365DevNet/365devnet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor Docker setup for Astro SSR application and Nginx reverse proxy

Browse Source 
- Updated docker-compose.yml to define services for the Astro SSR application and Nginx reverse proxy, including health checks and environment variables.
- Modified Dockerfile to implement a multi-stage build process, optimizing dependency installation and production setup.
- Enhanced nginx.conf with improved proxy settings, security headers, and caching strategies for static assets, ensuring better performance and security.
This commit is contained in:
Richard Bergsma
2025-11-05 00:07:35 +01:00
parent 4609e367fd
commit 67d976ac0f
3 changed files with 173 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
Dockerfile
View File

@@ -1,17 +1,40 @@
# Multi-stage build for Astro SSR application
FROM node:lts AS base
WORKDIR /app
# Install dependencies
FROM base AS deps
COPY package*.json ./
RUN npm install
RUN npm ci --only=production
# Build stage
FROM base AS build
COPY --from=deps /app/node_modules ./node_modules
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM nginx:stable-alpine AS deploy
COPY --from=build /app/dist /usr/share/nginx/html
COPY ./nginx/nginx.conf /etc/nginx/nginx.conf
# Production stage
FROM node:lts-alpine AS production
WORKDIR /app
EXPOSE 8080
# Copy necessary files
COPY --from=deps /app/node_modules ./node_modules
COPY --from=build /app/dist ./dist
COPY --from=build /app/server.js ./server.js
COPY --from=build /app/package.json ./package.json
COPY --from=build /app/.env ./.env
# Set environment
ENV NODE_ENV=production
ENV PORT=3000
# Expose port
EXPOSE 3000
# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=40s \
CMD node -e "require('http').get('http://localhost:3000/', (r) => {if (r.statusCode !== 200) throw new Error(r.statusCode)})"
# Start server
CMD ["node", "server.js"]

62
docker-compose.yml
View File

@@ -1,6 +1,60 @@
version: '3.8'
services:
astrowind:
build: .
container_name: astrowind
# Main Astro SSR Application
web:
build:
context: .
dockerfile: Dockerfile
container_name: 365devnet-web
restart: unless-stopped
ports:
- 8080:8080
- "3000"
environment:
- NODE_ENV=production
- PORT=3000
- ENABLE_SSR_CSP=1
# Add your other environment variables here
# - GEMINI_API_KEY=${GEMINI_API_KEY}
# - EMAIL_USER=${EMAIL_USER}
# - EMAIL_PASS=${EMAIL_PASS}
env_file:
- .env
volumes:
# Mount logs directory if you want to persist logs
- ./logs:/app/logs
networks:
- devnet
healthcheck:
test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/', (r) => {if (r.statusCode !== 200) throw new Error(r.statusCode)})"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
# Nginx Reverse Proxy (Optional - for SSL termination & caching)
nginx:
image: nginx:stable-alpine
container_name: 365devnet-nginx
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
# Add SSL certificates if you have them
# - ./ssl/cert.pem:/etc/nginx/ssl/cert.pem:ro
# - ./ssl/key.pem:/etc/nginx/ssl/key.pem:ro
depends_on:
web:
condition: service_healthy
networks:
- devnet
networks:
devnet:
driver: bridge
# Optional: Add volumes for persistent data
volumes:
logs:

113
nginx/nginx.conf
View File

@@ -8,9 +8,17 @@ http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# Gzip compression
gzip on;
gzip_disable "msie6";
gzip_vary on;
@@ -32,48 +40,97 @@ http {
image/svg+xml
font/woff2;
# Upstream to Node.js server
upstream nodejs_backend {
server web:3000;
keepalive 64;
}
server {
listen 8080;
server_name _;
listen 80;
server_name 365devnet.eu www.365devnet.eu;
root /usr/share/nginx/html;
index index.html index.htm;
# Security headers
# Security headers (applied at proxy level)
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), interest-cohort=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "credentialless" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'nonce-astro' https://chat.365devnet.eu; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://cdn.pixabay.com https://raw.githubusercontent.com; font-src 'self' data:; connect-src 'self' https://chat.365devnet.eu wss://chat.365devnet.eu; frame-src https://chat.365devnet.eu; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" always;
# Error pages
error_page 404 /404.html;
location = /404.html {
internal;
}
# Client body size limit
client_max_body_size 10M;
# Main route fallback
# Proxy settings for Node.js
location / {
try_files $uri $uri/index.html =404;
proxy_pass http://nodejs_backend;
proxy_http_version 1.1;
# WebSocket support (for HMR if needed)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# Buffering
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
proxy_busy_buffers_size 8k;
}
# 🚫 Block hidden and sensitive files (e.g., .env, .git)
# Cache static assets aggressively
location ~* ^/_astro/.+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
proxy_pass http://nodejs_backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
# Cache for 1 year (immutable)
expires 365d;
add_header Cache-Control "public, immutable";
access_log off;
}
# Block hidden and sensitive files
location ~ /\.(?!well-known).* {
deny all;
}
# 🚫 Block access to config and archive files
location ~* \.(cjs|ts|json|sh|zip|log|env)$ {
deny all;
}
# 🧠 Optional: cache static assets for 6 months
location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2?|eot|ttf|svg|otf|webp)$ {
expires 6M;
# Health check endpoint
location /health {
proxy_pass http://nodejs_backend;
access_log off;
add_header Cache-Control "public";
}
}
# SSL configuration (uncomment when you have certificates)
# server {
# listen 443 ssl http2;
# server_name 365devnet.eu www.365devnet.eu;
#
# ssl_certificate /etc/nginx/ssl/cert.pem;
# ssl_certificate_key /etc/nginx/ssl/key.pem;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Rest of the configuration same as port 80
# # ... (copy from above)
# }
# Redirect www to non-www (optional)
# server {
# listen 80;
# server_name www.365devnet.eu;
# return 301 http://365devnet.eu$request_uri;
# }
}