc/nginx/conf.available/50-begushiybashkir_idn.ssl.conf
+48
View File
@@ -0,0 +1,48 @@
# CERT_DOMAIN=xn--80abahjtcfl5d0a8di.xn--p1ai
# Автоматически сгенерировано generate-configs.sh
server {
listen 443 ssl;
server_name xn--80abahjtcfl5d0a8di.xn--p1ai www.xn--80abahjtcfl5d0a8di.xn--p1ai;
ssl_certificate /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
location / {
root /usr/share/nginx/begushiybashkir/html;
index index.html;
try_files $uri $uri/ /index.html;
}
location /api/ {
proxy_pass http://api_bb:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
location /uploads/ {
alias /uploads/;
expires 1y;
add_header Cache-Control "public, immutable";
}
}
main_dc/nginx/conf.d/.gitkeep
View File
main_dc/nginx/entrypoint.sh
Executable
+37
View File
@@ -0,0 +1,37 @@
#!/bin/bash
# entrypoint.sh — per-domain HTTPS переключение
# Для каждого домена проверяет сертификат и активирует SSL или HTTP конфиг
set -euo pipefail
CONF_AVAILABLE="/etc/nginx/conf.available"
CONF_D="/etc/nginx/conf.d"
CERT_DIR="/etc/letsencrypt/live"
rm -f "$CONF_D"/*.conf
# базовый HTTP (ACME challenge, catch-all redirect)
if [ -f "$CONF_AVAILABLE/00-http.conf" ]; then
ln -sf "$CONF_AVAILABLE/00-http.conf" "$CONF_D/00-http.conf"
fi
# per-domain конфиги
shopt -s nullglob
for ssl_conf in "$CONF_AVAILABLE"/*.ssl.conf; do
base="$(basename "$ssl_conf" .ssl.conf)"
http_conf="$CONF_AVAILABLE/$base.http.conf"
# CERT_DOMAIN в первой строке: # CERT_DOMAIN=example.ru
cert_domain="$(head -1 "$ssl_conf" | grep -oP '(?<=# CERT_DOMAIN=).+')" || true
if [ -n "$cert_domain" ] && [ -f "$CERT_DIR/$cert_domain/fullchain.pem" ]; then
ln -sf "$ssl_conf" "$CONF_D/$base.ssl.conf"
echo "$base → HTTPS ($cert_domain)"
elif [ -f "$http_conf" ]; then
ln -sf "$http_conf" "$CONF_D/$base.http.conf"
echo "$base → HTTP (no cert for $cert_domain)"
fi
done
echo "---"
ls -la "$CONF_D/" | grep -v '^total'
nginx -t
main_dc/nginx/nginx-http.conf
+18 -9
View File
@@ -1,16 +1,18 @@
# Автоматически сгенерировано generate-configs.sh — не редактировать вручную
# HTTP-only конфигурация (работает когда нет сертификатов)
server {
listen 80;
server_name yalarba.ru \
www.yalarba.ru \
easysite102.ru \
www.easysite102.ru \
valitovgaziz.ru \
www.valitovgaziz.ru \
xn--80abahjtcfl5d0a8di.xn--p1ai \
www.xn--80abahjtcfl5d0a8di.xn--p1ai \
easysite102.ru \
www.easysite102.ru \
begushiybashkir.ru \
www.begushiybashkir.ru \
auth.yalarba.ru;
xn--80abahjtcfl5d0a8di.xn--p1ai \
www.xn--80abahjtcfl5d0a8di.xn--p1ai;
location / {
root /usr/share/nginx/stub/html;
@@ -25,12 +27,19 @@ server {
# Блок для HTTPS → HTTP редиректа (порт 443)
server {
listen 443 ssl;
server_name yalarba.ru www.yalarba.ru easysite102.ru www.easysite102.ru valitovgaziz.ru www.valitovgaziz.ru xn--80abahjtcfl5d0a8di.xn--p1ai www.xn--80abahjtcfl5d0a8di.xn--p1ai begushiybashkir.ru www.begushiybashkir.ru;
server_name yalarba.ru \
www.yalarba.ru \
valitovgaziz.ru \
www.valitovgaziz.ru \
easysite102.ru \
www.easysite102.ru \
begushiybashkir.ru \
www.begushiybashkir.ru \
xn--80abahjtcfl5d0a8di.xn--p1ai \
www.xn--80abahjtcfl5d0a8di.xn--p1ai;
# Указание пустых сертификатов (обязательно для запуска Nginx)
ssl_certificate /etc/nginx/ssl/dummy.crt;
ssl_certificate_key /etc/nginx/ssl/dummy.key;
# Редирект всех HTTPS-запросов на HTTP
return 301 http://$host$request_uri;
}
}
main_dc/nginx/nginx-ssl.conf
+81 -222
View File
@@ -1,130 +1,52 @@
# ================================================
# КОНФИГУРАЦИЯ NGINX С ПОДДЕРЖКОЙ SSL
# Основные задачи:
# 1. Перенаправление HTTP → HTTPS
# 2. Обслуживание статических файлов
# 3. Проксирование к backend сервисам
# 4. Поддержка нескольких доменов
# ================================================
# Автоматически сгенерировано generate-configs.sh — не редактировать вручную
# Полная HTTPS конфигурация
# ================================================
# БЛОК 1: HTTP СЕРВЕР (ПОРТ 80)
# ================================================
# --- HTTP → HTTPS редирект ---
server {
# Прослушивание порта 80 для всех входящих HTTP соединений
listen 80;
# Список доменов, которые обслуживает этот сервер
# Все запросы к этим доменам по HTTP будут обработаны здесь
server_name yalarba.ru www.yalarba.ru
valitovgaziz.ru www.valitovgaziz.ru
easysite102.ru www.easysite102.ru
begushiybashkir.ru
xn--80abahjtcfl5d0a8di.xn--p1ai; # Punycode для IDN домена
# ============================================
# ЛОКАЦИЯ: Проверочные файлы для Certbot
# ============================================
# Этот блок КРИТИЧЕСКИ ВАЖЕН для получения SSL сертификатов
# Certbot (Let's Encrypt) размещает здесь временные файлы
# для подтверждения владения доменом
server_name yalarba.ru www.yalarba.ru valitovgaziz.ru www.valitovgaziz.ru easysite102.ru www.easysite102.ru begushiybashkir.ru www.begushiybashkir.ru xn--80abahjtcfl5d0a8di.xn--p1ai www.xn--80abahjtcfl5d0a8di.xn--p1ai;
