diff --git a/.github/workflows/update_primary_nginx.yml b/.github/workflows/update_primary_nginx.yml
index 9a4b964..142ed42 100644
--- a/.github/workflows/update_primary_nginx.yml
+++ b/.github/workflows/update_primary_nginx.yml
@@ -12,104 +12,25 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3.6.0 + uses: actions/checkout@v3 - - name: Check nginx installation - run: | - if ! command -v nginx &> /dev/null; then - echo "Nginx is not installed" - exit 1 - fi - if ! systemctl is-active --quiet nginx; then - echo "Nginx service is not running" - exit 1 - fi + - name: Dotenv Action + uses: falti/dotenv-action@v1.1.4 + with: + export-variables: true + keys-case: bypass - - name: Set up environment variables - env: - GROUP_ID: ${{ secrets.GROUP_ID }} - PORT_PREFIX: ${{ secrets.PORT_PREFIX }} - DEV_POSTFIX: ${{ secrets.DEV_POSTFIX }} - STAG_POSTFIX: ${{ secrets.STAG_POSTFIX }} - PROD_POSTFIX: ${{ secrets.PROD_POSTFIX }} - GATEWAY_POSTFIX: ${{ secrets.GATEWAY_POSTFIX }} - run: | - export DEV_PORT_PREFIX="${PORT_PREFIX}${GROUP_ID}${DEV_POSTFIX}" - export STAG_PORT_PREFIX="${PORT_PREFIX}${GROUP_ID}${STAG_POSTFIX}" - export PROD_PORT_PREFIX="${PORT_PREFIX}${GROUP_ID}${PROD_POSTFIX}" + - name: Check environment variables (can expose secrets so dont be stupid here) + run: env - echo "DEV_PORT_PREFIX=$DEV_PORT_PREFIX" >> $GITHUB_ENV - echo "STAG_PORT_PREFIX=$STAG_PORT_PREFIX" >> $GITHUB_ENV - echo "PROD_PORT_PREFIX=$PROD_PORT_PREFIX" >> $GITHUB_ENV - echo "GATEWAY_POSTFIX=$GATEWAY_POSTFIX" >> $GITHUB_ENV + - name: Copy nginx config file to temp file + run: envsubst '$PROD_PORT_PREFIX,$GATEWAY_POSTFIX,$DEV_PORT_PREFIX,$STAG_PORT_PREFIX' < ./nginx_template.txt > nginx_securefit.conf - - name: Backup existing configurations - run: | - if [ -f /etc/nginx/conf.d/nginx.conf ]; then - sudo cp /etc/nginx/conf.d/nginx.conf /etc/nginx/conf.d/nginx.conf.backup - echo "Created backup of existing nginx.conf" - fi - if [ -f /etc/nginx/nginx.conf ]; then - sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup - echo "Created backup of existing main nginx.conf" - fi + - name: Copy temporary file to correct place + run: sudo cp nginx_securefit.conf /etc/nginx/conf.d/nginx_securefit.conf - - 
name: Generate server nginx configuration - run: | - if [ ! -f nginx.conf ]; then - echo "Server nginx configuration template not found" - exit 1 - fi - envsubst '${DEV_PORT_PREFIX} ${PROD_PORT_PREFIX} ${STAG_PORT_PREFIX} ${GATEWAY_POSTFIX}' < nginx.conf > ./nginx_securefit.conf + - name: Reload Nginx + run: sudo systemctl reload nginx - - name: Generate Docker nginx configuration - run: | - if [ ! -f nginx/nginx.conf ]; then - echo "Docker nginx configuration template not found" - exit 1 - fi - cp nginx/nginx.conf ./nginx_docker.conf - - - name: Validate configurations - run: | - if ! sudo nginx -t -c ./nginx_securefit.conf; then - echo "Server nginx configuration is invalid" - exit 1 - fi - if ! sudo nginx -t -c ./nginx_docker.conf; then - echo "Docker nginx configuration is invalid" - exit 1 - fi - - - name: Copy configurations to nginx - run: | - sudo cp ./nginx_securefit.conf /etc/nginx/conf.d/nginx.conf || { - echo "Failed to copy server configuration" - exit 1 - } - sudo cp ./nginx_docker.conf /etc/nginx/conf.d/nginx_docker.conf || { - echo "Failed to copy Docker configuration" - exit 1 - } - - - name: Test nginx configuration - run: | - sudo nginx -t || { - echo "Nginx configuration test failed" - exit 1 - } - - - name: Reload nginx service - run: | - sudo systemctl reload nginx || { - echo "Failed to reload nginx" - exit 1 - } - - - name: Verify nginx is running - run: | - if ! systemctl is-active --quiet nginx; then - echo "Nginx service is not running after reload" - exit 1 - fi - echo "Nginx service is running successfully" + - name: Verify that nginx configuration works + run: sudo nginx -t
diff --git a/nginx.conf b/nginx.conf
deleted file mode 100644
index 1bd9b7f..0000000
--- a/nginx.conf
+++ /dev/null
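Review bot: The `Check environment variables` step's `run: env` prints the whole runner environment into the job log, and after `falti/dotenv-action` with `export-variables: true` that includes every value loaded from the dotenv file, which GitHub does not mask because those values were never registered as secrets — the step name itself concedes this. Replace it with a names-only listing such as `run: printenv | cut -d= -f1 | sort`, or delete the step. The new step order also installs the rendered file into `/etc/nginx/conf.d/` and reloads nginx before `sudo nginx -t` runs, so a broken template may leave an invalid config on disk that the next restart trips over; run `sudo nginx -t` between the copy and the reload, i.e. swap the last two steps. Finally, `actions/checkout@v3` replaces the previously pinned `v3.6.0` with a floating major tag and `falti/dotenv-action@v1.1.4` is a mutable tag on a third-party action; pin both to a full commit SHA (`uses: actions/checkout@<commit-sha>`). The `jobs:` block this hunk edits begins above the hunk.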
@@ -1,72 +0,0 @@
-# Security headers
-add_header X-Frame-Options "SAMEORIGIN" always;
-add_header X-XSS-Protection "1; mode=block" always;
-add_header X-Content-Type-Options "nosniff" always;
-add_header Referrer-Policy "no-referrer-when-downgrade" always;
-add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
-
-# Rate limiting
-limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
-
-server {
- listen 80;
- server_name _;
-
- # Rate limiting
- limit_req zone=one burst=10 nodelay;
-
- location / {
- proxy_pass http://127.0.0.1:23/;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # Timeouts
- proxy_connect_timeout 60s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
- }
-}
-
-server {
- listen 217;
- server_name _;
-
- # Rate limiting
- limit_req zone=one burst=10 nodelay;
-
- location / {
- proxy_pass http://127.0.0.1:21/;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # Timeouts
- proxy_connect_timeout 60s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
- }
-}
-
-server {
- listen 227;
- server_name _;
-
- # Rate limiting
- limit_req zone=one burst=10 nodelay;
-
- location / {
- proxy_pass http://127.0.0.1:22/;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # Timeouts
- proxy_connect_timeout 60s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
- }
-}
diff --git a/nginx_securefit.conf b/nginx_securefit.conf
deleted file mode 100644
index 6ff2deb..0000000
--- a/nginx_securefit.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-server {
- listen 80;
-
- location / {
- proxy_pass http://0.0.0.0:${PROD_PORT_PREFIX}${GATEWAY_POSTFIX}/;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-}
-
-server {
- listen ${DEV_PORT_PREFIX}7;
- location / {
- proxy_pass http://0.0.0.0:${DEV_PORT_PREFIX}${GATEWAY_POSTFIX}/;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-}
-
-
-server {
- listen ${STAG_PORT_PREFIX}7;
- location / {
- proxy_pass http://0.0.0.0:${STAG_PORT_PREFIX}${GATEWAY_POSTFIX}/;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-}