From 1cb22b3f2b2f40d1b35807cfd917ed81bb2ddd7f Mon Sep 17 00:00:00 2001 From: Peyman Date: Sat, 17 May 2025 13:09:44 +0330 Subject: [PATCH 01/34] Testing config --- nginx.conf | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/nginx.conf b/nginx.conf index b1ac5d1..1758c24 100644 --- a/nginx.conf +++ b/nginx.conf @@ -157,6 +157,36 @@ http { } } + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name $SERVER_NAME_KC; + + location / { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $host; + proxy_pass http://keycloak:8080; + } + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name $SERVER_NAME_V2_AUTH; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Authorization $http_authorization; + proxy_pass http://auth-gateway:8080; + } + } + server { listen 443 ssl; listen [::]:443 ssl; From 47f11d82a0c7ecf64405ce6ddc562a424b8b30f5 Mon Sep 17 00:00:00 2001 From: Peyman Date: Sat, 31 May 2025 18:56:58 +0330 Subject: [PATCH 02/34] Add v2api config --- nginx.conf | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/nginx.conf b/nginx.conf index 1758c24..65195b3 100644 --- a/nginx.conf +++ b/nginx.conf @@ -177,6 +177,10 @@ http { server_name $SERVER_NAME_V2_AUTH; + if ($request_method = 'OPTIONS') { + return 204; + } + location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -187,6 +191,27 @@ http { } } + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name v2api.opex.dev; + + if ($request_method = 'OPTIONS') { + return 204; + } + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Authorization $http_authorization; + proxy_pass http://api:8080; + rewrite ^/(.*)$ /opex/$1 break; + } + } + server { listen 443 ssl; listen [::]:443 ssl; From 307b19db00106c339d5fcced90838cf2ac1c9885 Mon Sep 17 00:00:00 2001 From: Amir Rajabi <34955519+AmirRajabii@users.noreply.github.com> Date: Sat, 19 Jul 2025 18:11:57 +0330 Subject: [PATCH 03/34] add profile --- nginx.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nginx.conf b/nginx.conf index 65195b3..df7a533 100644 --- a/nginx.conf +++ b/nginx.conf @@ -390,6 +390,12 @@ http { proxy_pass $backend; rewrite ^/api/(.*)$ /$1 break; } + + location /profile { + set $backend http://profile:8080; + proxy_pass $backend; + rewrite ^/profile/(.*)$ /$1 break; + } location /sapi { set $backend http://api:8080; From d1b98649108ec0a27619d15746e004d4c6ba2230 Mon Sep 17 00:00:00 2001 From: Peyman Date: Tue, 29 Jul 2025 14:06:21 +0330 Subject: [PATCH 04/34] Add ip configs --- nginx.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nginx.conf b/nginx.conf index 65195b3..e594f14 100644 --- a/nginx.conf +++ b/nginx.conf @@ -166,6 +166,8 @@ http { location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_pass http://keycloak:8080; } @@ -186,6 +188,7 @@ http { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; proxy_set_header Authorization $http_authorization; proxy_pass http://auth-gateway:8080; } From 1f9b4bfdff967d0d766b1f52dd16b43c1cbaa7bd Mon Sep 17 00:00:00 2001 From: Amir Rajabi <34955519+AmirRajabii@users.noreply.github.com> Date: Wed, 3 Sep 2025 13:26:15 +0330 Subject: [PATCH 05/34] Add bc-gateway --- nginx.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nginx.conf b/nginx.conf index 1d88deb..914cc18 100644 --- a/nginx.conf +++ b/nginx.conf @@ -399,6 +399,11 @@ http { proxy_pass $backend; rewrite ^/profile/(.*)$ /$1 break; } + location /bc-gateway { + set $backend http://bc-gateway:8080; + proxy_pass $backend; + rewrite ^/bc-gateway/(.*)$ /$1 break; + } location /sapi { set $backend http://api:8080; From 4dd660299fc89a6e4d0f906304e10fea5be3c1ef Mon Sep 17 00:00:00 2001 From: Amir Rajabi <34955519+AmirRajabii@users.noreply.github.com> Date: Wed, 3 Sep 2025 14:30:21 +0330 Subject: [PATCH 06/34] Remove bc-gateway --- nginx.conf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/nginx.conf b/nginx.conf index 914cc18..1d88deb 100644 --- a/nginx.conf +++ b/nginx.conf @@ -399,11 +399,6 @@ http { proxy_pass $backend; rewrite ^/profile/(.*)$ /$1 break; } - location /bc-gateway { - set $backend http://bc-gateway:8080; - proxy_pass $backend; - rewrite ^/bc-gateway/(.*)$ /$1 break; - } location /sapi { set $backend http://api:8080; From 63ba56e9299a6797045669179aac8ef6c62db17e Mon Sep 17 00:00:00 2001 From: Amir Rajabi <34955519+AmirRajabii@users.noreply.github.com> Date: Sun, 2 Nov 2025 15:43:38 +0330 Subject: [PATCH 07/34] Add auth gateway health check --- nginx.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nginx.conf b/nginx.conf index 1d88deb..5e0c743 100644 --- a/nginx.conf +++ b/nginx.conf @@ -280,6 +280,11 @@ http { proxy_pass $backend; rewrite ^/auth(.*)$ /actuator/health/$1 break; } + location /auth-gateway { + set $backend http://auth-gateway:8080; + proxy_pass $backend; + rewrite ^/auth-gateway(.*)$ /actuator/health/$1 break; + } location /wallet { set $backend http://wallet:8080; From 493573276f42b1a8b8b6a4e064db278938402816 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Wed, 5 Nov 2025 19:19:07 +0330 Subject: [PATCH 08/34] Add bc location for handling chain scanner webhook --- nginx.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nginx.conf b/nginx.conf index 5e0c743..fd48102 100644 --- a/nginx.conf +++ b/nginx.conf @@ -411,6 +411,12 @@ http { rewrite ^/sapi/(.*)$ /$1 break; } + location /bc { + set $backend http://bc-gateway:8080; + proxy_pass $backend; + rewrite ^/sapi/(.*)$ /$1 break; + } + location /captcha { add_header Access-Control-Allow-Credentials true always; add_header Access-Control-Allow-Origin $http_origin always; From a25dcb9d438dc2f4d030f8803b27d01ff0318858 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Wed, 5 Nov 2025 19:40:31 +0330 Subject: [PATCH 09/34] Fix the bc location --- nginx.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nginx.conf b/nginx.conf index fd48102..7b794bd 100644 --- a/nginx.conf +++ b/nginx.conf @@ -412,10 +412,10 @@ http { } location /bc { - set $backend http://bc-gateway:8080; - proxy_pass $backend; - rewrite ^/sapi/(.