+14
-7
@@ -1,14 +1,20 @@
|
||||
FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
|
||||
ARG BUILD_CONFIGURATION=Release
|
||||
WORKDIR /src/api
|
||||
WORKDIR /src
|
||||
|
||||
# Copy the project file and restore first to leverage Docker layer caching
|
||||
COPY api.csproj ./
|
||||
RUN dotnet restore api.csproj
|
||||
COPY api/api.csproj api/
|
||||
COPY api-models/api-models.csproj api-models/
|
||||
COPY cv-matcher-api-models/cv-matcher-api-models.csproj cv-matcher-api-models/
|
||||
COPY startup-helpers/startup-helpers.csproj startup-helpers/startup-helpers/
|
||||
|
||||
# Copy only the api project files to avoid bringing other projects into the build context
|
||||
COPY . ./
|
||||
RUN dotnet publish api.csproj -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false
|
||||
RUN dotnet restore api/api.csproj
|
||||
|
||||
COPY api/ api/
|
||||
COPY api-models/ api-models/
|
||||
COPY cv-matcher-api-models/ cv-matcher-api-models/
|
||||
COPY startup-helpers/ startup-helpers/
|
||||
|
||||
RUN dotnet publish api/api.csproj -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false
|
||||
|
||||
FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS final
|
||||
WORKDIR /app
|
||||
@@ -16,4 +22,5 @@ EXPOSE 8080
|
||||
ENV ASPNETCORE_URLS=http://0.0.0.0:8080
|
||||
|
||||
COPY --from=build /app/publish .
|
||||
|
||||
ENTRYPOINT ["dotnet", "api.dll"]
|
||||
+24
-335
@@ -1,75 +1,27 @@
|
||||
using Models.Settings;
|
||||
using System.Reflection;
|
||||
using Api.Services;
|
||||
using Api.Services.Contracts;
|
||||
using Azure.Identity;
|
||||
using Microsoft.AspNetCore.HttpOverrides;
|
||||
using Serilog;
|
||||
using System.Reflection;
|
||||
using System.Threading.RateLimiting;
|
||||
using Models.Settings;
|
||||
using Refit;
|
||||
using Serilog;
|
||||
using StartupHelpers;
|
||||
|
||||
StartupExtensions.LoadDotEnvFile();
|
||||
|
||||
// Load .env file if it exists (for local development)
|
||||
DotNetEnv.Env.Load();
|
||||
const string ServiceName = "api";
|
||||
var appVersion = StartupExtensions.GetApplicationVersion(Assembly.GetExecutingAssembly());
|
||||
|
||||
try
|
||||
{
|
||||
|
||||
var builder = WebApplication.CreateBuilder(args);
|
||||
var appVersion =
|
||||
Assembly.GetExecutingAssembly()
|
||||
.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?
|
||||
.InformationalVersion
|
||||
?? Assembly.GetExecutingAssembly().GetName().Version?.ToString()
|
||||
?? "unknown";
|
||||
|
||||
builder.ConfigureJsonSerilog(ServiceName, appVersion);
|
||||
Log.Information("Starting {Service} version {AppVersion}", ServiceName, appVersion);
|
||||
|
||||
builder.Host.UseSerilog((context, services, configuration) =>
|
||||
{
|
||||
configuration
|
||||
.ReadFrom.Configuration(context.Configuration)
|
||||
.ReadFrom.Services(services)
|
||||
.Enrich.FromLogContext()
|
||||
.Enrich.WithMachineName()
|
||||
.Enrich.WithEnvironmentName()
|
||||
.Enrich.WithProperty("AppVersion", appVersion)
|
||||
.WriteTo.Console(new Serilog.Formatting.Json.JsonFormatter());
|
||||
});
|
||||
builder.AddAzureKeyVaultIfConfigured();
|
||||
|
||||
Log.Information("Starting API version {AppVersion}", appVersion);
|
||||
|
||||
// --------------------
|
||||
// Azure Key Vault Configuration
|
||||
// --------------------
|
||||
var keyVaultUri = builder.Configuration["KeyVault:VaultUri"];
|
||||
