Merge branch 'dev' of https://dev.discours.io/discours.io/core into dev

2024-12-22 00:24:29 +03:00 · 2024-12-22 00:24:29 +03:00 · e539e0334f
commit e539e0334f
parent 1898b3ef3f 1100a1b66f
2 changed files with 58 additions and 65 deletions
--- a/.gitea/workflows/main.yml
+++ b/.gitea/workflows/main.yml
@ -26,10 +26,10 @@ jobs:
          ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: Push to dokku for dev branch
-        if: github.ref == 'refs/heads/dev' && steps.check_container.outcome == 'success'
+        if: github.ref == 'refs/heads/dev'
        uses: dokku/github-action@master
        with:
          branch: 'dev'
          force: true
-          git_remote_url: 'ssh://dokku@staging.discours.io:22/core'
+          git_remote_url: 'ssh://dokku@v2.discours.io:22/core'
          ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}
--- a/nginx.conf.sigil
+++ b/nginx.conf.sigil
@ -1,21 +1,17 @@
 {{ $proxy_settings := "proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header Host $http_host; proxy_set_header X-Request-Start $msec;" }}
 {{ $gzip_settings := "gzip on; gzip_min_length  1100; gzip_buffers  4 32k; gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml; gzip_vary on; gzip_comp_level  6;" }}

+{{ $cors_headers_options := "if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '$allow_origin' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Max-Age' 1728000; add_header 'Content-Type' 'text/plain; charset=utf-8'; add_header 'Content-Length' 0; return 204; }" }}
+{{ $cors_headers_post := "if ($request_method = 'POST') { add_header 'Access-Control-Allow-Origin' '$allow_origin' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; add_header 'Access-Control-Allow-Credentials' 'true' always; }" }}
+{{ $cors_headers_get := "if ($request_method = 'GET') { add_header 'Access-Control-Allow-Origin' '$allow_origin' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; add_header 'Access-Control-Allow-Credentials' 'true' always; }" }}
+
 map $http_origin $allow_origin {
-    "https://testing.dscrs.site"    "https://testing.dscrs.site";
-    "https://testing.discours.io"   "https://testing.discours.io";
-    "https://core.dscrs.site"       "https://core.dscrs.site";
-    "https://localhost:3000"        "https://localhost:3000";
+    ~^https?:\/\/((.*\.)?localhost(:\d+)?|discoursio-webapp(-(.*))?\.vercel\.app|(.*\.)?discours\.io|(.*\.)?dscrs\.site)$ $http_origin;
    default "";
 }

-# Определим переменную для CORS заголовков
-map $request_method $cors_method {
-    OPTIONS 204;
-    default $request_method;
-}
-
-proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off;
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g 
+                 inactive=60m use_temp_path=off;
 limit_conn_zone $binary_remote_addr zone=addr:10m;
 limit_req_zone $binary_remote_addr zone=req_zone:10m rate=20r/s;

@ -30,18 +26,10 @@ server {
        listen [::]:{{ $listen_port }};
        listen {{ $listen_port }};
        server_name {{ $.NOSSL_SERVER_NAME }};
-
-        # CORS headers first
-        add_header 'Access-Control-Allow-Origin' $allow_origin always;
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
-        add_header 'Access-Control-Allow-Credentials' 'true' always;
-        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
-        add_header 'Access-Control-Max-Age' 1728000 always;
-
-        # Then other headers
        access_log  /var/log/nginx/{{ $.APP }}-access.log;
        error_log   /var/log/nginx/{{ $.APP }}-error.log;
        client_max_body_size 100M;
+
    {{ else if eq $scheme "https" }}
        listen [::]:{{ $listen_port }} ssl http2;
        listen {{ $listen_port }} ssl http2;
@ -60,25 +48,14 @@ server {
        client_max_body_size 100M;
    {{ end }}

+
    location / {
-        if ($request_method = 'OPTIONS') {
-            add_header 'Access-Control-Allow-Origin' $allow_origin always;
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
-            add_header 'Access-Control-Allow-Credentials' 'true' always;
-            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
-            add_header 'Access-Control-Max-Age' 1728000 always;
-            return 204;
-        }
-
-        proxy_hide_header 'Access-Control-Allow-Origin';
-        proxy_hide_header 'Access-Control-Allow-Methods';
-        proxy_hide_header 'Access-Control-Allow-Headers';
-        proxy_hide_header 'Access-Control-Allow-Credentials';
-        proxy_hide_header 'Access-Control-Max-Age';
-
        proxy_pass  http://{{ $.APP }}-{{ $upstream_port }};
        {{ $proxy_settings }}
        {{ $gzip_settings }}
+        {{ $cors_headers_options }}
+        {{ $cors_headers_post }}
+        {{ $cors_headers_get }}

        proxy_cache my_cache;
        proxy_cache_revalidate on;
@ -87,18 +64,36 @@ server {
        proxy_cache_background_update on;
        proxy_cache_lock on;

+        # Connections and request limits increase (bad for DDos)
        limit_conn addr 10000;
        limit_req zone=req_zone burst=10 nodelay;
    }

+    # Custom location block for /upload
+    # location /upload {
+    #     proxy_pass http://uploader-8080/;
+    #     {{ $proxy_settings }}
+    #    {{ $gzip_settings }}
+    #     {{ $cors_headers_options }}
+    #     {{ $cors_headers_post }}
+    #     {{ $cors_headers_get }}
+    # }
+
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
-        expires 30d;
+    expires 30d;  # This means that the client can cache these resources for 30 days.
    add_header Cache-Control "public, no-transform";
    }

    location ~* \.(mp3)$ {
+      if ($request_method = 'GET') {
+        add_header 'Access-Control-Allow-Origin' $allow_origin always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+        add_header 'Access-Control-Allow-Credentials' 'true' always;
      }
+    }
+

    error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
@ -128,6 +123,7 @@ server {
 }
 {{ end }}

+
 {{ range $upstream_port := $.PROXY_UPSTREAM_PORTS | split " " }}
 upstream {{ $.APP }}-{{ $upstream_port }} {
 {{ range $listeners := $.DOKKU_APP_WEB_LISTENERS | split " " }}
@ -138,6 +134,3 @@ upstream {{ $.APP }}-{{ $upstream_port }} {
 {{ end }}
 }
 {{ end }}
-
-log_format cors '$request_method $http_origin -> $allow_origin';
-access_log /var/log/nginx/cors-debug.log cors;