починка уведомлени в тг22

2025-08-14 00:25:46 +02:00 · 2025-01-04 05:20:56 +06:00
parent 4634262b91
commit cb9a10e36c
9 changed files with 285 additions and 48 deletions
--- a/docker/nginx/Dockerfile
+++ b/docker/nginx/Dockerfile
@@ -1,14 +1,16 @@
 FROM nginx:alpine

-# Копируем конфигурацию nginx
-COPY docker/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
+# Установка certbot и зависимостей
+RUN apk add --no-cache certbot certbot-nginx openssl

-# Копируем собранные файлы фронтенда
-COPY frontend/dist /usr/share/nginx/html/
+# Копирование скриптов и конфигурации
+COPY ./docker/nginx/nginx.conf /etc/nginx/nginx.conf
+COPY ./docker/nginx/default.conf /etc/nginx/conf.d/default.conf
+COPY ./docker/nginx/entrypoint.sh /entrypoint.sh

-# Удаляем дефолтную страницу nginx
-RUN rm -rf /usr/share/nginx/html/50x.html
+# Создание директорий для certbot
+RUN mkdir -p /var/www/certbot && \
+    mkdir -p /etc/letsencrypt && \
+    chmod +x /entrypoint.sh

-EXPOSE 80
-
-CMD ["nginx", "-g", "daemon off;"]
+ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/nginx/default.conf
+++ b/docker/nginx/default.conf
@@ -0,0 +1,75 @@
+upstream backend_upstream {
+    server backend:8000;
+}
+
+upstream frontend_upstream {
+    server frontend:5173;
+}
+
+# Редирект с HTTP на HTTPS
+server {
+    listen 80;
+    server_name itformhelp.ru www.itformhelp.ru;
+    
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# Основной HTTPS сервер
+server {
+    listen 443 ssl http2;
+    server_name itformhelp.ru www.itformhelp.ru;
+
+    ssl_certificate /etc/letsencrypt/live/itformhelp.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/itformhelp.ru/privkey.pem;
+    
+    # Дополнительные настройки SSL
+    ssl_trusted_certificate /etc/letsencrypt/live/itformhelp.ru/chain.pem;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+    
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+
+    # Frontend proxy
+    location / {
+        proxy_pass http://frontend_upstream;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # API proxy
+    location /api/ {
+        proxy_pass http://backend_upstream;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# Редирект с IP на домен
+server {
+    listen 80;
+    server_name 185.139.70.62;
+    return 301 https://itformhelp.ru$request_uri;
+} 
--- a/docker/nginx/entrypoint.sh
+++ b/docker/nginx/entrypoint.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# Домены для SSL-сертификата
+domains="itformhelp.ru www.itformhelp.ru"
+email="admin@itformhelp.ru"
+
+# Функция для получения сертификата
+get_certificate() {
+    echo "Requesting Let's Encrypt certificate for $domains ..."
+    
+    # Создаем временный конфиг nginx для валидации certbot
+    cat > /etc/nginx/conf.d/temp.conf << EOF
+server {
+    listen 80;
+    server_name $domains;
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    location / {
+        return 301 https://\$host\$request_uri;
+    }
+}
+EOF
+
+    # Перезапускаем nginx с временным конфигом
+    nginx -t && nginx -s reload
+
+    # Запрашиваем сертификат
+    certbot certonly --webroot \
+        --webroot-path=/var/www/certbot \
+        --email $email \
+        --agree-tos \
+        --no-eff-email \
+        --force-renewal \
+        -d $(echo $domains | sed 's/ / -d /g')
+
+    # Удаляем временный конфиг
+    rm /etc/nginx/conf.d/temp.conf
+}
+
+# Проверяем наличие сертификата
+if [ ! -d "/etc/letsencrypt/live/itformhelp.ru" ]; then
+    get_certificate
+fi
+
+# Запускаем фоновый процесс для автоматического обновления сертификатов
+while :; do
+    certbot renew --deploy-hook "nginx -s reload"
+    sleep 12h
+done &
+
+# Запускаем nginx
+nginx -g "daemon off;" 
--- a/docker/nginx/nginx.conf
+++ b/docker/nginx/nginx.conf
@@ -1,25 +1,41 @@
 user nginx;
 worker_processes auto;
-
-error_log /var/log/nginx/error.log notice;
 pid /var/run/nginx.pid;

 events {
    worker_connections 1024;
+    multi_accept on;
 }

 http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

-    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-                   '$status $body_bytes_sent "$http_referer" '
-                   '"$http_user_agent" "$http_x_forwarded_for"';
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

-    access_log /var/log/nginx/access.log main;
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;

-    sendfile on;
-    keepalive_timeout 65;
+    gzip on;
+    gzip_disable "msie6";
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    include /etc/nginx/conf.d/*.conf;
 }