Fix CAA production deployment with SSL/TLS configuration

- Add nginx reverse proxy with SSL termination (nginx/nginx.conf)
- Create production docker-compose with certbot for auto-renewal
- Fix insecure CORS policy (wildcards -> configurable origins)
- Add security headers middleware (HSTS, CSP, X-Frame-Options, etc.)
- Add trusted host middleware to prevent host header attacks
- Create comprehensive SSL/CAA setup documentation
- Update .env.example with production security variables
- Add .gitignore entries to protect SSL certificates

.env.example

@@ -41,6 +41,19 @@ VECTOR_DB_TYPE=pinecone
 API_HOST=0.0.0.0
 API_PORT=8000
 
+# Production SSL/Security Configuration
+# Set these for production deployment (see docs/markdowns/SSL_CAA_SETUP.md)
+PRODUCTION=false
+HTTPS_ONLY=false
+
+# Domain configuration - comma-separated list of allowed hosts
+# Example: TRUSTED_HOSTS=yourdomain.com,www.yourdomain.com
+TRUSTED_HOSTS=*
+
+# CORS Origins - comma-separated list of allowed origins
+# Example: ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
+ALLOWED_ORIGINS=*
+
 # Disable telemetry and warnings
 TOKENIZERS_PARALLELISM=false
 ANONYMIZED_TELEMETRY=false

.gitignore

@@ -33,4 +33,16 @@ venv/
 env/
 ENV/
 data/hackathon_data
-docs/beatbyteai_id_rsa
+docs/beatbyteai_id_rsa
+
+# SSL Certificates (never commit actual certs)
+nginx/ssl/*.pem
+nginx/ssl/*.crt
+nginx/ssl/*.key
+nginx/ssl/live/
+nginx/ssl/archive/
+!nginx/ssl/.gitkeep
+
+# Certbot data
+certbot/conf/
+!certbot/www/.gitkeep

app/main.py

@@ -17,8 +17,11 @@ import fitz  # PyMuPDF
 from PIL import Image
 from fastapi import FastAPI, HTTPException, File, UploadFile, Request
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware.trustedhost import TrustedHostMiddleware
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
+from fastapi.responses import Response
+from starlette.middleware.base import BaseHTTPMiddleware
 from pydantic import BaseModel
 from dotenv import load_dotenv
 from openai import AzureOpenAI
@@ -35,13 +38,42 @@ app = FastAPI(
     version="1.0.0"
 )
 
-# CORS middleware
+# Security Headers Middleware for production
+class SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    """Add security headers to all responses for production deployment."""
+
+    async def dispatch(self, request: Request, call_next):
+        response = await call_next(request)
+
+        # Only add security headers in production (when HTTPS is enabled)
+        if os.getenv("PRODUCTION", "false").lower() == "true":
+            response.headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains; preload"
+            response.headers["X-Content-Type-Options"] = "nosniff"
+            response.headers["X-Frame-Options"] = "SAMEORIGIN"
+            response.headers["X-XSS-Protection"] = "1; mode=block"
+            response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+            response.headers["Permissions-Policy"] = "geolocation=(), microphone=(), camera=()"
+
+        return response
+
+# Add security headers middleware
+app.add_middleware(SecurityHeadersMiddleware)
+
+# Trusted Host Middleware for production (prevents host header attacks)
+trusted_hosts = os.getenv("TRUSTED_HOSTS", "*").split(",")
+if trusted_hosts != ["*"]:
+    app.add_middleware(TrustedHostMiddleware, allowed_hosts=trusted_hosts)
+
+# CORS middleware - configurable for production
+# In production, set ALLOWED_ORIGINS environment variable to your domain(s)
+# Example: ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
+allowed_origins = os.getenv("ALLOWED_ORIGINS", "*").split(",")
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=allowed_origins if allowed_origins != ["*"] else ["*"],
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "OPTIONS"],
+    allow_headers=["Content-Type", "Authorization", "X-Requested-With"],
 )
 
