Scott.Idem/OSIT-AE-Docker-Env
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: disabled internal SSL/HTTPS in Nginx configs to support host-level SSL termination.

Browse Source
This commit is contained in:
Scott Idem
2026-03-11 23:05:51 -04:00
parent 14173cfc22
commit a7b6112f4d
3 changed files with 202 additions and 279 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
conf/nginx/site-enabled_aether_app_svelte_node.conf
View File

@@ -64,73 +64,73 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name
${DOCKER_AE_APP_SERVER_NAME}
svelte.localhost demo.localhost dev.localhost
bak-app.oneskyit.com
bak-connect.oneskyit.com *.bak-connect.oneskyit.com
bak-demo.oneskyit.com *.bak-demo.oneskyit.com
bak-businessgroup.oneskyit.com *.bak-businessgroup.oneskyit.com
bak-ishlt.oneskyit.com *.bak-ishlt.oneskyit.com
dev-app.oneskyit.com
dev-connect.oneskyit.com *.dev-connect.oneskyit.com
dev-demo.oneskyit.com *.dev-demo.oneskyit.com
dev-aacc.oneskyit.com *.dev-aacc.oneskyit.com
dev-aapor.oneskyit.com *.dev-aapor.oneskyit.com
dev-businessgroup.oneskyit.com *.dev-businessgroup.oneskyit.com
dev-chow.oneskyit.com *.dev-chow.oneskyit.com
dev-idaa.oneskyit.com *.dev-idaa.oneskyit.com
dev-ishlt.oneskyit.com *.dev-ishlt.oneskyit.com
dev-lci.oneskyit.com *.dev-lci.oneskyit.com
dev-npa.oneskyit.com *.dev-npa.oneskyit.com
dev-rli.oneskyit.com *.dev-rli.oneskyit.com
sr-app.oneskyit.com
sr-connect.oneskyit.com *.sr-connect.oneskyit.com
sr-demo.oneskyit.com *.sr-demo.oneskyit.com
sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com
sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com
sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com
sr-lci.oneskyit.com *.sr-lci.oneskyit.com
test-app.oneskyit.com
;
access_log /logs/nginx/access_svelte_node.log;
error_log /logs/nginx/error_svelte_node.log;
include /etc/nginx/options-ssl-nginx.conf;
ssl_certificate /etc/certs/fullchain_wild.pem;
ssl_certificate_key /etc/certs/privkey_wild.pem;
ssl_dhparam /etc/certs/ssl-dhparams.pem;
client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE};
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_buffering off;
proxy_read_timeout 1500s;
proxy_pass http://svelte_backend;
}
}
# server {
# listen 443 ssl;
# listen [::]:443 ssl;
# http2 on;
#
# server_name
# ${DOCKER_AE_APP_SERVER_NAME}
# svelte.localhost demo.localhost dev.localhost
#
# bak-app.oneskyit.com
# bak-connect.oneskyit.com *.bak-connect.oneskyit.com
# bak-demo.oneskyit.com *.bak-demo.oneskyit.com
#
# bak-businessgroup.oneskyit.com *.bak-businessgroup.oneskyit.com
# bak-ishlt.oneskyit.com *.bak-ishlt.oneskyit.com
#
# dev-app.oneskyit.com
# dev-connect.oneskyit.com *.dev-connect.oneskyit.com
# dev-demo.oneskyit.com *.dev-demo.oneskyit.com
#
# dev-aacc.oneskyit.com *.dev-aacc.oneskyit.com
# dev-aapor.oneskyit.com *.dev-aapor.oneskyit.com
# dev-businessgroup.oneskyit.com *.dev-businessgroup.oneskyit.com
# dev-chow.oneskyit.com *.dev-chow.oneskyit.com
# dev-idaa.oneskyit.com *.dev-idaa.oneskyit.com
# dev-ishlt.oneskyit.com *.dev-ishlt.oneskyit.com
# dev-lci.oneskyit.com *.dev-lci.oneskyit.com
# dev-npa.oneskyit.com *.dev-npa.oneskyit.com
# dev-rli.oneskyit.com *.dev-rli.oneskyit.com
#
# sr-app.oneskyit.com
# sr-connect.oneskyit.com *.sr-connect.oneskyit.com
# sr-demo.oneskyit.com *.sr-demo.oneskyit.com
#
# sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com
# sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com
# sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com
# sr-lci.oneskyit.com *.sr-lci.oneskyit.com
#
# test-app.oneskyit.com
# ;
#
# access_log /logs/nginx/access_svelte_node.log;
# error_log /logs/nginx/error_svelte_node.log;
#
# include /etc/nginx/options-ssl-nginx.conf;
#
# ssl_certificate /etc/certs/fullchain_wild.pem;
# ssl_certificate_key /etc/certs/privkey_wild.pem;
# ssl_dhparam /etc/certs/ssl-dhparams.pem;
#
# client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE};
#
# location / {
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
#
# proxy_redirect off;
# proxy_buffering off;
#
# proxy_read_timeout 1500s;
#
# proxy_pass http://svelte_backend;
# }
# }
upstream svelte_backend {

