7763e6a904
Major architectural improvements: - Auto-generate SSL certificates on first startup with OpenSSL - Dual HTTP (8081) + HTTPS (8443) backend API servers - Frontend auto-detects protocol and uses appropriate API endpoint - Fix database ORM initialization race condition with getDb() pattern - WebSocket authentication with JWT verification during handshake - Zero-config .env file generation for production deployment - Docker and nginx configurations for container deployment Technical fixes: - Eliminate module initialization race conditions in database access - Replace direct db imports with safer getDb() function calls - Automatic HTTPS frontend development server (npm run dev:https) - SSL certificate generation with termix.crt/termix.key - Cross-platform environment variable support with cross-env This enables seamless HTTP→HTTPS upgrade with zero manual configuration. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
212 lines
7.6 KiB
Nginx Configuration File
212 lines
7.6 KiB
Nginx Configuration File
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
include mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
sendfile on;
|
|
keepalive_timeout 65;
|
|
|
|
# SSL Configuration
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
|
|
# HTTP Server - Redirect to HTTPS
|
|
server {
|
|
listen ${PORT};
|
|
server_name localhost;
|
|
|
|
# Redirect all HTTP traffic to HTTPS
|
|
return 301 https://$server_name:${SSL_PORT:-8443}$request_uri;
|
|
}
|
|
|
|
# HTTPS Server
|
|
server {
|
|
listen ${SSL_PORT:-8443} ssl;
|
|
server_name localhost;
|
|
|
|
# SSL Certificate paths
|
|
ssl_certificate ${SSL_CERT_PATH:-/app/ssl/termix.crt};
|
|
ssl_certificate_key ${SSL_KEY_PATH:-/app/ssl/termix.key};
|
|
|
|
# Security headers for HTTPS
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Frame-Options DENY always;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
location / {
|
|
root /usr/share/nginx/html;
|
|
index index.html index.htm;
|
|
}
|
|
|
|
location ~ ^/users(/.*)?$ {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location ~ ^/version(/.*)?$ {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location ~ ^/releases(/.*)?$ {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location ~ ^/alerts(/.*)?$ {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location ~ ^/credentials(/.*)?$ {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /ssh/ {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# WebSocket proxy for authenticated terminal connections
|
|
location /ssh/websocket/ {
|
|
# Pass to WebSocket server with authentication support
|
|
proxy_pass http://127.0.0.1:8082/;
|
|
proxy_http_version 1.1;
|
|
|
|
# WebSocket upgrade headers
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_cache_bypass $http_upgrade;
|
|
|
|
# Pass client information for authentication logging
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Important: Pass query parameters (contains JWT token)
|
|
proxy_pass_request_args on;
|
|
|
|
# WebSocket timeouts (longer for terminal sessions)
|
|
proxy_read_timeout 86400s; # 24 hours
|
|
proxy_send_timeout 86400s; # 24 hours
|
|
proxy_connect_timeout 10s; # Quick auth check
|
|
|
|
# Disable buffering for real-time terminal
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
|
|
# Handle connection errors gracefully
|
|
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
|
|
}
|
|
|
|
location /ssh/tunnel/ {
|
|
proxy_pass http://127.0.0.1:8083;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /ssh/file_manager/recent {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /ssh/file_manager/pinned {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /ssh/file_manager/shortcuts {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /ssh/file_manager/ssh/ {
|
|
proxy_pass http://127.0.0.1:8084;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /health {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location ~ ^/status(/.*)?$ {
|
|
proxy_pass http://127.0.0.1:8085;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location ~ ^/metrics(/.*)?$ {
|
|
proxy_pass http://127.0.0.1:8085;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
error_page 500 502 503 504 /50x.html;
|
|
location = /50x.html {
|
|
root /usr/share/nginx/html;
|
|
}
|
|
}
|
|
} |