location /.well-known/acme-challenge/ {
# Директория, где Certbot хранит проверочные файлы
root /var/www/certbot;
# Дополнительные настройки не нужны - nginx просто отдает файлы
}
# ============================================
# ЛОКАЦИЯ: Основное перенаправление
# ============================================
# Все HTTP запросы перенаправляются на HTTPS
# Это обеспечивает безопасность и правильную SEO-практику
location / {
# 301 - постоянный редирект (лучше для SEO, кэшируется браузерами)
# https://$host$request_uri - сохраняет домен и полный путь запроса
return 301 https://$host$request_uri;
# Пример:
# HTTP: http://example.com/page?param=1
# ↓ перенаправление ↓
# HTTPS: https://example.com/page?param=1
}
# ============================================
# ЛОКАЦИЯ: Загруженные файлы
# ============================================
# Обслуживание статических файлов (загрузок) по HTTP
# Может быть полезно для прямых ссылок или кэширования
location /uploads/ {
# Псевдоним пути - запросы к /uploads/ обслуживаются из /uploads/ на диске
alias /uploads/;
# Кэширование в браузере на 1 год
expires 1y;
# Заголовки кэширования:
# "public" - может кэшироваться прокси-серверами
# "immutable" - файлы никогда не меняются, браузер не проверяет обновления
add_header Cache-Control "public, immutable";
# Если файл не найден - вернуть 404 ошибку
try_files $uri =404;
}
location / {
return 301 https://$host$request_uri;
}
}
# ================================================
# БЛОК 2: HTTPS СЕРВЕР ДЛЯ YALARBA.RU
# ================================================
# --- HTTPS серверные блоки ---
server {
# Прослушивание порта 443 с SSL/TLS шифрованием
listen 443 ssl;
# Домены для этого сервера
server_name yalarba.ru www.yalarba.ru;
# ============================================
# НАСТРОЙКИ SSL СЕРТИФИКАТОВ
# ============================================
# Пути к SSL сертификатам, сгенерированным Certbot
ssl_certificate /etc/letsencrypt/live/yalarba.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yalarba.ru/privkey.pem;
# ============================================
# НАСТРОЙКИ БЕЗОПАСНОСТИ SSL
# ============================================
# Разрешенные протоколы - только современные безопасные версии
ssl_protocols TLSv1.2 TLSv1.3;
# Сервер выбирает шифры (не клиент)
ssl_prefer_server_ciphers on;
# Список безопасных шифров
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# ============================================
# ЛОКАЦИЯ: Nuxt 4 SSR приложение
# ============================================
location / {
# Проксирование к Nuxt.js SSR серверу
proxy_pass http://yalarba:3000;
# Полный набор заголовков для корректной работы приложения
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
# Длинные таймауты
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
}
# ============================================
# ЛОКАЦИЯ: REST API (api_yal)
# ============================================
location /api/v1/ {
proxy_pass http://api_yal:8787;
proxy_set_header Host $host;
@@ -135,28 +57,30 @@ server {
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
}
# ================================================
# БЛОК 3: HTTPS СЕРВЕР ДЛЯ VALITOVGAZIZ.RU
# ================================================
server {
listen 443 ssl;
server_name valitovgaziz.ru www.valitovgaziz.ru;
# Свой SSL сертификат для этого домена
ssl_certificate /etc/letsencrypt/live/valitovgaziz.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/valitovgaziz.ru/privkey.pem;
# Те же настройки безопасности SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# ============================================
# ЛОКАЦИЯ: Проксирование к Vue SPA контейнеру
# ============================================
location / {
proxy_pass http://valitovgaziz/;
proxy_set_header Host $host;
@@ -169,79 +93,59 @@ server {
proxy_read_timeout 600;
}
# ============================================
# ЛОКАЦИЯ: API для аналитики
# ============================================
location /api/ {
proxy_pass http://analytics:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "POST, GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
add_header Access-Control-Allow-Credentials "true" always;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
}
}
# ================================================
# БЛОК 4: HTTPS СЕРВЕР ДЛЯ EASYSITE102.RU
# ================================================
server {
listen 443 ssl;
server_name easysite102.ru www.easysite102.ru;
