nessi/NexaPG
1
0
Fork 0
Code Issues 16 Pull Requests Actions Packages Projects Releases 14 Activity
Files
6093c5dea8da83b80dbecd94fa977444c23c6d5c
NexaPG/ops/scripts/validate_proxy_profile.sh
nessi 6093c5dea8
All checks were successful
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Successful in 2m40s
Details
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
Details
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 7s
Details
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
Details
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
Details
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 8s
Details
Proxy Profile Validation / validate (push) Successful in 3s
Details
[NX-203 Issue] Add production proxy profile with validation and documentation 
Introduced a secure, repeatable production proxy profile for reverse proxy and HTTPS deployment, including NGINX configuration, environment variables, and CORS guidance. Added CI workflow for static validation of proxy guardrails and detailed documentation to ensure best practices in deployment.
2026-02-15 12:10:41 +01:00

39 lines
1.4 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
echo "[proxy-profile] validating reverse-proxy and mixed-content guardrails"
require_pattern() {
local file="$1"
local pattern="$2"
local message="$3"
if ! grep -Eq "$pattern" "$file"; then
echo "[proxy-profile] FAIL: $message ($file)"
exit 1
fi
}
# Frontend should default to relative API base in container builds.
require_pattern "frontend/Dockerfile" "ARG VITE_API_URL=/api/v1" \
"VITE_API_URL default must be relative (/api/v1)"
# Frontend runtime proxy should forward /api with forward headers.
require_pattern "frontend/nginx.conf" "location /api/" \
"frontend nginx must proxy /api/"
require_pattern "frontend/nginx.conf" "proxy_set_header X-Forwarded-Proto" \
"frontend nginx must set X-Forwarded-Proto"
require_pattern "frontend/nginx.conf" "proxy_set_header X-Forwarded-For" \
"frontend nginx must set X-Forwarded-For"
require_pattern "frontend/nginx.conf" "proxy_set_header Host" \
"frontend nginx must forward Host"
# Mixed-content guard in frontend API client.
require_pattern "frontend/src/api.js" "window\\.location\\.protocol === \"https:\".*parsed\\.protocol === \"http:\"" \
"frontend api client must contain HTTPS mixed-content protection"
# Production profile must not use wildcard CORS.
require_pattern "ops/profiles/prod/.env.production.example" "^CORS_ORIGINS=https://[^*]+$" \
"production profile must use explicit HTTPS CORS origins"
echo "[proxy-profile] PASS"
Reference in New Issue View Git Blame Copy Permalink