From a7b6112f4d3ffecbaf6d9c354b7270eca2c9b11d Mon Sep 17 00:00:00 2001 From: Scott Idem Date: Wed, 11 Mar 2026 23:05:51 -0400 Subject: [PATCH] chore: disabled internal SSL/HTTPS in Nginx configs to support host-level SSL termination. --- .../site-enabled_aether_app_svelte_node.conf | 134 +++++------ .../site-enabled_aether_fastapi_gunicorn.conf | 212 +++++++++--------- conf/nginx/site.conf | 135 +++-------- 3 files changed, 202 insertions(+), 279 deletions(-) diff --git a/conf/nginx/site-enabled_aether_app_svelte_node.conf b/conf/nginx/site-enabled_aether_app_svelte_node.conf index a944461..f7f3743 100644 --- a/conf/nginx/site-enabled_aether_app_svelte_node.conf +++ b/conf/nginx/site-enabled_aether_app_svelte_node.conf 
@@ -64,73 +64,73 @@ server { } -server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; - - server_name - ${DOCKER_AE_APP_SERVER_NAME} - svelte.localhost demo.localhost dev.localhost - - bak-app.oneskyit.com - bak-connect.oneskyit.com *.bak-connect.oneskyit.com - bak-demo.oneskyit.com *.bak-demo.oneskyit.com - - bak-businessgroup.oneskyit.com *.bak-businessgroup.oneskyit.com - bak-ishlt.oneskyit.com *.bak-ishlt.oneskyit.com - - dev-app.oneskyit.com - dev-connect.oneskyit.com *.dev-connect.oneskyit.com - dev-demo.oneskyit.com *.dev-demo.oneskyit.com - - dev-aacc.oneskyit.com *.dev-aacc.oneskyit.com - dev-aapor.oneskyit.com *.dev-aapor.oneskyit.com - dev-businessgroup.oneskyit.com *.dev-businessgroup.oneskyit.com - dev-chow.oneskyit.com *.dev-chow.oneskyit.com - dev-idaa.oneskyit.com *.dev-idaa.oneskyit.com - dev-ishlt.oneskyit.com *.dev-ishlt.oneskyit.com - dev-lci.oneskyit.com *.dev-lci.oneskyit.com - dev-npa.oneskyit.com *.dev-npa.oneskyit.com - dev-rli.oneskyit.com *.dev-rli.oneskyit.com - - sr-app.oneskyit.com - sr-connect.oneskyit.com *.sr-connect.oneskyit.com - sr-demo.oneskyit.com *.sr-demo.oneskyit.com - - sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com - sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com - sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com - sr-lci.oneskyit.com *.sr-lci.oneskyit.com - - test-app.oneskyit.com - ; - - access_log /logs/nginx/access_svelte_node.log; - error_log /logs/nginx/error_svelte_node.log; - - include /etc/nginx/options-ssl-nginx.conf; - - ssl_certificate /etc/certs/fullchain_wild.pem; - ssl_certificate_key /etc/certs/privkey_wild.pem; - ssl_dhparam /etc/certs/ssl-dhparams.pem; - - client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; - - location / { - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_redirect off; - proxy_buffering off; - - proxy_read_timeout 1500s; - - 
proxy_pass http://svelte_backend; - } -} +# server { +# listen 443 ssl; +# listen [::]:443 ssl; +# http2 on; +# +# server_name +# ${DOCKER_AE_APP_SERVER_NAME} +# svelte.localhost demo.localhost dev.localhost +# +# bak-app.oneskyit.com +# bak-connect.oneskyit.com *.bak-connect.oneskyit.com +# bak-demo.oneskyit.com *.bak-demo.oneskyit.com +# +# bak-businessgroup.oneskyit.com *.bak-businessgroup.oneskyit.com +# bak-ishlt.oneskyit.com *.bak-ishlt.oneskyit.com +# +# dev-app.oneskyit.com +# dev-connect.oneskyit.com *.dev-connect.oneskyit.com +# dev-demo.oneskyit.com *.dev-demo.oneskyit.com +# +# dev-aacc.oneskyit.com *.dev-aacc.oneskyit.com +# dev-aapor.oneskyit.com *.dev-aapor.oneskyit.com +# dev-businessgroup.oneskyit.com *.dev-businessgroup.oneskyit.com +# dev-chow.oneskyit.com *.dev-chow.oneskyit.com +# dev-idaa.oneskyit.com *.dev-idaa.oneskyit.com +# dev-ishlt.oneskyit.com *.dev-ishlt.oneskyit.com +# dev-lci.oneskyit.com *.dev-lci.oneskyit.com +# dev-npa.oneskyit.com *.dev-npa.oneskyit.com +# dev-rli.oneskyit.com *.dev-rli.oneskyit.com +# +# sr-app.oneskyit.com +# sr-connect.oneskyit.com *.sr-connect.oneskyit.com +# sr-demo.oneskyit.com *.sr-demo.oneskyit.com +# +# sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com +# sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com +# sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com +# sr-lci.oneskyit.com *.sr-lci.oneskyit.com +# +# test-app.oneskyit.com +# ; +# +# access_log /logs/nginx/access_svelte_node.log; +# error_log /logs/nginx/error_svelte_node.log; +# +# include /etc/nginx/options-ssl-nginx.conf; +# +# ssl_certificate /etc/certs/fullchain_wild.pem; +# ssl_certificate_key /etc/certs/privkey_wild.pem; +# ssl_dhparam /etc/certs/ssl-dhparams.pem; +# +# client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; +# +# location / { +# proxy_set_header Host $http_host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Proto $scheme; +# +# 
proxy_redirect off; +# proxy_buffering off; +# +# proxy_read_timeout 1500s; +# +# proxy_pass http://svelte_backend; +# } +# } upstream svelte_backend { diff --git a/conf/nginx/site-enabled_aether_fastapi_gunicorn.conf b/conf/nginx/site-enabled_aether_fastapi_gunicorn.conf index 74ec312..e5b7b9a 100644 --- a/conf/nginx/site-enabled_aether_fastapi_gunicorn.conf +++ b/conf/nginx/site-enabled_aether_fastapi_gunicorn.conf 
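Review bot: With the 443 block commented out, the only listener left is the plain-HTTP server block that closes at the top of this hunk (its body is outside the hunk); if it mirrors the `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Real-IP $remote_addr;` lines shown here, the backend will now receive `http` and the host terminator's address instead of the client's scheme and IP, which breaks Secure-cookie decisions, generated redirect URLs and anything that logs or limits by X-Real-IP. Consider `set_real_ip_from <host terminator address>;` with `real_ip_header X-Forwarded-For;` at the http or server level so `$remote_addr` is the client again, and pass the terminator's scheme through as the trusted hop with `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`. The same point applies to the fastapi_gunicorn hunk below. A one-line reason above the retained block would also help the next reader, e.g. `# Disabled: TLS is terminated on the host; nginx only serves plain HTTP inside the container.`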
@@ -101,112 +101,112 @@ server { } -server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; - - server_name - ${DOCKER_AE_API_SERVER_NAME} - fastapi.localhost - api.localhost - localhost - ; - - # server_name - # fastapi_gunicorn.localhost - # dev-api.localhost - # dev-api.oneskyit.com - # test-api.oneskyit.com - # ; - - access_log /logs/nginx/access_fastapi_gunicorn.log; - error_log /logs/nginx/error_fastapi_gunicorn.log; - - include /etc/nginx/options-ssl-nginx.conf; - - ssl_certificate /etc/certs/fullchain_wild.pem; - ssl_certificate_key /etc/certs/privkey_wild.pem; - ssl_dhparam /etc/certs/ssl-dhparams.pem; - - # include brotli.conf; - # include gzip.conf; - - client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # 5120M; #4096M or 4G; 5120M or 5G; - - location / { - # Based on recommendations here: https://www.uvicorn.org/deployment/#running-behind-nginx - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_redirect off; - proxy_buffering off; - - # I think "X-Real-IP" might be needed for some things? - proxy_set_header X-Real-IP $remote_addr; - - # # This is needed for long running Python code. 
Default is 60 seconds - # # Increased from 1200 to 1500 on 2022-04-17 - # # Increased from 1500 to 2000 on 2023-03-15 - # # Increased proxy read timeout to 2100 and decreased fastcgi options to 35s on 2023-03-16 - # fastcgi_connect_timeout 35s; - # fastcgi_send_timeout 35s; - # fastcgi_read_timeout 35s; - - # proxy read timeout being too low will cause 504 Gateway Time-out on the client browser - proxy_read_timeout 2100s; - - proxy_pass http://fastapi_backend; - } - - location /ws { - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_http_version 1.1; - - proxy_redirect off; - proxy_buffering off; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - # proxy_read_timeout 600; - # proxy_headers_hash_max_size 1024; - - proxy_pass http://fastapi_backend; - - access_log /logs/nginx/access_fastapi_gunicorn_ws.log; - error_log /logs/nginx/error_fastapi_gunicorn_ws.log; - } - - location /v3/ws { - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_http_version 1.1; - - proxy_redirect off; - proxy_buffering off; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_read_timeout 2100s; - - proxy_pass http://fastapi_backend; - - access_log /logs/nginx/access_fastapi_gunicorn_v3_ws.log; - error_log /logs/nginx/error_fastapi_gunicorn_v3_ws.log; - } -} +# server { +# listen 443 ssl; +# listen [::]:443 ssl; +# http2 on; +# +# server_name +# ${DOCKER_AE_API_SERVER_NAME} +# fastapi.localhost +# api.localhost +# localhost +# ; +# +# # server_name +# # fastapi_gunicorn.localhost +# # dev-api.localhost +# # dev-api.oneskyit.com +# # test-api.oneskyit.com +# # ; +# +# access_log /logs/nginx/access_fastapi_gunicorn.log; +# 
error_log /logs/nginx/error_fastapi_gunicorn.log; +# +# include /etc/nginx/options-ssl-nginx.conf; +# +# ssl_certificate /etc/certs/fullchain_wild.pem; +# ssl_certificate_key /etc/certs/privkey_wild.pem; +# ssl_dhparam /etc/certs/ssl-dhparams.pem; +# +# # include brotli.conf; +# # include gzip.conf; +# +# client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # 5120M; #4096M or 4G; 5120M or 5G; +# +# location / { +# # Based on recommendations here: https://www.uvicorn.org/deployment/#running-behind-nginx +# proxy_set_header Host $http_host; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Proto $scheme; +# proxy_set_header Upgrade $http_upgrade; +# proxy_set_header Connection $connection_upgrade; +# +# proxy_redirect off; +# proxy_buffering off; +# +# # I think "X-Real-IP" might be needed for some things? +# proxy_set_header X-Real-IP $remote_addr; +# +# # # This is needed for long running Python code. Default is 60 seconds +# # # Increased from 1200 to 1500 on 2022-04-17 +# # # Increased from 1500 to 2000 on 2023-03-15 +# # # Increased proxy read timeout to 2100 and decreased fastcgi options to 35s on 2023-03-16 +# # fastcgi_connect_timeout 35s; +# # fastcgi_send_timeout 35s; +# # fastcgi_read_timeout 35s; +# +# # proxy read timeout being too low will cause 504 Gateway Time-out on the client browser +# proxy_read_timeout 2100s; +# +# proxy_pass http://fastapi_backend; +# } +# +# location /ws { +# proxy_set_header Host $http_host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Proto $scheme; +# +# proxy_http_version 1.1; +# +# proxy_redirect off; +# proxy_buffering off; +# +# proxy_set_header Upgrade $http_upgrade; +# proxy_set_header Connection "upgrade"; +# +# # proxy_read_timeout 600; +# # proxy_headers_hash_max_size 1024; +# +# proxy_pass http://fastapi_backend; +# +# access_log /logs/nginx/access_fastapi_gunicorn_ws.log; +# 
error_log /logs/nginx/error_fastapi_gunicorn_ws.log; +# } +# +# location /v3/ws { +# proxy_set_header Host $http_host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Proto $scheme; +# +# proxy_http_version 1.1; +# +# proxy_redirect off; +# proxy_buffering off; +# +# proxy_set_header Upgrade $http_upgrade; +# proxy_set_header Connection "upgrade"; +# +# proxy_read_timeout 2100s; +# +# proxy_pass http://fastapi_backend; +# +# access_log /logs/nginx/access_fastapi_gunicorn_v3_ws.log; +# error_log /logs/nginx/error_fastapi_gunicorn_v3_ws.log; +# } +# } upstream fastapi_backend { diff --git a/conf/nginx/site.conf b/conf/nginx/site.conf index 24ab585..6ed406b 100644 --- a/conf/nginx/site.conf +++ b/conf/nginx/site.conf 
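Review bot: The `/ws` and `/v3/ws` locations, with `proxy_http_version 1.1;` and the `Upgrade`/`Connection "upgrade"` headers, lived only in the TLS server block this hunk comments out; unless the port-80 server block that closes at the top of the hunk carries the same locations, WebSocket upgrades will now be refused at nginx instead of reaching fastapi_backend. Keeping 112 commented lines rather than deleting them also leaves a second copy of every `proxy_set_header`, timeout and log path to drift from the live block; the history already preserves it, or it could live in a separate non-loaded file such as `<name>.conf.disabled` if it must stay on disk.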
@@ -1,115 +1,38 @@ +# Aether Platform - Default Nginx Site Config +# This file handles the default (non-matching) requests. + server { listen 80 default_server; server_name _; - return 301 https://$host$request_uri; -} -# server { -# listen 80; -# server_name _; -# -# access_log /logs/nginx/access_docker.log; -# error_log /logs/nginx/error_docker.log; -# -# root /srv/html_php; -# -# index index.html index.htm index.php; -# -# # location / { -# # # root /usr/share/nginx/html; -# # index index.html index.htm; -# # } -# -# location ~ \.php$ { -# index index.html index.htm index.php; -# -# try_files $uri =404; -# fastcgi_split_path_info ^(.+\.php)(/.+)$; -# fastcgi_pass php7:9000; -# fastcgi_index index.php; -# include fastcgi_params; -# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -# fastcgi_param PATH_INFO $fastcgi_path_info; -# } -# -# #error_page 404 /404.html; -# -# # redirect server error pages to the static page /50x.html -# # -# # error_page 500 502 503 504 /50x.html; -# # location = /50x.html { -# # root /usr/share/nginx/html; -# # } -# -# # proxy the PHP scripts to Apache listening on 127.0.0.1:80 -# # -# #location ~ \.php$ { -# # proxy_pass http://127.0.0.1; -# #} -# -# # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 -# # -# #location ~ \.php$ { -# # root html; -# # fastcgi_pass 127.0.0.1:9000; -# # fastcgi_index index.php; -# # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; -# # include fastcgi_params; -# #} -# -# # deny access to .htaccess files, if Apache's document root -# # concurs with nginx's one -# # -# #location ~ /\.ht { -# # deny all; -# #} -# } - -server { - listen 443 ssl; - listen [::]:443 ssl; - # http2 on; - - server_name _; - - access_log /logs/nginx/access_docker.log; - error_log /logs/nginx/error_docker.log; - - # Do not overflow the SSL send buffer (causes extra round trips) - # ssl_buffer_size 8k; - - include /etc/nginx/options-ssl-nginx.conf; - - ssl_certificate 
/etc/certs/fullchain.pem; - ssl_certificate_key /etc/certs/privkey.pem; - ssl_dhparam /etc/certs/ssl-dhparams.pem; + access_log /logs/nginx/access_docker_default.log; + error_log /logs/nginx/error_docker_default.log; + # Just return a 404 for any non-matching domains location / { return 404; } - -# root /srv/html_php; -# -# index index.php index.html; -# -# # These two locations remove .html and .php from filenames. -# location / { -# try_files $uri $uri/ $uri.html $uri.php$is_args$query_string; -# } -# -# location ~ \.php$ { -# root /srv/html_php; -# -# # index index.html index.htm index.php; -# -# try_files $uri =404; -# # try_files $uri $document_root$fastcgi_script_name =404; -# -# fastcgi_split_path_info ^(.+\.php)(/.+)$; -# fastcgi_pass php7:9000; -# fastcgi_index index.php; -# include fastcgi_params; -# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -# fastcgi_param PATH_INFO $fastcgi_path_info; -# } } + +# SSL is disabled by default for internal containers. +# If you need SSL termination INSIDE the container, uncomment this block +# and ensure valid certs are in /etc/certs/ +# +# server { +# listen 443 ssl; +# listen [::]:443 ssl; +# server_name _; +# +# access_log /logs/nginx/access_docker_ssl.log; +# error_log /logs/nginx/error_docker_ssl.log; +# +# include /etc/nginx/options-ssl-nginx.conf; +# +# ssl_certificate /etc/certs/fullchain.pem; +# ssl_certificate_key /etc/certs/privkey.pem; +# ssl_dhparam /etc/certs/ssl-dhparams.pem; +# +# location / { +# return 404; +# } +# }
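Review bot: Removing `return 301 https://$host$request_uri;` means this container no longer forces HTTPS itself, so the new header comment should state the assumption the config now rests on: the host-level terminator performs the HTTP-to-HTTPS redirect and is the only route to port 80, which must not be published to clients directly. A line such as `# Port 80 is plain HTTP on purpose: TLS and the HTTP->HTTPS redirect are handled by the host terminator; do not expose this port directly.` above `listen 80 default_server;` makes that trust boundary explicit. The commented-out 443 block still references /etc/certs/fullchain.pem and /etc/certs/privkey.pem; if that mount goes away with this change, say so in the block's comment so re-enabling it does not fail on a missing path.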