 # Mount static files and templates

certbot/www/.gitkeep

@@ -0,0 +1,2 @@
+# Certbot webroot directory for ACME challenges
+# This directory is used by Let's Encrypt for domain validation

docker-compose.prod.yml

@@ -0,0 +1,96 @@
+# SOCAR AI System - Production Docker Compose with SSL/TLS Support
+# This configuration includes nginx reverse proxy with SSL termination
+#
+# Prerequisites:
+# 1. Set up CAA DNS records for your domain (see docs/markdowns/SSL_CAA_SETUP.md)
+# 2. Generate SSL certificates using certbot or your CA
+# 3. Copy certificates to ./nginx/ssl/
+#
+# Usage:
+#   docker-compose -f docker-compose.prod.yml up -d
+
+version: '3.8'
+
+services:
+  # Nginx reverse proxy with SSL termination
+  nginx:
+    image: nginx:alpine
+    container_name: socar-nginx
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./nginx/ssl:/etc/nginx/ssl:ro
+      - ./certbot/www:/var/www/certbot:ro
+    depends_on:
+      socar-ai-system:
+        condition: service_healthy
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:80/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    networks:
+      - socar-network
+    labels:
+      - "com.socar.service=nginx-proxy"
+      - "com.socar.ssl=enabled"
+
+  # Certbot for automatic SSL certificate renewal (Let's Encrypt)
+  certbot:
+    image: certbot/certbot:latest
+    container_name: socar-certbot
+    volumes:
+      - ./nginx/ssl:/etc/letsencrypt:rw
+      - ./certbot/www:/var/www/certbot:rw
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    networks:
+      - socar-network
+    labels:
+      - "com.socar.service=certbot"
+      - "com.socar.purpose=ssl-renewal"
+
+  # Main SOCAR AI System
+  socar-ai-system:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: socar-ai-system
+    # Only expose internally to nginx (not to host)
+    expose:
+      - "8000"
+    env_file:
+      - .env
+    environment:
+      - PYTHONUNBUFFERED=1
+      - PRODUCTION=true
+      - HTTPS_ONLY=true
+      - TRUSTED_HOSTS=${TRUSTED_HOSTS:-localhost}
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    networks:
+      - socar-network
+    labels:
+      - "com.socar.description=SOCAR Historical Documents AI System"
+      - "com.socar.features=OCR,LLM,Frontend"
+      - "com.socar.version=1.0.0"
+      - "com.socar.environment=production"
+
+networks:
+  socar-network:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.28.0.0/16
+
+# Volume for persistent SSL certificates
+volumes:
+  ssl-certs:
+    driver: local

nginx/nginx.conf

@@ -0,0 +1,102 @@
+# SOCAR AI System - Production Nginx Configuration with SSL/TLS
+# This configuration provides SSL termination and reverse proxy for production
+
+upstream socar_backend {
+    server socar-ai-system:8000;
+    keepalive 32;
+}
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    # ACME challenge location for Let's Encrypt/certbot
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# HTTPS server block
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name _;
+
+    # SSL Certificate Configuration
+    # For production: Use Let's Encrypt or your CA certificates
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+    # SSL Configuration - Modern settings for security
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # SSL Session settings
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    # OCSP Stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;" always;
+
+    # Logging
+    access_log /var/log/nginx/socar_access.log;
+    error_log /var/log/nginx/socar_error.log;
+
+    # Client settings
+    client_max_body_size 100M;
+    client_body_buffer_size 10M;
+
+    # Proxy settings for API
+    location / {
+        proxy_pass http://socar_backend;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeouts for long-running LLM requests
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 120s;
+        proxy_read_timeout 120s;
+    }
+
+    # Static files with caching
+    location /static/ {
+        proxy_pass http://socar_backend;
+        proxy_cache_valid 200 1d;
+        add_header Cache-Control "public, max-age=86400";
+    }
+
+    # Health check endpoint (no caching)
+    location /health {
+        proxy_pass http://socar_backend;
+        proxy_cache_bypass 1;
+        add_header Cache-Control "no-cache, no-store, must-revalidate";
+    }
+}

nginx/ssl/.gitkeep

@@ -0,0 +1,8 @@
+# SSL certificates directory
+# Place your SSL certificates here:
+# - fullchain.pem: Your full certificate chain
+# - privkey.pem: Your private key
+#
+# See docs/markdowns/SSL_CAA_SETUP.md for setup instructions
+#
+# IMPORTANT: Never commit actual certificate files to git!