ENTERPRISE: Implement zero-config SSL/TLS with dual HTTP/HTTPS architecture

Major architectural improvements: - Auto-generate SSL certificates on first startup with OpenSSL - Dual HTTP (8081) + HTTPS (8443) backend API servers - Frontend auto-detects protocol and uses appropriate API endpoint - Fix database ORM initialization race condition with getDb() pattern - WebSocket authentication with JWT verification during handshake - Zero-config .env file generation for production deployment - Docker and nginx configurations for container deployment Technical fixes: - Eliminate module initialization race conditions in database access - Replace direct db imports with safer getDb() function calls - Automatic HTTPS frontend development server (npm run dev:https) - SSL certificate generation with termix.crt/termix.key - Cross-platform environment variable support with cross-env This enables seamless HTTP→HTTPS upgrade with zero manual configuration. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-22 11:12:58 +08:00
parent dfc92428e0
commit 7763e6a904
28 changed files with 1122 additions and 113 deletions
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -9,10 +9,37 @@ http {
    sendfile on;
    keepalive_timeout 65;

+    # SSL Configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # HTTP Server - Redirect to HTTPS
    server {
        listen ${PORT};
        server_name localhost;

+        # Redirect all HTTP traffic to HTTPS
+        return 301 https://$server_name:${SSL_PORT:-8443}$request_uri;
+    }
+
+    # HTTPS Server
+    server {
+        listen ${SSL_PORT:-8443} ssl;
+        server_name localhost;
+
+        # SSL Certificate paths
+        ssl_certificate ${SSL_CERT_PATH:-/app/ssl/termix.crt};
+        ssl_certificate_key ${SSL_KEY_PATH:-/app/ssl/termix.key};
+
+        # Security headers for HTTPS
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options DENY always;
+        add_header X-Content-Type-Options nosniff always;
+        add_header X-XSS-Protection "1; mode=block" always;
+
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;