# Production infrastructure

## Architecture

```
Internet → VPS (public IP, nginx + TLS)
    ↕ WireGuard tunnel (encrypted, home IP hidden)
192.168.2.66 (nginx, port 80)
    ↓ LAN
192.168.2.33 (docker-compose, port 80)
```

- The home IP is never exposed publicly
- TLS terminates on the VPS; the hop to .66 is plain HTTP carried inside the WireGuard tunnel
- `.66` initiates the WireGuard connection to the VPS: zero port forwarding on the home router

---

## 1. WireGuard

### Installation (VPS and .66)

```bash
apt install wireguard
```

### VPS: key generation

```bash
umask 077   # private key file is 0600 from the moment it is created
wg genkey | tee /etc/wireguard/vps_private.key | wg pubkey > /etc/wireguard/vps_public.key
```

### .66: key generation

```bash
umask 077
wg genkey | tee /etc/wireguard/home_private.key | wg pubkey > /etc/wireguard/home_public.key
```

### `/etc/wireguard/wg0.conf` on the VPS

```ini
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = 

[Peer]
# .66 home server
PublicKey = 
AllowedIPs = 10.10.0.2/32
```

### `/etc/wireguard/wg0.conf` on .66

```ini
[Interface]
Address = 10.10.0.2/24
PrivateKey = 

[Peer]
# VPS
PublicKey = 
Endpoint = :51820
AllowedIPs = 10.10.0.1/32
PersistentKeepalive = 25
```

> `PersistentKeepalive = 25` keeps the tunnel open through the home router's NAT: .66 sends a packet every 25 s, so the router's UDP mapping never expires and the VPS can always reach .66 without any inbound rule on the router. `AllowedIPs` is a single /32 on each side, so the tunnel carries only the two tunnel addresses; WireGuard silently drops packets with any other source address. `wg0.conf` contains the private key, so keep it mode 0600 (`wg-quick` warns when it is world-readable).

### Start (both machines)

```bash
systemctl enable --now wg-quick@wg0
```

### Verification

```bash
wg show            # tunnel status: the peer should show a recent "latest handshake"
ping 10.10.0.1     # from .66 to the VPS
ping 10.10.0.2     # from the VPS to .66
```

---
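`ping` proves the tunnel at setup time, but in this topology the thing that fails later is the handshake: an ISP address change, a router reboot or a lost UDP mapping leaves `wg0` up while no traffic flows, and the keepalive only preserves a mapping that already works. The following shell check is an added example, not code from q2dropzone: it parses `wg show wg0 dump` and exits non-zero when no peer has completed a handshake within the last `MAX_AGE` seconds, so it can run from cron or a systemd timer on .66. The embedded sample dump is constructed (placeholder keys, a documentation IP), and the 180 s threshold is an assumption chosen to sit well above the 25 s keepalive.

```shell
#!/usr/bin/env bash
# Added example, not part of q2dropzone: WireGuard tunnel liveness check.
# `wg show wg0 dump` prints one interface line, then one tab-separated line per peer:
#   pubkey  psk  endpoint  allowed-ips  latest-handshake  rx-bytes  tx-bytes  keepalive
# latest-handshake is a Unix timestamp (0 = never). With a 25 s keepalive a live peer
# re-handshakes every couple of minutes, so anything older than MAX_AGE (assumed 180 s)
# means the Endpoint is unreachable or the keys do not match.
set -eu

MAX_AGE="${MAX_AGE:-180}"

# wg_handshake_age DUMP NOW -> seconds since the newest peer handshake in DUMP,
# or "never" when no peer has ever completed one.
wg_handshake_age() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" '
        BEGIN { latest = 0 }
        NR > 1 && NF >= 5 && ($5 + 0) > latest { latest = $5 + 0 }
        END { if (latest == 0) print "never"; else print now - latest }'
}

# wg_tunnel_ok DUMP NOW -> exit 0 iff the newest handshake is younger than MAX_AGE.
wg_tunnel_ok() {
    local age
    age="$(wg_handshake_age "$1" "$2")"
    [ "$age" != "never" ] && [ "$age" -lt "$MAX_AGE" ]
}

# Constructed sample of `wg show wg0 dump` output: placeholder keys, one peer that
# last handshook at 1700000000.
SAMPLE_DUMP="$(printf 'PRIVKEY\tPUBKEY\t51820\toff\nPEERPUB\t(none)\t203.0.113.10:51820\t10.10.0.1/32\t1700000000\t4096\t8192\t25\n')"

# check_interface IFACE -> report on the live interface (needs root); exit 1 when stale.
check_interface() {
    local dump now age
    dump="$(wg show "$1" dump)"
    now="$(date +%s)"
    age="$(wg_handshake_age "$dump" "$now")"
    if wg_tunnel_ok "$dump" "$now"; then
        echo "$1: last handshake ${age}s ago, tunnel ok"
    else
        echo "$1: no handshake within ${MAX_AGE}s (age: $age); check Endpoint, keys and UDP 51820" >&2
        return 1
    fi
}

# Offline demonstration on the sample: 100 s after the handshake passes, 500 s fails.
if wg_tunnel_ok "$SAMPLE_DUMP" 1700000100; then echo "sample at +100s: ok"; fi
if ! wg_tunnel_ok "$SAMPLE_DUMP" 1700000500; then echo "sample at +500s: stale"; fi
# The real check runs only when invoked with an interface name, e.g. `./wg-check.sh wg0`.
if [ $# -gt 0 ]; then check_interface "$1"; fi
```

Wire it up as `*/5 * * * * /usr/local/bin/wg-check.sh wg0` (or a systemd timer) and alert on the non-zero exit; on .66 a stale handshake almost always means the VPS `Endpoint` changed or UDP 51820 is no longer reachable, not that `wg-quick` needs a restart.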
## 2. Nginx on the VPS

### TLS certificate

```bash
apt install certbot python3-certbot-nginx
certbot certonly --nginx -d q2dropzone.xyz
```

The `--nginx` authenticator answers the HTTP-01 challenge over port 80, so the `80/tcp` rule from section 4 must already be in place and the DNS record must already point at the VPS. Obtain the certificate before enabling the HTTPS server block below: it references the Let's Encrypt files, and `nginx -t` fails while they do not exist. Renewal is handled by certbot's timer; `certbot renew --dry-run` confirms it works.

### `/etc/nginx/sites-available/q2dropzone.xyz`

```nginx
server {
    listen 80;
    server_name q2dropzone.xyz;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name q2dropzone.xyz;

    ssl_certificate     /etc/letsencrypt/live/q2dropzone.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/q2dropzone.xyz/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # no TLS 1.0/1.1

    # large uploads are streamed, so the hop is allowed to be slow
    client_max_body_size 6g;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    proxy_connect_timeout 60s;

    location / {
        proxy_pass http://10.10.0.2:80;      # .66 through the WireGuard tunnel
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;               # the actual client here
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```

```bash
ln -s /etc/nginx/sites-available/q2dropzone.xyz /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx
```

---

## 3. Nginx on .66

On this hop `$remote_addr` is always `10.10.0.1` (the VPS end of the tunnel), so copying it into `X-Real-IP` would overwrite the real client address the VPS already placed there. Pass the incoming header through instead. `X-Forwarded-For` is appended to rather than replaced, so it is correct as-is and reaches .33 as `<client>, 10.10.0.1`.

### `/etc/nginx/sites-available/q2dropzone.xyz`

```nginx
server {
    listen 80;
    server_name q2dropzone.xyz;

    client_max_body_size 6g;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    proxy_connect_timeout 60s;

    location / {
        proxy_pass http://192.168.2.33:80;   # .33 over the LAN
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_x_real_ip;            # forward the VPS's value, not 10.10.0.1
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```

```bash
ln -s /etc/nginx/sites-available/q2dropzone.xyz /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx
```

---

## 4. Firewall

### VPS

```bash
ufw allow OpenSSH        # or your SSH port: add it BEFORE `ufw enable` or you lock yourself out
ufw allow 51820/udp      # WireGuard
ufw allow 80/tcp         # HTTP (redirect to HTTPS, and the certbot challenge)
ufw allow 443/tcp        # HTTPS
ufw enable
```

### .66

```bash
# first allow your own SSH access from the LAN, as on the VPS; then:
# port 80 only from the VPS's WireGuard address, arriving on the tunnel interface
ufw allow in on wg0 from 10.10.0.1 to any port 80
ufw deny 80
ufw enable
```

ufw evaluates rules in order, so the allow is added before the deny and matches first. `AllowedIPs` already guarantees that the only source address that can appear on `wg0` is `10.10.0.1`, so this rule is belt-and-braces; the `deny 80` (together with ufw's default deny-incoming policy) is what stops other LAN hosts from reaching nginx on .66 directly. No firewall is shown for .33; note that Docker publishes ports through its own iptables chain and bypasses ufw, so restricting .33 to traffic from .66 has to be done in `DOCKER-USER` rules or on the LAN, not with plain ufw rules.

---
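Both nginx hops set `X-Forwarded-For` with `$proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever the request already carried. That has a consequence for the Go backend on .33: an honest request arrives as `<client>, 10.10.0.1`, but a client that sends its own `X-Forwarded-For` can prepend arbitrary entries, so the backend must never take the leftmost address. It should walk the list from the right, skipping the proxies it knows (.66 as the TCP peer, `10.10.0.1` as the VPS), and use the first address that is not one of ours. The following shell script is an added example, not code from q2dropzone, that models the two hops and that resolution; `203.0.113.5` and `198.51.100.9` are constructed test addresses and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not part of the q2dropzone repo: what X-Forwarded-For looks like at
# each hop of this setup, and how the backend on .33 should pick the client IP out of it.
set -eu

CLIENT=203.0.113.5      # constructed public client address
VPS_WG=10.10.0.1        # the VPS as seen by .66 (its WireGuard address)
HOME66=192.168.2.66     # .66 as seen by .33 (its LAN address)

# xff_after_hop XFF_IN REMOTE_ADDR -> the value nginx's $proxy_add_x_forwarded_for
# produces at a hop: "<incoming>, <remote_addr>", or just <remote_addr> if none came in.
xff_after_hop() {
    if [ -n "$1" ]; then printf '%s, %s\n' "$1" "$2"; else printf '%s\n' "$2"; fi
}

# client_ip_from_xff XFF REMOTE_ADDR TRUSTED_PROXY... -> the client address.
# Walks the list from the RIGHT, skipping proxies we operate; the first address that
# is not ours was appended by our outermost proxy and is the real peer. Anything
# further left was supplied by the client and is not trusted. If the TCP peer itself
# is not a trusted proxy, the header is ignored entirely.
client_ip_from_xff() {
    local xff="$1" remote="$2" trusted ip
    shift 2
    trusted=" $* "
    case "$trusted" in
        *" $remote "*) ;;
        *) printf '%s\n' "$remote"; return 0 ;;
    esac
    for ip in $(printf '%s\n' "$xff" | tr -d ' ' | tr ',' '\n' \
                | awk '{ a[NR] = $0 } END { for (i = NR; i > 0; i--) if (a[i] != "") print a[i] }'); do
        case "$trusted" in
            *" $ip "*) continue ;;           # one of our hops, keep walking left
        esac
        printf '%s\n' "$ip"
        return 0
    done
    printf '%s\n' "$remote"                  # everything was ours: the peer is the client
}

# resolve_chain CLIENT_SUPPLIED_XFF -> the address .33 should log and rate-limit on,
# after the VPS hop (remote_addr = client) and the .66 hop (remote_addr = 10.10.0.1).
resolve_chain() {
    local xff
    xff="$(xff_after_hop "$1" "$CLIENT")"    # VPS nginx
    xff="$(xff_after_hop "$xff" "$VPS_WG")"  # .66 nginx
    client_ip_from_xff "$xff" "$HOME66" "$HOME66" "$VPS_WG"
}

printf 'honest client, no header  -> %s\n' "$(resolve_chain "")"
printf 'client sends a fake XFF   -> %s\n' "$(resolve_chain "198.51.100.9")"
printf 'client fakes our hop too  -> %s\n' "$(resolve_chain "198.51.100.9, 10.10.0.1")"
```

All three cases resolve to `203.0.113.5`; a naive "take the first entry" would have logged `198.51.100.9` in the last two. The same right-to-left rule with the same trusted set is what the Go backend (or nginx's `real_ip` module with `set_real_ip_from`) has to implement.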
## 5. .33: starting the application

```bash
git clone q2dropzone && cd q2dropzone
cp .env.example .env
nano .env          # fill in DB_PASSWORD, JWT_SECRET, DISK_ROOT
docker-compose up -d --build
```

`.env` holds the database password and the JWT signing key: keep it mode 0600 and out of git.

---

## DNS

A record for `q2dropzone.xyz` → the public IP of the VPS (not the home IP).

---

## Request flow

```
client → VPS:443 (TLS termination, proxy_pass through WireGuard)
       → .66:80 (proxy_pass over the LAN)
       → .33:80 (nginx in docker → Go backend)
```

Every nginx hop has `proxy_buffering off` and `proxy_request_buffering off`, so large files are streamed straight through instead of being buffered to disk. This depends on `proxy_http_version 1.1` being set on each hop: without it nginx buffers chunked request bodies regardless of `proxy_request_buffering`. The .66 → .33 leg is plain HTTP on the home LAN; only the Internet-facing leg is TLS and only the VPS → .66 leg is WireGuard-encrypted.
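For the `.env` step in section 5, the following added helper (not from the q2dropzone repo) generates `DB_PASSWORD` and `JWT_SECRET` from `/dev/urandom` instead of typing them into `nano`, and then checks that no key is still blank before `docker-compose up`. It assumes `.env.example` uses plain `KEY=value` lines and ships `DB_PASSWORD=` and `JWT_SECRET=` empty; the real layout of that file is not shown on this page. The sample file the demo creates is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the q2dropzone repo: fill empty secrets in .env with
# random values and refuse to proceed while any required key is blank.
# Assumption: .env.example has plain KEY=value lines with DB_PASSWORD= and
# JWT_SECRET= empty. DISK_ROOT is a path, not a secret, so the operator sets it.
set -eu
umask 077   # .env and the temp copy made while editing it are created 0600

# gen_secret [BYTES] -> BYTES random bytes from /dev/urandom as lowercase hex
# (default 32 bytes = 64 hex chars, plenty for a DB password or an HMAC JWT key).
gen_secret() {
    od -An -tx1 -N"${1:-32}" /dev/urandom | tr -d ' \n'
}

# fill_secrets FILE KEY... -> every "KEY=" line with an empty value becomes
# KEY=<random>; keys that already carry a value are left untouched.
fill_secrets() {
    local file="$1" key secret
    shift
    for key in "$@"; do
        if grep -q "^${key}=\$" "$file"; then
            secret="$(gen_secret)"
            # sed -i differs between GNU and BSD, so rewrite through a temp file
            sed "s|^${key}=\$|${key}=${secret}|" "$file" > "${file}.tmp" && mv "${file}.tmp" "$file"
        fi
    done
}

# missing_secrets FILE KEY... -> prints every KEY that is absent or still empty and
# returns 1 if there is any, so it can gate the compose step.
missing_secrets() {
    local file="$1" key rc=0
    shift
    for key in "$@"; do
        if ! grep -q "^${key}=." "$file"; then
            printf '%s\n' "$key"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on a constructed stand-in for .env.example in a temp directory.
demo() {
    local dir
    dir="$(mktemp -d)"
    printf 'DB_PASSWORD=\nJWT_SECRET=\nDISK_ROOT=/srv/dropzone\n' > "$dir/.env"
    fill_secrets "$dir/.env" DB_PASSWORD JWT_SECRET
    if missing_secrets "$dir/.env" DB_PASSWORD JWT_SECRET DISK_ROOT; then
        echo "all keys set:"
        sed -e 's/^DB_PASSWORD=.*/DB_PASSWORD=<64 hex chars, hidden>/' \
            -e 's/^JWT_SECRET=.*/JWT_SECRET=<64 hex chars, hidden>/' "$dir/.env"
    fi
    rm -rf "$dir"
}
demo
# On .33, after `cp .env.example .env` and setting DISK_ROOT:
#   fill_secrets .env DB_PASSWORD JWT_SECRET
#   missing_secrets .env DB_PASSWORD JWT_SECRET DISK_ROOT && docker-compose up -d --build
```

`missing_secrets` is the part worth keeping even if you set the values by hand: a blank `JWT_SECRET` that the backend happily starts with is the kind of misconfiguration nothing else in this pipeline would catch.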