var keyVaultEnabled = builder.Configuration.GetValue<bool>("KeyVault:Enabled");
|
||||
|
||||
if (keyVaultEnabled && !string.IsNullOrWhiteSpace(keyVaultUri))
|
||||
{
|
||||
Log.Information("Loading configuration from Azure Key Vault: {VaultUri}", keyVaultUri);
|
||||
|
||||
try
|
||||
{
|
||||
builder.Configuration.AddAzureKeyVault(
|
||||
new Uri(keyVaultUri),
|
||||
new DefaultAzureCredential());
|
||||
|
||||
Log.Information("Azure Key Vault configuration loaded successfully");
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Log.Warning(ex, "Failed to load Azure Key Vault configuration. Continuing with other configuration sources.");
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
Log.Information("Azure Key Vault is disabled or not configured");
|
||||
}
|
||||
|
||||
// Controllers
|
||||
builder.Services.AddControllers();
|
||||
|
||||
// Options
|
||||
builder.Services.Configure<GoogleSettings>(builder.Configuration.GetSection("Google"));
|
||||
builder.Services.Configure<ContactSettings>(builder.Configuration.GetSection("Contact"));
|
||||
builder.Services.Configure<SubscribeSettings>(builder.Configuration.GetSection("Subscribe"));
|
||||
@@ -77,18 +29,19 @@ try
|
||||
builder.Services.Configure<CaptchaSettings>(builder.Configuration.GetSection("Captcha"));
|
||||
builder.Services.Configure<FileStorageSettings>(builder.Configuration.GetSection("FileStorage"));
|
||||
|
||||
// Services
|
||||
builder.Services.AddHttpClient<ICaptchaVerifier, RecaptchaVerifier>();
|
||||
builder.Services.AddSingleton<IEmailSender, SmtpEmailSender>();
|
||||
builder.Services.AddSingleton<Microsoft.AspNetCore.StaticFiles.IContentTypeProvider, Microsoft.AspNetCore.StaticFiles.FileExtensionContentTypeProvider>();
|
||||
|
||||
// Refit client for CvMatcher API
|
||||
builder.Services.AddRefitClient<Api.Clients.Api.Contracts.ICvMatcherApi>()
|
||||
.ConfigureHttpClient((sp, client) =>
|
||||
{
|
||||
var config = sp.GetRequiredService<IConfiguration>();
|
||||
var baseUrl = config["CvMatcherApi:BaseUrl"] ?? string.Empty;
|
||||
if (!string.IsNullOrWhiteSpace(baseUrl)) client.BaseAddress = new Uri(baseUrl.TrimEnd('/') + "/");
|
||||
if (!string.IsNullOrWhiteSpace(baseUrl))
|
||||
{
|
||||
client.BaseAddress = new Uri(baseUrl.TrimEnd('/') + "/");
|
||||
}
|
||||
|
||||
var key = config["CvMatcherApi:InternalApiKey"];
|
||||
if (!string.IsNullOrWhiteSpace(key) && !client.DefaultRequestHeaders.Contains("X-Internal-Api-Key"))
|
||||
@@ -97,299 +50,35 @@ try
|
||||
}
|
||||
});
|
||||
|
||||
// Swagger
|
||||
builder.Services.AddEndpointsApiExplorer();
|
||||
builder.Services.AddSwaggerGen(options =>
|
||||
{
|
||||
// Include XML comments (enable <GenerateDocumentationFile> in csproj)
|
||||
var xmlFile = (Assembly.GetExecutingAssembly().GetName().Name ?? "Api") + ".xml";
|
||||
var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
|
||||
if (File.Exists(xmlPath)) options.IncludeXmlComments(xmlPath);
|
||||
|
||||
// Enable annotations like [SwaggerOperation], [SwaggerResponse]
|
||||
options.EnableAnnotations();
|
||||
});
|
||||
|
||||
// If you're behind Caddy / reverse proxy
|
||||
builder.Services.Configure<ForwardedHeadersOptions>(options =>
|
||||
{
|
||||
options.ForwardedHeaders =
|
||||
ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
|
||||
|
||||
// use the normalized header Caddy sends upstream.
