
Commit aeaf8cb

feat(deployment): add SSL support with automated certificate management
- Introduce production Docker Compose override for SSL port and volume mapping - Add Nginx SSL template configuration with security headers and proxy settings - Create setup script for Certbot installation, certificate generation, and cron-based renewal - Enable HTTPS redirection and secure API/socket.io routing
1 parent 796535f commit aeaf8cb

3 files changed

Lines changed: 113 additions & 0 deletions


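--- a/apps/web/nginx-ssl.template.conf
+++ b/apps/web/nginx-ssl.template.conf
@@ -0,0 +1,49 @@
+server {
+listen 80;
+server_name YOUR_DOMAIN;
+return 301 https://$host$request_uri;
+}
+
+server {
+listen 443 ssl;
+server_name YOUR_DOMAIN;
+
+ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;
+
+# Configurações de Segurança SSL
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_ciphers HIGH:!aNULL:!MD5;
+
+root /usr/share/nginx/html;
+index index.html;
+
+location = / {
+try_files /index.html =404;
+add_header Cache-Control "public, max-age=300, must-revalidate";
+}
+
+location / {
+try_files $uri $uri/ /spa.html;
+add_header Cache-Control "public, max-age=300, must-revalidate";
+}
+
+location /api/ {
+proxy_pass http://api:3000/;
+proxy_http_version 1.1;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location /socket.io/ {
+proxy_pass http://api:3000/socket.io/;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+}
+}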
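Review bot: The TLS server block on lines 7–49 sets no Strict-Transport-Security header even though the commit description says the template adds security headers; the 301 on line 4 only redirects the current request, so without HSTS every new visit still starts over plain HTTP. I would add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` next to the ssl_* directives, keeping in mind that an `add_header` inside a `location` block (lines 24 and 29) replaces the server-level set, so it has to be repeated there or pulled into a shared include. `ssl_ciphers HIGH:!aNULL:!MD5;` on line 17 is a broad legacy list that under TLS 1.2 still admits CBC suites and static-RSA key exchange without forward secrecy; restricting it to ECDHE/AEAD suites (or a current Mozilla "intermediate" profile) is the usual fix. The /socket.io/ proxy on lines 41–48 also omits X-Forwarded-For and X-Forwarded-Proto, so unlike /api/ (lines 37–38) the backend sees the proxy's address and an http scheme for websocket traffic.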

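--- a/docker-compose.prod.yaml
+++ b/docker-compose.prod.yaml
@@ -0,0 +1,7 @@
+services:
+web:
+ports:
+- "443:443"
+volumes:
+- /etc/letsencrypt:/etc/letsencrypt:ro
+- ./apps/web/nginx-prod.conf:/etc/nginx/conf.d/default.conf:ro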
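Review bot: The bind mount on line 7 targets `./apps/web/nginx-prod.conf`, a file that only exists after `scripts/setup-ssl.sh` has run its sed step; if this override is used before that, Docker creates an empty directory at the host path and the mount onto a file either fails or leaves nginx without this server block (exact behaviour depends on the Docker version, so worth confirming). A comment above the line, `# generated by scripts/setup-ssl.sh from nginx-ssl.template.conf — run that script before using this override`, plus a `.gitignore` entry for the generated file (it embeds the real domain), would make the dependency explicit. The override only publishes 443; the port-80 redirect in the template depends on the base compose file publishing 80, which this diff does not show.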

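--- a/scripts/setup-ssl.sh
+++ b/scripts/setup-ssl.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+DOMAIN=$1
+EMAIL=$2
+
+if [ -z "$DOMAIN" ] || [ -z "$EMAIL" ]; then
+echo "Uso: bash scripts/setup-ssl.sh <seu-dominio.com> <seu-email@exemplo.com>"
+exit 1
+fi
+
+echo "=========================================="
+echo "1. Instalando Certbot no Amazon Linux 2023"
+echo "=========================================="
+sudo dnf install -y python3 augeas-libs
+sudo python3 -m venv /opt/certbot/
+sudo /opt/certbot/bin/pip install --upgrade pip
+sudo /opt/certbot/bin/pip install certbot
+sudo ln -sf /opt/certbot/bin/certbot /usr/bin/certbot
+
+echo "=========================================="
+echo "2. Parando o servidor web para liberar a porta 80"
+echo "=========================================="
+docker compose stop web
+
+echo "=========================================="
+echo "3. Gerando certificado SSL para $DOMAIN"
+echo "=========================================="
+# O Certbot vai subir um servidor temporário na porta 80 para validar o domínio
+sudo certbot certonly --standalone -d $DOMAIN -m $EMAIL --agree-tos --non-interactive
+
+if [ ! -d "/etc/letsencrypt/live/$DOMAIN" ]; then
+echo "❌ Falha ao gerar o certificado SSL. Verifique se o DNS propagou."
+docker compose start web
+exit 1
+fi
+
+echo "=========================================="
+echo "4. Configurando Nginx para usar SSL"
+echo "=========================================="
+# Substitui o domínio no template de configuração e gera o arquivo de produção
+sed "s/YOUR_DOMAIN/$DOMAIN/g" apps/web/nginx-ssl.template.conf > apps/web/nginx-prod.conf
+
+echo "=========================================="
+echo "5. Iniciando os containers com suporte a SSL"
+echo "=========================================="
+docker compose -f docker-compose.yaml -f docker-compose.prod.yaml up -d
+
+echo "=========================================="
+echo "6. Configurando renovação automática (Cron)"
+echo "=========================================="
+# O cron rodará todo dia de madrugada, parando o container apenas se for renovar, e depois ligando novamente.
+CRON_CMD="0 3 * * * root /opt/certbot/bin/certbot renew -q --pre-hook \"cd $(pwd) && docker compose stop web\" --post-hook \"cd $(pwd) && docker compose -f docker-compose.yaml -f docker-compose.prod.yaml start web\""
+echo "$CRON_CMD" | sudo tee /etc/cron.d/certbot-renew > /dev/null
+
+echo "=========================================="
+echo "✅ SSL configurado com sucesso para https://$DOMAIN!"
+echo "=========================================="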
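Review bot: `$DOMAIN` and `$EMAIL` are expanded unquoted in the certbot call on line 29 and `$DOMAIN` is then spliced verbatim into a sed pattern on line 41 and into a root-owned cron entry on line 52, with only an emptiness check on line 6; a value containing whitespace, `/`, `&` or a glob character silently corrupts the certbot command, the generated nginx config or the cron job rather than failing. Since the value arrives from argv, I would validate it as a bare hostname right after the usage check and quote both expansions, as in the excerpt below. I would not reach for `set -e` here, because it would skip the `docker compose start web` recovery on line 33 when certbot exits non-zero; the explicit directory check is the right shape for this script. Separately, the cron line bakes in `$(pwd)` at setup time, so the renewal hooks break if the checkout is moved — a one-line comment above line 52 saying so would save the next maintainer a surprise.
```shell
DOMAIN=$1
EMAIL=$2
# … unchanged: usage check …
# Reject anything that is not a plain hostname: DOMAIN is spliced into a sed
# pattern and into a root cron entry below, so '/', '&', whitespace or glob
# characters would corrupt the generated config or the cron job.
if ! [[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]]; then
  echo "Dominio invalido: $DOMAIN" >&2
  exit 1
fi
# … unchanged: certbot install, docker compose stop web …
sudo certbot certonly --standalone -d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive
# … unchanged: certificate check, sed, compose up, cron …
```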
