Scott.Idem/OSIT-AE-Docker-Env
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: disabled internal SSL/HTTPS in Nginx configs to support host-level SSL termination.

Browse Source
This commit is contained in:
Scott Idem
2026-03-11 23:05:51 -04:00
parent 14173cfc22
commit a7b6112f4d
3 changed files with 202 additions and 279 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
conf/nginx/site-enabled_aether_app_svelte_node.conf
View File

@@ -64,73 +64,73 @@ server {
} }
server { # server {
listen 443 ssl; # listen 443 ssl;
listen [::]:443 ssl; # listen [::]:443 ssl;
http2 on; # http2 on;
#
server_name # server_name
${DOCKER_AE_APP_SERVER_NAME} # ${DOCKER_AE_APP_SERVER_NAME}
svelte.localhost demo.localhost dev.localhost # svelte.localhost demo.localhost dev.localhost
#
bak-app.oneskyit.com # bak-app.oneskyit.com
bak-connect.oneskyit.com *.bak-connect.oneskyit.com # bak-connect.oneskyit.com *.bak-connect.oneskyit.com
bak-demo.oneskyit.com *.bak-demo.oneskyit.com # bak-demo.oneskyit.com *.bak-demo.oneskyit.com
#
bak-businessgroup.oneskyit.com *.bak-businessgroup.oneskyit.com # bak-businessgroup.oneskyit.com *.bak-businessgroup.oneskyit.com
bak-ishlt.oneskyit.com *.bak-ishlt.oneskyit.com # bak-ishlt.oneskyit.com *.bak-ishlt.oneskyit.com
#
dev-app.oneskyit.com # dev-app.oneskyit.com
dev-connect.oneskyit.com *.dev-connect.oneskyit.com # dev-connect.oneskyit.com *.dev-connect.oneskyit.com
dev-demo.oneskyit.com *.dev-demo.oneskyit.com # dev-demo.oneskyit.com *.dev-demo.oneskyit.com
#
dev-aacc.oneskyit.com *.dev-aacc.oneskyit.com # dev-aacc.oneskyit.com *.dev-aacc.oneskyit.com
dev-aapor.oneskyit.com *.dev-aapor.oneskyit.com # dev-aapor.oneskyit.com *.dev-aapor.oneskyit.com
dev-businessgroup.oneskyit.com *.dev-businessgroup.oneskyit.com # dev-businessgroup.oneskyit.com *.dev-businessgroup.oneskyit.com
dev-chow.oneskyit.com *.dev-chow.oneskyit.com # dev-chow.oneskyit.com *.dev-chow.oneskyit.com
dev-idaa.oneskyit.com *.dev-idaa.oneskyit.com # dev-idaa.oneskyit.com *.dev-idaa.oneskyit.com
dev-ishlt.oneskyit.com *.dev-ishlt.oneskyit.com # dev-ishlt.oneskyit.com *.dev-ishlt.oneskyit.com
dev-lci.oneskyit.com *.dev-lci.oneskyit.com # dev-lci.oneskyit.com *.dev-lci.oneskyit.com
dev-npa.oneskyit.com *.dev-npa.oneskyit.com # dev-npa.oneskyit.com *.dev-npa.oneskyit.com
dev-rli.oneskyit.com *.dev-rli.oneskyit.com # dev-rli.oneskyit.com *.dev-rli.oneskyit.com
#
sr-app.oneskyit.com # sr-app.oneskyit.com
sr-connect.oneskyit.com *.sr-connect.oneskyit.com # sr-connect.oneskyit.com *.sr-connect.oneskyit.com
sr-demo.oneskyit.com *.sr-demo.oneskyit.com # sr-demo.oneskyit.com *.sr-demo.oneskyit.com
#
sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com # sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com
sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com # sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com
sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com # sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com
sr-lci.oneskyit.com *.sr-lci.oneskyit.com # sr-lci.oneskyit.com *.sr-lci.oneskyit.com
#
test-app.oneskyit.com # test-app.oneskyit.com
; # ;
#
access_log /logs/nginx/access_svelte_node.log; # access_log /logs/nginx/access_svelte_node.log;
error_log /logs/nginx/error_svelte_node.log; # error_log /logs/nginx/error_svelte_node.log;
#
include /etc/nginx/options-ssl-nginx.conf; # include /etc/nginx/options-ssl-nginx.conf;
#
ssl_certificate /etc/certs/fullchain_wild.pem; # ssl_certificate /etc/certs/fullchain_wild.pem;
ssl_certificate_key /etc/certs/privkey_wild.pem; # ssl_certificate_key /etc/certs/privkey_wild.pem;
ssl_dhparam /etc/certs/ssl-dhparams.pem; # ssl_dhparam /etc/certs/ssl-dhparams.pem;
#
client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE};
#
location / { # location / {
proxy_set_header Host $http_host; # proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; # proxy_set_header X-Forwarded-Proto $scheme;
#
proxy_redirect off; # proxy_redirect off;
proxy_buffering off; # proxy_buffering off;
#
proxy_read_timeout 1500s; # proxy_read_timeout 1500s;
#
proxy_pass http://svelte_backend; # proxy_pass http://svelte_backend;
} # }
} # }
upstream svelte_backend { upstream svelte_backend {

