diff --git a/README.md b/README.md
index 3d3e8f0..6f2f21c 100644
--- a/README.md
+++ b/README.md
@@ -16,24 +16,28 @@ rc-service postgresql start
### 2) Crear BD y usuario
```bash
su - postgres
-psql -c "CREATE USER saludut_user WITH PASSWORD 'TU_PASSWORD_FUERTE';"
+psql -c "CREATE USER saludut_user WITH PASSWORD 'jhyutfgv7745676tfbhjgf687yu87';"
psql -c "CREATE DATABASE saludut_db OWNER saludut_user;"
exit
+psql -U postgres -d postgres -c "ALTER ROLE postgres WITH PASSWORD 'JKHUG9876hBhjhvjjhldfuy345trgfdf';"
+HBA=$(psql -U postgres -d postgres -Atc "show hba_file"); cp "$HBA" "$HBA.bak"; sed -i 's/\btrust\b/scram-sha-256/g' "$HBA"; rc-service postgresql reload
```
### 3) Subir codigo
```bash
-mkdir -p /opt/saludut/backend /opt/saludut/frontend
-tar -czf saludut-backend.tar.gz --exclude="node_modules" --exclude=".env" backend
-tar -czf saludut-frontend.tar.gz --exclude="node_modules" saludut-inpec
-scp -C saludut-backend.tar.gz root@autorizacion.saludut.com:/opt/saludut/
-scp -C saludut-frontend.tar.gz root@autorizacion.saludut.com:/opt/saludut/
+mkdir -p /opt/saludut/backend
+tar -czf backend.tar.gz \
+ --exclude="node_modules" \
+ --exclude=".env" \
+ --exclude="backend.tar.gz" \
+ .
+
+scp -C backend.tar.gz root@autorizacion.saludut.com:/opt/saludut/
```
En el servidor:
```bash
-tar -xzf /opt/saludut/saludut-backend.tar.gz -C /opt/saludut/
-tar -xzf /opt/saludut/saludut-frontend.tar.gz -C /opt/saludut/
+tar -xzf /opt/saludut/backend.tar.gz -C /opt/saludut/
```
### 4) Inicializar esquema minimo
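Review bot: The placeholders `TU_PASSWORD_FUERTE` and `CAMBIA_ESTE_SECRETO` are replaced with what look like real credentials in the `CREATE USER` and `ALTER ROLE postgres` lines here, and again in the `.env` hunk below, where `DB_PASSWORD` and `JWT_SECRET` carry the same string. Anything committed to the README stays in history, so these values should be treated as exposed and rotated, and the README should go back to placeholders such as `DB_PASSWORD=<generated per environment>`. Sharing one value between the database password and the JWT signing secret also means a leak of either compromises both, so generate them independently. The unchanged `ADMIN_PASS=admin123` in the `.env` block deserves the same treatment.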
@@ -65,16 +69,16 @@ Crear `backend/.env` en el servidor:
DB_HOST=127.0.0.1
DB_PORT=5432
DB_USER=saludut_user
-DB_PASSWORD=TU_PASSWORD_FUERTE
+DB_PASSWORD=jhyutfgv7745676tfbhjgf687yu87
DB_NAME=saludut_db
-JWT_SECRET=CAMBIA_ESTE_SECRETO
+JWT_SECRET=jhyutfgv7745676tfbhjgf687yu87
JWT_EXPIRES_IN=24h
PORT=3000
SOFFICE_PATH=/usr/bin/soffice
PYTHON_PATH=python3
ADMIN_USER=admin
ADMIN_PASS=admin123
-ADMIN_EMAIL=admin@saludut.gov.co
+ADMIN_EMAIL=admin@saludut.com
ADMIN_NAME=Administrador Sistema
```
@@ -113,71 +117,113 @@ rc-update add saludut-backend default
rc-service saludut-backend start
```
-### 8) Frontend (build)
+### Frontend
+
```bash
-cd /opt/saludut/saludut-inpec
-npm ci
-npm run build
-```
+sed -i 's/#Port 22/Port 48952/g' /etc/ssh/sshd_config
+rc-service sshd restart
+ssh -p 48952 root@autorizacion.saludut.com
+apk add nginx certbot certbot-nginx nftables rsync
-El build queda en `saludut-inpec/dist/saludut-inpec/`.
+#Ejecutar publishNftables.sh
+head -n1 ./scripts/publishNftables.sh | cat -A
+sed -i 's/\r$//' ./scripts/publishNftables.sh
+sed -i '1s|^.*$|#!/usr/bin/env bash|' ./scripts/publishNftables.sh
+chmod +x ./scripts/publishNftables.sh
+file ./scripts/publishNftables.sh
+bash ./scripts/publishNftables.sh
-### 9) Configurar API base (sin localhost)
-El frontend lee la base desde `window.__SALUDUT_CONFIG__`:
-```html
-
-```
+#Ejecutar publish.sh
+head -n1 ./scripts/publish.sh | cat -A
+sed -i 's/\r$//' ./scripts/publish.sh
+sed -i '1s|^.*$|#!/usr/bin/env bash|' ./scripts/publish.sh
+chmod +x ./scripts/publish.sh
+file ./scripts/publish.sh
+bash ./scripts/publish.sh
-Si no usas proxy y expones el puerto directo:
-```html
-
-```
+#Ejecutar el nginx de autorizacion.saludut.com
+scp -P 48952 scripts/vhost/autorizacion.saludut.com.conf root@autorizacion.saludut.com:/etc/nginx/http.d/
-### 10) Nginx + SSL (ejemplo)
-```nginx
server {
listen 80;
+ listen [::]:80;
+
server_name autorizacion.saludut.com;
- root /var/www/saludut;
+ client_max_body_size 60m;
+
+ root /var/www/autorizacion.saludut.com/htdocs;
index index.html;
location / {
- try_files $uri /index.html;
+ try_files $uri $uri/ /index.html;
}
location /api/ {
- proxy_pass http://127.0.0.1:3000/;
+ client_max_body_size 60m;
+
+ proxy_pass http://127.0.0.1:3000;
+ proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 600;
+ proxy_send_timeout 600;
}
+
+ error_page 404 /index.html;
}
-```
-Luego:
-```bash
rc-service nginx start
-certbot --nginx -d autorizacion.saludut.com
-```
+sudo certbot --nginx -d autorizacion.saludut.com
-## Desarrollo
-```bash
-cd backend
-npm install
-node src/server.js
-```
+scp -P 48952 scripts/vhost/autorizacion.saludut.com.conf root@autorizacion.saludut.com:/etc/nginx/http.d/
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name autorizacion.saludut.com;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ http2 on;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name autorizacion.saludut.com;
+
+ client_max_body_size 60m;
+
+ # ✅ Angular está dentro de /browser
+ root /var/www/autorizacion.saludut.com/htdocs/browser;
+ index index.html;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ location /api/ {
+ client_max_body_size 60m;
+
+ proxy_pass http://127.0.0.1:3000;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 600;
+ proxy_send_timeout 600;
+ }
+
+ error_page 404 /index.html;
+
+ ssl_certificate /etc/letsencrypt/live/autorizacion.saludut.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/autorizacion.saludut.com/privkey.pem;
+}
+
+nginx -t && rc-service nginx restart
-```bash
-cd saludut-inpec
-npm install
-npm run start
```
diff --git a/backend.tar.gz b/backend.tar.gz
new file mode 100644
index 0000000..9b1114d
Binary files /dev/null and b/backend.tar.gz differ
diff --git a/saludut-inpec/scripts/nftables/nftables.conf b/saludut-inpec/scripts/nftables/nftables.conf
new file mode 100644
index 0000000..8af88f1
--- /dev/null
+++ b/saludut-inpec/scripts/nftables/nftables.conf
@@ -0,0 +1,154 @@
+#!/usr/sbin/nft -f
+
+#--- Hook order is: ingress -> prerouting -> input/output/forward -> postrouting
+
+#--- Flush previous rules
+flush ruleset
+
+#--- Definitions
+define wan = eth0
+define vpn = wg0
+define vpn_net = 10.16.40.1/22 #---VPN_NETWORK
+#define ipsec_remote = 10.0.0.0/24
+
+#--- "inet" say that this table will handle both ipv4 (ip) and ipv6 (ip6).
+table inet firewall {
+ #--- TCP ports to allow (ssh, http and https).
+ set tcp_accepted {
+ #--- "inet_service" are for tcp/udp ports, "flags interval" allows to set intervals.
+ type inet_service; flags interval;
+ elements = {80,443,5000,5222,5269,5280,5281,5347,5582,48952} #---OpenTCPports/
+ }
+
+ #--- UDP ports to allow WireGuard.
+ set udp_accepted {
+ type inet_service; flags interval;
+ elements = {500,4500,14801} #---OpenUDPports
+ }
+
+ chain incoming {
+ type filter hook input priority 0; policy drop;
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Drop none SYN packets.
+ tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
+
+ # Limit ping requests.
+ ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
+ ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop
+
+ # Allow all incmming established and related traffic.
+ ct state established,related accept
+
+ # Allow loopback.
+ iif lo accept
+
+ # Allow certain inbound ICMP types (ping, traceroute).
+ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
+ # Without the nd-* ones ipv6 will not work.
+ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
+
+ # Allow needed tcp and udp ports.
+ iifname $wan tcp dport @tcp_accepted ct state new accept
+ iifname $wan udp dport @udp_accepted ct state new accept
+ iifname $vpn tcp dport @tcp_accepted ct state new accept
+ iifname $vpn udp dport @udp_accepted ct state new accept
+
+ # Allow all incoming traffic from vpn
+ iifname $vpn ct state new accept
+
+ # Allow WireGuard clients to access DNS and services.
+ iifname $vpn udp dport 53 ct state new accept
+
+ # Allow VPN clients to communicate with each other.
+ iifname $vpn oifname $vpn ct state new accept
+
+ # Allows IPSEC StrongSwan trafic.
+ # ip protocol { ah, esp } accept
+
+ # meta ipsec exists accept # toma los paquetes de ipsec existentes de la metadata
+ #ipsec in ip saddr $ipsec_remote accept #source addres acepta el rango de conexiones de tipo ipsec
+
+
+ }
+
+ chain forwarding { #crea una cadena llamada forwarding
+ type filter hook forward priority 0; policy drop; #crea uun gancho de tipo filtro capacidad forward
+ # a la politica dejelo caer
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Forward all established and related traffic.
+ ct state established,related accept #paquetes reenviados
+
+ # Forward WireGuard traffic.
+ # Allow WireGuard traffic to access the internet via wan.
+ iifname $vpn oifname $wan ct state new accept # permitir el trafico para salir a internet
+
+ # Allow VPN clients to communicate with each other.
+ iifname $vpn oifname $vpn accept
+
+ }
+
+ chain outgoing {
+ type filter hook output priority 0; policy drop;
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Allow all other outgoing traffic.
+ # For some reason ipv6 ICMP needs to be explicitly allowed here.
+ ip6 nexthdr ipv6-icmp accept
+ ct state new,established,related accept
+ }
+}
+
+# Separate table for hook pre- and postrouting.
+# If using kernel 5.2 or later you can replace "ip" with "inet" to also filter IPv6 traffic.
+table ip router {
+ # With kernel 4.17 or earlier both need to be set even when one is empty.
+ chain prerouting {
+ type nat hook prerouting priority -100; #nat network address translation ipv4
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100; #despues de todas las reglas que se han definido
+
+ # Masquerade WireGuard traffic.
+ # All WireGuard traffic will look like it comes from the servers IP address.
+ oifname $wan ip saddr $vpn_net masquerade #cambia tu ip privada por una publica
+ }
+}
+
+# Separate table for hook ingress to filter bad packets early.
+table netdev filter {
+ # List of ipv4 addresses to block.
+ set blocklist_v4 {
+ # The "ipv4_addr" are for ipv4 addresses and "flags interval" allows to set intervals.
+ type ipv4_addr; flags interval;
+ elements = {172.16.254.1,172.16.254.2} #---BloquedIPs
+ }
+
+ chain ingress {
+ # For some reason the interface must be hardcoded here, variable do not work.
+ type filter hook ingress device $wan priority -500;
+
+ # Drop all fragments.
+ ip frag-off & 0x1fff != 0 counter drop
+
+ # Drop bad addresses.
+ ip saddr @blocklist_v4 counter drop
+
+ # Drop XMAS packets.
+ tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
+
+ # Drop NULL packets.
+ tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
+
+ # Drop uncommon MSS values.
+ tcp flags syn tcp option maxseg size 1-535 counter drop
+ }
+}
+
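Review bot: The `tcp_accepted` set is documented as "ssh, http and https", but its elements also open 5000, 5222, 5269, 5280, 5281, 5347 and 5582, and the `iifname $wan tcp dport @tcp_accepted` rule exposes all of them on the public interface. If this host does not run the services behind those ports, trim the set to what is served, e.g. `elements = {80,443,48952}` as the host-specific file in this commit does, and update the comment to match. Separately, `iifname $vpn ct state new accept` already accepts everything arriving on wg0, so the vpn-specific port, DNS and `oifname $vpn` rules around it in the `incoming` chain add nothing and can be dropped.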
diff --git a/saludut-inpec/scripts/nftables/nftables_autorizacion.saludut.com.conf b/saludut-inpec/scripts/nftables/nftables_autorizacion.saludut.com.conf
new file mode 100644
index 0000000..4d70b7c
--- /dev/null
+++ b/saludut-inpec/scripts/nftables/nftables_autorizacion.saludut.com.conf
@@ -0,0 +1,154 @@
+#!/usr/sbin/nft -f
+
+#--- Hook order is: ingress -> prerouting -> input/output/forward -> postrouting
+
+#--- Flush previous rules
+flush ruleset
+
+#--- Definitions
+define wan = eth0
+define vpn = wg0
+define vpn_net = 10.16.76.1/22 #---VPN_NETWORK
+#define ipsec_remote = 10.0.0.0/24
+
+#--- "inet" say that this table will handle both ipv4 (ip) and ipv6 (ip6).
+table inet firewall {
+ #--- TCP ports to allow (ssh, http and https).
+ set tcp_accepted {
+ #--- "inet_service" are for tcp/udp ports, "flags interval" allows to set intervals.
+ type inet_service; flags interval;
+ elements = {80,443,48952} #---OpenTCPports/
+ }
+
+ #--- UDP ports to allow WireGuard.
+ set udp_accepted {
+ type inet_service; flags interval;
+ elements = {53,500,4500,25237} #---OpenUDPports
+ }
+
+ chain incoming {
+ type filter hook input priority 0; policy drop;
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Drop none SYN packets.
+ tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
+
+ # Limit ping requests.
+ ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
+ ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop
+
+ # Allow all incmming established and related traffic.
+ ct state established,related accept
+
+ # Allow loopback.
+ iif lo accept
+
+ # Allow certain inbound ICMP types (ping, traceroute).
+ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
+ # Without the nd-* ones ipv6 will not work.
+ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
+
+ # Allow needed tcp and udp ports.
+ iifname $wan tcp dport @tcp_accepted ct state new accept
+ iifname $wan udp dport @udp_accepted ct state new accept
+ #iifname $vpn tcp dport @tcp_accepted ct state new accept
+ #iifname $vpn udp dport @udp_accepted ct state new accept
+
+ # Allow all incoming traffic from vpn
+ iifname $vpn ct state new accept
+
+ # Allow WireGuard clients to access DNS and services.
+ iifname $vpn udp dport 53 ct state new accept
+
+ # Allow VPN clients to communicate with each other.
+ iifname $vpn oifname $vpn ct state new accept
+
+ # Allows IPSEC StrongSwan trafic.
+ ip protocol { ah, esp } accept
+
+ meta ipsec exists accept
+ #ipsec in ip saddr $ipsec_remote accept
+
+
+ }
+
+ chain forwarding {
+ type filter hook forward priority 0; policy drop;
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Forward all established and related traffic.
+ ct state established,related accept
+
+ # Forward WireGuard traffic.
+ # Allow WireGuard traffic to access the internet via wan.
+ iifname $vpn oifname $wan ct state new accept
+
+ # Allow VPN clients to communicate with each other.
+ iifname $vpn oifname $vpn accept
+
+ }
+
+ chain outgoing {
+ type filter hook output priority 0; policy drop;
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Allow all other outgoing traffic.
+ # For some reason ipv6 ICMP needs to be explicitly allowed here.
+ ip6 nexthdr ipv6-icmp accept
+ ct state new,established,related accept
+ }
+}
+
+# Separate table for hook pre- and postrouting.
+# If using kernel 5.2 or later you can replace "ip" with "inet" to also filter IPv6 traffic.
+table ip router {
+ # With kernel 4.17 or earlier both need to be set even when one is empty.
+ chain prerouting {
+ type nat hook prerouting priority -100;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100;
+
+ # Masquerade WireGuard traffic.
+ # All WireGuard traffic will look like it comes from the servers IP address.
+ oifname $wan ip saddr $vpn_net masquerade
+ }
+}
+
+# Separate table for hook ingress to filter bad packets early.
+table netdev filter {
+ # List of ipv4 addresses to block.
+ set blocklist_v4 {
+ # The "ipv4_addr" are for ipv4 addresses and "flags interval" allows to set intervals.
+ type ipv4_addr; flags interval;
+ elements = {172.16.254.1,172.16.254.2} #---BloquedIPs
+ }
+
+ chain ingress {
+ # For some reason the interface must be hardcoded here, variable do not work.
+ type filter hook ingress device $wan priority -500;
+
+ # Drop all fragments.
+ ip frag-off & 0x1fff != 0 counter drop
+
+ # Drop bad addresses.
+ ip saddr @blocklist_v4 counter drop
+
+ # Drop XMAS packets.
+ tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
+
+ # Drop NULL packets.
+ tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
+
+ # Drop uncommon MSS values.
+ tcp flags syn tcp option maxseg size 1-535 counter drop
+ }
+}
+
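Review bot: Port 53 in `udp_accepted` is matched by `iifname $wan udp dport @udp_accepted`, so any DNS listener on this host becomes reachable from the internet, while the set's comment says it is for WireGuard. VPN clients are already covered by the wg0 rules, so the set can be `elements = {500,4500,25237}` unless public DNS is intended. The `ip protocol { ah, esp } accept` and `meta ipsec exists accept` rules likewise accept from any source on any interface. With `ipsec_remote` commented out, consider restricting them to the peer address, or add a comment stating why they are unrestricted.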
diff --git a/saludut-inpec/scripts/paginaweb b/saludut-inpec/scripts/paginaweb
new file mode 100644
index 0000000..9805efc
--- /dev/null
+++ b/saludut-inpec/scripts/paginaweb
@@ -0,0 +1,27 @@
+sed -i 's/#Port 22/Port 48952/g' /etc/ssh/sshd_config
+rc-service sshd restart
+ssh -p 48952 root@autorizacion.saludut.com
+apk add nginx certbot certbot-nginx nftables rsync
+
+#Ejecutar publishNftables.sh
+head -n1 ./scripts/publishNftables.sh | cat -A
+sed -i 's/\r$//' ./scripts/publishNftables.sh
+sed -i '1s|^.*$|#!/usr/bin/env bash|' ./scripts/publishNftables.sh
+chmod +x ./scripts/publishNftables.sh
+file ./scripts/publishNftables.sh
+bash ./scripts/publishNftables.sh
+
+#Ejecutar publish.sh
+head -n1 ./scripts/publish.sh | cat -A
+sed -i 's/\r$//' ./scripts/publish.sh
+sed -i '1s|^.*$|#!/usr/bin/env bash|' ./scripts/publish.sh
+chmod +x ./scripts/publish.sh
+file ./scripts/publish.sh
+bash ./scripts/publish.sh
+
+#Ejecutar el nginx de autorizacion.saludut.com
+scp -P 48952 scripts/vhost/autorizacion.saludut.com.conf root@autorizacion.saludut.com:/etc/nginx/http.d/
+rc-service nginx start
+sudo certbot --nginx -d autorizacion.saludut.com
+
+
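Review bot: This file has no shebang and mixes commands meant for the server with commands meant for the workstation, so it cannot be run as written: `ssh -p 48952 root@…` opens an interactive session, and everything after it runs locally once that session ends. Either turn it into a documented checklist (a header comment saying which lines run where) or split it into a remote script and a local script. The sshd port change is applied with a blind restart; `sshd -t && rc-service sshd restart` avoids a lockout on a bad config. The `sed` only rewrites the commented default `#Port 22`, so it silently does nothing when a `Port` line is already active.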
diff --git a/saludut-inpec/scripts/publish.sh b/saludut-inpec/scripts/publish.sh
new file mode 100755
index 0000000..b15a44f
--- /dev/null
+++ b/saludut-inpec/scripts/publish.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+
+#ssh -p 48952 root@autorizacion.saludut.com
+
+echo "Preparando proyacto para produccion"
+ng build
+
+echo "Crear el directorio de destino en el servidor"
+SSH_PORT=48952
+SERVER_IP4="172.238.203.98"
+SERVER_HOSTNAME=autorizacion.saludut.com
+
+REMOTE_USER=root
+
+SITE_NAME="autorizacion.saludut.com"
+SITE_DOMAINS="autorizacion.saludut.com"
+PROJECT_NAME="saludut-inpec"
+
+#DEPLOYED_TMP_FOLDER="/tmp/www.calacloud.com"
+#ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_DATA_FOLDER};chgrp -R deploy ${DEPLOYED_DATA_FOLDER};chmod -R 770 ${DEPLOYED_DATA_FOLDER}'"
+#DEPLOYED_DATA_FOLDER="/var/www/static/${SITE_NAME}"
+
+
+DEPLOYED_WEB_DOMAIN_FOLDER=/var/www/${SITE_NAME}
+DEPLOYED_WEB_DOMAIN_FOLDER=/var/www/autorizacion.saludut.com
+DEPLOYED_WEB_DATA_FOLDER=/var/www/autorizacion.saludut.com/htdocs
+DEPLOYED_WEB_DATA_FOLDER="${DEPLOYED_WEB_DOMAIN_FOLDER}/htdocs"
+
+#Inicio de fase de DATA
+echo "Se preparan los directorios de destino"
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_WEB_DOMAIN_FOLDER};chown -R ${REMOTE_USER}:${REMOTE_USER} ${DEPLOYED_WEB_DOMAIN_FOLDER};chmod -R 775 ${DEPLOYED_WEB_DOMAIN_FOLDER}'"
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_WEB_DATA_FOLDER};chown -R ${REMOTE_USER}:www-data ${DEPLOYED_WEB_DATA_FOLDER};chmod -R 775 ${DEPLOYED_WEB_DATA_FOLDER}'"
+
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 31756 root@172.238.203.98 "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p /var/www/autorizacion.saludut.com;chown -R root:root /var/www/autorizacion.saludut.com;chmod -R 775 /var/www/autorizacion.saludut.com/htdocs'"
+##ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_DATA_FOLDER};chgrp -R deploy ${DEPLOYED_DATA_FOLDER};chmod -R 770 ${DEPLOYED_DATA_FOLDER}'"
+#ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_DATA_FOLDER};chown -R ${REMOTE_USER}:deploy ${DEPLOYED_DATA_FOLDER};chmod -R 775 ${DEPLOYED_DATA_FOLDER}'"
+
+echo "Subir los archivos en ${DEPLOYED_WEB_DATA_FOLDER}"
+DIST_FOLDER="dist/${PROJECT_NAME}"
+#echo "rsync -arvz ${DIST_FOLDER} -e \"ssh -p ${SSH_PORT}\" ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}"
+# rsync -arvz ${DIST_FOLDER} -e "ssh -p ${SSH_PORT}" ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}
+echo "rsync -arvz -e \"ssh -p ${SSH_PORT}\" --progress --delete ${DIST_FOLDER}/ ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}"
+ rsync -arvz -e "ssh -p ${SSH_PORT}" --progress --delete ${DIST_FOLDER}/ ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}
+
+#echo "scp -r -P ${SSH_PORT} ${DIST_FOLDER}/* ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}"
+#scp -r -P ${SSH_PORT} ${DIST_FOLDER}/* ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}
+
+#exit 0 #HABILITARLO CUANDO LA PAGINA YA ESTE ARRIBA
+
+#rsync -arvz ${DIST_FOLDER} -e \"ssh -p ${SSH_PORT}\" ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_DATA_FOLDER}
+#scp -r -P ${SSH_PORT} ${DIST_FOLDER} ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_DATA_FOLDER}
+echo "Ajustando permisos web"
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "\
+ chown -R root:root '${DEPLOYED_WEB_DOMAIN_FOLDER}' && \
+ find '${DEPLOYED_WEB_DOMAIN_FOLDER}' -type d -exec chmod 755 {} \; && \
+ find '${DEPLOYED_WEB_DOMAIN_FOLDER}' -type f -exec chmod 644 {} \; \
+"
+
+#Fin de fase de DATA
+
+VHOST_FILE="${SITE_NAME}"
+LOCAL_VHOST_FILE="scripts/${VHOST_FILE}"
+LOCAL_VHOST_TEMPLATE_FILE="scripts/virtualhost.template"
+TMP_VHOST_FILE="/tmp/${VHOST_FILE}"
+DEPLOYED_VHOST_FILE="/etc/nginx/http.d/${VHOST_FILE}"
+ENABLED_VHOST_FILE="/etc/nginx/http.d/${VHOST_FILE}"
+
+echo "preparando directorio de logs"
+#Inicio de fase LOGS
+LOGS_FOLDER="/var/www/log/${SITE_NAME}"
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${LOGS_FOLDER};chown -R root:root ${LOGS_FOLDER};chmod -R 755 ${LOGS_FOLDER}'"
+#Fin de fase LOGS
+exit 0
+# EL EXIT VA HASTA ACA LA PRIMERA VEZ QUE VAYA A SUBIR LA MAQUINA
+
+#Inicio de fase VHOST
+echo "generando virtualhost: ${VHOST_FILE}"
+cat "${LOCAL_VHOST_TEMPLATE_FILE}" | sed "s/%SITE_NAME%/${SITE_NAME}/g" | sed "s/%SITE_DOMAINS%/${SITE_DOMAINS}/g" > "${TMP_VHOST_FILE}"
+
+echo "copiando vistualhost"
+scp -r -P ${SSH_PORT} ${TMP_VHOST_FILE} ${REMOTE_USER}@${SERVER_IP4}:${TMP_VHOST_FILE}
+rm "${TMP_VHOST_FILE}"
+
+#scp -r -P ${SSH_PORT} ${LOCAL_VHOST_FILE} ${REMOTE_USER}@${SERVER_IP4}:${TMP_VHOST_FILE}
+
+echo "instalando virtualhost"
+#ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'cp ${TMP_VHOST_FILE} ${DEPLOYED_VHOST_FILE};ln -s ${DEPLOYED_VHOST_FILE} ${ENABLED_VHOST_FILE};systemctl reload nginx'"
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'cp -n ${TMP_VHOST_FILE} ${DEPLOYED_VHOST_FILE};ln -s ${DEPLOYED_VHOST_FILE} ${ENABLED_VHOST_FILE};systemctl reload nginx'"
+#Fin de fase VHOST
+
+
+#echo "Copiar los archivos al servidor web"
+#REMOTE_SITE_DIR="/var/www/static/www.calacloud.net"
+#DEPLOYED_DIST_FOLDER="${DEPLOYED_DATA_FOLDER}/dist/calacloud"
+#ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'cp -R ${DEPLOYED_DIST_FOLDER}/* ${REMOTE_SITE_DIR}'"
+
+
+echo "Cambios publicados en produccion"
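Review bot: Every `ssh` call here logs in as root with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, which turns off host key verification, so the deploy would accept any machine answering on that address. The remote commands also pipe `${REMOTE_PWD}` into `sudo -S`; that variable is not assigned anywhere in this file, and where it is set the password would end up on the remote command line. Since the login is already root, the sudo wrapper can go, as sketched below for one of the calls. The third `ssh` line hard-codes `-p 31756` while `SSH_PORT` is 48952, there is no `set -euo pipefail` so `rsync --delete` still runs after a failed `ng build`, and the `exit 0` after the LOGS phase leaves the whole VHOST phase unreachable.

```shell
set -euo pipefail   # stop before rsync --delete if ng build fails

# … unchanged: SSH_PORT, SERVER_IP4, REMOTE_USER, SITE_NAME, DEPLOYED_* definitions …

# Verify the host key against known_hosts; the login is already root, so no sudo/password pipe.
SSH_OPTS=(-q -o BatchMode=yes -o StrictHostKeyChecking=yes -p "${SSH_PORT}")
REMOTE="${REMOTE_USER}@${SERVER_IP4}"

ssh "${SSH_OPTS[@]}" "${REMOTE}" \
  "mkdir -p '${DEPLOYED_WEB_DATA_FOLDER}' \
   && chown -R '${REMOTE_USER}:www-data' '${DEPLOYED_WEB_DATA_FOLDER}' \
   && chmod -R 775 '${DEPLOYED_WEB_DATA_FOLDER}'"

# … unchanged: rsync upload, permission fix-up, LOGS phase (same SSH_OPTS/REMOTE pattern) …
```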
diff --git a/saludut-inpec/scripts/publishNftables.sh b/saludut-inpec/scripts/publishNftables.sh
new file mode 100755
index 0000000..05e2aa3
--- /dev/null
+++ b/saludut-inpec/scripts/publishNftables.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+
+#ssh -p 48952 root@autorizacion.saludut.com
+
+
+echo "Crear el directorio de destino en el servidor"
+SSH_PORT=48952
+SERVER_IP4="172.238.203.98"
+
+REMOTE_USER=root
+SERVER_HOSTNAME=autorizacion.saludut.com
+
+scp -P $SSH_PORT scripts/nftables/nftables.conf $REMOTE_USER@$SERVER_HOSTNAME:/etc/nftables.nft
+
+echo "Cambios anviados a produccion"
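Review bot: The `scp` uploads `scripts/nftables/nftables.conf`, not the host-specific `nftables_autorizacion.saludut.com.conf` added in the same commit, so the server gets the ruleset with the wider `tcp_accepted` set. If that is not intended, use `scp -P "$SSH_PORT" scripts/nftables/nftables_autorizacion.saludut.com.conf "$REMOTE_USER@$SERVER_HOSTNAME":/etc/nftables.nft`. Nothing validates the file before it replaces the live one; where `nft` is available, running `nft -c -f` on it first catches syntax errors before they reach a firewall with `policy drop`. `SERVER_IP4` is assigned but unused, and the first `echo` message ("Crear el directorio de destino") does not describe what the script does.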
diff --git a/saludut-inpec/scripts/publishVhost.sh b/saludut-inpec/scripts/publishVhost.sh
new file mode 100644
index 0000000..80319d6
--- /dev/null
+++ b/saludut-inpec/scripts/publishVhost.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+
+#ssh -p 31756 root@www.ajsystem23.com
+
+
+SSH_PORT=31756
+
+REMOTE_USER=root
+SERVER_HOSTNAME=www.ajsystem23.com
+
+SRC_VHOST=scripts/vhost/www.ajsystem23.com.conf
+SRC_SNIPPETS=scripts/vhost/snippets
+
+echo "Crear el VHOST en el servidor"
+scp -P $SSH_PORT $SRC_VHOST $REMOTE_USER@$SERVER_HOSTNAME:/etc/nginx/http.d/
+
+
+SNIPPETS_FOLDER=/etc/nginx/snippets
+echo "Subiendo snippets en el servidor"
+
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${SNIPPETS_FOLDER};chown -R ${REMOTE_USER}:${REMOTE_USER} ${SNIPPETS_FOLDER};chmod -R 775 ${SNIPPETS_FOLDER}'"
+
+echo "scp -P $SSH_PORT -r $SRC_SNIPPETS $REMOTE_USER@$SERVER_HOSTNAME:$SNIPPETS_FOLDER"
+scp -P $SSH_PORT -r $SRC_SNIPPETS $REMOTE_USER@$SERVER_HOSTNAME:$SNIPPETS_FOLDER
+
+echo "Cambios anviados a produccion"
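Review bot: The `ssh` line uses `${SERVER_IP4}` and `${REMOTE_PWD}`, neither of which is assigned in this script, so the target expands to `root@` and the snippets directory is never prepared unless both happen to be in the environment. Use the variable the `scp` lines already use and drop the sudo pipe, since the login is root: `ssh -p "$SSH_PORT" "$REMOTE_USER@$SERVER_HOSTNAME" "mkdir -p '$SNIPPETS_FOLDER'"`. That also removes `StrictHostKeyChecking=no` / `UserKnownHostsFile=/dev/null`, which disable host key verification. The host and port (www.ajsystem23.com, 31756) differ from the rest of this commit, so this file looks copied from another project and may not belong here.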
diff --git a/saludut-inpec/scripts/unpublish.sh b/saludut-inpec/scripts/unpublish.sh
new file mode 100644
index 0000000..8ce5979
--- /dev/null
+++ b/saludut-inpec/scripts/unpublish.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+echo "Crear el directorio de destino en el servidor"
+SSH_PORT=19247
+SERVER_IP4="172.105.103.215"
+
+if [ $USER = "jorgeescallon" ]; then
+ REMOTE_USER="deeeijppnwkr"
+ REMOTE_PWD="jcapuQfNM6gYrZyX7Q991UWU"
+else
+ REMOTE_USER="sceovddutywx"
+ REMOTE_PWD="3tAcbDCqhV1a7n9fa6QZJXoO"
+fi
+
+SITE_NAME="www.calacloud.net"
+SITE_DOMAINS="calacloud.net www.calacloud.net"
+PROJECT_NAME="calacloud"
+
+DEPLOYED_DATA_FOLDER="/var/www/static/${SITE_NAME}"
+
+VHOST_FILE="${SITE_NAME}"
+TMP_VHOST_FILE="/tmp/${VHOST_FILE}"
+DEPLOYED_VHOST_FILE="/etc/nginx/sites-available/${VHOST_FILE}"
+ENABLED_VHOST_FILE="/etc/nginx/sites-enabled/${VHOST_FILE}"
+
+echo "retirando virtualhost"
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'rm ${TMP_VHOST_FILE} ${DEPLOYED_VHOST_FILE} ${ENABLED_VHOST_FILE};systemctl reload nginx'"
+
+echo "retirando logs"
+LOGS_FOLDER="/var/www/log/${SITE_NAME}"
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'rm -r ${LOGS_FOLDER}'"
+
+echo "Elimiando deployed data"
+ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'rm -r ${DEPLOYED_DATA_FOLDER}'"
+
+echo "Cambios aplicados en produccion. Se eliminó: ${SITE_NAME}"
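Review bot: `REMOTE_USER` and `REMOTE_PWD` are hard-coded for two accounts in the `if [ $USER = ... ]` block, which puts what appear to be working sudo credentials for the remote host in the repository. They should be treated as exposed, rotated, and read from the environment instead, e.g. `: "${REMOTE_PWD:?set REMOTE_PWD}"`. The password is then interpolated into the remote command (`echo ${REMOTE_PWD} | sudo -S`), where it is visible in the remote process list and shell logs; key-based login with a scoped sudoers rule avoids passing it at all. The `rm -r` targets are built from unquoted variables and run under sudo, so guard them with `${DEPLOYED_DATA_FOLDER:?}`. The site is www.calacloud.net, so this script appears to belong to a different project.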
diff --git a/saludut-inpec/scripts/vhost/autorizacion.saludut.com-origin.conf b/saludut-inpec/scripts/vhost/autorizacion.saludut.com-origin.conf
new file mode 100644
index 0000000..90193ab
--- /dev/null
+++ b/saludut-inpec/scripts/vhost/autorizacion.saludut.com-origin.conf
@@ -0,0 +1,106 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ajsystem23.com www.ajsystem23.com;
+ return 301 https://$host$request_uri;
+
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ include snippets/self-signed.conf;
+ include snippets/ssl-params.conf;
+
+ server_name ajsystem23.com www.ajsystem23.com;
+
+ #resolver 8.8.8.8 8.8.4.4 valid=300s;
+ #resolver_timeout 5s;
+ #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
+ #ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Add some protection headers for ClickJacking
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header 'Access-Control-Allow-Origin' '*';
+
+ # Configura http2
+ #http2_max_field_size 16k;
+ #http2_max_header_size 32k;
+ large_client_header_buffers 4 8k;
+ # Habilita compresion
+ gzip on;
+ gzip_comp_level 6;
+ gzip_vary on;
+ gzip_min_length 1000;
+ gzip_proxied any;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+ gzip_buffers 16 8k;
+
+ # Remove server identifiers to help against enumeration
+ server_tokens off;
+ root /var/www/www.ajsystem23.com/htdocs;
+ try_files $uri $uri/ /index.html;
+
+ location ~ \.svgz$ {
+ add_header Content-Encoding gzip;
+ }
+
+ error_page 404 /errors/404.html;
+ location = /errors/404.html {
+ #root /var/www/static/%SITE_NAME%/errors;
+ root /var/www/www.ajsystem23.com/errors;
+ internal;
+ }
+
+ access_log /var/www/log/www.ajsystem23.com/static.access.log;
+ error_log /var/www/log/www.ajsystem23.com/static.error.log;
+
+ index index.html index.htm;
+
+ #location ~* ^.+.(htm|html|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ {
+ location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
+ #access_log off;
+ expires max;
+ }
+ location ~* \.(json|html)$ {
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ #
+ # Om nom nom cookies
+ #
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ if ($request_method = 'POST') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+ if ($request_method = 'GET') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+ }
+ location ~ /\.ht {
+ deny all;
+
+ }
+}
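Review bot: The `location ~* \.(json|html)$` block sends `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`. Browsers refuse credentialed requests with a wildcard origin, and the apparent intent (any site may read responses with cookies) is not something to enable on a static site. Drop the credentials header, or replace `*` with an explicit allowed origin. Because nginx only inherits `add_header` from the outer level when the current level defines none, the `add_header` lines in this location and in `location ~ \.svgz$` also drop the server-level `X-Frame-Options` / `X-Content-Type-Options` headers for those responses. The `server_name` and paths are for ajsystem23.com although the file is named for autorizacion.saludut.com.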
diff --git a/saludut-inpec/scripts/vhost/autorizacion.saludut.com.conf b/saludut-inpec/scripts/vhost/autorizacion.saludut.com.conf
new file mode 100644
index 0000000..b5f039e
--- /dev/null
+++ b/saludut-inpec/scripts/vhost/autorizacion.saludut.com.conf
@@ -0,0 +1,44 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name autorizacion.saludut.com;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ http2 on;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name autorizacion.saludut.com;
+
+ client_max_body_size 60m;
+
+ # ✅ Angular está dentro de /browser
+ root /var/www/autorizacion.saludut.com/htdocs/browser;
+ index index.html;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ location /api/ {
+ client_max_body_size 60m;
+
+ proxy_pass http://127.0.0.1:3000;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 600;
+ proxy_send_timeout 600;
+ }
+
+ error_page 404 /index.html;
+
+ ssl_certificate /etc/letsencrypt/live/autorizacion.saludut.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/autorizacion.saludut.com/privkey.pem;
+}
+
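Review bot: The 443 server block sets certificates but no `ssl_protocols`, no HSTS and none of the response headers the other vhost in this commit sets, so TLS versions fall back to the nginx build defaults. Add them explicitly, e.g. `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=63072000" always;`. Do not include `snippets/ssl-params.conf` as committed, because it still enables TLSv1 and TLSv1.1. The 600-second proxy timeouts and the 60m body limit apply to every `/api/` request; if only upload or report endpoints need them, scope them to those locations.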
diff --git a/saludut-inpec/scripts/vhost/snippets/self-signed.conf b/saludut-inpec/scripts/vhost/snippets/self-signed.conf
new file mode 100644
index 0000000..39332d7
--- /dev/null
+++ b/saludut-inpec/scripts/vhost/snippets/self-signed.conf
@@ -0,0 +1,2 @@
+ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
\ No newline at end of file
diff --git a/saludut-inpec/scripts/vhost/snippets/ssl-params.conf b/saludut-inpec/scripts/vhost/snippets/ssl-params.conf
new file mode 100644
index 0000000..ba017c1
--- /dev/null
+++ b/saludut-inpec/scripts/vhost/snippets/ssl-params.conf
@@ -0,0 +1,18 @@
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+#ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now. You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
\ No newline at end of file
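Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, both deprecated by RFC 8996, and leaves out TLS 1.3; the line should be `ssl_protocols TLSv1.2 TLSv1.3;`. The three `add_header` lines lack `always`, so nginx omits HSTS, `X-Frame-Options` and `X-Content-Type-Options` on 4xx/5xx responses. `virtualhost.template` includes this snippet together with `snippets/self-signed.conf`. With a self-signed certificate `ssl_stapling on` has no OCSP response to staple, so the stapling and `resolver` lines do nothing until a CA-issued certificate is used.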
diff --git a/saludut-inpec/scripts/virtualhost.template b/saludut-inpec/scripts/virtualhost.template
new file mode 100644
index 0000000..608f932
--- /dev/null
+++ b/saludut-inpec/scripts/virtualhost.template
@@ -0,0 +1,103 @@
+server {
+ listen 80;
+ #listen [::]:80;
+ server_name %SITE_DOMAINS%;
+ return 301 https://%SITE_NAME%request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ include snippets/self-signed.conf;
+ include snippets/ssl-params.conf;
+
+ server_name %SITE_DOMAINS%;
+
+ #resolver 8.8.8.8 8.8.4.4 valid=300s;
+ #resolver_timeout 5s;
+ #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
+ #ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Add some protection headers for ClickJacking
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header 'Access-Control-Allow-Origin' '*';
+
+ # Configura http2
+ #http2_max_field_size 16k;
+ #http2_max_header_size 32k;
+ large_client_header_buffers 4 8k;
+ # Habilita compresion
+ gzip on;
+ gzip_comp_level 6;
+ gzip_vary on;
+ gzip_min_length 1000;
+ gzip_proxied any;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+ gzip_buffers 16 8k;
+
+ # Remove server identifiers to help against enumeration
+ server_tokens off;
+ root /var/www/static/%SITE_NAME%;
+ try_files $uri $uri/ /index.html;
+
+ location ~ \.svgz$ {
+ add_header Content-Encoding gzip;
+ }
+
+ error_page 404 /errors/404.html;
+ location = /errors/404.html {
+ root /var/www/static/%SITE_NAME%/errors;
+ internal;
+ }
+
+ access_log /var/www/log/%SITE_NAME%/static.access.log;
+ error_log /var/www/log/%SITE_NAME%/static.error.log;
+
+ index index.html index.htm;
+
+ #location ~* ^.+.(htm|html|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ {
+ location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
+ #access_log off;
+ expires max;
+ }
+ location ~* \.(json|html)$ {
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ #
+ # Om nom nom cookies
+ #
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ if ($request_method = 'POST') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+ if ($request_method = 'GET') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+ }
+ location ~ /\.ht {
+ deny all;
+
+ }
+}
\ No newline at end of file
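Review bot: The port-80 redirect `return 301 https://%SITE_NAME%request_uri;` is missing the `$`, so after placeholder substitution every plain-HTTP request would be sent to a host name ending in the literal text `request_uri` and the HTTPS upgrade never lands; it should read `return 301 https://%SITE_NAME%$request_uri;`. In the `location ~* \.(json|html)$` block, `Access-Control-Allow-Origin: *` is paired with `Access-Control-Allow-Credentials: true`, a combination browsers refuse for credentialed requests. For static files I would drop the credentials header rather than start reflecting the Origin. Because that location and each `if` declare their own `add_header`, nginx does not inherit the server-level `X-Frame-Options`, `X-Content-Type-Options` and HSTS headers there, so they need repeating or moving into a shared include. The same CORS block appears at the end of the preceding file in this commit, whose hunk starts outside this view.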