feat: CI/CD pipeline setup complete - Ansible playbooks updated, secrets configured, workflow ready

docker/nginx/default.traefik.conf

@@ -0,0 +1,114 @@
+# Nginx Configuration for Traefik Integration
+# Traefik handles SSL termination - this listens on HTTP:80 only
+
+upstream php-upstream {
+    server 127.0.0.1:9000;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    root /var/www/html/public;
+    index index.php index.html;
+
+    # Security headers (Traefik may add more)
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+
+    # Gzip
+    gzip on;
+    gzip_vary on;
+    gzip_types text/css application/javascript application/json image/svg+xml;
+    gzip_comp_level 5;
+
+    # Health check endpoint
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+
+    # Static assets with caching
+    location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        try_files $uri =404;
+    }
+
+    location ~* \.(css|js|map)$ {
+        expires 1w;
+        add_header Cache-Control "public, max-age=604800";
+        try_files $uri =404;
+    }
+
+    # Service Worker
+    location = /sw.js {
+        alias /var/www/html/public/sw.js;
+        add_header Cache-Control "no-cache, must-revalidate";
+        add_header Service-Worker-Allowed "/";
+    }
+
+    location = /js/sw-push.js {
+        alias /var/www/html/public/js/sw-push.js;
+        add_header Cache-Control "no-cache, must-revalidate";
+        add_header Service-Worker-Allowed "/";
+        add_header Content-Type "application/javascript; charset=utf-8";
+    }
+
+    # Main application
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+        autoindex off;
+    }
+
+    # PHP-FPM
+    location ~ \.php$ {
+        try_files $uri =404;
+        include fastcgi_params;
+        fastcgi_pass php-upstream;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_param APP_ENV production;
+
+        # Traefik terminates SSL, but tell app it's HTTPS
+        fastcgi_param HTTPS $http_x_forwarded_proto;
+        fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
+
+        fastcgi_read_timeout 60s;
+        fastcgi_connect_timeout 60s;
+        fastcgi_send_timeout 60s;
+        fastcgi_buffer_size 128k;
+        fastcgi_buffers 4 256k;
+        fastcgi_busy_buffers_size 256k;
+        fastcgi_keep_conn on;
+        fastcgi_hide_header X-Powered-By;
+    }
+
+    # Deny access to hidden files
+    location ~ /\.(?!well-known).* {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Prevent PHP execution in uploads
+    location ~* /(?:uploads|files)/.*\.php$ {
+        deny all;
+    }
+
+    # Error pages
+    error_page 404 /errors/404.html;
+    error_page 403 /errors/403.html;
+    error_page 500 502 503 504 /errors/50x.html;
+
+    location /errors/ {
+        internal;
+    }
+
+    server_tokens off;
+}