feat: add Nginx reverse proxy and SSL configuration

- Introduce Nginx service in docker-compose for handling HTTP/HTTPS traffic. - Configure Nginx with SSL support and health checks for Grafana and Prometheus. - Update env.template to include SERVER_IP and STATUS_PAGE_PASSWORD variables. - Enhance Ansible playbook with tasks for Nginx installation, SSL certificate generation, and configuration management.
2025-09-16 18:31:51 +03:00
parent 30830c5bd9
commit f8d6b92fd2
8 changed files with 483 additions and 0 deletions
--- a/infra/nginx/conf.d/grafana.conf
+++ b/infra/nginx/conf.d/grafana.conf
@@ -0,0 +1,32 @@
+# Grafana reverse proxy configuration
+upstream grafana_backend {
+    server grafana:3000;
+    keepalive 32;
+}
+
+# Grafana proxy configuration
+location /grafana/ {
+    proxy_pass http://grafana_backend/;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Port $server_port;
+
+    # WebSocket support for Grafana
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    # Timeouts
+    proxy_connect_timeout 60s;
+    proxy_send_timeout 60s;
+    proxy_read_timeout 60s;
+
+    # Buffer settings
+    proxy_buffering on;
+    proxy_buffer_size 4k;
+    proxy_buffers 8 4k;
+    proxy_busy_buffers_size 8k;
+}
--- a/infra/nginx/conf.d/prometheus.conf
+++ b/infra/nginx/conf.d/prometheus.conf
@@ -0,0 +1,34 @@
+# Prometheus reverse proxy configuration
+upstream prometheus_backend {
+    server prometheus:9090;
+    keepalive 32;
+}
+
+# Prometheus proxy configuration
+location /prometheus/ {
+    proxy_pass http://prometheus_backend/;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Port $server_port;
+
+    # Timeouts
+    proxy_connect_timeout 30s;
+    proxy_send_timeout 30s;
+    proxy_read_timeout 30s;
+
+    # Buffer settings
+    proxy_buffering on;
+    proxy_buffer_size 4k;
+    proxy_buffers 8 4k;
+    proxy_busy_buffers_size 8k;
+}
+
+# Health check endpoint
+location /prometheus/-/healthy {
+    proxy_pass http://prometheus_backend/-/healthy;
+    proxy_set_header Host $host;
+    access_log off;
+}
--- a/infra/nginx/conf.d/status.conf
+++ b/infra/nginx/conf.d/status.conf
@@ -0,0 +1,24 @@
+# Status page configuration (for future uptime kuma integration)
+
+# Rate limiting for status page
+location /status {
+    # Basic authentication for status page
+    auth_basic "Status Page Access";
+    auth_basic_user_file /etc/nginx/.htpasswd;
+    
+    # Placeholder for future uptime kuma integration
+    # For now, show nginx status
+    access_log off;
+    return 200 '{"status": "ok", "nginx": "running", "timestamp": "$time_iso8601"}';
+    add_header Content-Type application/json;
+}
+
+# Nginx status stub (for monitoring)
+location /nginx_status {
+    stub_status on;
+    access_log off;
+    allow 127.0.0.1;
+    allow 172.16.0.0/12;  # Docker networks
+    allow 192.168.0.0/16; # Private networks
+    deny all;
+}