From 04a0a6ddf4dc8c8a23f793014f575768cc5bc181 Mon Sep 17 00:00:00 2001 From: Stepan Vladovskiy Date: Fri, 20 Dec 2024 14:35:59 -0300 Subject: [PATCH 1/2] debug: Sigil back to map with only discours.io domain --- .gitea/workflows/main.yml | 4 +- nginx.conf.sigil | 119 ++++++++++++++++++-------------------- 2 files changed, 58 insertions(+), 65 deletions(-) diff --git a/.gitea/workflows/main.yml b/.gitea/workflows/main.yml index 935386fd..18730b95 100644 --- a/.gitea/workflows/main.yml +++ b/.gitea/workflows/main.yml @@ -26,10 +26,10 @@ jobs: ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }} - name: Push to dokku for dev branch - if: github.ref == 'refs/heads/dev' && steps.check_container.outcome == 'success' + if: github.ref == 'refs/heads/dev' uses: dokku/github-action@master with: branch: 'dev' force: true - git_remote_url: 'ssh://dokku@staging.discours.io:22/core' + git_remote_url: 'ssh://dokku@v2.discours.io:22/core' ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }} diff --git a/nginx.conf.sigil b/nginx.conf.sigil index b4a94bc7..3ded5032 100644 --- a/nginx.conf.sigil +++ b/nginx.conf.sigil 
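Review bot: The dev deploy step's `if:` now tests only the branch, so the `steps.check_container.outcome == 'success'` gate is gone and the push to dokku runs even when the container check step (defined above this hunk, not visible here) failed or was skipped. If the gate was dropped only for debugging, as the commit title suggests, restore it before this lands, `if: github.ref == 'refs/heads/dev' && steps.check_container.outcome == 'success'`, or add a comment on the step recording why the check is no longer a precondition for deploying. The remote now points at `v2.discours.io`; whether the deploy key in `secrets.SSH_PRIVATE_KEY` is authorised on that host is outside this hunk.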
@@ -1,21 +1,17 @@ {{ $proxy_settings := "proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header Host $http_host; proxy_set_header X-Request-Start $msec;" }} {{ $gzip_settings := "gzip on; gzip_min_length 1100; gzip_buffers 4 32k; gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml; gzip_vary on; gzip_comp_level 6;" }} +{{ $cors_headers_options := "if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '$allow_origin' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Max-Age' 1728000; add_header 'Content-Type' 'text/plain; charset=utf-8'; add_header 'Content-Length' 0; return 204; }" }} +{{ $cors_headers_post := "if ($request_method = 'POST') { add_header 'Access-Control-Allow-Origin' '$allow_origin' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; add_header 'Access-Control-Allow-Credentials' 'true' always; }" }} +{{ $cors_headers_get := "if ($request_method = 'GET') { add_header 'Access-Control-Allow-Origin' '$allow_origin' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; add_header 
'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; add_header 'Access-Control-Allow-Credentials' 'true' always; }" }} + map $http_origin $allow_origin { - "https://testing.dscrs.site" "https://testing.dscrs.site"; - "https://testing.discours.io" "https://testing.discours.io"; - "https://core.dscrs.site" "https://core.dscrs.site"; - "https://localhost:3000" "https://localhost:3000"; - default ""; + ~^https?:\/\/((.*\.)?localhost(:\d+)?|discoursio-webapp(-(.*))?\.vercel\.app|(.*\.)?discours\.io)$ $http_origin; + default ""; } -# Определим переменную для CORS заголовков -map $request_method $cors_method { - OPTIONS 204; - default $request_method; -} - -proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off; +proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g + inactive=60m use_temp_path=off; limit_conn_zone $binary_remote_addr zone=addr:10m; limit_req_zone $binary_remote_addr zone=req_zone:10m rate=20r/s; @@ -30,18 +26,10 @@ server { listen [::]:{{ $listen_port }}; listen {{ $listen_port }}; server_name {{ $.NOSSL_SERVER_NAME }}; - - # CORS headers first - add_header 'Access-Control-Allow-Origin' $allow_origin always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; - add_header 'Access-Control-Allow-Credentials' 'true' always; - add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; - add_header 'Access-Control-Max-Age' 1728000 always; - - # Then other headers access_log /var/log/nginx/{{ $.APP }}-access.log; error_log /var/log/nginx/{{ $.APP }}-error.log; client_max_body_size 100M; + {{ else if eq $scheme "https" }} listen [::]:{{ $listen_port }} ssl http2; listen {{ $listen_port }} ssl http2; 
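Review bot: The new `$allow_origin` map accepts `http://` as well as `https://` origins for every alternative, and the `$cors_headers_*` templates defined just above it reply with `Access-Control-Allow-Credentials 'true'`, so a plain-http page on any `*.discours.io` host, or on any localhost port, is granted credentialed cross-origin access; unless http origins are genuinely needed, limit the scheme to https for the non-local alternatives, e.g. `~^(https:\/\/((.*\.)?discours\.io|discoursio-webapp(-(.*))?\.vercel\.app)|https?:\/\/(.*\.)?localhost(:\d+)?)$ $http_origin;` (the second patch's extension of this same map inherits the issue). The reflected origin is also cacheable: none of the templates emits `Vary: Origin`, so a shared cache between the browser and this nginx could hand one origin's `Access-Control-Allow-Origin` to another; add `add_header 'Vary' 'Origin' always;` next to the ACAO header in each template, and in the mp3 block of this file's last hunk. The `discoursio-webapp(-(.*))?\.vercel\.app` alternative matches any hostname with that prefix, presumably to cover preview deployments; whether a hostname with that prefix can be obtained outside the project is worth confirming before it stays in the allow-list.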
@@ -60,25 +48,14 @@ server { client_max_body_size 100M; {{ end }} + location / { - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' $allow_origin always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; - add_header 'Access-Control-Allow-Credentials' 'true' always; - add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; - add_header 'Access-Control-Max-Age' 1728000 always; - return 204; - } - - proxy_hide_header 'Access-Control-Allow-Origin'; - proxy_hide_header 'Access-Control-Allow-Methods'; - proxy_hide_header 'Access-Control-Allow-Headers'; - proxy_hide_header 'Access-Control-Allow-Credentials'; - proxy_hide_header 'Access-Control-Max-Age'; - - proxy_pass http://{{ $.APP }}-{{ $upstream_port }}; + proxy_pass http://{{ $.APP }}-{{ $upstream_port }}; {{ $proxy_settings }} {{ $gzip_settings }} + {{ $cors_headers_options }} + {{ $cors_headers_post }} + {{ $cors_headers_get }} proxy_cache my_cache; proxy_cache_revalidate on; 
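Review bot: Dropping the five `proxy_hide_header 'Access-Control-*'` lines from `location /` means any CORS headers the upstream app emits now reach the client alongside those added by the `$cors_headers_*` templates; browsers reject a response carrying two `Access-Control-Allow-Origin` values, so if the app behind `{{ $.APP }}-{{ $upstream_port }}` sets its own (not visible here), credentialed requests will fail rather than succeed. Either keep `proxy_hide_header 'Access-Control-Allow-Origin';` and its sibling lines beside `proxy_pass`, or add a comment stating that CORS headers are now owned solely by nginx and the app must not emit them. Only OPTIONS, POST and GET receive headers here; other methods are proxied with none, which matches the advertised `Allow-Methods` but deserves a one-line comment so it is not read as an omission.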
@@ -87,57 +64,73 @@ server { proxy_cache_background_update on; proxy_cache_lock on; + # Connections and request limits increase (bad for DDos) limit_conn addr 10000; limit_req zone=req_zone burst=10 nodelay; } + # Custom location block for /upload + # location /upload { + # proxy_pass http://uploader-8080/; + # {{ $proxy_settings }} + # {{ $gzip_settings }} + # {{ $cors_headers_options }} + # {{ $cors_headers_post }} + # {{ $cors_headers_get }} + # } + location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ { - expires 30d; - add_header Cache-Control "public, no-transform"; + expires 30d; # This means that the client can cache these resources for 30 days. + add_header Cache-Control "public, no-transform"; } location ~* \.(mp3)$ { + if ($request_method = 'GET') { + add_header 'Access-Control-Allow-Origin' $allow_origin always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; + add_header 'Access-Control-Allow-Credentials' 'true' always; + } } + error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html; - location /400-error.html { - root /var/lib/dokku/data/nginx-vhosts/dokku-errors; - internal; - } + location /400-error.html { + root /var/lib/dokku/data/nginx-vhosts/dokku-errors; + internal; + } - error_page 404 /404-error.html; - location /404-error.html { - root /var/lib/dokku/data/nginx-vhosts/dokku-errors; - internal; - } + error_page 404 /404-error.html; + location /404-error.html { + root /var/lib/dokku/data/nginx-vhosts/dokku-errors; + internal; + } - error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html; - location /500-error.html { - root /var/lib/dokku/data/nginx-vhosts/dokku-errors; - internal; - } + 
error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html; + location /500-error.html { + root /var/lib/dokku/data/nginx-vhosts/dokku-errors; + internal; + } - error_page 502 /502-error.html; - location /502-error.html { - root /var/lib/dokku/data/nginx-vhosts/dokku-errors; - internal; - } + error_page 502 /502-error.html; + location /502-error.html { + root /var/lib/dokku/data/nginx-vhosts/dokku-errors; + internal; + } - include {{ $.DOKKU_ROOT }}/{{ $.APP }}/nginx.conf.d/*.conf; + include {{ $.DOKKU_ROOT }}/{{ $.APP }}/nginx.conf.d/*.conf; } {{ end }} + {{ range $upstream_port := $.PROXY_UPSTREAM_PORTS | split " " }} upstream {{ $.APP }}-{{ $upstream_port }} { {{ range $listeners := $.DOKKU_APP_WEB_LISTENERS | split " " }} {{ $listener_list := $listeners | split ":" }} {{ $listener_ip := index $listener_list 0 }} {{ $listener_port := index $listener_list 1 }} - server {{ $listener_ip }}:{{ $upstream_port }}; + server {{ $listener_ip }}:{{ $upstream_port }}; {{ end }} } {{ end }} - -log_format cors '$request_method $http_origin -> $allow_origin'; -access_log /var/log/nginx/cors-debug.log cors; From 1100a1b66fb0ab2231222625d3e8fa6d19c33a74 Mon Sep 17 00:00:00 2001 From: Stepan Vladovskiy Date: Fri, 20 Dec 2024 14:47:40 -0300 Subject: [PATCH 2/2] debug: add dscrs.site map in cors --- nginx.conf.sigil | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.conf.sigil b/nginx.conf.sigil index 3ded5032..542388ad 100644 --- a/nginx.conf.sigil +++ b/nginx.conf.sigil 
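Review bot: The new `if ($request_method = 'GET')` block in `location ~* \.(mp3)$` re-types the body of `$cors_headers_get` (defined at the top of this file) by hand, with the `Expose-Headers` directive run together on the same line as `Allow-Headers`, so the two copies will drift; replace the block with `{{ $cors_headers_get }}` as `location /` now does. The comment `# Connections and request limits increase (bad for DDos)` on `limit_conn addr 10000;` only notes that the per-address limit is effectively disabled; recording why it was raised and what value is intended once debugging ends would help the next reader. The added `expires 30d; # This means that the client can cache these resources for 30 days.` restates the directive; a why-comment or none at all reads better.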
@@ -6,7 +6,7 @@ {{ $cors_headers_get := "if ($request_method = 'GET') { add_header 'Access-Control-Allow-Origin' '$allow_origin' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; add_header 'Access-Control-Allow-Credentials' 'true' always; }" }} map $http_origin $allow_origin { - ~^https?:\/\/((.*\.)?localhost(:\d+)?|discoursio-webapp(-(.*))?\.vercel\.app|(.*\.)?discours\.io)$ $http_origin; + ~^https?:\/\/((.*\.)?localhost(:\d+)?|discoursio-webapp(-(.*))?\.vercel\.app|(.*\.)?discours\.io|(.*\.)?dscrs\.site)$ $http_origin; default ""; }
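Review bot: The `$allow_origin` map now carries four alternatives — localhost on any port, Vercel previews, `discours.io` and the new `dscrs.site` — with nothing saying which environment each serves, and the commit title marks the addition as debug; a comment above the map such as `# CORS allow-list: local dev, Vercel previews, production (discours.io) and test (dscrs.site) domains` would let a later reader tell which entries are meant to survive. The `https?` scheme on this line applies to the new domain as well, so the scheme restriction suggested on the first patch's map hunk should be applied here too.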