|
||||
options.ForwardedForHeaderName = "X-Real-IP";
|
||||
|
||||
options.KnownIPNetworks.Clear();
|
||||
options.KnownProxies.Clear();
|
||||
|
||||
options.ForwardLimit = 1;
|
||||
});
|
||||
|
||||
// --------------------
|
||||
// CORS (lock it down)
|
||||
// --------------------
|
||||
// Configure allowed origins via config/env var.
|
||||
// Example env var in Docker: Cors__AllowedOrigins__0=https://app.yourdomain.com
|
||||
var allowedOrigins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
|
||||
|
||||
builder.Services.AddCors(options =>
|
||||
{
|
||||
options.AddPolicy("FrontendOnly", policy =>
|
||||
{
|
||||
// If none configured, fail closed: allow nothing.
|
||||
if (allowedOrigins.Length > 0)
|
||||
{
|
||||
policy.WithOrigins(allowedOrigins)
|
||||
.WithMethods("POST", "OPTIONS") // contact form only
|
||||
.WithHeaders("Content-Type") // keep minimal
|
||||
.SetPreflightMaxAge(TimeSpan.FromHours(1));
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
// --------------------
|
||||
// Rate Limiting
|
||||
// --------------------
|
||||
// Two layers:
|
||||
// 1) A global limiter (keeps random traffic sane).
|
||||
// 2) A stricter policy for /api/contact.
|
||||
builder.Services.AddRateLimiter(options =>
|
||||
{
|
||||
// Global: per IP, moderate
|
||||
options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
|
||||
{
|
||||
var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
|
||||
return RateLimitPartition.GetFixedWindowLimiter(
|
||||
partitionKey: ip,
|
||||
factory: _ => new FixedWindowRateLimiterOptions
|
||||
{
|
||||
PermitLimit = 120, // 120 req
|
||||
Window = TimeSpan.FromMinutes(1), // per minute
|
||||
QueueLimit = 0,
|
||||
AutoReplenishment = true
|
||||
}
|
||||
);
|
||||
});
|
||||
|
||||
// Policy: contact endpoint, stricter (per IP)
|
||||
options.AddPolicy("contact", httpContext =>
|
||||
{
|
||||
var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
|
||||
return RateLimitPartition.GetFixedWindowLimiter(
|
||||
partitionKey: ip,
|
||||
factory: _ => new FixedWindowRateLimiterOptions
|
||||
{
|
||||
PermitLimit = 5, // 5 submits
|
||||
Window = TimeSpan.FromMinutes(1), // per minute per IP
|
||||
QueueLimit = 0,
|
||||
AutoReplenishment = true
|
||||
}
|
||||
);
|
||||
});
|
||||
|
||||
// Policy: CV matcher, expensive because it calls AI APIs.
|
||||
options.AddPolicy("cv-matcher", httpContext =>
|
||||
{
|
||||
var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
|
||||
return RateLimitPartition.GetFixedWindowLimiter(
|
||||
partitionKey: ip,
|
||||
factory: _ => new FixedWindowRateLimiterOptions
|
||||
{
|
||||
PermitLimit = 10,
|
||||
Window = TimeSpan.FromMinutes(10),
|
||||
QueueLimit = 0,
|
||||
AutoReplenishment = true
|
||||
}
|
||||
);
|
||||
});
|
||||
|
||||
options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
|
||||
|
||||
options.OnRejected = async (context, ct) =>
|
||||
{
|
||||
var logger = context.HttpContext.RequestServices
|
||||
.GetRequiredService<ILogger<Program>>();
|
||||
|
||||
var ip = context.HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
|
||||
var endpoint = context.HttpContext.Request.Path;
|
||||
|
||||
logger.LogWarning(
|
||||
"Rate limit exceeded for {Endpoint} from IP {IP}",
|
||||
endpoint, ip
|
||||
);
|
||||
|
||||
// Small, bot-unfriendly response
|
||||
context.HttpContext.Response.ContentType = "application/json";
|
||||
await context.HttpContext.Response.WriteAsync(
|
||||
"""{"error":"Too many requests. Try again later."}""",