212
conf/nginx/site-enabled_aether_fastapi_gunicorn.conf
View File

@@ -101,112 +101,112 @@ server {
} }
server { # server {
listen 443 ssl; # listen 443 ssl;
listen [::]:443 ssl; # listen [::]:443 ssl;
http2 on; # http2 on;
#
server_name # server_name
${DOCKER_AE_API_SERVER_NAME} # ${DOCKER_AE_API_SERVER_NAME}
fastapi.localhost # fastapi.localhost
api.localhost # api.localhost
localhost # localhost
; # ;
#
# server_name # # server_name
# fastapi_gunicorn.localhost # # fastapi_gunicorn.localhost
# dev-api.localhost # # dev-api.localhost
# dev-api.oneskyit.com # # dev-api.oneskyit.com
# test-api.oneskyit.com # # test-api.oneskyit.com
# ; # # ;
#
access_log /logs/nginx/access_fastapi_gunicorn.log; # access_log /logs/nginx/access_fastapi_gunicorn.log;
error_log /logs/nginx/error_fastapi_gunicorn.log; # error_log /logs/nginx/error_fastapi_gunicorn.log;
#
include /etc/nginx/options-ssl-nginx.conf; # include /etc/nginx/options-ssl-nginx.conf;
#
ssl_certificate /etc/certs/fullchain_wild.pem; # ssl_certificate /etc/certs/fullchain_wild.pem;
ssl_certificate_key /etc/certs/privkey_wild.pem; # ssl_certificate_key /etc/certs/privkey_wild.pem;
ssl_dhparam /etc/certs/ssl-dhparams.pem; # ssl_dhparam /etc/certs/ssl-dhparams.pem;
#
# include brotli.conf; # # include brotli.conf;
# include gzip.conf; # # include gzip.conf;
#
client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # 5120M; #4096M or 4G; 5120M or 5G; # client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # 5120M; #4096M or 4G; 5120M or 5G;
#
location / { # location / {
# Based on recommendations here: https://www.uvicorn.org/deployment/#running-behind-nginx # # Based on recommendations here: https://www.uvicorn.org/deployment/#running-behind-nginx
proxy_set_header Host $http_host; # proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; # proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade; # proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; # proxy_set_header Connection $connection_upgrade;
#
proxy_redirect off; # proxy_redirect off;
proxy_buffering off; # proxy_buffering off;
#
# I think "X-Real-IP" might be needed for some things? # # I think "X-Real-IP" might be needed for some things?
proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Real-IP $remote_addr;
#
# # This is needed for long running Python code. Default is 60 seconds # # # This is needed for long running Python code. Default is 60 seconds
# # Increased from 1200 to 1500 on 2022-04-17 # # # Increased from 1200 to 1500 on 2022-04-17
# # Increased from 1500 to 2000 on 2023-03-15 # # # Increased from 1500 to 2000 on 2023-03-15
# # Increased proxy read timeout to 2100 and decreased fastcgi options to 35s on 2023-03-16 # # # Increased proxy read timeout to 2100 and decreased fastcgi options to 35s on 2023-03-16
# fastcgi_connect_timeout 35s; # # fastcgi_connect_timeout 35s;
# fastcgi_send_timeout 35s; # # fastcgi_send_timeout 35s;
# fastcgi_read_timeout 35s; # # fastcgi_read_timeout 35s;
#
# proxy read timeout being too low will cause 504 Gateway Time-out on the client browser # # proxy read timeout being too low will cause 504 Gateway Time-out on the client browser
proxy_read_timeout 2100s; # proxy_read_timeout 2100s;
#
proxy_pass http://fastapi_backend; # proxy_pass http://fastapi_backend;
} # }
#
location /ws { # location /ws {
proxy_set_header Host $http_host; # proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; # proxy_set_header X-Forwarded-Proto $scheme;
#
proxy_http_version 1.1; # proxy_http_version 1.1;
#
proxy_redirect off; # proxy_redirect off;
proxy_buffering off; # proxy_buffering off;
#
proxy_set_header Upgrade $http_upgrade; # proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; # proxy_set_header Connection "upgrade";
#
# proxy_read_timeout 600; # # proxy_read_timeout 600;
# proxy_headers_hash_max_size 1024; # # proxy_headers_hash_max_size 1024;
#
proxy_pass http://fastapi_backend; # proxy_pass http://fastapi_backend;
#
access_log /logs/nginx/access_fastapi_gunicorn_ws.log; # access_log /logs/nginx/access_fastapi_gunicorn_ws.log;
error_log /logs/nginx/error_fastapi_gunicorn_ws.log; # error_log /logs/nginx/error_fastapi_gunicorn_ws.log;
} # }
#
location /v3/ws { # location /v3/ws {
proxy_set_header Host $http_host; # proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; # proxy_set_header X-Forwarded-Proto $scheme;
#
proxy_http_version 1.1; # proxy_http_version 1.1;
#
proxy_redirect off; # proxy_redirect off;
proxy_buffering off; # proxy_buffering off;
#
proxy_set_header Upgrade $http_upgrade; # proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; # proxy_set_header Connection "upgrade";
#
proxy_read_timeout 2100s; # proxy_read_timeout 2100s;
#
proxy_pass http://fastapi_backend; # proxy_pass http://fastapi_backend;
#
access_log /logs/nginx/access_fastapi_gunicorn_v3_ws.log; # access_log /logs/nginx/access_fastapi_gunicorn_v3_ws.log;
error_log /logs/nginx/error_fastapi_gunicorn_v3_ws.log; # error_log /logs/nginx/error_fastapi_gunicorn_v3_ws.log;
} # }
} # }
upstream fastapi_backend { upstream fastapi_backend {

