soroushdes/flatrender
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
flatrender/deploy/mirror-nginx-flatrender.conf
T
soroush.asadi ec51e87d2d feat(payment): standalone ZarinPal broker on pay.flatrender.ir 
A generic multi-client payment gateway so FlatRender, meezi.ir and
bargevasat.ir can all pay through ZarinPal's single verified callback
domain (pay.flatrender.ir).

New Go service services/payment (clones the notification skeleton +
vendored deps):
- migration 31_payment_broker.sql — `payment` schema: client_apps,
  transactions, webhook_deliveries.
- ZarinPal v4 client ported from the proven identity PaymentService
  (request.json -> StartPay -> verify.json; codes 100/101).
- client API: POST /v1/pay/request + /v1/pay/inquiry, authed by
  X-Api-Key + HMAC body signature; GET /callback/zarinpal (the single
  verified endpoint) verifies, then 302s the user back to the site's
  return_url (signed) and fires a signed, retried webhook.
- per-client ZarinPal merchant override (default = shared merchant);
  amount stored canonically in Rial, unit to ZarinPal env-configurable.
- admin API /v1/admin/* (FlatRender admin JWT): client-app CRUD +
  key issue/rotate + transactions list.

Deploy wiring: payment-svc in docker-compose.v2.yml (host port 1607),
pay.flatrender.ir server block in mirror-nginx conf, ENV_FILE +
README updates (cert SAN + manual migration note).

Admin UI: src/components/admin/PaymentsAdmin.tsx (client apps with
one-time key reveal + rotate, transactions table) + /admin/payments
page + nav link + fa/en strings; pay-admin proxy route to payment-svc.

Docs/SDK: deploy/PAYMENTS.md (integration contract) + deploy/sdk/flatpay.js
(zero-dep Node client + webhook verifier) for meezi/any site.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 23:59:54 +03:30

110 lines
5.1 KiB
Plaintext
Raw Permalink Blame History

# ==========================================================================
# FlatRender — flatrender.ir (add inside the http{} block of mirror-nginx)
#
# Routes the three public domains to the FlatRender host ports on 171.22.25.73
# (FRONTEND_PORT / GATEWAY_PORT / MINIO_PORT from the deploy ENV_FILE).
#
# The mirror-nginx config file lives on the HOST at /root/mirror-server/nginx/nginx.conf
# (bind-mounted read-only into the container). Add these blocks there.
#
# ⚠️ CERT-MOUNT TRAP: mirror-nginx mounts cert dirs INDIVIDUALLY
# (/etc/ssl/{soroushasadi,meezi,...}). A new /etc/ssl/soroushasadi/flatrender/ on the host is
# INVISIBLE inside the container → nginx -t "cannot load certificate". So NEST the
# flatrender cert under an already-mounted dir:
# mkdir -p /etc/ssl/soroushasadi/flatrender
# cp <cert>/fullchain.pem <cert>/privateKey.pem /etc/ssl/soroushasadi/flatrender/
# The cert must cover flatrender.ir + api. + storage. (wildcard *.flatrender.ir + apex,
# or a SAN cert).
#
# ⚠️ After editing nginx.conf with `sed -i` (which replaces the file inode), the
# running container keeps the OLD inode → you must RESTART, not just reload:
# docker restart mirror-nginx # ~3s blip for all sites
# A plain edit that keeps the inode + reload is fine:
# docker exec mirror-nginx nginx -t && docker exec mirror-nginx nginx -s reload
#
# Test routing locally (bypasses DNS):
# curl -sk --resolve flatrender.ir:443:127.0.0.1 https://flatrender.ir/ | head -c 60
# # must show: <!DOCTYPE html><html lang="fa" dir="rtl">
# ==========================================================================
server {
listen 80;
server_name flatrender.ir www.flatrender.ir api.flatrender.ir storage.flatrender.ir pay.flatrender.ir;
return 301 https://$host$request_uri;
}
# ── Site (Next.js frontend → FRONTEND_PORT) ───────────────────────────────
server {
listen 443 ssl; http2 on;
server_name flatrender.ir www.flatrender.ir;
client_max_body_size 25m;
ssl_certificate /etc/ssl/soroushasadi/flatrender/fullchain.pem;
ssl_certificate_key /etc/ssl/soroushasadi/flatrender/privateKey.pem;
location / {
proxy_pass http://171.22.25.73:1600;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
# ── API gateway (→ GATEWAY_PORT) ──────────────────────────────────────────
server {
listen 443 ssl; http2 on;
server_name api.flatrender.ir;
client_max_body_size 512m; # large uploads routed through the gateway
ssl_certificate /etc/ssl/soroushasadi/flatrender/fullchain.pem;
ssl_certificate_key /etc/ssl/soroushasadi/flatrender/privateKey.pem;
location / {
proxy_pass http://171.22.25.73:1605;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade; # render-progress WebSocket
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 3600s;
}
}
# ── MinIO storage (→ MINIO_PORT) ──────────────────────────────────────────
server {
listen 443 ssl; http2 on;
server_name storage.flatrender.ir;
client_max_body_size 512m;
ssl_certificate /etc/ssl/soroushasadi/flatrender/fullchain.pem;
ssl_certificate_key /etc/ssl/soroushasadi/flatrender/privateKey.pem;
location / {
proxy_pass http://171.22.25.73:1610;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# ── Payment broker (→ PAY_PORT) — pay.flatrender.ir ───────────────────────
# The single ZarinPal-verified callback domain. ZarinPal redirects users to
# pay.flatrender.ir/callback/zarinpal; the broker then bounces them to the
# originating site's return_url. Must NOT be cached by any upstream CDN.
server {
listen 443 ssl; http2 on;
server_name pay.flatrender.ir;
client_max_body_size 5m;
ssl_certificate /etc/ssl/soroushasadi/flatrender/fullchain.pem;
ssl_certificate_key /etc/ssl/soroushasadi/flatrender/privateKey.pem;
location / {
proxy_pass http://171.22.25.73:1607;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Reference in New Issue View Git Blame Copy Permalink