iklim.co/Environment_Infrastructure
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Environment_Infrastructure/roadmap/test-env/04-swag-nginx-configs.md
Murat ÖZDEMİR 5ddba7eba4 docs: update production roadmap for HA Vault and shared storage 
- Refactor production setup documentation to reflect a 3-node Vault Raft cluster starting from launch.
- Update all paths to use StorageBox mounts for shared state (SWAG config, TLS certs, Monitoring data).
- Switch Nginx configuration convention from proxy-confs to site-confs to align with SWAG's auto-include behavior.
- Standardize TLS private key extensions to .pem.
- Update node failover and recovery facts to include monitoring services.
- Align deployment pipeline instructions with the latest environment variable-driven approach.
2026-05-16 16:18:21 +03:00

192 lines
4.9 KiB
Markdown
Raw Blame History

# 04 — SWAG Nginx Proxy Configs (Test)
## Context
SWAG nginx auto-includes only `site-confs/*.conf`. All proxy config templates live in `swag/site-confs/` in the repo and are rendered to `/opt/iklimco/swag/site-confs/` on the host at deploy time.
Templates use `${VAR}` placeholders processed with `envsubst` at deploy time.
## Required env vars (in `.env` on storagebox `test/secrets/iklim.co/.env`)
```bash
API_SUBDOMAIN=api-test.iklim.co
APIGW_SUBDOMAIN=apigw-test.iklim.co
RABBITMQ_SUBDOMAIN=rabbitmq-test.iklim.co
GRAFANA_SUBDOMAIN=grafana-test.iklim.co
RESTRICTED_IP_1=78.187.87.109
RESTRICTED_IP_2=95.70.151.248
```
## Files to create
### `swag/site-confs/default.conf`
Default catch-all: HTTP→HTTPS redirect + 444 for unknown HTTPS hosts.
```nginx
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
include /config/nginx/ssl.conf;
return 444;
}
```
### `swag/site-confs/api.conf.tpl`
Public API gateway — no IP restriction.
```nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${API_SUBDOMAIN};
include /config/nginx/ssl.conf;
include /config/nginx/resolver.conf;
client_max_body_size 50m;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app apisix;
set $upstream_port 9080;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
```
### `swag/site-confs/apigw.conf.tpl`
APISIX Dashboard — IP restricted.
```nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${APIGW_SUBDOMAIN};
include /config/nginx/ssl.conf;
include /config/nginx/resolver.conf;
client_max_body_size 0;
location / {
allow ${RESTRICTED_IP_1};
allow ${RESTRICTED_IP_2};
deny all;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app apisix-dashboard;
set $upstream_port 9000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
```
### `swag/site-confs/rabbitmq.conf.tpl`
RabbitMQ Management UI — IP restricted.
```nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${RABBITMQ_SUBDOMAIN};
include /config/nginx/ssl.conf;
include /config/nginx/resolver.conf;
client_max_body_size 0;
location / {
allow ${RESTRICTED_IP_1};
allow ${RESTRICTED_IP_2};
deny all;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app rabbitmq;
set $upstream_port 15672;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
```
### `swag/site-confs/grafana.conf.tpl`
Grafana — IP restricted.
```nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${GRAFANA_SUBDOMAIN};
include /config/nginx/ssl.conf;
include /config/nginx/resolver.conf;
client_max_body_size 0;
location / {
allow ${RESTRICTED_IP_1};
allow ${RESTRICTED_IP_2};
deny all;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app grafana;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
```
## Deploy step (handled by pipeline — see `07-deploy-pipeline-update.md`)
```bash
# Process templates and write to host
mkdir -p /opt/iklimco/swag/site-confs
set -a; . ./.env; set +a
export RESTRICTED_IP_1="78.187.87.109"
export RESTRICTED_IP_2="95.70.151.248"
for tpl in swag/site-confs/*.conf.tpl; do
out="/opt/iklimco/swag/site-confs/$(basename "${tpl%.tpl}")"
envsubst < "$tpl" > "$out"
echo "✅ $out"
done
cp swag/site-confs/default.conf /opt/iklimco/swag/site-confs/default.conf
```
## Verification
After deploy, check SWAG nginx config is valid:
```bash
docker exec $(docker ps -q -f name=iklimco_swag) nginx -t
```
Check subdomains resolve (from outside the server):
```bash
curl -sk https://api-test.iklim.co/health # expects APISIX response
curl -sk https://grafana-test.iklim.co # expects 403 Forbidden (wrong IP)
```
## Notes
- `include /config/nginx/resolver.conf` enables dynamic upstream resolution via Docker DNS —
required for overlay service names like `apisix`, `grafana`, etc.
- SWAG's `proxy.conf` already sets `X-Real-IP`, `X-Forwarded-For`, `X-Forwarded-Proto` and
WebSocket upgrade headers. No manual addition needed.
- `*.iklim.co` cert covers both `api.iklim.co` and `api-test.iklim.co` subdomains —
both test and prod servers can independently obtain and use it.
Reference in New Issue View Git Blame Copy Permalink