website/helm/ezscale-website/templates/configmap-nginx.yaml
Andrew 4ff3048dd3 fix(helm): hardening from review
- _helpers.tpl: required guard on image.tag — silent empty deploys can
  no longer happen; helm fails fast with a clear message.
- configmap-nginx: HTTPS fastcgi param uses if_not_empty, so PHP only
  sees HTTPS when X-Forwarded-Proto is actually present.
- deployment-app: add startupProbe with 100s budget so first-boot cache
  warmup doesn't trip liveness.
- deployment-horizon: failureThreshold=5 on the horizon:status probe;
  transient Valkey blips no longer cause restart loops.
- job-migrate: mount oauth-keys so seeders that touch Passport clients
  don't silently fail.
- statefulset-valkey: replace separate password Secret with a
  requirePassword toggle that reads REDIS_PASSWORD from the main chart
  Secret (same Secret app/horizon/scheduler already mount). Liveness
  probe authenticates with the password when set.
- values-us-prod: enable valkey.requirePassword.
- README: add REDIS_PASSWORD to bootstrap procedure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 23:08:10 -04:00


apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "ezscale-website.fullname" . }}-nginx
  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
data:
  default.conf: |
    server {
        listen 80 default_server;
        server_name _;
        root /var/www/html/public;
        index index.php index.html;
        client_max_body_size 50M;
        charset utf-8;

        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT $realpath_root;
            fastcgi_param HTTP_PROXY "";
            # Pass HTTPS to PHP only when X-Forwarded-Proto is non-empty.
            # if_not_empty avoids the param being set to "" when the header
            # is missing (which would falsely satisfy isset($_SERVER['HTTPS'])).
            fastcgi_param HTTPS $http_x_forwarded_proto if_not_empty;
            fastcgi_buffers 16 16k;
            fastcgi_buffer_size 32k;
            fastcgi_read_timeout 300;
        }

        location ~ /\.(?!well-known).* {
            deny all;
            access_log off;
            log_not_found off;
        }
    }
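The `if_not_empty` change in the commit message and the config comment above can be checked without running nginx. The following is an added illustration, not part of the chart: it emulates both spellings of the `fastcgi_param HTTPS` directive over three constructed requests and reports what PHP's `isset($_SERVER['HTTPS'])` would see.

```python
"""Model of how nginx's fastcgi_param directive hands HTTPS to PHP-FPM.

Added illustration, not part of the chart. It emulates the two spellings
of the directive so the effect of `if_not_empty` on isset($_SERVER['HTTPS'])
can be checked offline.
"""


def build_fastcgi_params(headers, if_not_empty):
    """Return the FastCGI params nginx would send for the HTTPS directive.

    `headers` is the request header map. nginx exposes X-Forwarded-Proto as
    $http_x_forwarded_proto, which is the empty string when the header is
    absent. With `if_not_empty`, an empty value means the param is not sent.
    Without it, nginx sends HTTPS="" and PHP sees the key as set.
    """
    value = headers.get("X-Forwarded-Proto", "")  # $http_x_forwarded_proto
    params = {}
    if value or not if_not_empty:
        params["HTTPS"] = value
    return params


def php_isset_https(params):
    """PHP's isset($_SERVER['HTTPS']): true for any present key, even ''."""
    return "HTTPS" in params


# Constructed requests: no header at all, a request the proxy marks as TLS,
# and one it marks as plain HTTP. Note that if_not_empty only addresses the
# missing-header case; a non-"https" value is still passed through as-is, so
# the PHP side must inspect the value rather than rely on isset() alone.
REQUESTS = {
    "no_header": {},
    "tls": {"X-Forwarded-Proto": "https"},
    "plain": {"X-Forwarded-Proto": "http"},
}


def compare_directives():
    """Map each request to (isset without if_not_empty, isset with it)."""
    return {
        name: (
            php_isset_https(build_fastcgi_params(h, if_not_empty=False)),
            php_isset_https(build_fastcgi_params(h, if_not_empty=True)),
        )
        for name, h in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (old, new) in compare_directives().items():
        print(f"{name:10} without if_not_empty={old!s:5} with if_not_empty={new}")
```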