212
conf/nginx/site-enabled_aether_fastapi_gunicorn.conf
View File

@@ -101,112 +101,112 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name
${DOCKER_AE_API_SERVER_NAME}
fastapi.localhost
api.localhost
localhost
;
# server_name
# fastapi_gunicorn.localhost
# dev-api.localhost
# dev-api.oneskyit.com
# test-api.oneskyit.com
# ;
access_log /logs/nginx/access_fastapi_gunicorn.log;
error_log /logs/nginx/error_fastapi_gunicorn.log;
include /etc/nginx/options-ssl-nginx.conf;
ssl_certificate /etc/certs/fullchain_wild.pem;
ssl_certificate_key /etc/certs/privkey_wild.pem;
ssl_dhparam /etc/certs/ssl-dhparams.pem;
# include brotli.conf;
# include gzip.conf;
client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # 5120M; #4096M or 4G; 5120M or 5G;
location / {
# Based on recommendations here: https://www.uvicorn.org/deployment/#running-behind-nginx
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_redirect off;
proxy_buffering off;
# I think "X-Real-IP" might be needed for some things?
proxy_set_header X-Real-IP $remote_addr;
# # This is needed for long running Python code. Default is 60 seconds
# # Increased from 1200 to 1500 on 2022-04-17
# # Increased from 1500 to 2000 on 2023-03-15
# # Increased proxy read timeout to 2100 and decreased fastcgi options to 35s on 2023-03-16
# fastcgi_connect_timeout 35s;
# fastcgi_send_timeout 35s;
# fastcgi_read_timeout 35s;
# proxy read timeout being too low will cause 504 Gateway Time-out on the client browser
proxy_read_timeout 2100s;
proxy_pass http://fastapi_backend;
}
location /ws {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# proxy_read_timeout 600;
# proxy_headers_hash_max_size 1024;
proxy_pass http://fastapi_backend;
access_log /logs/nginx/access_fastapi_gunicorn_ws.log;
error_log /logs/nginx/error_fastapi_gunicorn_ws.log;
}
location /v3/ws {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 2100s;
proxy_pass http://fastapi_backend;
access_log /logs/nginx/access_fastapi_gunicorn_v3_ws.log;
error_log /logs/nginx/error_fastapi_gunicorn_v3_ws.log;
}
}
# server {
# listen 443 ssl;
# listen [::]:443 ssl;
# http2 on;
#
# server_name
# ${DOCKER_AE_API_SERVER_NAME}
# fastapi.localhost
# api.localhost
# localhost
# ;
#
# # server_name
# # fastapi_gunicorn.localhost
# # dev-api.localhost
# # dev-api.oneskyit.com
# # test-api.oneskyit.com
# # ;
#
# access_log /logs/nginx/access_fastapi_gunicorn.log;
# error_log /logs/nginx/error_fastapi_gunicorn.log;
#
# include /etc/nginx/options-ssl-nginx.conf;
#
# ssl_certificate /etc/certs/fullchain_wild.pem;
# ssl_certificate_key /etc/certs/privkey_wild.pem;
# ssl_dhparam /etc/certs/ssl-dhparams.pem;
#
# # include brotli.conf;
# # include gzip.conf;
#
# client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # 5120M; #4096M or 4G; 5120M or 5G;
#
# location / {
# # Based on recommendations here: https://www.uvicorn.org/deployment/#running-behind-nginx
# proxy_set_header Host $http_host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection $connection_upgrade;
#
# proxy_redirect off;
# proxy_buffering off;
#
# # I think "X-Real-IP" might be needed for some things?
# proxy_set_header X-Real-IP $remote_addr;
#
# # # This is needed for long running Python code. Default is 60 seconds
# # # Increased from 1200 to 1500 on 2022-04-17
# # # Increased from 1500 to 2000 on 2023-03-15
# # # Increased proxy read timeout to 2100 and decreased fastcgi options to 35s on 2023-03-16
# # fastcgi_connect_timeout 35s;
# # fastcgi_send_timeout 35s;
# # fastcgi_read_timeout 35s;
#
# # proxy read timeout being too low will cause 504 Gateway Time-out on the client browser
# proxy_read_timeout 2100s;
#
# proxy_pass http://fastapi_backend;
# }
#
# location /ws {
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
#
# proxy_http_version 1.1;
#
# proxy_redirect off;
# proxy_buffering off;
#
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
#
# # proxy_read_timeout 600;
# # proxy_headers_hash_max_size 1024;
#
# proxy_pass http://fastapi_backend;
#
# access_log /logs/nginx/access_fastapi_gunicorn_ws.log;
# error_log /logs/nginx/error_fastapi_gunicorn_ws.log;
# }
#
# location /v3/ws {
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
#
# proxy_http_version 1.1;
#
# proxy_redirect off;
# proxy_buffering off;
#
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
#
# proxy_read_timeout 2100s;
#
# proxy_pass http://fastapi_backend;
#
# access_log /logs/nginx/access_fastapi_gunicorn_v3_ws.log;
# error_log /logs/nginx/error_fastapi_gunicorn_v3_ws.log;
# }
# }
upstream fastapi_backend {

