diff --git a/Dockerfile b/Dockerfile
index a27c553..1a37b09 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,8 +14,9 @@ ENV SERVER_NAME_MOBILE_APP mobile.opex.dev
 ENV SERVER_WALLET_STAT walletstat.opex.dev
 ENV SERVER_NAME_KC kc.opex.dev
 ENV SERVER_NAME_V2_AUTH v2auth.opex.dev
+ENV SERVER_NAME_BETA_APP beta-app.opex.dev
 ENTRYPOINT sh -c 'envsubst \
-\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH \
+\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH,\$SERVER_NAME_BETA_APP \
 < /etc/nginx/nginx.conf.org \
 | tee /etc/nginx/nginx.conf \
 && nginx -g "daemon off;"'
diff --git a/docker-compose.yml b/docker-compose.yml
index c7686ac..c5cb581 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,9 +17,12 @@ services:
 - SERVER_WALLET_STAT=$SERVER_WALLET_STAT
 - SERVER_NAME_KC=$SERVER_NAME_KC
 - SERVER_NAME_V2_AUTH=$SERVER_NAME_V2_AUTH
+ - SERVER_NAME_BETA_APP=$SERVER_NAME_BETA_APP
 secrets:
 - opex_dev_crt
 - private_pem
+ volumes:
+ - /var/www:/var/www:ro
 nginx-exporter:
 image: nginx/nginx-prometheus-exporter:1.1.0
 ports:
diff --git a/nginx.conf b/nginx.conf
index b1ac5d1..df4d7b8 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -5,6 +5,9 @@ events {
 }
 
 http {
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log debug;
+
 include /etc/nginx/mime.types;
 sendfile on;
 
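Review bot: The envsubst variable list on the new `+\$EXPOSED_PORT,…,\$SERVER_NAME_BETA_APP` line still omits `SERVER_NAME_ADMIN_V2_PANEL`, which the nginx.conf side of this same change introduces as `server_name $SERVER_NAME_ADMIN_V2_PANEL;`, and no `ENV` default is added for it; envsubst only expands the names it is given, so that placeholder reaches nginx verbatim, and `server_name` does not expand variables, which leaves the admin-v2 vhost either rejected at startup or unreachable under its intended hostname. Add `ENV SERVER_NAME_ADMIN_V2_PANEL <hostname>` beside the new `SERVER_NAME_BETA_APP` line, append `,\$SERVER_NAME_ADMIN_V2_PANEL` to the list, and pass it through in docker-compose like the other names. The nginx.conf also hardcodes `server_name v2api.opex.dev;` while every other hostname is a placeholder; a `SERVER_NAME_V2_API` variable handled the same way keeps a single mechanism for all hostnames.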
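Review bot: The new bind mount `/var/www:/var/www:ro` hands the edge container the host's entire `/var/www` tree, while the beta vhost added in nginx.conf only reads `/var/www/desktop` and `/var/www/mobile` and serves whatever `try_files $uri` finds under them. Anything else deployed beneath that host path (other sites, `.git`, `.env`, source maps, build artefacts) becomes readable by the nginx process, and a future `root` mistake would serve it. Mount only what is served: `- /var/www/desktop:/var/www/desktop:ro` and `- /var/www/mobile:/var/www/mobile:ro`. Read-only is the right choice and should stay.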
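Review bot: `error_log /var/log/nginx/error.log debug;` is nginx's most verbose level, and because it sits at `http` level it applies to every vhost in this file, including the auth, Keycloak and API proxies; with a debug-enabled binary it records request and upstream headers — `Authorization` and `Cookie` values included — for every request, which makes the error log a credential sink as well as a disk filler. On the stock non-debug build it is merely noisy, but the config should not depend on which binary the image ships. Use `error_log /var/log/nginx/error.log warn;` here and raise the level on a single `server` block only while debugging. If this file replaces the official image's config, `/var/log/nginx/error.log` is normally a symlink to stderr there, so the same data lands in container logs — worth confirming where it ends up.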
@@ -42,6 +45,24 @@ http { resolver 127.0.0.11 valid=60s; + map $http_user_agent $is_mobile { + default 0; + ~*iphone 1; + ~*ipod 1; + ~*android 1; + ~*blackberry 1; + ~*windows\ phone 1; + mobile 1; + opera\ mini 1; + iemobile 1; + } + + # Set root path based on device type + map $is_mobile $web_app_root { + 0 /var/www/desktop; + 1 /var/www/mobile; + } + server { listen 80; @@ -108,6 +129,24 @@ http { } } + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name $SERVER_NAME_ADMIN_V2_PANEL; + + location ~* \.(.*)$ { + set $backend http://admin-v2-panel-nginx; + proxy_pass $backend; + } + + location / { + set $backend http://admin-v2-panel-nginx; + proxy_pass $backend; + rewrite .* / break; + } + } + server { listen 443 ssl; listen [::]:443 ssl; 
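Review bot: In the `$is_mobile` map the last three entries `mobile 1;`, `opera\ mini 1;` and `iemobile 1;` are literal, case-sensitive whole-string comparisons — a `map` source is only a regex when it starts with `~` — so a real User-Agent such as `Mozilla/5.0 (… Mobile Safari …)` never hits them and falls through to whichever `~*` line happens to apply, or to `default 0`. Make them `~*mobile 1;`, `~*opera\ mini 1;` and `~*iemobile 1;` so they do what the block's comment says. Neither `$is_mobile` nor the derived `$web_app_root` map is consumed by the new beta vhost later in this diff, which re-derives the same decision with `set`/`if`; keeping only one of the two mechanisms stops them drifting apart, and I would avoid having both a `map` and a `set` define `$web_app_root`.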
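Review bot: The new `$SERVER_NAME_ADMIN_V2_PANEL` vhost proxies to `admin-v2-panel-nginx` without any `proxy_set_header`, unlike the Keycloak, auth and API vhosts added in the same change, so the admin panel — and anything it logs, audits or rate-limits on — only ever sees the proxy's address and the upstream container name as `Host`. For an admin surface that is the wrong place to lose client identity; add at `server` level `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` (plus `X-Forwarded-Proto https`) so both locations inherit them. Since this is the admin panel, consider an `allow`/`deny` list or client-certificate requirement at this hop rather than relying solely on the panel's own login. Note also that `$SERVER_NAME_ADMIN_V2_PANEL` is not in the Dockerfile's envsubst list, so the placeholder currently reaches nginx unexpanded.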
@@ -157,6 +196,64 @@ http { } } + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name $SERVER_NAME_KC; + + location / { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_pass http://keycloak:8080; + } + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name $SERVER_NAME_V2_AUTH; + + if ($request_method = 'OPTIONS') { + return 204; + } + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header Authorization $http_authorization; + proxy_pass http://auth-gateway:8080; + } + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name v2api.opex.dev; + + if ($request_method = 'OPTIONS') { + return 204; + } + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Authorization $http_authorization; + proxy_pass http://api:8080; + rewrite ^/(.*)$ /opex/$1 break; + } + } + server { listen 443 ssl; listen [::]:443 ssl; @@ -222,6 +319,11 @@ http { proxy_pass $backend; rewrite ^/auth(.*)$ /actuator/health/$1 break; } + location /auth-gateway { + set $backend http://auth-gateway:8080; + proxy_pass $backend; + rewrite ^/auth-gateway(.*)$ /actuator/health/$1 break; + } location /wallet { set $backend http://wallet:8080; @@ -335,6 +437,12 @@ http { proxy_pass $backend; rewrite ^/api/(.*)$ /$1 break; } + + location /profile { + set $backend http://profile:8080; + proxy_pass $backend; + rewrite ^/profile/(.*)$ /$1 break; + } location /sapi { set $backend http://api:8080; 
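Review bot: The server-level `if ($request_method = 'OPTIONS') { return 204; }` in the `$SERVER_NAME_V2_AUTH` and `v2api.opex.dev` vhosts answers every preflight with a bare 204 carrying no `Access-Control-Allow-Origin`/`-Methods`/`-Headers`, so browsers still reject the cross-origin call, while the auth-gateway and api upstreams never get to apply their own CORS policy. Either remove the two `if` blocks and let the upstream handle OPTIONS, or emit the allow headers here from an explicit origin allowlist (a `map $http_origin` to an allowed value), never a reflected `$http_origin`. `proxy_set_header Authorization $http_authorization;` is redundant — nginx forwards client request headers, Authorization included, unless told otherwise — and can be dropped. The Keycloak block passes `X-Forwarded-For $proxy_add_x_forwarded_for`, which keeps any client-supplied value in front; if this nginx is the internet-facing hop, `$remote_addr` is the safer choice so a caller cannot prepend a fake address for Keycloak's logs and brute-force detection.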
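Review bot: `rewrite ^/auth-gateway(.*)$ /actuator/health/$1 break;` places no constraint on what follows the prefix, so `/auth-gateway-anything` and any deeper path are forwarded to the auth-gateway's actuator under `/actuator/health/…`; this mirrors the existing `/auth` block, so it is at least consistent, but if only the overall status is needed, `location = /auth-gateway { set $backend http://auth-gateway:8080; proxy_pass $backend; rewrite ^ /actuator/health break; }` limits it to that single endpoint. Whether this health vhost is reachable from outside I cannot tell from the hunk — the enclosing `server` block starts above it — and a Spring health endpoint can include component details depending on the service's own settings, so the exposure is worth confirming rather than assuming.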
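Review bot: `location /profile` is a prefix match but its rewrite only fires for `^/profile/(.*)$`, so `/profile` itself and anything like `/profileXYZ` match the location, skip the rewrite and are proxied verbatim to `profile:8080` as `/profile…`, a path the service presumably does not expect. Declaring it as `location /profile/ {` (or `location ^~ /profile/ {`) with the same rewrite confines the block to the intended subtree; the neighbouring `/api` and `/sapi` blocks share the quirk, so fix them together if you touch this. No `proxy_set_header` lines appear in the hunk, so the profile service only sees the real client if they are set at the `server` level above, which is outside this view — please confirm.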
@@ -342,6 +450,12 @@ http { rewrite ^/sapi/(.*)$ /$1 break; } + location /bc { + set $backend http://bc-gateway:8080; + proxy_pass $backend; + rewrite ^/bc/(.*)$ /$1 break; + } + location /captcha { add_header Access-Control-Allow-Credentials true always; add_header Access-Control-Allow-Origin $http_origin always; 
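Review bot: `rewrite ^/bc/(.*)$ /$1 break;` together with `proxy_pass $backend` mounts the entire `bc-gateway:8080` path space under `/bc/` on the public API host; if that gateway has operational or internal routes (actuator, admin or debug endpoints), they become reachable from the internet through this block. Prefer enumerating the public prefixes — e.g. `location ^~ /bc/api/ { set $backend http://bc-gateway:8080; proxy_pass $backend; rewrite ^/bc/(.*)$ /$1 break; }` — or, if the whole surface is meant to be public, say so in a comment on the block. As with the sibling `/profile` block, the prefix form `location /bc` also matches `/bcfoo` and forwards it unrewritten; `location /bc/` avoids that. Nothing in this hunk shows the gateway's route list, so this is a point to confirm, not a known exposure.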
@@ -353,15 +467,75 @@ http { rewrite ^/captcha/(.*)$ /$1 break; } - location /binance { - proxy_set_header Host api.binance.com; - proxy_set_header X-Real-IP ''; - proxy_set_header X-Forwarded-For ''; - proxy_set_header X-Forwarded-Host ''; - set $backend https://api.binance.com; - proxy_pass $backend; - rewrite ^/binance/(.*)$ /$1 break; - } + resolver 127.0.0.11 valid=30s; + resolver_timeout 15s; + + + location /binance { + + # target upstream (IMPORTANT: must be variable for DNS resolution) + set $backend https://binance.beeep.ir; + + # route path + rewrite ^/binance/(.*)$ /$1 break; + + # upstream connection settings + proxy_pass $backend; + + # correct upstream identity + proxy_set_header Host binance.beeep.ir; + proxy_ssl_server_name on; + proxy_ssl_name binance.beeep.ir; + + # client headers + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # timeouts (important for slow Binance-like APIs) + proxy_connect_timeout 60s; + proxy_send_timeout 300s; + proxy_read_timeout 300s; + send_timeout 300s; + + # retry logic (VERY IMPORTANT for your error) + proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; + proxy_next_upstream_tries 3; + proxy_next_upstream_timeout 60s; + + # TLS (since upstream is HTTPS) + proxy_ssl_verify off; + + # avoid buffering issues for slow responses + proxy_buffering off; + proxy_request_buffering off; + + # stability + proxy_intercept_errors off; + } + } + + server { + listen 443 ssl http2; + server_name $SERVER_NAME_BETA_APP; + + set $web_app_root /var/www/desktop; + + if ($http_user_agent ~* (iphone|ipod|android|blackberry|windows\ phone|mobile|opera\ mini|iemobile)) { + set $web_app_root /var/www/mobile; + } + + location / { + root $web_app_root; + try_files $uri $uri/ /index.html; + } + + location = /index.html { + root $web_app_root; + add_header Cache-Control "no-cache, no-store, must-revalidate"; + } + } + }
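Review bot: The `/binance` block now sends traffic to `binance.beeep.ir` with `proxy_ssl_verify off;`, which disables certificate validation of an HTTPS upstream that replaces api.binance.com: anyone on the path to that relay can impersonate it and read or alter whatever API keys, signed requests and market data pass through `/binance/`. The previous block also deliberately blanked `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Host` before the request left the platform; the new one forwards the end user's address and scheme to a third party, which is a needless disclosure. Turn verification on against the system CA bundle (the path depends on the base image), set a protocol floor, and restore the header blanking as sketched below; note too that with `proxy_request_buffering off` nginx cannot re-send a request body, so `proxy_next_upstream_tries 3` only helps requests that failed before the body went out. The inline comments (`VERY IMPORTANT for your error`) read like pasted chat output and should be trimmed to what the config actually needs. The beta vhost only listens on IPv4 (`listen 443 ssl http2;`) whereas every other vhost here also has `listen [::]:443 ssl;` — probably an oversight.
```nginx
location /binance {
    # … unchanged: $backend, rewrite, proxy_pass, Host / SNI settings …

    # Do not leak the end user's identity to the third-party relay
    # (the previous api.binance.com block blanked these deliberately).
    proxy_set_header X-Real-IP '';
    proxy_set_header X-Forwarded-For '';
    proxy_set_header X-Forwarded-Host '';

    # … unchanged: X-Forwarded-Proto, timeouts, proxy_next_upstream, buffering …

    # Verify the relay's certificate; CA bundle path depends on the base image.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
}
```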