d-bis/gru_emoney_token-factory
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
227f4df62b7d676099249234c04636d8e1ddd26d
gru_emoney_token-factory/nginx-setup.md
defiQUG 227f4df62b Enhance API services with new validation and error handling features 
- Integrated additional Zod validation schemas for improved input validation across various API routes.
- Updated existing services to utilize the new validation middleware, ensuring better request integrity.
- Improved error handling mechanisms in key services to provide clearer feedback on request failures.
- Conducted code cleanup to enhance readability and maintainability of the API services.
2025-12-12 20:37:41 -08:00

350 lines
7.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Nginx Configuration Setup Guide
This guide explains how to set up and deploy the nginx configuration for the eMoney Token Factory API.
## Overview
The nginx configuration handles:
- **10 production domains** (5 services × 2 protocols)
- **10 staging domains** (5 services × 2 protocols)
- SSL/TLS termination
- Load balancing
- Rate limiting
- Security headers
- Health checks
## Prerequisites
- Nginx 1.18+ installed
- SSL certificates for all domains
- Backend services running on specified ports
- Root or sudo access
## Installation Steps
### 1. Install Nginx
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install nginx
# CentOS/RHEL
sudo yum install nginx
# Verify installation
nginx -v
```
### 2. Backup Default Configuration
```bash
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
```
### 3. Copy Configuration File
```bash
sudo cp nginx.conf /etc/nginx/nginx.conf
```
### 4. Create SSL Certificate Directories
```bash
sudo mkdir -p /etc/ssl/certs
sudo mkdir -p /etc/ssl/private
sudo chmod 700 /etc/ssl/private
```
### 5. Install SSL Certificates
For each domain, install SSL certificates:
```bash
# Production domains
sudo cp api.d-bis.org.crt /etc/ssl/certs/
sudo cp api.d-bis.org.key /etc/ssl/private/
sudo cp api.d-bis.org-chain.crt /etc/ssl/certs/
# Repeat for all domains:
# - mappings.api.d-bis.org
# - webhooks.api.d-bis.org
# - orchestrator.api.d-bis.org
# - packets.api.d-bis.org
# - api-staging.d-bis.org
# - mappings.api-staging.d-bis.org
# - webhooks.api-staging.d-bis.org
# - orchestrator.api-staging.d-bis.org
# - packets.api-staging.d-bis.org
# Set proper permissions
sudo chmod 644 /etc/ssl/certs/*.crt
sudo chmod 600 /etc/ssl/private/*.key
```
### 6. Update Upstream Server IPs
Edit `/etc/nginx/nginx.conf` and replace placeholder IPs with actual backend server IPs:
```bash
sudo nano /etc/nginx/nginx.conf
```
Update these sections:
- `upstream rest_api_production` - Replace `192.0.2.1:3000`
- `upstream mapping_service_production` - Replace `192.0.2.2:3004`
- `upstream webhook_service_production` - Replace `192.0.2.3:3001`
- `upstream orchestrator_service_production` - Replace `192.0.2.4:3002`
- `upstream packet_service_production` - Replace `192.0.2.5:3003`
- All staging upstreams similarly
### 7. Test Configuration
```bash
sudo nginx -t
```
Expected output:
```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
### 8. Create Log Directories
```bash
sudo mkdir -p /var/log/nginx
sudo chown nginx:nginx /var/log/nginx
```
### 9. Start and Enable Nginx
```bash
sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx
```
### 10. Verify Services
```bash
# Check nginx is listening on ports
sudo netstat -tlnp | grep nginx
# Should show ports 80 and 443
# Test health endpoints
curl -k https://api.d-bis.org/health
curl -k https://mappings.api.d-bis.org/health
curl -k https://webhooks.api.d-bis.org/health
curl -k https://orchestrator.api.d-bis.org/health
curl -k https://packets.api.d-bis.org/health
```
## Configuration Details
### Rate Limiting
- **API endpoints**: 100 requests/minute with burst of 20
- **Webhook endpoints**: 50 requests/minute with burst of 10