*)$ /$1 break; - } + set $backend http://bc-gateway:8080; + proxy_pass $backend; + rewrite ^/bc/(.*)$ /$1 break; + } location /captcha { add_header Access-Control-Allow-Credentials true always; From 370e9ec6d42ab1f0848fc8c9409d3531c6ea639b Mon Sep 17 00:00:00 2001 From: Amir Rajabi <34955519+AmirRajabii@users.noreply.github.com> Date: Tue, 24 Feb 2026 15:49:37 +0330 Subject: [PATCH 10/34] Add server block for admin v2 panel Added new server configuration for admin panel with proxy settings. --- nginx.conf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/nginx.conf b/nginx.conf index 7b794bd..4ff36f1 100644 --- a/nginx.conf +++ b/nginx.conf @@ -108,6 +108,24 @@ http { } } + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name $SERVER_NAME_ADMIN_V2_PANEL; + + location ~* \.(.*)$ { + set $backend http://admin-v2-panel-nginx; + proxy_pass $backend; + } + + location / { + set $backend http://admin-v2-panel-nginx; + proxy_pass $backend; + rewrite .* / break; + } + } + server { listen 443 ssl; listen [::]:443 ssl; From 1b40ab8165642083112f639bd243e6d22d2e0033 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Mon, 13 Apr 2026 20:35:22 +0330 Subject: [PATCH 11/34] Add mobile web app route in the nginx config --- docker-compose.yml | 3 ++ nginx.conf | 90 +++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 84 insertions(+), 9 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index c7686ac..c5cb581 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -17,9 +17,12 @@ services: - SERVER_WALLET_STAT=$SERVER_WALLET_STAT - SERVER_NAME_KC=$SERVER_NAME_KC - SERVER_NAME_V2_AUTH=$SERVER_NAME_V2_AUTH + - SERVER_NAME_BETA_APP=$SERVER_NAME_BETA_APP secrets: - opex_dev_crt - private_pem + volumes: + - /var/www:/var/www:ro nginx-exporter: image: nginx/nginx-prometheus-exporter:1.1.0 ports: diff --git a/nginx.conf b/nginx.conf index 4ff36f1..da5b75e 100644 --- a/nginx.conf +++ b/nginx.conf @@ -41,6 +41,10 @@ http { proxy_set_header X-Forwarded-Port $EXPOSED_PORT; resolver 127.0.0.11 valid=60s; + map $http_x_client_type $web_app_root { + default /desktop; + mobile /mobile; + } server { listen 80; @@ -446,15 +450,83 @@ http { rewrite ^/captcha/(.*)$ /$1 break; } - location /binance { - proxy_set_header Host api.binance.com; - proxy_set_header X-Real-IP ''; - proxy_set_header X-Forwarded-For ''; - proxy_set_header X-Forwarded-Host ''; - set $backend https://api.binance.com; - proxy_pass $backend; - rewrite ^/binance/(.*)$ /$1 break; - } + resolver 127.0.0.11 valid=30s; + resolver_timeout 15s; + + + location /binance { + + # target upstream (IMPORTANT: must be variable for DNS resolution) + set $backend https://binance.beeep.ir; + + # route path + rewrite ^/binance/(.*)$ /$1 break; + + # upstream connection settings + proxy_pass $backend; + + # correct upstream identity + proxy_set_header Host binance.beeep.ir; + proxy_ssl_server_name on; + proxy_ssl_name binance.beeep.ir; + + # client headers + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # timeouts (important for slow Binance-like APIs) + proxy_connect_timeout 60s; + proxy_send_timeout 300s; + proxy_read_timeout 300s; + send_timeout 300s; + + # retry logic (VERY IMPORTANT for your error) + proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; + proxy_next_upstream_tries 3; + proxy_next_upstream_timeout 60s; + + # TLS (since upstream is HTTPS) + proxy_ssl_verify off; + + # avoid buffering issues for slow responses + proxy_buffering off; + proxy_request_buffering off; + + # stability + proxy_intercept_errors off; + } + + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name $SERVER_NAME_BETA_APP; + + root /var/www; + + index index.html; + + + location / { + + # Try requested file in selected app + try_files $web_app_root$request_uri + $web_app_root/index.html; + } + + # ----------------------------------- + # Static assets optimization + # ----------------------------------- + location ~* \.(js|css|png|jpg|jpeg|svg|ico|woff2?)$ { + expires 7d; + add_header Cache-Control "public"; + + try_files $web_app_root$request_uri; + } } + } From 671bce82506b9b7a86d3d55cae062af3ac8dd177 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Mon, 13 Apr 2026 21:12:18 +0330 Subject: [PATCH 12/34] Handle public files in nginx --- nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.conf b/nginx.conf index da5b75e..9508f1c 100644 --- a/nginx.conf +++ b/nginx.conf @@ -524,7 +524,7 @@ http { expires 7d; add_header Cache-Control "public"; - try_files $web_app_root$request_uri; + try_files $web_app_root$request_uri $web_app_root/index.html =404; } } From 598c06471ac52852fc9684df7af8a2cc162c9bfd Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Tue, 14 Apr 2026 17:59:10 +0330 Subject: [PATCH 13/34] Change the root directory for the beta apps --- nginx.conf | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/nginx.conf b/nginx.conf index 9508f1c..5a9365d 100644 --- a/nginx.conf +++ b/nginx.conf @@ -41,9 +41,10 @@ http { proxy_set_header X-Forwarded-Port $EXPOSED_PORT; resolver 127.0.0.11 valid=60s; + map $http_x_client_type $web_app_root { - default /desktop; - mobile /mobile; + default /var/www/desktop; + mobile /var/www/mobile; } server { @@ -499,33 +500,32 @@ http { } - server { - listen 443 ssl; - listen [::]:443 ssl; - server_name $SERVER_NAME_BETA_APP; - root /var/www; + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name $SERVER_NAME_BETA_APP; - index index.html; + root /var/www; + index index.html; - location / { + location / { + set $full_path "${web_app_root}${request_uri}"; - # Try requested file in selected app - try_files $web_app_root$request_uri - $web_app_root/index.html; - } + try_files $full_path ${web_app_root}/index.html =404; + } - # ----------------------------------- - # Static assets optimization - # ----------------------------------- - location ~* \.