Initial commit - WASL Digital Wallet

2026-06-20 21:55:06 +03:00
commit 7306c47368
61 changed files with 4157 additions and 0 deletions
--- a/Backend/docker/nginx/default.conf
+++ b/Backend/docker/nginx/default.conf
@@ -0,0 +1,95 @@
+# ─────────────────────────────────────────────────────────────
+# WASL — Nginx server block (API)
+# Proxies to Laravel Octane (Swoole) on app:8000
+# ─────────────────────────────────────────────────────────────
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    root /var/www/html/public;
+    index index.php;
+
+    charset utf-8;
+
+    # ── Health check endpoint ──
+    location = /up {
+        access_log off;
+        proxy_pass http://wasl_octane;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+    }
+
+    # ── Block sensitive files ──
+    location ~ /\.(?!well-known).* {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    location ~* ^/(?:storage|app|bootstrap|config|database|resources|routes|tests|vendor|docker)(/.*)?$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # ── Static assets (cached) ──
+    location ~* \.(?:css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        access_log off;
+        log_not_found off;
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        try_files $uri =404;
+    }
+
+    # ── API rate limits (login & transfers throttled harder) ──
+    location ~ ^/api/(auth|otp|login) {
+        limit_req zone=login burst=5 nodelay;
+        limit_req_status 429;
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    location ~ ^/api/(transfers|wallets/.*/transfer) {
+        limit_req zone=transfer burst=3 nodelay;
+        limit_req_status 429;
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    # ── General API + app ──
+    location / {
+        limit_req zone=api burst=30 nodelay;
+        limit_req_status 429;
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    # ── PHP via Octane (Swoole) ──
+    location ~ \.php$ {
+        proxy_pass http://wasl_octane;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_read_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_connect_timeout 5s;
+
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
+
+    # ── Custom error pages ──
+    error_page 404 /index.php;
+    error_page 429 = @ratelimit;
+    location @ratelimit {
+        default_type application/json;
+        return 429 '{"success":false,"message":"Too many requests. Please slow down.","code":"RATE_LIMITED"}';
+    }
+
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+}
--- a/Backend/docker/nginx/nginx.conf
+++ b/Backend/docker/nginx/nginx.conf
@@ -0,0 +1,74 @@
+# ─────────────────────────────────────────────────────────────
+# WASL — Nginx main config
+# Hardened reverse proxy in front of Laravel Octane (Swoole)
+# ─────────────────────────────────────────────────────────────
+
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 4096;
+    multi_accept on;
+    use epoll;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # ── Logging ──
+    log_format main '$remote_addr - $remote_user [$time_local] '
+                    '"$request" $status $body_bytes_sent '
+                    '"$http_referer" "$http_user_agent" '
+                    'rt=$request_time urt=$upstream_response_time';
+    access_log /var/log/nginx/access.log main;
+
+    # ── Performance ──
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    keepalive_requests 1000;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    # ── Client body limits (KYC docs up to ~10MB) ──
+    client_max_body_size 15m;
+    client_body_buffer_size 128k;
+    client_body_timeout 30s;
+    client_header_timeout 30s;
+
+    # ── Gzip ──
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    # ── Security headers ──
+    server_tokens off;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+    # ── Rate limiting zones ──
+    limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;
+    limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
+    limit_req_zone $binary_remote_addr zone=transfer:10m rate=10r/m;
+
+    # ── Upstream to Octane (Swoole) ──
+    upstream wasl_octane {
+        server app:8000 max_fails=3 fail_timeout=5s;
+        keepalive 64;
+    }
+
+    include /etc/nginx/conf.d/*.conf;
+}