135
conf/nginx/site.conf
View File

@@ -1,115 +1,38 @@
# Aether Platform - Default Nginx Site Config
# This file handles the default (non-matching) requests.
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
# server {
# listen 80;
# server_name _;
#
# access_log /logs/nginx/access_docker.log;
# error_log /logs/nginx/error_docker.log;
#
# root /srv/html_php;
#
# index index.html index.htm index.php;
#
# # location / {
# # # root /usr/share/nginx/html;
# # index index.html index.htm;
# # }
#
# location ~ \.php$ {
# index index.html index.htm index.php;
#
# try_files $uri =404;
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass php7:9000;
# fastcgi_index index.php;
# include fastcgi_params;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param PATH_INFO $fastcgi_path_info;
# }
#
# #error_page 404 /404.html;
#
# # redirect server error pages to the static page /50x.html
# #
# # error_page 500 502 503 504 /50x.html;
# # location = /50x.html {
# # root /usr/share/nginx/html;
# # }
#
# # proxy the PHP scripts to Apache listening on 127.0.0.1:80
# #
# #location ~ \.php$ {
# # proxy_pass http://127.0.0.1;
# #}
#
# # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
# #
# #location ~ \.php$ {
# # root html;
# # fastcgi_pass 127.0.0.1:9000;
# # fastcgi_index index.php;
# # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# # include fastcgi_params;
# #}
#
# # deny access to .htaccess files, if Apache's document root
# # concurs with nginx's one
# #
# #location ~ /\.ht {
# # deny all;
# #}
# }
server {
listen 443 ssl;
listen [::]:443 ssl;
# http2 on;
server_name _;
access_log /logs/nginx/access_docker.log;
error_log /logs/nginx/error_docker.log;
# Do not overflow the SSL send buffer (causes extra round trips)
# ssl_buffer_size 8k;
include /etc/nginx/options-ssl-nginx.conf;
ssl_certificate /etc/certs/fullchain.pem;
ssl_certificate_key /etc/certs/privkey.pem;
ssl_dhparam /etc/certs/ssl-dhparams.pem;
access_log /logs/nginx/access_docker_default.log;
error_log /logs/nginx/error_docker_default.log;
# Just return a 404 for any non-matching domains
location / {
return 404;
}
# root /srv/html_php;
#
# index index.php index.html;
#
# # These two locations remove .html and .php from filenames.
# location / {
# try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
# }
#
# location ~ \.php$ {
# root /srv/html_php;
#
# # index index.html index.htm index.php;
#
# try_files $uri =404;
# # try_files $uri $document_root$fastcgi_script_name =404;
#
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass php7:9000;
# fastcgi_index index.php;
# include fastcgi_params;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param PATH_INFO $fastcgi_path_info;
# }
}
# SSL is disabled by default for internal containers.
# If you need SSL termination INSIDE the container, uncomment this block
# and ensure valid certs are in /etc/certs/
#
# server {
# listen 443 ssl;
# listen [::]:443 ssl;
# server_name _;
#
# access_log /logs/nginx/access_docker_ssl.log;
# error_log /logs/nginx/error_docker_ssl.log;
#
# include /etc/nginx/options-ssl-nginx.conf;
#
# ssl_certificate /etc/certs/fullchain.pem;
# ssl_certificate_key /etc/certs/privkey.pem;
# ssl_dhparam /etc/certs/ssl-dhparams.pem;
#
# location / {
# return 404;
# }
# }