- **Staging**: Reduced limits (burst of 10 for API, 5 for webhooks)
### Upstream Configuration
- **Load balancing**: Least connections algorithm
- **Health checks**: Max 3 failures, 30s timeout
- **Keepalive**: 32 connections per upstream
### SSL/TLS
- **Protocols**: TLSv1.2, TLSv1.3
- **Ciphers**: Modern, secure cipher suites
- **Session cache**: 10MB shared cache
- **Session timeout**: 10 minutes
- **OCSP stapling**: Enabled
### Security Headers
- **HSTS**: 1 year with subdomains and preload
- **X-Frame-Options**: DENY
- **X-Content-Type-Options**: nosniff
- **X-XSS-Protection**: Enabled
- **Referrer-Policy**: strict-origin-when-cross-origin
- **CSP**: Default-src 'self' with script/style exceptions
### Timeouts
- **Connection**: 30 seconds
- **Send**: 60 seconds (120s for packet service)
- **Read**: 60 seconds (120s for packet service)
- **Keepalive**: 65 seconds
## Monitoring
### Log Locations
- **Access log**: `/var/log/nginx/access.log`
- **Error log**: `/var/log/nginx/error.log`
### Log Rotation
Create `/etc/logrotate.d/nginx`:
```
/var/log/nginx/*.log {
daily
missingok
rotate 52
compress
delaycompress
notifempty
create 0640 nginx adm
sharedscripts
postrotate
[ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
endscript
}
```
### Health Check Monitoring
Set up monitoring for health endpoints:
```bash
# Example monitoring script
#!/bin/bash
for domain in api.d-bis.org mappings.api.d-bis.org webhooks.api.d-bis.org \
orchestrator.api.d-bis.org packets.api.d-bis.org; do
if ! curl -f -s https://$domain/health > /dev/null; then
echo "ALERT: $domain health check failed"
# Send alert notification
fi
done
```
## Troubleshooting
### Check Nginx Status
```bash
sudo systemctl status nginx
sudo journalctl -u nginx -n 50
```
### View Error Logs
```bash
sudo tail -f /var/log/nginx/error.log
```
### Test Specific Configuration
```bash
# Test configuration syntax
sudo nginx -t
# Test specific server block
sudo nginx -T | grep -A 50 "server_name api.d-bis.org"
```
### Common Issues
1. **SSL certificate errors**
- Verify certificate paths are correct
- Check certificate permissions (644 for .crt, 600 for .key)
- Ensure certificate chain is complete
2. **502 Bad Gateway**
- Check backend services are running
- Verify upstream IPs and ports are correct
- Check firewall rules allow nginx to reach backends
3. **Rate limiting too aggressive**
- Adjust `limit_req_zone` rates in http block
- Increase burst values in server blocks
4. **Connection timeouts**
- Increase `proxy_connect_timeout`, `proxy_send_timeout`, `proxy_read_timeout`
- Check backend service response times
## Reload Configuration
After making changes:
```bash
# Test configuration
sudo nginx -t
# Reload nginx (graceful, no downtime)
sudo nginx -s reload
# Or restart (brief downtime)
sudo systemctl restart nginx
```
## Firewall Configuration
Ensure firewall allows HTTP/HTTPS:
```bash
# UFW (Ubuntu)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# firewalld (CentOS/RHEL)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
```
## Performance Tuning
### Worker Processes
Set `worker_processes` to number of CPU cores:
```nginx
worker_processes auto; # Auto-detects CPU cores
```
### Worker Connections
Adjust based on expected load:
```nginx
worker_connections 2048; # Increase for high traffic
```
### File Descriptors
Increase system limits:
```bash
# Edit /etc/security/limits.conf
nginx soft nofile 65535
nginx hard nofile 65535
```
## Backup and Recovery
### Backup Configuration
```bash
sudo tar -czf nginx-backup-$(date +%Y%m%d).tar.gz \
/etc/nginx/nginx.conf \
/etc/ssl/certs/ \
/etc/ssl/private/
```
### Restore Configuration
```bash
sudo tar -xzf nginx-backup-YYYYMMDD.tar.gz -C /
sudo nginx -t
sudo systemctl reload nginx
```
## Support
For nginx configuration issues, contact: infrastructure@d-bis.org
Reference in New Issue View Git Blame Copy Permalink