feat: restaura o projeto original do clube67.com (Next.js + Express API + MySQL + Redis) livre de gambiarras e dockerizado
This commit is contained in:
@@ -0,0 +1,114 @@
|
||||
# ── Upstream: Next.js frontend ──
|
||||
upstream frontend {
|
||||
server 127.0.0.1:3000;
|
||||
}
|
||||
|
||||
# ── Upstream: Express API backend ──
|
||||
upstream backend {
|
||||
server 127.0.0.1:3001;
|
||||
}
|
||||
|
||||
# ── HTTP → HTTPS redirect ──
|
||||
server {
|
||||
listen 80;
|
||||
server_name clube67.com www.clube67.com;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# ── Main HTTPS server ──
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name clube67.com www.clube67.com;
|
||||
|
||||
# SSL (managed by certbot)
|
||||
ssl_certificate /etc/letsencrypt/live/clube67.com/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/clube67.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
|
||||
# ── Security Headers ──
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
||||
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
|
||||
|
||||
# ── Gzip / Brotli ──
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_min_length 256;
|
||||
gzip_types
|
||||
text/plain text/css text/xml text/javascript
|
||||
application/json application/javascript application/xml
|
||||
application/rss+xml image/svg+xml font/woff2;
|
||||
|
||||
# ── Uploads (static) ──
|
||||
location /uploads/ {
|
||||
alias /www/wwwroot/clube67.com/uploads/;
|
||||
expires 30d;
|
||||
add_header Cache-Control "public, immutable";
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# ── API proxy ──
|
||||
location /api/ {
|
||||
proxy_pass http://backend;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_connect_timeout 60s;
|
||||
proxy_send_timeout 60s;
|
||||
proxy_read_timeout 60s;
|
||||
|
||||
# Disable directory listing
|
||||
autoindex off;
|
||||
}
|
||||
|
||||
# ── WebSocket ──
|
||||
location /socket.io/ {
|
||||
proxy_pass http://backend;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_read_timeout 86400s;
|
||||
}
|
||||
|
||||
# ── Next.js static assets ──
|
||||
location /_next/static/ {
|
||||
proxy_pass http://frontend;
|
||||
expires 365d;
|
||||
add_header Cache-Control "public, immutable";
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# ── Frontend (catch-all) ──
|
||||
location / {
|
||||
proxy_pass http://frontend;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
# ── Disable hidden files ──
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# ── File size ──
|
||||
client_max_body_size 10M;
|
||||
}
|
||||
+81
-22
@@ -1,37 +1,96 @@
|
||||
# ── Upstream: Next.js frontend ──
|
||||
upstream frontend {
|
||||
server clube67-frontend:3000;
|
||||
}
|
||||
|
||||
# ── Upstream: Express API backend ──
|
||||
upstream backend {
|
||||
server clube67-backend:3001;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name clube67.com www.clube67.com;
|
||||
|
||||
client_max_body_size 50M;
|
||||
# Limite de upload para arquivos
|
||||
client_max_body_size 10M;
|
||||
|
||||
# Resolver DNS interno do Docker para resolução dinâmica
|
||||
resolver 127.0.0.11 valid=30s;
|
||||
# ── Security Headers ──
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
# Proxy para o Socket.io (Realtime Events)
|
||||
location /socket.io/ {
|
||||
set $backend_upstream http://clube67-backend:3001;
|
||||
proxy_pass $backend_upstream;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# ── Gzip ──
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_min_length 256;
|
||||
gzip_types
|
||||
text/plain text/css text/xml text/javascript
|
||||
application/json application/javascript application/xml
|
||||
application/rss+xml image/svg+xml font/woff2;
|
||||
|
||||
# ── Uploads (static) ──
|
||||
location /uploads/ {
|
||||
alias /www/wwwroot/clube67.com/uploads/;
|
||||
expires 30d;
|
||||
add_header Cache-Control "public, immutable";
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Proxy para tudo (Landing Page Estática & API Express do Clube67)
|
||||
location / {
|
||||
set $backend_upstream http://clube67-backend:3001;
|
||||
proxy_pass $backend_upstream;
|
||||
# ── API proxy ──
|
||||
location /api/ {
|
||||
proxy_pass http://backend;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection 'upgrade';
|
||||
proxy_set_header Host $host;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_connect_timeout 60s;
|
||||
proxy_send_timeout 60s;
|
||||
proxy_read_timeout 60s;
|
||||
autoindex off;
|
||||
}
|
||||
|
||||
# ── WebSocket ──
|
||||
location /socket.io/ {
|
||||
proxy_pass http://backend;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_read_timeout 86400s;
|
||||
}
|
||||
|
||||
# ── Next.js static assets ──
|
||||
location /_next/static/ {
|
||||
proxy_pass http://frontend;
|
||||
expires 365d;
|
||||
add_header Cache-Control "public, immutable";
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# ── Frontend (catch-all) ──
|
||||
location / {
|
||||
proxy_pass http://frontend;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
# ── Disable hidden files ──
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user