feat: nginx + deployment

Author: minhhoccode111

.github/workflows/deploy.yml

@@ -0,0 +1,59 @@
+name: Deploy Realworld React
+
+on:
+  push:
+    branches: [release]
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/realworld-react:latest
+            ${{ secrets.DOCKERHUB_USERNAME }}/realworld-react:${{ github.sha }}
+          target: builder
+
+      - name: Deploy to VPS
+        env:
+          VITE_APP_API_URL: ${{ secrets.VITE_APP_API_URL }}
+          VITE_APP_APP_URL: ${{ secrets.VITE_APP_APP_URL }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+
+          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no deploy@$VPS_HOST << EOF
+            # Pull latest image
+            docker pull $DOCKERHUB_USERNAME/realworld-react:latest
+
+            # Extract build artifacts
+            docker run --rm -v /tmp/react-build:/output \
+              $DOCKERHUB_USERNAME/realworld-react:latest \
+              sh -c "cp -r /app/dist/* /output/"
+
+            # Copy to web directory
+            sudo rm -rf /var/www/realworld-react/*
+            sudo cp -r /tmp/react-build/* /var/www/realworld-react/
+            sudo chown -R www-data:www-data /var/www/realworld-react
+
+            # Cleanup
+            rm -rf /tmp/react-build
+          EOF

nginx/nginx.conf

@@ -0,0 +1,141 @@
+# SSL Certificate Setup Instructions:
+#
+# 1. Install certbot:
+#    sudo apt update && sudo apt install certbot python3-certbot-nginx
+#
+# 2. Create a temporary nginx config to get certificates (HTTP-01 challenge):
+#    sudo nano /etc/nginx/sites-available/temp
+#
+#    server {
+#        listen 80;
+#        server_name realworld.minhhoccode111.com;
+#        location / {
+#            return 200 "ACME challenge ready";
+#        }
+#    }
+#
+# 3. Enable and test the temporary config:
+#    sudo ln -s /etc/nginx/sites-available/temp /etc/nginx/sites-enabled/temp
+#    sudo nginx -t && sudo systemctl reload nginx
+#
+# 4. Obtain SSL certificate:
+#    sudo certbot certonly --nginx -d realworld.minhhoccode111.com
+#
+# 5. Setup auto-renewal:
+#    sudo certbot renew --dry-run
+#    # Certbot automatically sets up a cron job or systemd timer
+#    sudo systemctl list-timers | grep certbot
+#
+# 6. After obtaining certs, replace temporary config with this full config:
+#    sudo rm /etc/nginx/sites-enabled/temp
+#    sudo cp nginx.conf /etc/nginx/nginx.conf (or add to sites-enabled)
+#    sudo nginx -t && sudo systemctl reload nginx
+#
+# Certificate files will be located at:
+# - /etc/letsencrypt/live/realworld.minhhoccode111.com/fullchain.pem
+# - /etc/letsencrypt/live/realworld.minhhoccode111.com/privkey.pem
+#
+# To test SSL configuration:
+# https://www.ssllabs.com/ssltest/analyze.html?d=realworld.minhhoccode111.com
+#
+# To renew certificates manually:
+# sudo certbot renew --force-renewal
+# sudo systemctl reload nginx
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    sendfile on;
+    sendfile_max_chunk 1m;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+
+    open_file_cache max=1000 inactive=20s;
+    open_file_cache_valid 30;
+    open_file_cache_min_uses 2;
+
+    # Logging
+    # access_log /var/log/nginx/access.log main;
+    error_log /var/log/nginx/error.log;
+
+    # Rate Limit
+    limit_req_zone $binary_remote_addr zone=static_limit:10m rate=30r/s;
+    limit_req_status 429;
+
+    # Compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types
+        text/plain
+        text/css
+        application/json
+        application/javascript
+        text/xml
+        application/xml
+        image/svg+xml;
+
+    # Redirect HTTP to HTTPS
+    server {
+        listen 80;
+        server_name realworld.minhhoccode111.com;
+        return 301 https://$server_name$request_uri;
+    }
+
+    # Frontend static serving
+    server {
+        listen 443 ssl http2;
+        server_name realworld.minhhoccode111.com;
+
+        # TLS certificates
+        ssl_certificate /etc/letsencrypt/live/realworld.minhhoccode111.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/realworld.minhhoccode111.com/privkey.pem;
+
+        # Strong TLS settings
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers off;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 1d;
+
+        # Path to your React 'dist' or 'build' folder
+        root /var/www/realworld-react/dist;
+        index index.html;
+
+        # React Router Fix: Fallback to index.html for SPA routing
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        # Static Assets Caching
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
+            limit_req zone=static_limit burst=20 nodelay;
+
+            etag on;
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+            access_log off;
+        }
+
+        # Security Headers
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
+
+        # Health check
+        location /health {
+            access_log off;
+            return 200 "healthy\n";
+            add_header Content-Type text/plain;
+        }
+    }
+}