# Свой SSL сертификат
ssl_certificate /etc/letsencrypt/live/easysite102.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/easysite102.ru/privkey.pem;
# Безопасные настройки SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# ============================================
# ЛОКАЦИЯ: Проксирование к Nuxt.js приложению
# ============================================
location / {
# ВСЕ запросы проксируются к Nuxt.js серверу
proxy_pass http://easysite:3000;
# Полный набор заголовков для корректной работы приложения
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
# Длинные таймауты для работы приложения
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
}
# ============================================
# ЛОКАЦИЯ: API Backend для Easysite (api_yal)
# ============================================
location /api/v1/ {
proxy_pass http://api_yal:8787;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
@@ -255,111 +159,26 @@ server {
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
}
# ================================================
# БЛОК 5: HTTPS СЕРВЕР ДЛЯ IDN ДОМЕНА
# (Punycode для "бегущийбашкир.рф")
# ================================================
server {
listen 443 ssl;
# Punycode представление кириллического домена
server_name xn--80abahjtcfl5d0a8di.xn--p1ai
www.xn--80abahjtcfl5d0a8di.xn--p1ai;
# Отдельный сертификат для IDN домена
ssl_certificate /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/privkey.pem;
# Стандартные SSL настройки
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# ============================================
# ЛОКАЦИЯ: SPA приложение (такое же как begushiybashkir.ru)
# ============================================
location / {
root /usr/share/nginx/begushiybashkir/html;
index index.html;
try_files $uri $uri/ /index.html;
}
# ============================================
# ЛОКАЦИЯ: API для "Бегущий Башкир"
# ============================================
location /api/ {
proxy_pass http://api_bb:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
# Те же CORS настройки что и у Easysite
if ($request_method = OPTIONS ) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
# ============================================
# ЛОКАЦИЯ: Загруженные файлы (статическое обслуживание)
# ============================================
location /uploads/ {
# Обслуживание файлов загрузок напрямую из файловой системы
alias /uploads/;
# Долгое кэширование - файлы загрузок редко меняются
expires 1y;
add_header Cache-Control "public, immutable";
# try_files не нужен - nginx сам проверит существование файла
}
}
# ================================================
# БЛОК 6: HTTPS СЕРВЕР ДЛЯ BEGUSHIYBASHKIR.RU
# (ДУБЛИРУЕТ БЛОК 5 С ДРУГИМ ДОМЕНОМ)
# ================================================
server {
listen 443 ssl;
server_name begushiybashkir.ru www.begushiybashkir.ru;
# Свой SSL сертификат для этого домена
ssl_certificate /etc/letsencrypt/live/begushiybashkir.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/begushiybashkir.ru/privkey.pem;
# Стандартные SSL настройки
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# ВНИМАНИЕ: Весь контент ниже ДОСЛОВНО ДУБЛИРУЕТ
# предыдущий серверный блок для IDN домена
# ============================================
# ЛОКАЦИЯ: SPA приложение
# ============================================
location / {
root /usr/share/nginx/begushiybashkir/html;
index index.html;
try_files $uri $uri/ /index.html;
}
# ============================================
# ЛОКАЦИЯ: API для "Бегущий Башкир"
# ============================================
location /api/ {
proxy_pass http://api_bb:8080/;
proxy_set_header Host $host;
@@ -371,8 +190,7 @@ server {
proxy_send_timeout 600;
proxy_read_timeout 600;
# Копия CORS настроек
if ($request_method = OPTIONS ) {
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
@@ -381,17 +199,58 @@ server {
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
location /uploads/ {
alias /uploads/;
expires 1y;
add_header Cache-Control "public, immutable";
}
}
server {
listen 443 ssl;
server_name xn--80abahjtcfl5d0a8di.xn--p1ai www.xn--80abahjtcfl5d0a8di.xn--p1ai;
ssl_certificate /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
location / {
root /usr/share/nginx/begushiybashkir/html;
index index.html;
try_files $uri $uri/ /index.html;
}
location /api/ {
proxy_pass http://api_bb:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
# ============================================
# ЛОКАЦИЯ: Загруженные файлы
# ============================================
location /uploads/ {
alias /uploads/;
expires 1y;
add_header Cache-Control "public, immutable";
}
}
# ================================================
# КОНЕЦ КОНФИГУРАЦИИ
# ================================================