Merge pull request #200 from lvchkn/proxy-update

Proxy config change

docker-compose.production.yml

@@ -33,14 +33,16 @@ services:
       - "80:80"
     volumes:
       - ./nginx.production.conf:/etc/nginx/nginx.conf:ro
+      - /etc/nginx/ssl/nginx.crt:/etc/nginx/ssl/nginx.crt:ro
+      - /etc/nginx/ssl/nginx.key:/etc/nginx/ssl/nginx.key:ro
       - ./certbot/conf:/etc/nginx/ssl:ro
       - ./certbot/www:/var/www/certbot:ro
   certbot:
     image: certbot/certbot:v2.11.0
     volumes:
       - ./certbot/conf:/etc/letsencrypt:rw
       - ./certbot/www:/var/www/certbot:rw
-    command: renew --webroot -w /var/www/certbot --dry-run --cert-name ${DOMAIN} --agree-tos --register-unsafely-without-email
+    command: certonly --webroot -w /var/www/certbot --dry-run -d www.${DOMAIN} -d {DOMAIN} --agree-tos --register-unsafely-without-email
   postgres:
     image: postgres:15.1
     restart: always

nginx.production.conf

@@ -10,7 +10,7 @@ http {
 
     server {
         listen 80;
-        server_name %domain%;
+        server_name %domain% www.%domain% api.%domain%;
 
          location /.well-known/acme-challenge/ {
             root /var/www/certbot;
@@ -21,23 +21,72 @@ http {
          }
     }
 
+    server {
+        listen 443 ssl default_server;
+
+        ssl_certificate     /etc/nginx/ssl/nginx.crt;
+        ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+        return 444;
+    }
+
     server {
         listen 443 ssl;
-        server_name %domain%;
+        server_name api.%domain%;
 
-        ssl_certificate     /etc/nginx/ssl/live/%domain%/fullchain.pem;
-        ssl_certificate_key /etc/nginx/ssl/live/%domain%/privkey.pem;
+        ssl_certificate     /etc/nginx/ssl/live/api.%domain%/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/api.%domain%/privkey.pem;
 
         location / {
             proxy_pass          http://feed:5245;
             proxy_http_version  1.1;
             proxy_set_header    Upgrade $http_upgrade;
             proxy_set_header    Connection keep-alive;
+            proxy_set_header    Host api.%domain%;
+            proxy_cache_bypass  $http_upgrade;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Proto $scheme;
+            proxy_ssl_server_name on;
+        }
+    }
+
+    server {
+        listen 443 ssl;
+        server_name %domain%;
+
+        ssl_certificate     /etc/nginx/ssl/live/%domain%/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/%domain%/privkey.pem;
+
+        location / {
+            proxy_pass          http://react-app:80;
+            proxy_http_version  1.1;
+            proxy_set_header    Upgrade $http_upgrade;
+            proxy_set_header    Connection keep-alive;
             proxy_set_header    Host %domain%;
             proxy_cache_bypass  $http_upgrade;
             proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header    X-Forwarded-Proto $scheme;
             proxy_ssl_server_name on;
         }
     }
+
+    server {
+        listen 443 ssl;
+        server_name www.%domain%;
+
+        ssl_certificate     /etc/nginx/ssl/live/www.%domain%/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/www.%domain%/privkey.pem;
+
+        location / {
+            proxy_pass          http://react-app:80;
+            proxy_http_version  1.1;
+            proxy_set_header    Upgrade $http_upgrade;
+            proxy_set_header    Connection keep-alive;
+            proxy_set_header    Host www.%domain%;
+            proxy_cache_bypass  $http_upgrade;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Proto $scheme;
+            proxy_ssl_server_name on;
+        }
+    }
 }