135
conf/nginx/site.conf
View File

@@ -1,115 +1,38 @@
# Aether Platform - Default Nginx Site Config
# This file handles the default (non-matching) requests.
server { server {
listen 80 default_server; listen 80 default_server;
server_name _; server_name _;
return 301 https://$host$request_uri;
}
# server { access_log /logs/nginx/access_docker_default.log;
# listen 80; error_log /logs/nginx/error_docker_default.log;
# server_name _;
#
# access_log /logs/nginx/access_docker.log;
# error_log /logs/nginx/error_docker.log;
#
# root /srv/html_php;
#
# index index.html index.htm index.php;
#
# # location / {
# # # root /usr/share/nginx/html;
# # index index.html index.htm;
# # }
#
# location ~ \.php$ {
# index index.html index.htm index.php;
#
# try_files $uri =404;
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass php7:9000;
# fastcgi_index index.php;
# include fastcgi_params;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param PATH_INFO $fastcgi_path_info;
# }
#
# #error_page 404 /404.html;
#
# # redirect server error pages to the static page /50x.html
# #
# # error_page 500 502 503 504 /50x.html;
# # location = /50x.html {
# # root /usr/share/nginx/html;
# # }
#
# # proxy the PHP scripts to Apache listening on 127.0.0.1:80
# #
# #location ~ \.php$ {
# # proxy_pass http://127.0.0.1;
# #}
#
# # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
# #
# #location ~ \.php$ {
# # root html;
# # fastcgi_pass 127.0.0.1:9000;
# # fastcgi_index index.php;
# # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# # include fastcgi_params;
# #}
#
# # deny access to .htaccess files, if Apache's document root
# # concurs with nginx's one
# #
# #location ~ /\.ht {
# # deny all;
# #}
# }
server {
listen 443 ssl;
listen [::]:443 ssl;
# http2 on;
server_name _;
access_log /logs/nginx/access_docker.log;
error_log /logs/nginx/error_docker.log;
# Do not overflow the SSL send buffer (causes extra round trips)
# ssl_buffer_size 8k;
include /etc/nginx/options-ssl-nginx.conf;
ssl_certificate /etc/certs/fullchain.pem;
ssl_certificate_key /etc/certs/privkey.pem;
ssl_dhparam /etc/certs/ssl-dhparams.pem;
# Just return a 404 for any non-matching domains
location / { location / {
return 404; return 404;
} }
# root /srv/html_php;
#
# index index.php index.html;
#
# # These two locations remove .html and .php from filenames.
# location / {
# try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
# }
#
# location ~ \.php$ {
# root /srv/html_php;
#
# # index index.html index.htm index.php;
#
# try_files $uri =404;
# # try_files $uri $document_root$fastcgi_script_name =404;
#
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass php7:9000;
# fastcgi_index index.php;
# include fastcgi_params;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param PATH_INFO $fastcgi_path_info;
# }
} }
# SSL is disabled by default for internal containers.
# If you need SSL termination INSIDE the container, uncomment this block
# and ensure valid certs are in /etc/certs/
#
# server {
# listen 443 ssl;
# listen [::]:443 ssl;
# server_name _;
#
# access_log /logs/nginx/access_docker_ssl.log;
# error_log /logs/nginx/error_docker_ssl.log;
#
# include /etc/nginx/options-ssl-nginx.conf;
#
# ssl_certificate /etc/certs/fullchain.pem;
# ssl_certificate_key /etc/certs/privkey.pem;
# ssl_dhparam /etc/certs/ssl-dhparams.pem;
#
# location / {
# return 404;
# }
# }