diff --git a/Dockerfile b/Dockerfile index 25d7456..41ca5d2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,40 @@ +# Multi-stage build for Astro SSR application FROM node:lts AS base WORKDIR /app +# Install dependencies FROM base AS deps COPY package*.json ./ -RUN npm install +RUN npm ci --only=production +# Build stage FROM base AS build -COPY --from=deps /app/node_modules ./node_modules +COPY package*.json ./ +RUN npm ci COPY . . RUN npm run build -FROM nginx:stable-alpine AS deploy -COPY --from=build /app/dist /usr/share/nginx/html -COPY ./nginx/nginx.conf /etc/nginx/nginx.conf +# Production stage +FROM node:lts-alpine AS production +WORKDIR /app -EXPOSE 8080 +# Copy necessary files +COPY --from=deps /app/node_modules ./node_modules +COPY --from=build /app/dist ./dist +COPY --from=build /app/server.js ./server.js +COPY --from=build /app/package.json ./package.json +COPY --from=build /app/.env ./.env + +# Set environment +ENV NODE_ENV=production +ENV PORT=3000 + +# Expose port +EXPOSE 3000 + +# Health check +HEALTHCHECK --interval=30s --timeout=3s --start-period=40s \ + CMD node -e "require('http').get('http://localhost:3000/', (r) => {if (r.statusCode !== 200) throw new Error(r.statusCode)})" + +# Start server +CMD ["node", "server.js"] diff --git a/docker-compose.yml b/docker-compose.yml index b7deac6..4bc4114 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,60 @@ +version: '3.8' + services: - astrowind: - build: . - container_name: astrowind + # Main Astro SSR Application + web: + build: + context: . + dockerfile: Dockerfile + container_name: 365devnet-web + restart: unless-stopped ports: - - 8080:8080 + - "3000" + environment: + - NODE_ENV=production + - PORT=3000 + - ENABLE_SSR_CSP=1 + # Add your other environment variables here + # - GEMINI_API_KEY=${GEMINI_API_KEY} + # - EMAIL_USER=${EMAIL_USER} + # - EMAIL_PASS=${EMAIL_PASS} + env_file: + - .env + volumes: + # Mount logs directory if you want to persist logs + - ./logs:/app/logs + networks: + - devnet + healthcheck: + test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/', (r) => {if (r.statusCode !== 200) throw new Error(r.statusCode)})"] + interval: 30s + timeout: 10s + retries: 3 + start_period: 40s + + # Nginx Reverse Proxy (Optional - for SSL termination & caching) + nginx: + image: nginx:stable-alpine + container_name: 365devnet-nginx + restart: unless-stopped + ports: + - "80:80" + - "443:443" + volumes: + - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro + # Add SSL certificates if you have them + # - ./ssl/cert.pem:/etc/nginx/ssl/cert.pem:ro + # - ./ssl/key.pem:/etc/nginx/ssl/key.pem:ro + depends_on: + web: + condition: service_healthy + networks: + - devnet + +networks: + devnet: + driver: bridge + +# Optional: Add volumes for persistent data +volumes: + logs: diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 3e37b34..df159f9 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -8,9 +8,17 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; + # Logging + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + # Gzip compression gzip on; gzip_disable "msie6"; gzip_vary on; @@ -32,48 +40,97 @@ http { image/svg+xml font/woff2; + # Upstream to Node.js server + upstream nodejs_backend { + server web:3000; + keepalive 64; + } + server { - listen 8080; - server_name _; + listen 80; + server_name 365devnet.eu www.365devnet.eu; - root /usr/share/nginx/html; - index index.html index.htm; - - # Security headers + # Security headers (applied at proxy level) add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), interest-cohort=()" always; - add_header Cross-Origin-Opener-Policy "same-origin" always; - add_header Cross-Origin-Embedder-Policy "credentialless" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'nonce-astro' https://chat.365devnet.eu; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://cdn.pixabay.com https://raw.githubusercontent.com; font-src 'self' data:; connect-src 'self' https://chat.365devnet.eu wss://chat.365devnet.eu; frame-src https://chat.365devnet.eu; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" always; - # Error pages - error_page 404 /404.html; - location = /404.html { - internal; - } + # Client body size limit + client_max_body_size 10M; - # Main route fallback + # Proxy settings for Node.js location / { - try_files $uri $uri/index.html =404; + proxy_pass http://nodejs_backend; + proxy_http_version 1.1; + + # WebSocket support (for HMR if needed) + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Standard proxy headers + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # Timeouts + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + # Buffering + proxy_buffering on; + proxy_buffer_size 4k; + proxy_buffers 8 4k; + proxy_busy_buffers_size 8k; } - # 🚫 Block hidden and sensitive files (e.g., .env, .git) + # Cache static assets aggressively + location ~* ^/_astro/.+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass http://nodejs_backend; + proxy_http_version 1.1; + proxy_set_header Host $host; + + # Cache for 1 year (immutable) + expires 365d; + add_header Cache-Control "public, immutable"; + access_log off; + } + + # Block hidden and sensitive files location ~ /\.(?!well-known).* { deny all; } - # 🚫 Block access to config and archive files - location ~* \.(cjs|ts|json|sh|zip|log|env)$ { - deny all; - } - - # 🧠 Optional: cache static assets for 6 months - location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2?|eot|ttf|svg|otf|webp)$ { - expires 6M; + # Health check endpoint + location /health { + proxy_pass http://nodejs_backend; access_log off; - add_header Cache-Control "public"; } } -} \ No newline at end of file + + # SSL configuration (uncomment when you have certificates) + # server { + # listen 443 ssl http2; + # server_name 365devnet.eu www.365devnet.eu; + # + # ssl_certificate /etc/nginx/ssl/cert.pem; + # ssl_certificate_key /etc/nginx/ssl/key.pem; + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + # + # # Rest of the configuration same as port 80 + # # ... (copy from above) + # } + + # Redirect www to non-www (optional) + # server { + # listen 80; + # server_name www.365devnet.eu; + # return 301 http://365devnet.eu$request_uri; + # } +}