Files
ss-tools/docker/nginx.ssl.conf
2026-05-20 09:59:03 +03:00

66 lines
2.5 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# #region docker.nginx.ssl.conf [C:3] [TYPE Module] [SEMANTICS nginx,ssl,https,enterprise]
# @BRIEF Nginx config с опциональным SSL — HTTP (порт 80) + HTTPS (порт 443).
# Используется frontend.entrypoint.sh, если найдены server.crt + server.key.
# @PRE SSL сертификаты: /etc/nginx/ssl/server.crt и /etc/nginx/ssl/server.key.
# Внутренний Docker DNS: backend:8000 для API/WS прокси.
# @POST HTTP (80) редиректит на HTTPS (443) если SSL включён.
# HTTPS (443) сервит статику + прокси /api/ и /ws/ на backend.
# @LAYER Infrastructure
# @RELATION DEPENDS_ON -> [docker/frontend.entrypoint.sh]
# @RELATION DEPENDS_ON -> [docker/nginx.conf]
# @INVARIANT Порт 80 всегда открыт (fallback для HTTP-only окружений).
# @INVARIANT /api/ и /ws/ проксируются на http://backend:8000 (без TLS внутри compose-сети).
# @REJECTED Прокси на HTTPS внутри compose-сети отвергнут — избыточно.
# #endregion docker.nginx.ssl.conf
server {
listen 80 default_server;
server_name _;
# Редирект на HTTPS если сертификаты установлены
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
server_name _;
resolver 127.0.0.11 ipv6=off;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
root /usr/share/nginx/html;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /api/ {
set $backend_api http://backend:8000;
proxy_pass $backend_api;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 300s;
}
location /ws/ {
set $backend_ws http://backend:8000;
proxy_pass $backend_ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 300s;
}
}