Refactor Docker setup for Astro SSR application and Nginx reverse proxy

- Updated docker-compose.yml to define services for the Astro SSR application and Nginx reverse proxy, including health checks and environment variables. - Modified Dockerfile to implement a multi-stage build process, optimizing dependency installation and production setup. - Enhanced nginx.conf with improved proxy settings, security headers, and caching strategies for static assets, ensuring better performance and security.
2025-11-05 00:07:35 +01:00
parent 4609e367fd
commit 67d976ac0f
3 changed files with 173 additions and 39 deletions
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -8,9 +8,17 @@ http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

-    sendfile        on;
-    keepalive_timeout  65;
+    # Logging
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;

+    sendfile        on;
+    tcp_nopush      on;
+    tcp_nodelay     on;
+    keepalive_timeout  65;
+    types_hash_max_size 2048;
+
+    # Gzip compression
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
@@ -32,48 +40,97 @@ http {
        image/svg+xml
        font/woff2;

+    # Upstream to Node.js server
+    upstream nodejs_backend {
+        server web:3000;
+        keepalive 64;
+    }
+
    server {
-        listen 8080;
-        server_name _;
+        listen 80;
+        server_name 365devnet.eu www.365devnet.eu;

-        root /usr/share/nginx/html;
-        index index.html index.htm;
-
-        # Security headers
+        # Security headers (applied at proxy level)
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), interest-cohort=()" always;
-        add_header Cross-Origin-Opener-Policy "same-origin" always;
-        add_header Cross-Origin-Embedder-Policy "credentialless" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'nonce-astro' https://chat.365devnet.eu; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://cdn.pixabay.com https://raw.githubusercontent.com; font-src 'self' data:; connect-src 'self' https://chat.365devnet.eu wss://chat.365devnet.eu; frame-src https://chat.365devnet.eu; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" always;

-        # Error pages
-        error_page 404 /404.html;
-        location = /404.html {
-            internal;
-        }
+        # Client body size limit
+        client_max_body_size 10M;

-        # Main route fallback
+        # Proxy settings for Node.js
        location / {
-            try_files $uri $uri/index.html =404;
+            proxy_pass http://nodejs_backend;
+            proxy_http_version 1.1;
+            
+            # WebSocket support (for HMR if needed)
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            
+            # Standard proxy headers
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header X-Forwarded-Port $server_port;
+
+            # Timeouts
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
+
+            # Buffering
+            proxy_buffering on;
+            proxy_buffer_size 4k;
+            proxy_buffers 8 4k;
+            proxy_busy_buffers_size 8k;
        }

-        # 🚫 Block hidden and sensitive files (e.g., .env, .git)
+        # Cache static assets aggressively
+        location ~* ^/_astro/.+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+            proxy_pass http://nodejs_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            
+            # Cache for 1 year (immutable)
+            expires 365d;
+            add_header Cache-Control "public, immutable";
+            access_log off;
+        }
+
+        # Block hidden and sensitive files
        location ~ /\.(?!well-known).* {
            deny all;
        }

-        # 🚫 Block access to config and archive files
-        location ~* \.(cjs|ts|json|sh|zip|log|env)$ {
-            deny all;
-        }
-
-        # 🧠 Optional: cache static assets for 6 months
-        location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2?|eot|ttf|svg|otf|webp)$ {
-            expires 6M;
+        # Health check endpoint
+        location /health {
+            proxy_pass http://nodejs_backend;
            access_log off;
-            add_header Cache-Control "public";
        }
    }
-}
+
+    # SSL configuration (uncomment when you have certificates)
+    # server {
+    #     listen 443 ssl http2;
+    #     server_name 365devnet.eu www.365devnet.eu;
+    #
+    #     ssl_certificate /etc/nginx/ssl/cert.pem;
+    #     ssl_certificate_key /etc/nginx/ssl/key.pem;
+    #     ssl_protocols TLSv1.2 TLSv1.3;
+    #     ssl_ciphers HIGH:!aNULL:!MD5;
+    #     ssl_prefer_server_ciphers on;
+    #
+    #     # Rest of the configuration same as port 80
+    #     # ... (copy from above)
+    # }
+
+    # Redirect www to non-www (optional)
+    # server {
+    #     listen 80;
+    #     server_name www.365devnet.eu;
+    #     return 301 http://365devnet.eu$request_uri;
+    # }
+}