
@ -3,127 +3,81 @@
# server 127.0.0.1:8080; # server 127.0.0.1:8080;
# server 172.18.10.8:8080; # server 172.18.10.8:8080;
# } # }
server { server {
listen 80; listen 80;
server_name comp.soict.io; server_name comp.soict.io;
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
root /var/www/certbot; root /var/www/certbot;
} }
location / { location / {
# root /usr/share/nginx/html;
# index index.html index.htm;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
} }
server { server{
listen 443 ssl; listen 443 ssl;
server_name comp.soict.io; server_name comp.soict.io;
ssl_certificate /etc/letsencrypt/live/comp.soict.io/fullchain.pem; ssl_certificate /etc/letsencrypt/live/comp.soict.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/comp.soict.io/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/comp.soict.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5; ssl_ciphers HIGH:!aNULL:!MD5;
# MeshCentral proxied flow can set sizable auth cookies.
client_header_buffer_size 16k;
large_client_header_buffers 8 32k;
# Required when proxy_pass uses variables.
# In Docker, 127.0.0.11 is the embedded DNS resolver.
resolver 127.0.0.11 valid=30s ipv6=off;
resolver_timeout 5s;
set $backend_server 172.18.10.8:8080; set $backend_server 172.18.10.8:8080;
# Internal MeshCentral hop to avoid upstream TLS handshake instability. set $meshserver 172.18.10.8:8082;
set $meshserver meshcentral:8082; # MeshCentral traffic should go through backend proxy controller
# Public host MeshCentral expects in Host header. # (api/meshcentral/proxy/*) for consistent auth/cookie/header handling.
set $meshhost soict-overleaf.tailc51e09.ts.net;
root /usr/share/nginx/html; root /usr/share/nginx/html;
# Default file to serve for directory requests
index index.html index.htm; index index.html index.htm;
# MeshCentral auth entrypoint. If iframe/browser lands on /login due to
# redirect, keep it on MeshCentral instead of frontend routing.
location = /login {
proxy_pass http://$meshserver;
proxy_http_version 1.1;
proxy_set_header Host $meshhost;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
proxy_buffering off;
}
# MeshCentral may redirect to "/" with remote params after login.
# Detect those requests and proxy them to MeshCentral instead of SPA.
location = / {
if ($arg_node != "") {
rewrite ^ /__mesh_root_proxy__ last;
}
if ($arg_viewmode != "") {
rewrite ^ /__mesh_root_proxy__ last;
}
if ($arg_gotonode != "") {
rewrite ^ /__mesh_root_proxy__ last;
}
try_files $uri $uri/ /index.html;
}
location = /__mesh_root_proxy__ {
proxy_pass http://$meshserver;
proxy_http_version 1.1;
proxy_set_header Host $meshhost;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
proxy_buffering off;
}
location / { location / {
# Try to serve the requested file directly ($uri)
# If it's a directory, try serving the index file ($uri/)
# If neither exists, fall back to serving /index.html
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
} }
# Optional: Add cache control headers for static assets for better performance
location ~* \.(?:css|js|jpg|jpeg|gif|png|ico|svg|webp)$ { location ~* \.(?:css|js|jpg|jpeg|gif|png|ico|svg|webp)$ {
expires 1y; expires 1y;
add_header Cache-Control "public"; add_header Cache-Control "public";
access_log off; access_log off; # Optional: Don't log accesses for static files
} }
location /api/ { location /api/ {
proxy_pass http://$backend_server; proxy_pass http://$backend_server;
# Cho phép upload file lớn (vd: 200MB)
client_max_body_size 200M; client_max_body_size 200M;
# Truyền thẳng stream sang backend
proxy_request_buffering off; proxy_request_buffering off;
# Tăng timeout khi upload
proxy_read_timeout 300s; proxy_read_timeout 300s;
proxy_connect_timeout 300s; proxy_connect_timeout 300s;
proxy_send_timeout 300s; proxy_send_timeout 300s;
# CORS headers - Comment vi da xu ly o backend C#
# add_header 'Access-Control-Allow-Origin' '*' always;
# add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
# add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always;
if ($request_method = OPTIONS) { if ($request_method = OPTIONS) {
return 204; return 204;
} }
} }
location /api/Sse/events { location /api/Sse/events {
proxy_pass http://$backend_server/api/Sse/events; proxy_pass http://$backend_server/api/Sse/events;
proxy_http_version 1.1; proxy_http_version 1.1;
# cần thiết cho SSE
proxy_set_header Connection ''; proxy_set_header Connection '';
proxy_buffering off; proxy_buffering off;
proxy_cache off; proxy_cache off;
@ -131,15 +85,18 @@ server {
} }
# MeshCentral client builds WebSocket URL from current location, # MeshCentral client builds WebSocket URL from current location,
# e.g. wss://comp.soict.io/control.ashx. # e.g. wss://comp.soict.io/control.ashx. Route these root endpoints
# to meshserver so browser URL stays on comp.soict.io while upstream
# is forced to 172.18.10.8:8082.
location ~ ^/(control|meshrelay|commander|mesh)\.ashx$ { location ~ ^/(control|meshrelay|commander|mesh)\.ashx$ {
proxy_pass http://$meshserver; proxy_pass https://$meshserver;
proxy_ssl_verify off;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_set_header Host $meshhost; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
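Review bot: `proxy_ssl_verify off;` on the new side turns the switch to `proxy_pass https://$meshserver;` into unauthenticated TLS: nginx will accept whatever certificate is presented at 172.18.10.8:8082, so anything able to answer on that address inside the Docker network can terminate the control.ashx/meshrelay.ashx WebSocket sessions, which are the ones carrying MeshCentral logins and agent traffic. If the upstream certificate is self-signed or internal, pin it rather than disable checking, e.g. `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/nginx/certs/meshcentral-ca.pem;` and `proxy_ssl_server_name on;` together with a `proxy_ssl_name` matching the name in that certificate, since the upstream is addressed by IP. The `Host` header also changes from the removed `$meshhost` (the Tailscale name `soict-overleaf.tailc51e09.ts.net` on the old side) to `$host`; if MeshCentral's host/origin checks were configured for the Tailscale name, `comp.soict.io` presumably needs to be allowed there as well — worth confirming before relying on the new routing. This `location ~ ^/(control|meshrelay|commander|mesh)\.ashx$` block continues past the end of the hunk, so its remaining headers and closing brace are not visible here.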
@ -155,22 +112,18 @@ server {
} }
location ^~ /api/meshcentral/proxy/ { location ^~ /api/meshcentral/proxy/ {
# Forward directly to MeshCentral, but strip proxy prefix first. # Forward to backend MeshCentralProxyController (api/meshcentral/proxy/*)
# Without this, upstream sees /api/meshcentral/proxy/* and can redirect-loop. # so backend can handle MeshCentral auth/session consistently.
rewrite ^/api/meshcentral/proxy/(.*)$ /$1 break; proxy_pass http://$backend_server;
proxy_pass http://$meshserver;
proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None"; proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";
proxy_set_header Host $meshhost; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
# Keep browser navigation under /api/meshcentral/proxy/*. # Cấu hình WebSocket/SSE cho MeshCentral
proxy_redirect ~^https?://[^/]+(/.*)$ /api/meshcentral/proxy$1;
proxy_redirect ~^(/.*)$ /api/meshcentral/proxy$1;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
@ -184,7 +137,7 @@ server {
return 301 /meshapi/api/meshcentral/proxy/; return 301 /meshapi/api/meshcentral/proxy/;
} }
location ^~ /meshapi/api/meshcentral/proxy/ { location ^~ /meshapi/api/meshcentral/proxy/ {
# Legacy frontend path -> backend MeshCentralProxyController # Legacy frontend path -> backend MeshCentralProxyController
rewrite ^/meshapi/api/meshcentral/proxy/(.*)$ /$1 break; rewrite ^/meshapi/api/meshcentral/proxy/(.*)$ /$1 break;
proxy_pass http://$backend_server; proxy_pass http://$backend_server;