(js|css|png|jpg|jpeg|svg|ico|woff2?)$ { - expires 7d; - add_header Cache-Control "public"; + location ~* \.(js|css|png|jpg|jpeg|svg|ico|woff2?)$ { + expires 7d; + add_header Cache-Control "public"; - try_files $web_app_root$request_uri $web_app_root/index.html =404; - } + set $full_path "${web_app_root}${request_uri}"; + try_files $full_path =404; + } + } } From 03c89179932b0de5c65c84b40d2feb17a2ed490b Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Tue, 14 Apr 2026 18:09:27 +0330 Subject: [PATCH 14/34] Change the way to separate mobile/desktop web app --- nginx.conf | 67 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 48 insertions(+), 19 deletions(-) diff --git a/nginx.conf b/nginx.conf index 5a9365d..0d2b3a5 100644 --- a/nginx.conf +++ b/nginx.conf @@ -42,9 +42,15 @@ http { resolver 127.0.0.11 valid=60s; - map $http_x_client_type $web_app_root { - default /var/www/desktop; - mobile /var/www/mobile; + map $http_user_agent $is_mobile { + default 0; + ~*(iphone|ipod|android|blackberry|windows phone|mobile|opera mini|iemobile) 1; + } + + # Set root path based on device type + map $is_mobile $web_app_root { + 0 /var/www/desktop; + 1 /var/www/mobile; } server { @@ -502,31 +508,54 @@ http { - server { - listen 443 ssl; - listen [::]:443 ssl; +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; - server_name $SERVER_NAME_BETA_APP; + server_name $SERVER_NAME_BETA_APP; - root /var/www; - index index.html; + # Root directory - dynamically set + root $web_app_root; - location / { - set $full_path "${web_app_root}${request_uri}"; + # Default files + index index.html index.htm; - try_files $full_path ${web_app_root}/index.html =404; - } + # Main location block + location / { + try_files $uri $uri/ /index.html; + } - location ~* \.(js|css|png|jpg|jpeg|svg|ico|woff2?)$ { - expires 7d; - add_header Cache-Control "public"; + # Static assets - long cache + location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { + expires 1y; + add_header Cache-Control "public, immutable"; + access_log off; + try_files $uri =404; + } - set $full_path "${web_app_root}${request_uri}"; - try_files $full_path =404; - } + # Security headers (recommended) + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss + application/rss+xml application/atom+xml image/svg+xml; + + # Error pages + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; } } + } } From 22d4ff145e3e42b028e074750c2223777792edac Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Tue, 14 Apr 2026 18:23:05 +0330 Subject: [PATCH 15/34] Fix the regex issue in separating mobile and desktop apps --- nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx.conf b/nginx.conf index 0d2b3a5..43b34b5 100644 --- a/nginx.conf +++ b/nginx.conf @@ -44,7 +44,7 @@ http { map $http_user_agent $is_mobile { default 0; - ~*(iphone|ipod|android|blackberry|windows phone|mobile|opera mini|iemobile) 1; + ~*\(iphone|ipod|android|blackberry|windows\ phone|mobile|opera\ mini|iemobile\) 1; } # Set root path based on device type @@ -555,7 +555,7 @@ server { root /usr/share/nginx/html; } } - } + } From 459d318f93d74c2d3391fc02a9f220235d4ba35d Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Tue, 14 Apr 2026 18:52:15 +0330 Subject: [PATCH 16/34] Set the log directory for nginx --- nginx.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nginx.conf b/nginx.conf index 43b34b5..c247b29 100644 --- a/nginx.conf +++ b/nginx.conf @@ -5,6 +5,9 @@ events { } http { + access_log /dev/stdout; + error_log /dev/stdout debug; + include /etc/nginx/mime.types; sendfile on; From a8cc888f6e2784a94eb491e9a3f4915e41550df7 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Tue, 14 Apr 2026 19:13:54 +0330 Subject: [PATCH 17/34] Change the log directory for nginx --- nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx.conf b/nginx.conf index c247b29..f460256 100644 --- a/nginx.conf +++ b/nginx.conf @@ -5,8 +5,8 @@ events { } http { - access_log /dev/stdout; - error_log /dev/stdout debug; + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log debug; include /etc/nginx/mime.types; sendfile on; From 4e9e55fc61190dc665830c42c8babd6260367186 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Wed, 15 Apr 2026 14:39:05 +0330 Subject: [PATCH 18/34] Change the route policy of beta app --- nginx.conf | 60 +++++++++++++++++++++++------------------------------- 1 file changed, 26 insertions(+), 34 deletions(-) diff --git a/nginx.conf b/nginx.conf index f460256..eaf9a6c 100644 --- a/nginx.conf +++ b/nginx.conf @@ -46,8 +46,15 @@ http { resolver 127.0.0.11 valid=60s; map $http_user_agent $is_mobile { - default 0; - ~*\(iphone|ipod|android|blackberry|windows\ phone|mobile|opera\ mini|iemobile\) 1; + default 0; + ~*iphone 1; + ~*ipod 1; + ~*android 1; + ~*blackberry 1; + ~*windows\ phone 1; + mobile 1; + opera\ mini 1; + iemobile 1; } # Set root path based on device type @@ -510,55 +517,40 @@ http { } - server { listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name $SERVER_NAME_BETA_APP; + index index.html; - # Root directory - dynamically set - root $web_app_root; + # Redirect mobile users + location / { + if ($is_mobile) { + rewrite ^ /mobile break; + } - # Default files - index index.html index.htm; + root /var/www/desktop; + try_files $uri $uri/ /index.html; + } - # Main location block - location / { + # Mobile app + location /mobile/ { + alias /var/www/mobile/; try_files $uri $uri/ /index.html; } - # Static assets - long cache + # Static assets (shared logic) location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; access_log off; - try_files $uri =404; } - # Security headers (recommended) - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Gzip compression - gzip on; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_types text/plain text/css text/xml text/javascript - application/json application/javascript application/xml+rss - application/rss+xml application/atom+xml image/svg+xml; - - # Error