From 40b7e590a36ad7385a842c235499422f5b28e972 Mon Sep 17 00:00:00 2001 From: tdv Date: Wed, 15 Oct 2025 19:16:16 +0300 Subject: [PATCH] changes in nginx config, couse i retarded enough to do it in one approach --- docker-compose.yaml | 6 ++--- nginx/dev.conf | 43 +++++++++++++++++++++++++------ server/internal/handlers/certs.go | 3 ++- 3 files changed, 40 insertions(+), 12 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 9d8d118..17eae61 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -44,9 +44,9 @@ services: args: APP_DIR: ${API_APP_DIR:-./cmd/api} environment: - VAULT_ADDR: "http://vault:8200" - VAULT_TOKEN: "root" - VAULT_KV_PATH: "kv/data/snoop" + VAULT_ADDR: "http://host.docker.internal:8200" + VAULT_TOKEN: "hvs.tZ4eh9P18sCZ5c1PZIz59EmH" + # VAULT_KV_PATH: "kv/data/snoop" MINIO_ENDPOINT: "http://minio:9000" JWT_SECRET: ${JWT_SECRET} env_file: diff --git a/nginx/dev.conf b/nginx/dev.conf index aa80466..80850ed 100644 --- a/nginx/dev.conf +++ b/nginx/dev.conf @@ -6,6 +6,23 @@ map $http_upgrade $connection_upgrade { # Helpful for larger uploads via API (tweak as you wish) client_max_body_size 400m; +log_format mtls_debug ' +[$time_local] $remote_addr:$remote_port → $server_name:$server_port +"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" +TLS=$ssl_protocol/$ssl_cipher +ClientVerify=$ssl_client_verify +ClientSerial=$ssl_client_serial +ClientSubject="$ssl_client_s_dn" +ClientIssuer="$ssl_client_i_dn" +RequestTime=$request_time +ProxyUpstreamAddr=$upstream_addr +ProxyStatus=$upstream_status +'; + +# Default access & error logs for both 80 and 443 servers +access_log /var/log/nginx/access.log mtls_debug; +error_log /var/log/nginx/error.log warn; + server { listen 80; server_name _; 
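Review bot: The new `VAULT_TOKEN` line puts a literal Vault service token (`hvs.…`) into a committed file, so the token now lives in the repository history and has to be treated as compromised: revoke it (`vault token revoke`) and issue a fresh one rather than rotating in place. Keep the value out of the compose file the way `JWT_SECRET` already is — `VAULT_TOKEN: ${VAULT_TOKEN}` — and supply it through the `env_file` this service already references or the shell environment. `VAULT_KV_PATH` is commented out in the same hunk; if the API still reads that variable it will now see it unset, which should be confirmed against the server code before merging. The switch to `http://host.docker.internal:8200` also means the API reaches Vault on the host over plain HTTP, which is acceptable for a dev stack but deserves a `# dev only` comment so it is not copied into a production compose file.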
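Review bot: The new `log_format mtls_debug` has literal newlines inside the quoted string, so every access-log record is written as roughly eleven physical lines; line-oriented consumers (Promtail/Filebeat, fail2ban, plain `grep`) will treat each fragment as its own entry and cannot re-associate `ClientVerify`/`ClientSerial` with the request they belong to. nginx's default escaping does rewrite control characters in variable values, so a client cannot forge a record boundary through `User-Agent` or `Referer`, but the output is still not machine-parseable. Keep the same fields on a single line, or declare it as `log_format mtls_debug escape=json '{"time":"$time_local","client":"$remote_addr", … ,"ssl_client_verify":"$ssl_client_verify"}';` so each record is one JSON line. Because the format and `access_log` are set at `http` level they also apply to the plain `listen 80` server, where every `$ssl_*` field will log as `-`; a short comment saying so would save the next reader from hunting for a misconfiguration.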
@@ -60,6 +77,9 @@ server { listen 443 ssl http2; server_name _; + access_log /var/log/nginx/access.log mtls_debug; + error_log /var/log/nginx/error.log info; + ssl_certificate /etc/nginx/ssl/certs/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/certs/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; @@ -98,25 +118,28 @@ server { } # ---- mTLS-protected paths ---- - location ^~ /api/records { + location ^~ /api/records/upload { if ($ssl_client_verify != SUCCESS) { return 495; } - proxy_pass http://snoop-api:8080/; + rewrite ^/api/(.*)$ /$1 break; + proxy_pass http://snoop-api:8080; } location ^~ /api/tasks { if ($ssl_client_verify != SUCCESS) { return 495; } - proxy_pass http://snoop-api:8080/; + rewrite ^/api/(.*)$ /$1 break; + proxy_pass http://snoop-api:8080; } location ^~ /api/renew { if ($ssl_client_verify != SUCCESS) { return 495; } - proxy_pass http://snoop-api:8080/; + rewrite ^/api/(.*)$ /$1 break; + proxy_pass http://snoop-api:8080; } # MediaMTX HLS @@ -128,13 +151,17 @@ server { } # MediaMTX WebRTC (WHIP/WHEP/test) - location ^~ /webrtc/ { + location ^~ /whip/ { if ($ssl_client_verify != SUCCESS) { return 495; } - proxy_pass http://mediamtx:8889/; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; + proxy_pass http://mediamtx:8889; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_request_buffering off; + client_max_body_size 35m; + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; } # MQTT WS entry points (guarded by mTLS) diff --git a/server/internal/handlers/certs.go b/server/internal/handlers/certs.go index 62fba28..ff63bcf 100644 --- a/server/internal/handlers/certs.go +++ b/server/internal/handlers/certs.go @@ -5,6 +5,7 @@ import ( "crypto/x509" "encoding/pem" "errors" + "fmt" "io" "net/http" "net/url" 
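Review bot: The three mTLS locations only gate on `$ssl_client_verify` and then `proxy_pass` without forwarding any client-certificate identity, so `snoop-api` sees an anonymous request on `/records/upload`, `/tasks` and `/renew` and cannot bind the action — a renewal in particular — to the device that actually authenticated. Unless this is already done at `server` level outside the hunk, add `proxy_set_header X-Client-Cert-Serial $ssl_client_serial;` and `proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;` (plus `proxy_set_header Host $host;`, as the `/whip/` location does) to each of them; `proxy_set_header` also overwrites any client-supplied value of those headers, and the upstream must only honour them on requests arriving from nginx since `snoop-api:8080` is plain HTTP on the compose network. Narrowing `^~ /api/records` to `^~ /api/records/upload` drops the mTLS requirement from every other `/api/records…` path; whether those now fall through to an unguarded `location /api/` is not visible in this hunk and should be checked before merging.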
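Review bot: The comment `# MediaMTX WebRTC (WHIP/WHEP/test)` above the renamed location is now stale: only `/whip/` is proxied, WHEP and the test page no longer have a route here, and the `Upgrade`/`Connection` headers were removed; change it to `# MediaMTX WHIP ingest (mTLS-guarded; WHEP/test page not exposed)`. `client_max_body_size 35m` is far beyond what a WHIP request carries (an SDP offer or ICE PATCH is a few kilobytes) and, together with `proxy_request_buffering off`, lets any client-certificate holder push 35 MB bodies straight at MediaMTX per request; `client_max_body_size 1m;` is ample. MediaMTX documents its WHIP endpoint as `/<stream>/whip`, so a prefix match on `/whip/` only reaches streams whose path itself begins with `whip/` — worth confirming against the URL the device client actually uses.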
@@ -108,7 +109,7 @@ func (h *CertsHandler) Enroll(c *gin.Context) { defer cancel() sign, err := h.pki.SignCSR(ctx, csr, "urn:device:"+guid, h.ttl) if err != nil { - c.JSON(http.StatusBadGateway, gin.H{"error": "vault sign failed"}) + c.JSON(http.StatusBadGateway, gin.H{"error": fmt.Sprintf("vault sign failed: %s", err)}) return }
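Review bot: The changed `c.JSON` now returns the `h.pki.SignCSR` error text verbatim to the enrolling client, which turns Vault's messages (PKI mount path, role name, policy-denied text, response bodies) into an information disclosure on what is presumably the unauthenticated bootstrap endpoint. Log the detail server-side and keep the generic response: `log.Printf("enroll %s: vault sign failed: %v", guid, err)` (or the logger the handler already uses) followed by the original `c.JSON(http.StatusBadGateway, gin.H{"error": "vault sign failed"})`. If clients genuinely need to distinguish failure classes, return a stable error code rather than the wrapped message, and prefer `%v` over `%s` for errors in any remaining `fmt` call. `Enroll` starts and ends outside this hunk.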