From 81a7612308d83a785a5292e10f6d02e38575bfb2 Mon Sep 17 00:00:00 2001
From: user
Date: Thu, 11 Sep 2025 19:20:00 +0300
Subject: [PATCH] init

---
 ipfs/init/001-config.sh | 25 ++++++++
 nginx.conf | 138 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 163 insertions(+)
 create mode 100644 ipfs/init/001-config.sh
 create mode 100644 nginx.conf

diff --git a/ipfs/init/001-config.sh b/ipfs/init/001-config.sh
new file mode 100644
index 0000000..e9c3f8e
--- /dev/null
+++ b/ipfs/init/001-config.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -e
+
+# Expose API and Gateway inside container. Do NOT publish API outside docker network.
+ipfs config Addresses.API /ip4/0.0.0.0/tcp/5001
+ipfs config Addresses.Gateway /ip4/0.0.0.0/tcp/8080
+
+# Gateway should not fetch from the wider network; serve only local content
+ipfs config --json Gateway.NoFetch true
+
+# DHT client mode with accelerated providing
+ipfs config --json Routing '{ "Type": "dhtclient", "AcceleratedDHTClient": true }'
+
+# Reprovider pinned content periodically
+ipfs config --json Reprovider '{ "Interval": "22h", "Strategy": "pinned+mfs" }'
+
+# Keep connection manager within reasonable bounds
+ipfs config --json Swarm.ConnMgr '{ "Type": "basic", "LowWater": 50, "HighWater": 200, "GracePeriod": "20s" }'
+
+# CORS for RPC API (visible only in docker network)
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT","POST","GET"]'
+
+echo "IPFS init script applied"
+
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..d5f461f
--- /dev/null
+++ b/nginx.conf
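Review bot: `ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]'` disables the origin restriction that normally keeps browser pages from driving the unauthenticated RPC API, so any site a user has open could talk to port 5001 whenever that port becomes reachable from the user's machine (a later `-p 5001:5001` added for debugging, or a host-network container); the comment above documents the intent but nothing enforces it. Narrow the list to the origin(s) that actually need browser access, `ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["<ALLOWED_ORIGIN>"]'`, or leave the header unset if no browser client exists. The same caveat applies to `Addresses.API /ip4/0.0.0.0/tcp/5001`: binding to every interface is only safe while the port is unpublished, which this script cannot verify, so a comment stating that the compose/run configuration must never publish 5001 would help the next maintainer.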
@@ -0,0 +1,138 @@
+upstream backend_app {
+server 127.0.0.1:13200;
+keepalive 32;
+}
+
+upstream frontend_web {
+server 127.0.0.1:13300;
+keepalive 16;
+}
+
+# Access log format including request id
+log_format reqid '$time_iso8601 [$req_id] $remote_addr "$request" $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent"';
+
+# Correlate/propagate request id; if client sent X-Request-Id use it, otherwise generate
+map $http_x_request_id $req_id {
+default $http_x_request_id;
+"" $request_id;
+}
+
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' close;
+}
+
+server {
+listen 80;
+server_name my-public-node-8.projscale.dev;
+# Emit request id even on redirects
+add_header X-Request-Id $req_id always;
+return 301 https://$host$request_uri;
+}
+
+server {
+listen 443 ssl http2;
+server_name my-public-node-8.projscale.dev;
+# Access log with request id
+access_log /var/log/nginx/access.log reqid;
+
+# SSL configuration (valid certs)
+ssl_certificate /etc/letsencrypt/live/my-public-node-8.projscale.dev/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/my-public-node-8.projscale.dev/privkey.pem;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # enable after confirming HTTPS only
+
+# Общие параметры для стабильности и больших файлов
+client_max_body_size 10G;
+client_body_timeout 300s;
+client_header_timeout 300s;
+keepalive_timeout 65s;
+
+# Сжатие текстовых ответов
+gzip on;
+gzip_comp_level 5;
+gzip_min_length 1024;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+
+# Безопасные заголовки (минимальный набор) и корреляция
+add_header X-Content-Type-Options nosniff always;
+add_header X-Frame-Options SAMEORIGIN always;
+add_header Referrer-Policy strict-origin-when-cross-origin always;
+add_header X-Request-Id $req_id always;
+
+# CORS (для API и префлайтов)
+add_header Access-Control-Allow-Origin * always;
+add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization, Referer, User-Agent, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, x-file-name, x-last-chunk, x-chunk-start, x-upload-id, x-request-id" always;
+
+# Быстрая обработка preflight (если бэкенд недоступен)
+if ($request_method = OPTIONS) { return 204; }
+
+# Статика фронтенда (SPA)
+location / {
+proxy_pass http://frontend_web;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Request-Id $req_id;
+proxy_read_timeout 60s;
+}
+
+# Агрессивное кеширование хешированных ассетов (Vite кладет их в /assets)
+location ^~ /assets/ {
+proxy_pass http://frontend_web;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Request-Id $req_id;
+proxy_read_timeout 60s;
+proxy_hide_header Cache-Control;
+add_header Cache-Control "public, max-age=31536000, immutable" always;
+}
+
+# API
+location /api/ {
+proxy_pass http://backend_app;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Request-Id $req_id;
+
+# Для chunked uploads и стриминга – не буферизуем запрос/ответ
+proxy_http_version 1.1;
+proxy_request_buffering off;
+proxy_buffering off;
+proxy_max_temp_file_size 0;
+proxy_set_header Connection "";
+
+# Таймауты для больших файлов
+proxy_connect_timeout 300s;
+proxy_send_timeout 300s;
+proxy_read_timeout 300s;
+
+# Вебсокеты (на будущее)
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+}
+
+# Health to backend
+location = /health {
+proxy_pass http://backend_app/api/system.version;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Request-Id $req_id;
+}
+}
\ No newline at end of file
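Review bot: `location ^~ /assets/` declares its own `add_header Cache-Control`, and nginx inherits add_header from the server level only when a location declares none, so hashed-asset responses silently lose X-Content-Type-Options, X-Frame-Options, Referrer-Policy and the X-Request-Id correlation header set above. The headers that must hold for assets should be restated inside that location (or kept in a snippet included in both places); the rewritten block is below. Separately, `map $http_x_request_id $req_id` reuses whatever the client sent, unbounded and unvalidated, before it is logged and forwarded to the backend; reuse it only when it matches a bounded pattern, e.g. `"~^[A-Za-z0-9._-]{1,64}$" $http_x_request_id;` with `default $request_id;`. Also note that the second `proxy_set_header Connection $connection_upgrade` in `/api/` sends `Connection: close` on every non-upgrade request (the map yields `close` for an empty Upgrade header), which defeats the upstream `keepalive 32`; mapping `'' "";` instead of `'' close;` avoids that.
```nginx
location ^~ /assets/ {
    # … unchanged: proxy_pass, proxy_http_version and proxy_set_header directives …
    proxy_hide_header Cache-Control;
    # add_header is not inherited once this block sets its own header, so restate the server-level set
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header X-Request-Id $req_id always;
    add_header Cache-Control "public, max-age=31536000, immutable" always;
}
```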