Align deploy with central nginx: host-published 2569 + paste-in vhost (manual certs)
- Central nginx is containerized and proxies via host IP (171.22.25.73:port), not localhost → publish app on host :2569 (was 127.0.0.1)
- nginx vhost rewritten to match the monolithic config style (server blocks to paste into http{}, manual /etc/ssl/hamkadr certs, proxy_pass 171.22.25.73:2569, $connection_upgrade)
- DEPLOY.md: corrected architecture/ports, removed certbot+sites-available (use manual certs + single nginx.conf)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -1,25 +1,38 @@
|
||||
# hamkadr.ir reverse-proxy vhost for the EXISTING nginx on the server.
|
||||
# Install:
|
||||
# sudo cp deploy/nginx-hamkadr.ir.conf /etc/nginx/sites-available/hamkadr.ir
|
||||
# sudo ln -s /etc/nginx/sites-available/hamkadr.ir /etc/nginx/sites-enabled/
|
||||
# sudo nginx -t && sudo systemctl reload nginx
|
||||
# sudo certbot --nginx -d hamkadr.ir -d www.hamkadr.ir # adds the :443 server + HTTP→HTTPS redirect
|
||||
# ============================================================================
|
||||
# hamkadr.ir — paste these two server{} blocks INTO the http { } block of your
|
||||
# central nginx.conf (the one with nexus/mirror/gitea/meezi), then:
|
||||
# nginx -t && nginx -s reload (or: docker exec <nginx> nginx -s reload)
|
||||
#
|
||||
# The port below MUST match HOST_PORT in the Gitea ENV_FILE secret (default 2569).
|
||||
# Prereqs (match your existing pattern):
|
||||
# • TLS cert placed at /etc/ssl/hamkadr/fullchain.pem + privateKey.pem (manual, like your others)
|
||||
# • hamkadr.ir + www.hamkadr.ir A records → 171.22.25.73
|
||||
# • the app published on the host at :2569 (docker-compose.yml) — nginx reaches it via the host IP,
|
||||
# exactly like meezi (5080), draletaha (5010), etc. $connection_upgrade map is already defined globally.
|
||||
# ============================================================================
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name hamkadr.ir www.hamkadr.ir;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
http2 on;
|
||||
server_name hamkadr.ir www.hamkadr.ir;
|
||||
client_max_body_size 25m;
|
||||
|
||||
ssl_certificate /etc/ssl/hamkadr/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/hamkadr/privateKey.pem;
|
||||
|
||||
# The app binds 127.0.0.1:2569 (docker-compose.yml, service "api") — never exposed publicly.
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:2569;
|
||||
proxy_pass http://171.22.25.73:2569;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme; # app's ForwardedHeaders reads this → knows it's HTTPS
|
||||
proxy_read_timeout 60s;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user