my-dev
/
configs
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

init

This commit is contained in:
user 2025-09-11 19:20:00 +03:00
commit 81a7612308
2 changed files with 163 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
ipfs/init/001-config.sh Normal file
View File

@ -0,0 +1,25 @@
#!/bin/sh
set -e
# Expose API and Gateway inside container. Do NOT publish API outside docker network.
ipfs config Addresses.API /ip4/0.0.0.0/tcp/5001
ipfs config Addresses.Gateway /ip4/0.0.0.0/tcp/8080
# Gateway should not fetch from the wider network; serve only local content
ipfs config --json Gateway.NoFetch true
# DHT client mode with accelerated providing
ipfs config --json Routing '{ "Type": "dhtclient", "AcceleratedDHTClient": true }'
# Reprovider pinned content periodically
ipfs config --json Reprovider '{ "Interval": "22h", "Strategy": "pinned+mfs" }'
# Keep connection manager within reasonable bounds
ipfs config --json Swarm.ConnMgr '{ "Type": "basic", "LowWater": 50, "HighWater": 200, "GracePeriod": "20s" }'
# CORS for RPC API (visible only in docker network)
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT","POST","GET"]'
echo "IPFS init script applied"

138
nginx.conf Normal file
View File

@ -0,0 +1,138 @@
upstream backend_app {
server 127.0.0.1:13200;
keepalive 32;
}
upstream frontend_web {
server 127.0.0.1:13300;
keepalive 16;
}
# Access log format including request id
log_format reqid '$time_iso8601 [$req_id] $remote_addr "$request" $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent"';
# Correlate/propagate request id; if client sent X-Request-Id use it, otherwise generate
map $http_x_request_id $req_id {
default $http_x_request_id;
"" $request_id;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name my-public-node-8.projscale.dev;
# Emit request id even on redirects
add_header X-Request-Id $req_id always;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name my-public-node-8.projscale.dev;
# Access log with request id
access_log /var/log/nginx/access.log reqid;
# SSL configuration (valid certs)
ssl_certificate /etc/letsencrypt/live/my-public-node-8.projscale.dev/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my-public-node-8.projscale.dev/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # enable after confirming HTTPS only
# Общие параметры для стабильности и больших файлов
client_max_body_size 10G;
client_body_timeout 300s;
client_header_timeout 300s;
keepalive_timeout 65s;
# Сжатие текстовых ответов
gzip on;
gzip_comp_level 5;
gzip_min_length 1024;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
# Безопасные заголовки (минимальный набор) и корреляция
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options SAMEORIGIN always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header X-Request-Id $req_id always;
# CORS (для API и префлайтов)
add_header Access-Control-Allow-Origin * always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization, Referer, User-Agent, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, x-file-name, x-last-chunk, x-chunk-start, x-upload-id, x-request-id" always;
# Быстрая обработка preflight (если бэкенд недоступен)
if ($request_method = OPTIONS) { return 204; }
# Статика фронтенда (SPA)
location / {
proxy_pass http://frontend_web;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Id $req_id;
proxy_read_timeout 60s;
}
# Агрессивное кеширование хешированных ассетов (Vite кладет их в /assets)
location ^~ /assets/ {
proxy_pass http://frontend_web;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Id $req_id;
proxy_read_timeout 60s;
proxy_hide_header Cache-Control;
add_header Cache-Control "public, max-age=31536000, immutable" always;
}
# API
location /api/ {
proxy_pass http://backend_app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Id $req_id;
# Для chunked uploads и стриминга не буферизуем запрос/ответ
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_buffering off;
proxy_max_temp_file_size 0;
proxy_set_header Connection "";
# Таймауты для больших файлов
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
# Вебсокеты (на будущее)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
# Health to backend
location = /health {
proxy_pass http://backend_app/api/system.version;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Id $req_id;
}
}