pages - error_page 404 /404.html; - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; + # Optional: silence favicon errors + location = /favicon.ico { + log_not_found off; + access_log off; } } - - } From a49500777a8c5aa6345da05d5bc59d1fcba36518 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Wed, 15 Apr 2026 14:44:46 +0330 Subject: [PATCH 19/34] Handle errors around favicon --- nginx.conf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/nginx.conf b/nginx.conf index eaf9a6c..96ca2fc 100644 --- a/nginx.conf +++ b/nginx.conf @@ -519,7 +519,7 @@ http { server { listen 443 ssl http2; - server_name $SERVER_NAME_BETA_APP; + server_name $rot; index index.html; @@ -548,8 +548,13 @@ server { # Optional: silence favicon errors location = /favicon.ico { - log_not_found off; access_log off; + log_not_found off; + + # Always serve from desktop (simplest + safest) + root /var/www/desktop; + + try_files /favicon.ico =204; } } From aede9c44a6818d33afe65fec3f41a3ab8496f297 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Fri, 17 Apr 2026 20:00:42 +0330 Subject: [PATCH 20/34] Fix typo in beta app block --- nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.conf b/nginx.conf index 96ca2fc..f856fff 100644 --- a/nginx.conf +++ b/nginx.conf @@ -519,7 +519,7 @@ http { server { listen 443 ssl http2; - server_name $rot; + server_name $SERVER_NAME_BETA_APP; index index.html; From 2c7036b43b5179046846c4b3a2268412bd4b34a4 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Fri, 17 Apr 2026 20:42:11 +0330 Subject: [PATCH 21/34] Set SERVER_NAME_BETA_APP as an env for the nginx.conf --- Dockerfile | 3 ++- nginx.conf | 61 +++++++++++++++++++++++++++--------------------------- 2 files changed, 32 insertions(+), 32 deletions(-) diff --git a/Dockerfile b/Dockerfile index a27c553..2305f40 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,8 +14,9 @@ ENV SERVER_NAME_MOBILE_APP mobile.opex.dev ENV SERVER_WALLET_STAT walletstat.opex.dev ENV SERVER_NAME_KC kc.opex.dev ENV SERVER_NAME_V2_AUTH v2auth.opex.dev +ENV SERVER_NAME_BETA_APP beta-app.opex.dev ENTRYPOINT sh -c 'envsubst \ -\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH \ +\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH, \$SERVER_NAME_BETA_APP \ < /etc/nginx/nginx.conf.org \ | tee /etc/nginx/nginx.conf \ && nginx -g "daemon off;"' diff --git a/nginx.conf b/nginx.conf index f856fff..3ff3662 100644 --- a/nginx.conf +++ b/nginx.conf @@ -517,45 +517,44 @@ http { } -server { - listen 443 ssl http2; - server_name $SERVER_NAME_BETA_APP; + server { + listen 443 ssl http2; + server_name $SERVER_NAME_BETA_APP; + index index.html; - index index.html; + # Redirect mobile users + location / { + if ($is_mobile) { + rewrite ^ /mobile break; + } - # Redirect mobile users - location / { - if ($is_mobile) { - rewrite ^ /mobile break; + root /var/www/desktop; + try_files $uri $uri/ /index.html; } - root /var/www/desktop; - try_files $uri $uri/ /index.html; - } - - # Mobile app - location /mobile/ { - alias /var/www/mobile/; - try_files $uri $uri/ /index.html; - } + # Mobile app + location /mobile/ { + alias /var/www/mobile/; + try_files $uri $uri/ /index.html; + } - # Static assets (shared logic) - location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { - expires 1y; - add_header Cache-Control "public, immutable"; - access_log off; - } + # Static assets (shared logic) + location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { + expires 1y; + add_header Cache-Control "public, immutable"; + access_log off; + } - # Optional: silence favicon errors - location = /favicon.ico { - access_log off; - log_not_found off; + # Optional: silence favicon errors + location = /favicon.ico { + access_log off; + log_not_found off; - # Always serve from desktop (simplest + safest) - root /var/www/desktop; + # Always serve from desktop (simplest + safest) + root /var/www/desktop; - try_files /favicon.ico =204; - } + try_files /favicon.ico =204; + } } } From 5e33838992c9d50beb9fe6e94f1a70464231a27a Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Fri, 17 Apr 2026 20:50:34 +0330 Subject: [PATCH 22/34] Remove extra spaces in envsubst --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2305f40..8d68b24 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,8 +16,7 @@ ENV SERVER_NAME_KC kc.opex.dev ENV SERVER_NAME_V2_AUTH v2auth.opex.dev ENV SERVER_NAME_BETA_APP beta-app.opex.dev ENTRYPOINT sh -c 'envsubst \ -\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH, \$SERVER_NAME_BETA_APP \ -< /etc/nginx/nginx.conf.org \ +\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH,\$SERVER_NAME_BETA_APP\ | tee /etc/nginx/nginx.conf \ && nginx -g "daemon off;"' EXPOSE 443 From 3718e4816a18ac2a5781f030d215898d280535bb Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Fri, 17 Apr 2026 21:10:36 +0330 Subject: [PATCH 23/34] Fix the issue in the syntax of envsubst --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8d68b24..1a37b09 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,8 @@ ENV SERVER_NAME_KC kc.opex.dev ENV SERVER_NAME_V2_AUTH v2auth.opex.dev ENV SERVER_NAME_BETA_APP beta-app.opex.dev ENTRYPOINT sh -c 'envsubst \ -\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH,\$SERVER_NAME_BETA_APP\ +\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH,\$SERVER_NAME_BETA_APP \ +< /etc/nginx/nginx.conf.org \ | tee /etc/nginx/nginx.conf \ && nginx -g "daemon off;"' EXPOSE 443 From fe544cb320fcc37968e025ce68ed321a848ed706 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Sat, 18 Apr 2026 16:59:41 +0330 Subject: [PATCH 24/34] Change the beta app root to a dynamic configuration --- nginx.conf | 58 ++++++++++++++++++------------------------------------ 1 file changed, 19 insertions(+), 39 deletions(-) diff --git a/nginx.conf b/nginx.conf index 3ff3662..7254a2c 100644 --- a/nginx.conf +++ b/nginx.conf @@ -517,44 +517,24 @@ http { } - server { - listen 443 ssl http2; - server_name $SERVER_NAME_BETA_APP; - index index.html; - - # Redirect mobile users - location / { - if ($is_mobile) { - rewrite ^ /mobile break; - } - - root /var/www/desktop; - try_files $uri $uri/ /index.html; - } - - # Mobile app - location /mobile/ { - alias /var/www/mobile/; - try_files $uri $uri/ /index.html; - } - - # Static assets (shared logic) - location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { - expires 1y; - add_header Cache-Control "public, immutable"; - access_log off; - } - - # Optional: silence favicon errors - location = /favicon.ico { - access_log off; - log_not_found off; - - # Always serve from desktop (simplest + safest) - root /var/www/desktop; - - try_files /favicon.ico =204; - } - } + server { + listen 443 ssl http2; + server_name $SERVER_NAME_BETA_APP; + + location / { + try_files + $web_root$uri + $web_root$uri/ + $web_root/index.html; + } + + location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { + try_files $web_root$uri =404; + + expires 1y; + add_header Cache-Control "public, immutable"; + access_log off; + } + } } From a03fa6a56c031ee38307184bdf38fbc9eaa72b4c Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Sat, 18 Apr 2026 17:07:29 +0330 Subject: [PATCH 25/34] Rename web_root var to web_app_root --- nginx.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nginx.conf b/nginx.conf index 7254a2c..1e632f2 100644 --- a/nginx.conf +++ b/nginx.conf @@ -523,13 +523,13 @@ http { location / { try_files - $web_root$uri - $web_root$uri/ - $web_root/index.html; + $web_app_root$uri + $web_app_root$uri/ + $web_app_root/index.html; } location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { - try_files $web_root$uri =404; + try_files $web_app_root$uri =404; expires 1y; add_header Cache-Control "public, immutable"; From 05baf1e781f3862f2ed8aa6e5d1076a1bd42be80 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Sat, 18 Apr 2026 17:17:55 +0330 Subject: [PATCH 26/34] Change the location order --- nginx.conf | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/nginx.conf b/nginx.conf index 1e632f2..00ef8ae 100644 --- a/nginx.conf +++ b/nginx.conf @@ -521,12 +521,6 @@ http { listen 443 ssl http2; server_name $SERVER_NAME_BETA_APP; - location / { - try_files - $web_app_root$uri - $web_app_root$uri/ - $web_app_root/index.html; - } location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { try_files $web_app_root$uri =404; @@ -535,6 +529,11 @@ http { add_header Cache-Control "public, immutable"; access_log off; } + location / { + try_files + $web_app_root$uri + $web_app_root/index.html; + } } } From e469e30b5454237148bd058e8193d516a924c268 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Sat, 18 Apr 2026 17:29:27 +0330 Subject: [PATCH 27/34] Change thes tructure of locations in beta app section --- nginx.conf | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/nginx.conf b/nginx.conf index 00ef8ae..d7904fa 100644 --- a/nginx.conf +++ b/nginx.conf @@ -518,22 +518,29 @@ http { server { - listen 443 ssl http2; - server_name $SERVER_NAME_BETA_APP; + listen 443 ssl http2; + server_name $SERVER_NAME_BETA_APP; - location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { - try_files $web_app_root$uri =404; + location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { + root $web_app_root; + try_files $uri =404; - expires 1y; - add_header Cache-Control "public, immutable"; - access_log off; - } - location / { - try_files - $web_app_root$uri - $web_app_root/index.html; - } + expires 1y; + add_header Cache-Control "public, immutable"; + access_log off; + } + + location = /index.html { + root $web_app_root; + internal; + } + + location / { + root $web_app_root; + + try_files $uri $uri/ /index.html; + } } } From 0e829afba2994bd4989d5a133a38430f8a605aed Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Sat, 18 Apr 2026 17:50:28 +0330 Subject: [PATCH 28/34] Make a decision about the root in the server blok to handle root in all interal requests --- nginx.conf | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/nginx.conf b/nginx.conf index d7904fa..df4d7b8 100644 --- a/nginx.conf +++ b/nginx.conf @@ -521,26 +521,21 @@ http { listen 443 ssl http2; server_name $SERVER_NAME_BETA_APP; + set $web_app_root /var/www/desktop; - location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff|woff2|ttf|eot)$ { - root $web_app_root; - try_files $uri =404; + if ($http_user_agent ~* (iphone|ipod|android|blackberry|windows\ phone|mobile|opera\ mini|iemobile)) { + set $web_app_root /var/www/mobile; + } - expires 1y; - add_header Cache-Control "public, immutable"; - access_log off; - } + location / { + root $web_app_root; + try_files $uri $uri/ /index.html; + } - location = /index.html { - root $web_app_root; - internal; - } - - location / { - root $web_app_root; - - try_files $uri $uri/ /index.html; - } + location = /index.html { + root $web_app_root; + add_header Cache-Control "no-cache, no-store, must-revalidate"; + } } } From 0fa9fa1ea8e348cbbf8c5d960f5d05ebbdb30ce2 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Sat, 30 May 2026 15:02:20 +0330 Subject: [PATCH 29/34] Route swagger subdomain --- Dockerfile | 3 ++- docker-compose.yml | 1 + nginx.conf | 60 +++++++++++++++------------------------------- 3 files changed, 22 insertions(+), 42 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1a37b09..9fb20fa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,8 +15,9 @@ ENV SERVER_WALLET_STAT walletstat.opex.dev ENV SERVER_NAME_KC kc.opex.dev ENV SERVER_NAME_V2_AUTH v2auth.opex.dev ENV SERVER_NAME_BETA_APP beta-app.opex.dev +ENV SERVER_NAME_SWAGGER swagger.opex.dev ENTRYPOINT sh -c 'envsubst \ -\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH,\$SERVER_NAME_BETA_APP \ +\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH,\$SERVER_NAME_BETA_APP,\$SERVER_NAME_SWAGGER \ < /etc/nginx/nginx.conf.org \ | tee /etc/nginx/nginx.conf \ && nginx -g "daemon off;"' diff --git a/docker-compose.yml b/docker-compose.yml index c5cb581..b05da91 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,6 +18,7 @@ services: - SERVER_NAME_KC=$SERVER_NAME_KC - SERVER_NAME_V2_AUTH=$SERVER_NAME_V2_AUTH - SERVER_NAME_BETA_APP=$SERVER_NAME_BETA_APP + - SERVER_NAME_SWAGGER=$SERVER_NAME_SWAGGER secrets: - opex_dev_crt - private_pem diff --git a/nginx.conf b/nginx.conf index df4d7b8..38f82ce 100644 --- a/nginx.conf +++ b/nginx.conf @@ -99,6 +99,17 @@ http { } } + server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name $SERVER_NAME_SWAGGER; + + location / { + set $backend http://swagger-docs:8080; + proxy_pass $backend; + } + } server { listen 443 ssl; listen [::]:443 ssl; @@ -472,47 +483,14 @@ http { location /binance { - - # target upstream (IMPORTANT: must be variable for DNS resolution) - set $backend https://binance.beeep.ir; - - # route path - rewrite ^/binance/(.*)$ /$1 break; - - # upstream connection settings - proxy_pass $backend; - - # correct upstream identity - proxy_set_header Host binance.beeep.ir; - proxy_ssl_server_name on; - proxy_ssl_name binance.beeep.ir; - - # client headers - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - # timeouts (important for slow Binance-like APIs) - proxy_connect_timeout 60s; - proxy_send_timeout 300s; - proxy_read_timeout 300s; - send_timeout 300s; - - # retry logic (VERY IMPORTANT for your error) - proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; - proxy_next_upstream_tries 3; - proxy_next_upstream_timeout 60s; - - # TLS (since upstream is HTTPS) - proxy_ssl_verify off; - - # avoid buffering issues for slow responses - proxy_buffering off; - proxy_request_buffering off; - - # stability - proxy_intercept_errors off; - } + proxy_set_header Host api.binance.com; + proxy_set_header X-Real-IP ''; + proxy_set_header X-Forwarded-For ''; + proxy_set_header X-Forwarded-Host ''; + set $backend https://api.binance.com; + proxy_pass $backend; + rewrite ^/binance/(.*)$ /$1 break; + } } From fb9df65eaa693baf3590ffd6e9ecbe3f8a6c8121 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Tue, 16 Jun 2026 16:46:23 +0330 Subject: [PATCH 30/34] Add modsec and lua modules to nginx --- Dockerfile | 48 ++++++++-------- docker-compose.yml | 1 + entrypoint.sh | 38 +++++++++++++ lua/upload_check.lua | 63 +++++++++++++++++++++ modsecurity/modsecurity.conf | 93 +++++++++++++++++++++++++++++++ modsecurity/modsecurity.conf.back | 41 ++++++++++++++ nginx.conf => nginx.conf.template | 52 +++++++++++------ 7 files changed, 296 insertions(+), 40 deletions(-) create mode 100644 entrypoint.sh create mode 100644 lua/upload_check.lua create mode 100644 modsecurity/modsecurity.conf create mode 100644 modsecurity/modsecurity.conf.back rename nginx.conf => nginx.conf.template (91%) diff --git a/Dockerfile b/Dockerfile index 9fb20fa..be5db8f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,24 +1,24 @@ -FROM nginx:1.20.2 -COPY nginx.conf /etc/nginx/nginx.conf.org -COPY health-check.conf /etc/nginx/ -ENV EXPOSED_PORT 443 -ENV SERVER_NAME_DASHBOARD dashboard.opex.dev -ENV SERVER_NAME_ADMIN_PANEL admin.opex.dev -ENV SERVER_NAME_WEB_APP app.opex.dev -ENV SERVER_NAME_AUTH auth.opex.dev -ENV SERVER_NAME_HEALTH health.opex.dev -ENV SERVER_NAME_API api.opex.dev -ENV SERVER_NAME_KIBANA kibana.opex.dev -ENV SERVER_NAME_GRAFANA grafana.opex.dev -ENV SERVER_NAME_MOBILE_APP mobile.opex.dev -ENV SERVER_WALLET_STAT walletstat.opex.dev -ENV SERVER_NAME_KC kc.opex.dev -ENV SERVER_NAME_V2_AUTH v2auth.opex.dev -ENV SERVER_NAME_BETA_APP beta-app.opex.dev -ENV SERVER_NAME_SWAGGER swagger.opex.dev -ENTRYPOINT sh -c 'envsubst \ -\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH,\$SERVER_NAME_BETA_APP,\$SERVER_NAME_SWAGGER \ -< /etc/nginx/nginx.conf.org \ -| tee /etc/nginx/nginx.conf \ -&& nginx -g "daemon off;"' -EXPOSE 443 +FROM really/nginx-modsecurity:latest +USER root +# Install envsubst safely from the same Alpine version +RUN apk add --no-cache gettext + +# nginx template +COPY nginx.conf.template /etc/nginx/nginx.conf.template + +# ModSecurity configuration +COPY ./modsecurity/ /etc/nginx/modsecurity/ + +# Lua scripts (if you need them) +COPY ./lua/ /etc/nginx/lua/ + +COPY ./health-check.conf /etc/nginx/health-check.conf + +# Startup script +COPY entrypoint.sh /entrypoint.sh + +RUN chmod +x /entrypoint.sh + +ENTRYPOINT ["/entrypoint.sh"] + +EXPOSE 443 \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index b05da91..e29f188 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -19,6 +19,7 @@ services: - SERVER_NAME_V2_AUTH=$SERVER_NAME_V2_AUTH - SERVER_NAME_BETA_APP=$SERVER_NAME_BETA_APP - SERVER_NAME_SWAGGER=$SERVER_NAME_SWAGGER + - SERVER_NAME_ADMIN_V2_PANEL=$SERVER_NAME_ADMIN_V2_PANEL secrets: - opex_dev_crt - private_pem diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100644 index 0000000..f732a03 --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,38 @@ +#!/bin/sh + +set -e + +echo "Generating nginx.conf..." + +envsubst ' +$EXPOSED_PORT +$SERVER_NAME_DASHBOARD +$SERVER_NAME_ADMIN_PANEL +$SERVER_NAME_WEB_APP +$SERVER_NAME_AUTH +$SERVER_NAME_HEALTH +$SERVER_NAME_API +$SERVER_NAME_MOBILE_APP +$SERVER_WALLET_STAT +$SERVER_NAME_GRAFANA +$SERVER_NAME_KIBANA +$SERVER_NAME_KC +$SERVER_NAME_V2_AUTH +$SERVER_NAME_BETA_APP +$SERVER_NAME_SWAGGER +$SERVER_NAME_ADMIN_V2_PANEL +' \ +< /etc/nginx/nginx.conf.template \ +> /etc/nginx/nginx.conf + + +echo "Generated config size:" +wc -c /etc/nginx/nginx.conf + +echo "Checking events section:" +grep "events" /etc/nginx/nginx.conf || true + + +nginx -t + +exec nginx -g "daemon off;" \ No newline at end of file diff --git a/lua/upload_check.lua b/lua/upload_check.lua new file mode 100644 index 0000000..4884462 --- /dev/null +++ b/lua/upload_check.lua @@ -0,0 +1,63 @@ +local allowed_ext = {".png", ".jpg", ".jpeg"} +local blocked_ext = {".php", ".exe", ".sh", ".bat", ".js" , ".svg"} -- dangerous extensions + +local function ends_with(str, ending) + return str:lower():sub(-#ending) == ending:lower() +end + +local function contains_blocked(str) + str = str:lower() + for _, ext in ipairs(blocked_ext) do + if str:find(ext, 1, true) then + return true + end + end + return false +end + +local headers = ngx.req.get_headers() +local content_type = headers["content-type"] +local is_admin = false + +local admin_ips = { + ["188.136.193.194"] = true, + ["193.186.32.236"] = true, + ["188.75.66.34"] = true +} + +local client_ip = ngx.var.remote_addr + +local is_admin = admin_ips[client_ip] or false + +ngx.log(ngx.ERR, "Client IP: ", client_ip, " | Admin: ", tostring(is_admin)) + +if content_type and content_type:find("multipart/form-data", 1, true) and not is_admin then + ngx.req.read_body() + local body = ngx.req.get_body_data() + if body then + for filename in body:gmatch('filename="(.-)"') do + -- 1. Check allowed extensions + local allowed = false + for _, ext in ipairs(allowed_ext) do + if ends_with(filename, ext) then + allowed = true + break + end + end + if not allowed then + ngx.status = 403 + ngx.say("Blocked upload: only PNG, JPG, JPEG allowed") + ngx.exit(403) + end + + -- 2. Check for multiple dangerous extensions + if contains_blocked(filename) then + ngx.status = 403 + ngx.say("Blocked upload: filename contains forbidden extension") + ngx.exit(403) + end + end + end +end +ngx.req.discard_body() + diff --git a/modsecurity/modsecurity.conf b/modsecurity/modsecurity.conf new file mode 100644 index 0000000..6573cbd --- /dev/null +++ b/modsecurity/modsecurity.conf @@ -0,0 +1,93 @@ +# Enable ModSecurity +SecRuleEngine On +SecRequestBodyAccess On +SecResponseBodyAccess Off + +# Logging +SecAuditEngine RelevantOnly +SecAuditLog /var/log/modsec_audit.log +SecAuditLogParts AIJDEFHZ +SecAuditLogType Serial +SecDebugLog /var/log/modsec_debug.log +SecDebugLogLevel 3 +# Temp directories +SecTmpDir /tmp/ +SecDataDir /tmp/ + +# Keep uploaded files temporarily for inspection +SecUploadDir /tmp/modsec-upload/ +SecUploadKeepFiles On + +# Default actions +SecDefaultAction "phase:1,log,auditlog,pass" +SecDefaultAction "phase:2,log,auditlog,pass" + +############################################################ +# 1. Block dangerous HTML/script payloads in parameters only +# (NOT raw multipart request body) +############################################################ +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS \ + "@rx (?i)(]*>)" \ + "id:1001,phase:2,t:none,deny,log,msg:'Blocked dangerous HTML/script tag in request'" + +############################################################ +# 2. Block dangerous MIME types +SecRule REQUEST_HEADERS:Content-Type "@rx (?i)(application/x-php|application/x-msdownload|application/x-sh|text/x-python|application/x-msdos-program)" \ + "id:1002,phase:1,t:none,deny,log,msg:'Blocked dangerous MIME type'" + +############################################################ +# 3. Block direct access to dangerous file URIs +SecRule REQUEST_URI "@rx (?i)\.(php[0-9]?|phtml|phar|asp|aspx|jsp|exe|sh|bat|pl|py|cgi)(\?|$)" \ + "id:1003,phase:1,t:none,deny,log,msg:'Blocked direct request to dangerous file type in URI'" + +############################################################ +# 4. Code injection patterns +SecRule REQUEST_BODY "(?i)(<\?php|system\(|exec\(|shell_exec\(|passthru\(|popen\(|cmd\.exe|/bin/sh|/bin/bash)" \ + "id:1004,phase:2,t:none,deny,log,msg:'Blocked possible code injection pattern'" + + diff --git a/nginx.conf b/nginx.conf.template similarity index 91% rename from nginx.conf rename to nginx.conf.template index 38f82ce..67da210 100644 --- a/nginx.conf +++ b/nginx.conf.template @@ -1,9 +1,13 @@ +user nginx; +pid /var/run/nginx.pid; worker_processes auto; +load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; events { - worker_connections 1024; + worker_connections 1024; } + http { access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log debug; @@ -41,7 +45,7 @@ http { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $server_name; - proxy_set_header X-Forwarded-Port $EXPOSED_PORT; + proxy_set_header X-Forwarded-Port ${EXPOSED_PORT}; resolver 127.0.0.11 valid=60s; @@ -63,6 +67,22 @@ http { 1 /var/www/mobile; } + real_ip_header X-Forwarded-For; + set_real_ip_from 0.0.0.0/0; + real_ip_recursive on; + + + # Lua + lua_package_path "/etc/nginx/lua/?.lua;;"; + + # ModSecurity global + modsecurity on; + modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf; + + # Lua global for all requests + access_by_lua_file /etc/nginx/lua/upload_check.lua; + + server { listen 80; @@ -75,7 +95,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_WALLET_STAT; + server_name ${SERVER_WALLET_STAT}; location / { add_header Access-Control-Allow-Credentials true always; @@ -91,7 +111,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_KIBANA; + server_name ${SERVER_NAME_KIBANA}; location / { set $backend http://kibana:5601; @@ -103,7 +123,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_SWAGGER; + server_name ${SERVER_NAME_SWAGGER}; location / { set $backend http://swagger-docs:8080; @@ -114,7 +134,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_GRAFANA; + server_name ${SERVER_NAME_GRAFANA}; location / { set $backend http://grafana:3000; @@ -126,7 +146,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_ADMIN_PANEL; + server_name ${SERVER_NA}ME_ADMIN_PANEL}; location ~* \.(.*)$ { set $backend http://admin-panel; @@ -144,7 +164,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_ADMIN_V2_PANEL; + server_name ${SERVER_NAME_ADMIN_V2_PANEL}; location ~* \.(.*)$ { set $backend http://admin-v2-panel-nginx; @@ -162,7 +182,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_WEB_APP; + server_name ${SERVER_NA}ME_WEB_APP}; location ~* \.(.*)$ { set $backend http://web-app; @@ -180,7 +200,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_MOBILE_APP; + server_name ${SERVER_NAME_MOBILE_APP}; location ~* \.