diff --git a/docker-compose.yaml b/docker-compose.yaml
index b796190..531b77a 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -53,28 +53,19 @@ services:
       dockerfile: Dockerfile
     env_file:
       - .env
-    ports:
-      - "${HTTP_OUTER_PORT}:${HTTP_INNER_PORT}"
-      - "${HTTPS_OUTER_PORT}:${HTTPS_INNER_PORT}"
-    depends_on:
-      - api
-      - db
-      - migrator
-    restart: unless-stopped
 
   nginx:
     build:
       context: ./nginx
       dockerfile: Dockerfile
-    env_file:
-      - .env
+    env_file: .env
     container_name: nginx
     restart: unless-stopped
     ports:
       - "80:80"
       - "443:443"
     volumes:
-      - ./nginx/configs:/etc/nginx/conf.d
+      - ./nginx/configs/nginx.conf.template:/etc/nginx/templates/nginx.conf.template
       - certbot-etc:/etc/letsencrypt
       - ./spa/app:/var/www/yalarba.ru/html
     networks:
@@ -88,9 +79,9 @@ services:
     volumes:
       - certbot-etc:/etc/letsencrypt
       - certbot-var:/var/lib/letsencrypt
-    command: sh -c "certbot certonly --standalone -p ${CERBOT_PORT} --noninteractive --agree-tos --email ${EMAIL} -d ${DOMAINS} --keep-until-expiring"
     env_file:
       - .env
+    command: sh -c "certbot certonly --standalone -p ${CERTBOT_PORT} --noninteractive --agree-tos --email ${EMAIL} -d ${DOMAINS} --keep-until-expiring"
     restart: unless-stopped
 
 volumes:
diff --git a/nginx/configs/nginx.conf b/nginx/configs/nginx.conf
index 5280e9b..1da69c3 100644
--- a/nginx/configs/nginx.conf
+++ b/nginx/configs/nginx.conf
@@ -10,8 +10,8 @@ server {
 
 # HTTPS — основной сервер
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
     server_name yalarba.ru www.yalarba.ru;
 
     # Пути к SSL-сертификату (например, от Let's Encrypt)
diff --git a/nginx/configs/nginx.conf.template b/nginx/configs/nginx.conf.template
new file mode 100644
index 0000000..1da69c3
--- /dev/null
+++ b/nginx/configs/nginx.conf.template
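Review bot: The new volume line `./nginx/configs/nginx.conf.template:/etc/nginx/templates/nginx.conf.template` only produces a usable config if the image built from `./nginx` (its Dockerfile is outside this diff) is based on the official nginx image, whose entrypoint renders `/etc/nginx/templates/*.template` into `/etc/nginx/conf.d/` with envsubst; the template's `${CERTBOT_PORT}` must therefore be present in the `.env` this service now loads. That entrypoint substitutes every variable defined in the container environment, so any name in `.env` that shadows an nginx variable the template uses (`$uri`, `$request_uri`, `$server_name`) would be rewritten into the rendered config — worth a comment on the volume line: `# rendered by the nginx image entrypoint (envsubst over all defined env vars); keep .env free of names that shadow nginx variables, or set NGINX_ENVSUBST_FILTER`. The spa service also loses `restart: unless-stopped` together with its ports and depends_on; if only the port/dependency cleanup was intended, the restart policy should stay.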
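Review bot: The corrected `command` still routes a fixed argument list through `sh -c` with unquoted `${CERTBOT_PORT}`, `${EMAIL}` and `${DOMAINS}`; Compose interpolates these into the string before the shell runs, so a value containing whitespace or shell metacharacters is word-split or interpreted by the shell. Nothing in the command needs a shell, so the exec-form list removes it: `command: ["certbot", "certonly", "--standalone", "-p", "${CERTBOT_PORT}", "--noninteractive", "--agree-tos", "--email", "${EMAIL}", "-d", "${DOMAINS}", "--keep-until-expiring"]`. This service keeps `env_file` in list form while the nginx service in the previous hunk was changed to the scalar `env_file: .env`; one form should be used throughout the file. The certbot service definition begins above this hunk.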
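Review bot: Dropping `http2` from both `listen` lines disables HTTP/2 rather than modernising the syntax; on nginx 1.25.1 and later the listen parameter is deprecated in favour of a directive, so if HTTP/2 is still wanted add `http2 on;` beside the listen lines (the same applies to the new template file). Separately, the index line gives this file's new blob as `1da69c3`, the same blob the new `nginx.conf.template` is created with, and the compose change no longer mounts `nginx/configs/` into the container, which suggests `nginx.conf` is now an unused copy that would also contain an unrendered `${CERTBOT_PORT}` in a `listen` directive; consider deleting it so only the template is maintained.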
@@ -0,0 +1,65 @@
+# HTTP — редирект на HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name yalarb.ru www.yalarb.ru;
+
+    # Перенаправление всех HTTP-запросов на HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+# HTTPS — основной сервер
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name yalarba.ru www.yalarba.ru;
+
+    # Пути к SSL-сертификату (например, от Let's Encrypt)
+    ssl_certificate /etc/letsencrypt/live/yalarba.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/yalarba.ru/privkey.pem;
+
+    # Настройки SSL
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # Корневая директория сайта
+    root /var/www/yalarba.ru/html;
+    index index.html index.htm index.nginx-debian.html;
+
+    # Дополнительные заголовки безопасности
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # Обработка статических файлов
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Запрет доступа к скрытым файлам (например, .htaccess)
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Настройки для PHP (если используется)
+    # location ~ \.php$ {
+    #     include snippets/fastcgi-php.conf;
+    #     fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+    # }
+}
+
+# HTTP for certbot ssl certificate alterante port
+server {
+    listen ${CERTBOT_PORT}; # альтернативный порт для Certbot
+    location ~ /.well-known {
+        allow all;
+    }
+}
diff --git a/spa/Dockerfile b/spa/Dockerfile
index 871dcc9..cddcac5 100644
--- a/spa/Dockerfile
+++ b/spa/Dockerfile
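Review bot: The port-80 server block declares `server_name yalarb.ru www.yalarb.ru;` while every other reference in the file is `yalarba.ru`, so the redirect block does not match the real host names, and since `$server_name` expands to the block's first name, `return 301 https://$server_name$request_uri;` would send clients to `https://yalarb.ru/...`. Fix the names with `server_name yalarba.ru www.yalarba.ru;`; `return 301 https://$host$request_uri;` would additionally preserve the requested `www` form, but only if this block is not also the port's default server, because `$host` is client-supplied. `ssl_stapling on;` with `ssl_stapling_verify on;` also needs a `resolver` directive to look up the OCSP responder (and `ssl_trusted_certificate` for verification); without it nginx logs a warning and serves no stapled response. `X-XSS-Protection` is no longer honoured by current browsers and the usual guidance is to set it to `0` or drop it. The third server block listens on `${CERTBOT_PORT}`, which the compose `ports:` list does not publish, so it is reachable only from the compose network.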
@@ -1,8 +1,2 @@
-# Используем официальный образ Nginx
-FROM nginx:alpine
-
-# Копируем index.html в папку Nginx
-COPY index.html /usr/share/nginx/html/
-
-# (Опционально) Можно заменить конфиг Nginx
-COPY nginx/nginx.conf /etc/nginx/conf.d/default.conf
+# Используем Node.js для сборки
+FROM node:18-alpine as builder
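Review bot: The new build stage starts from the floating tag `node:18-alpine`; Node.js 18 reached end of life in 2025 and no longer receives security fixes, and a major-only tag resolves to whatever patch is current at build time, so builds are not reproducible. Prefer a currently supported LTS line with a more specific tag, e.g. `FROM node:20-alpine AS builder`, and pin further (minor tag or digest) if the project wants repeatable builds; Docker's linter also expects `AS` in upper case to match `FROM`. The rest of the Dockerfile, including whatever final stage replaces the removed nginx image, lies outside this hunk.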