nessi/NexaPG
1
0
Fork 0
Code Issues 16 Pull Requests Actions Packages Projects Releases 14 Activity

[NX-203 Issue] Add production proxy profile with validation and documentation
All checks were successful
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Successful in 2m40s
Details
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
Details
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 7s
Details
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
Details
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
Details
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 8s
Details
Proxy Profile Validation / validate (push) Successful in 3s
Details

Browse Source 
Introduced a secure, repeatable production proxy profile for reverse proxy and HTTPS deployment, including NGINX configuration, environment variables, and CORS guidance. Added CI workflow for static validation of proxy guardrails and detailed documentation to ensure best practices in deployment.
This commit is contained in:
Sascha Nesterovic
2026-02-15 12:10:41 +01:00
parent 84bc7b0384
commit 6093c5dea8
8 changed files with 266 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
docs/deployment/proxy-production-profile.md Normal file
View File

@@ -0,0 +1,78 @@
# Production Proxy Profile (HTTPS)
This profile defines a secure and repeatable NexaPG deployment behind a reverse proxy.
## Included Profile Files
- `ops/profiles/prod/.env.production.example`
- `ops/profiles/prod/nginx/nexapg.conf`
## CORS Recommendations by Environment
| Environment | Recommended `CORS_ORIGINS` | Notes |
|---|---|---|
| `dev` | `*` or local explicit origins | `*` is acceptable only for local/dev usage. |
| `staging` | Exact staging UI origins | Example: `https://staging-monitor.example.com` |
| `prod` | Exact production UI origin(s) only | No wildcard; use comma-separated HTTPS origins if needed. |
Examples:
```env
# dev only
CORS_ORIGINS=*
# staging
CORS_ORIGINS=https://staging-monitor.example.com
# prod
CORS_ORIGINS=https://monitor.example.com
```
## Reverse Proxy Requirements
For stable auth, CORS, and request context handling, forward these headers to backend:
- `Host`
- `X-Real-IP`
- `X-Forwarded-For`
- `X-Forwarded-Proto`
- `X-Forwarded-Host`
- `X-Forwarded-Port`
Also forward API paths:
- `/api/` -> backend service (`:8000`)
## Mixed-Content Prevention
NexaPG frontend is designed to avoid mixed-content in HTTPS mode:
- Build/runtime default API base is relative (`/api/v1`)
- `frontend/src/api.js` upgrades `http` API URL to `https` when page runs on HTTPS
Recommended production setting:
```env
VITE_API_URL=/api/v1
```
## Validation Checklist
1. Open app over HTTPS and verify:
- login request is `https://.../api/v1/auth/login`
- no browser mixed-content errors in console
2. Verify CORS behavior:
- allowed origin works
- unknown origin is blocked
3. Verify backend receives forwarded protocol:
- proxied responses succeed with no redirect/proto issues
## CI Validation
`Proxy Profile Validation` workflow runs static guardrail checks:
- relative `VITE_API_URL` default
- required API proxy path in frontend NGINX config
- required forwarded headers
- HTTPS mixed-content guard in frontend API resolver
- production profile forbids wildcard CORS