(.*)$ { set $backend http://mobile-app; @@ -198,7 +218,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_AUTH; + server_name ${SERVER_NAME_AUTH}; location / { set $backend http://auth:8080; @@ -211,7 +231,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_KC; + server_name ${SERVER_NAME_KC}; location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -227,7 +247,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_V2_AUTH; + server_name ${SERVER_NAME_V2_AUTH}; if ($request_method = 'OPTIONS') { return 204; @@ -269,7 +289,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_HEALTH; + server_name ${SERVER_NAME_HEALTH}; location /accountant { set $backend http://accountant:8080; @@ -359,7 +379,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name $SERVER_NAME_API; + server_name ${SERVER_NAME_API}; if ($request_method = 'OPTIONS') { return 204; @@ -497,7 +517,7 @@ http { server { listen 443 ssl http2; - server_name $SERVER_NAME_BETA_APP; + server_name ${SERVER_NAME_BETA_APP}; set $web_app_root /var/www/desktop; From f122eb7281a9a071011c1287674e5d4ff116ca01 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Tue, 16 Jun 2026 20:27:51 +0330 Subject: [PATCH 31/34] Implementing compatibility between operating systems --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index be5db8f..f7c216f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,9 @@ COPY ./health-check.conf /etc/nginx/health-check.conf # Startup script COPY entrypoint.sh /entrypoint.sh -RUN chmod +x /entrypoint.sh + +RUN sed -i 's/\r$//' /entrypoint.sh \ + && chmod +x /entrypoint.sh \ ENTRYPOINT ["/entrypoint.sh"] From 0d49083e49245f0de8aaa522f05157d506718cc5 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Tue, 16 Jun 2026 20:31:56 +0330 Subject: [PATCH 32/34] Implementing compatibility between operating systems --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f7c216f..ddb9a27 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,7 +19,7 @@ COPY entrypoint.sh /entrypoint.sh RUN sed -i 's/\r$//' /entrypoint.sh \ - && chmod +x /entrypoint.sh \ + && chmod +x /entrypoint.sh ENTRYPOINT ["/entrypoint.sh"] From 0748e1f05343b4cb8faeb377e4bee1b7021e3673 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Wed, 17 Jun 2026 16:42:22 +0330 Subject: [PATCH 33/34] Correct a typo --- lua/upload_check.lua | 14 +++++++++++--- nginx.conf.template | 21 ++++++++++----------- 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/lua/upload_check.lua b/lua/upload_check.lua index 4884462..1622420 100644 --- a/lua/upload_check.lua +++ b/lua/upload_check.lua @@ -29,8 +29,14 @@ local client_ip = ngx.var.remote_addr local is_admin = admin_ips[client_ip] or false -ngx.log(ngx.ERR, "Client IP: ", client_ip, " | Admin: ", tostring(is_admin)) - +-- ngx.log(ngx.ERR, "Client IP: ", client_ip, " | Admin: ", tostring(is_admin)) +ngx.log( + ngx.ERR, + "URI=", ngx.var.request_uri, + " METHOD=", ngx.req.get_method(), + " CONTENT_TYPE=", tostring(content_type), + " ADMIN=", tostring(is_admin) +) if content_type and content_type:find("multipart/form-data", 1, true) and not is_admin then ngx.req.read_body() local body = ngx.req.get_body_data() @@ -47,6 +53,7 @@ if content_type and content_type:find("multipart/form-data", 1, true) and not is if not allowed then ngx.status = 403 ngx.say("Blocked upload: only PNG, JPG, JPEG allowed") + ngx.log(ngx.ERR,"Blocked upload: only PNG, JPG, JPEG allowed") ngx.exit(403) end @@ -54,10 +61,11 @@ if content_type and content_type:find("multipart/form-data", 1, true) and not is if contains_blocked(filename) then ngx.status = 403 ngx.say("Blocked upload: filename contains forbidden extension") + ngx.log(ngx.ERR,"Blocked upload: filename contains forbidden extension") ngx.exit(403) end end end end -ngx.req.discard_body() +-- ngx.req.discard_body() diff --git a/nginx.conf.template b/nginx.conf.template index 67da210..cc74d66 100644 --- a/nginx.conf.template +++ b/nginx.conf.template @@ -146,7 +146,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name ${SERVER_NA}ME_ADMIN_PANEL}; + server_name ${SERVER_NAME_ADMIN_PANEL}; location ~* \.(.*)$ { set $backend http://admin-panel; @@ -182,7 +182,7 @@ http { listen 443 ssl; listen [::]:443 ssl; - server_name ${SERVER_NA}ME_WEB_APP}; + server_name ${SERVER_NAME_WEB_APP}; location ~* \.(.*)$ { set $backend http://web-app; @@ -501,16 +501,15 @@ http { resolver 127.0.0.11 valid=30s; resolver_timeout 15s; - location /binance { - proxy_set_header Host api.binance.com; - proxy_set_header X-Real-IP ''; - proxy_set_header X-Forwarded-For ''; - proxy_set_header X-Forwarded-Host ''; - set $backend https://api.binance.com; - proxy_pass $backend; - rewrite ^/binance/(.*)$ /$1 break; - } + proxy_set_header Host api.binance.com; + proxy_set_header X-Real-IP ''; + proxy_set_header X-Forwarded-For ''; + proxy_set_header X-Forwarded-Host ''; + set $backend https://api.binance.com; + proxy_pass $backend; + rewrite ^/binance/(.*)$ /$1 break; + } } From 43fe08b595780ff991f47291d468b76eb2b4e6d3 Mon Sep 17 00:00:00 2001 From: fatemeh imanipour Date: Wed, 17 Jun 2026 17:18:09 +0330 Subject: [PATCH 34/34] Change the admin panel config --- nginx.conf.template | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/nginx.conf.template b/nginx.conf.template index cc74d66..b2e29e3 100644 --- a/nginx.conf.template +++ b/nginx.conf.template @@ -166,15 +166,22 @@ http { server_name ${SERVER_NAME_ADMIN_V2_PANEL}; - location ~* \.(.*)$ { - set $backend http://admin-v2-panel-nginx; - proxy_pass $backend; - } + client_max_body_size 50M; location / { - set $backend http://admin-v2-panel-nginx; - proxy_pass $backend; - rewrite .* / break; + proxy_pass http://admin-v2-panel-nginx; + + proxy_http_version 1.1; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port 443; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; } }