From 8e3ca9a9b8bc26b9d89c83a0ab1064fe1062673b Mon Sep 17 00:00:00 2001
From: AlexTheGeek <28763288+AlexTheGeek@users.noreply.github.com>
Date: Sat, 3 Feb 2024 14:05:11 +0100
Subject: [PATCH] Adding Nginx Configuration
---
 Nginx/Example/api.insa-cvl.com.conf | 37 +++++++
 Nginx/Example/vdi.insa-cvl.com.conf | 37 +++++++
 Nginx/Example/vnc.insa-cvl.com.conf | 107 +++++++++++++++++++++
 Nginx/Prod_2024/sites-prod-cloudflare.conf | 103 ++++++++++++++++++++
 README.md | 4 +
 5 files changed, 288 insertions(+)
 create mode 100644 Nginx/Example/api.insa-cvl.com.conf
 create mode 100644 Nginx/Example/vdi.insa-cvl.com.conf
 create mode 100644 Nginx/Example/vnc.insa-cvl.com.conf
 create mode 100644 Nginx/Prod_2024/sites-prod-cloudflare.conf
diff --git a/Nginx/Example/api.insa-cvl.com.conf b/Nginx/Example/api.insa-cvl.com.conf
new file mode 100644
index 0000000..5760eb7
--- /dev/null
+++ b/Nginx/Example/api.insa-cvl.com.conf
@@ -0,0 +1,37 @@
+upstream reverse_api{
+ server 127.0.0.1:5001;
+}
+
+server {
+ server_name api.insa-cvl.com;
+ listen 443 ssl;
+ ssl_certificate /path/to/your/certificate/file/fullchain.pem;
+ ssl_certificate_key /path/to/your/private/key/file/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:15m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;" always;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
+ proxy_cookie_path / "/; HTTPOnly; Secure";
+ more_clear_headers 'X-Powered-By';
+ client_max_body_size 10m;
+ client_body_timeout 120s;
+
+ location / {
+ proxy_pass http://reverse_api;
+ include proxy_params;
+ proxy_hide_header X-Powered-By;
+ proxy_hide_header Cache-Control;
+ proxy_hide_header pragma;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+}
\ No newline at end of file
diff --git a/Nginx/Example/vdi.insa-cvl.com.conf b/Nginx/Example/vdi.insa-cvl.com.conf
new file mode 100644
index 0000000..4ff0784
--- /dev/null
+++ b/Nginx/Example/vdi.insa-cvl.com.conf
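Review bot: `proxy_hide_header Cache-Control;` and `proxy_hide_header pragma;` in `location /` strip whatever caching policy the backend sends, and nothing in this server block puts one back, so API responses reach browsers and intermediaries with no cache directive at all. If the backend marks authenticated responses `no-store` or `private`, that protection is lost; drop the two lines unless there is a documented reason for them. Compensating with an `add_header` inside the location is not a clean fix, because nginx stops inheriting the server-level security headers once a location defines its own `add_header`. The vdi.insa-cvl.com.conf hunk carries the same two lines.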
@@ -0,0 +1,37 @@
+upstream reverse_vdi{
+ server 127.0.0.1:5000;
+}
+
+server {
+ server_name vdi.insa-cvl.com;
+ listen 443 ssl;
+ ssl_certificate /path/to/your/certificate/file/fullchain.pem;
+ ssl_certificate_key /path/to/your/private/key/file/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:15m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;" always;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
+ proxy_cookie_path / "/; HTTPOnly; Secure";
+ more_clear_headers 'X-Powered-By';
+ client_max_body_size 10m;
+ client_body_timeout 120s;
+
+ location / {
+ proxy_pass http://reverse_vdi;
+ include proxy_params;
+ proxy_hide_header X-Powered-By;
+ proxy_hide_header Cache-Control;
+ proxy_hide_header pragma;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+}
\ No newline at end of file
diff --git a/Nginx/Example/vnc.insa-cvl.com.conf b/Nginx/Example/vnc.insa-cvl.com.conf
new file mode 100644
index 0000000..a92ffc2
--- /dev/null
+++ b/Nginx/Example/vnc.insa-cvl.com.conf
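Review bot: `location /` sets the `Upgrade` and `Connection` headers for WebSocket proxying but never sets `proxy_http_version 1.1;`, so nginx speaks HTTP/1.0 to the backend by default and the upgrade cannot complete unless the included `proxy_params` happens to set it (that file is not part of this patch). `Connection "upgrade"` is also sent on every request, including ordinary HTTP ones. vnc.insa-cvl.com.conf already defines `map $http_upgrade $connection_upgrade`; if the three files are loaded into the same http context, `proxy_set_header Connection $connection_upgrade;` here would keep them consistent. The api.insa-cvl.com.conf hunk has the same location block.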
@@ -0,0 +1,107 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream reverse_openstack_vnc{
+ server 172.10.3.60:6080;
+}
+
+upstream reverse_api_vnc{
+ server 127.0.0.1:5001;
+}
+
+
+server {
+ server_name vnc.insa-cvl.com;
+ listen 443 ssl;
+ ssl_certificate /path/to/your/certificate/file/fullchain.pem;
+ ssl_certificate_key /path/to/your/private/key/file/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:15m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;" always;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
+ proxy_cookie_path / "/; HTTPOnly; Secure";
+ more_clear_headers 'X-Powered-By';
+ client_max_body_size 10m;
+ client_body_timeout 120s;
+
+
+ add_header Cache-Control no-cache;
+
+ location = /favicon.io {
+ proxy_pass https://reverse_openstack_vnc/favicon.io;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+ location = /package.json {
+ proxy_pass https://reverse_openstack_vnc/package.json;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+
+ location /app/ {
+ proxy_pass https://reverse_openstack_vnc/app/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+ location /core/ {
+ proxy_pass https://reverse_openstack_vnc/core/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+ location /vendor/ {
+ proxy_pass https://reverse_openstack_vnc/vendor/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+
+ location / {
+ auth_request /auth;
+ auth_request_set $auth_status $upstream_status;
+ echo $auth_status;
+
+
+ proxy_pass https://reverse_openstack_vnc/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+
+ }
+
+ location = /auth {
+ internal;
+ proxy_pass http://reverse_api_vnc/check-auth-vnc;
+ proxy_ssl_verify off;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Original-URI $request_uri;
+
+ }
+
+
+}
\ No newline at end of file
diff --git a/Nginx/Prod_2024/sites-prod-cloudflare.conf b/Nginx/Prod_2024/sites-prod-cloudflare.conf
new file mode 100644
index 0000000..547b3ce
--- /dev/null
+++ b/Nginx/Prod_2024/sites-prod-cloudflare.conf
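Review bot: Every `proxy_pass https://reverse_openstack_vnc/...` location relies on nginx's default of not verifying the upstream certificate, while the only `proxy_ssl_verify` line is `off` in `location = /auth`, whose upstream is plain `http://`, so the directive has no effect there. Console traffic to 172.10.3.60:6080 is therefore encrypted but not authenticated, and that address lies outside 172.16.0.0/12, so it is not RFC 1918 private space. Consider `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate /path/to/ca.pem;` (placeholder path) at server level, and remove the no-op line. `echo $auth_status;` in `location /` looks like a debugging leftover: it depends on the third-party echo module and competes with `proxy_pass` for the location's content handler. The Prod_2024/sites-prod-cloudflare.conf hunk repeats both patterns.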
@@ -0,0 +1,103 @@
+server {
+ listen 80;
+
+ location / {
+ proxy_pass http://127.0.0.1:5001;
+ }
+
+}
+
+server {
+ listen 8081;
+
+ location / {
+ proxy_pass http://127.0.0.1:5000;
+ }
+
+}
+
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+
+server {
+ listen 8080;
+ error_log /var/log/nginx/error.log debug;
+
+ add_header Cache-Control no-cache;
+
+ location = /favicon.io {
+ proxy_pass https://172.10.3.60:6080/favicon.io;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+ location = /package.json {
+ proxy_pass https://172.10.3.60:6080/package.json;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+
+ location /app/ {
+ proxy_pass https://172.10.3.60:6080/app/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+ location /core/ {
+ proxy_pass https://172.10.3.60:6080/core/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+ location /vendor/ {
+ proxy_pass https://172.10.3.60:6080/vendor/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ }
+
+
+ location / {
+ auth_request /auth;
+ auth_request_set $auth_status $upstream_status;
+ echo $auth_status;
+
+
+ proxy_pass https://172.10.3.60:6080/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+
+ }
+
+ # Internal location for authentication
+ location = /auth {
+ # Make a subrequest to your API to check authentication
+ internal;
+ proxy_pass http://127.0.0.1/check-auth-vnc;
+# proxy_pass https://api.insa-cvl.com/check-auth;
+ proxy_ssl_verify off;
+
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Original-URI $request_uri;
+
+ }
+
+
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 2b9804a..bdaa951 100644
--- a/README.md
+++ b/README.md
@@ -282,3 +282,7 @@ services:
 restart: always
 ```
 4. Check the logs : `docker logs vdi-app` or `docker-compose logs -f`
+
+
+## Nginx Configuration
+You can use Nginx to serve the API, the scheduler and the frontend. You can find all the configuration files in the [Nginx folder](https://github.com/AlexTheGeek/api-vdi/tree/main/Nginx/Example).
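Review bot: `error_log /var/log/nginx/error.log debug;` on the port 8080 server is a debugging setting in a file kept under Prod_2024; when nginx is built with debug support, that level writes request details including headers to the log, which for this VNC proxy would include session cookies. Lower it to `warn` or remove the line so the global setting applies. The three servers also listen on 80, 8081 and 8080 in plain HTTP with no `allow`/`deny` rules. If Cloudflare is meant to be the only client, as the file name suggests, restrict the listeners to Cloudflare's published address ranges so the origin cannot be reached directly and `auth_request` is not the sole control on the console.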