|
||||
ct
|
||||
);
|
||||
};
|
||||
});
|
||||
builder.Services.AddSwaggerWithXmlComments(Assembly.GetExecutingAssembly(), "API");
|
||||
builder.Services.ConfigureCaddyForwardedHeaders();
|
||||
builder.Services.AddFrontendCorsFromConfiguration(builder.Configuration);
|
||||
builder.Services.AddPublicApiRateLimiting();
|
||||
|
||||
var app = builder.Build();
|
||||
|
||||
var logger = app.Services.GetRequiredService<ILogger<Program>>();
|
||||
logger.LogInformation("API starting up...");
|
||||
logger.LogInformation("Environment: {Environment}", app.Environment.EnvironmentName);
|
||||
app.LogStartupDiagnostics(ServiceName);
|
||||
|
||||
// Log all environment variables and configuration settings at startup
|
||||
// Can be controlled via appsettings: "LogEnvironmentOnStartup": true
|
||||
var logEnvironmentOnStartup = app.Configuration.GetValue<bool>("LogEnvironmentOnStartup", defaultValue: true);
|
||||
if (logEnvironmentOnStartup)
|
||||
{
|
||||
LogEnvironmentSettings(logger, app.Configuration, app.Environment);
|
||||
}
|
||||
|
||||
// Forwarded headers must be early in the pipeline
|
||||
app.UseForwardedHeaders();
|
||||
|
||||
// Add Serilog request logging
|
||||
app.UseSerilogRequestLogging(options =>
|
||||
{
|
||||
options.MessageTemplate =
|
||||
"HTTP {RequestMethod} {RequestPath} responded {StatusCode} in {Elapsed:0.0000} ms";
|
||||
|
||||
options.EnrichDiagnosticContext = (diagnosticContext, httpContext) =>
|
||||
{
|
||||
diagnosticContext.Set("RequestHost", httpContext.Request.Host.Value);
|
||||
diagnosticContext.Set("RequestScheme", httpContext.Request.Scheme);
|
||||
diagnosticContext.Set("RemoteIP", httpContext.Connection.RemoteIpAddress?.ToString());
|
||||
diagnosticContext.Set("UserAgent", httpContext.Request.Headers.UserAgent.ToString());
|
||||
diagnosticContext.Set("XRealIP", httpContext.Request.Headers["X-Real-IP"].ToString());
|
||||
diagnosticContext.Set("XForwardedFor", httpContext.Request.Headers["X-Forwarded-For"].ToString());
|
||||
};
|
||||
});
|
||||
|
||||
// Swagger (typically only in Development)
|
||||
if (app.Environment.IsDevelopment())
|
||||
{
|
||||
app.UseSwagger();
|
||||
app.UseSwaggerUI(options =>
|
||||
{
|
||||
options.DocumentTitle = "API";
|
||||
options.SwaggerEndpoint("/swagger/v1/swagger.json", "API v1");
|
||||
options.RoutePrefix = "swagger"; // /swagger
|
||||
});
|
||||
}
|
||||
app.UseDefaultSerilogRequestLogging(includeProxyHeaders: true);
|
||||
app.UseSwaggerInDevelopment("API", "API");
|
||||
|
||||
app.UseHttpsRedirection();
|
||||
|
||||
app.UseAuthorization();
|
||||
|
||||
app.UseRouting();
|
||||
|
||||
app.UseCors("FrontendOnly");
|
||||
|
||||
app.UseRateLimiter();
|
||||
|
||||
app.MapControllers();
|
||||
|
||||
logger.LogInformation("API startup complete. Listening for requests...");
|
||||
|
||||
Log.Information("{Service} startup complete. Listening for requests...", ServiceName);
|
||||
app.Run();
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Log.Fatal(ex, "Application terminated unexpectedly");
|
||||
Log.Fatal(ex, "{Service} terminated unexpectedly", ServiceName);
|
||||
}
|
||||
finally
|
||||
{
|
||||
Log.Information("Shutting down API...");
|
||||
Log.Information("Shutting down {Service}", ServiceName);
|
||||
Log.CloseAndFlush();
|
||||
}
|
||||
|
||||
static void LogEnvironmentSettings(Microsoft.Extensions.Logging.ILogger logger, IConfiguration configuration, IWebHostEnvironment environment)
|
||||
{
|
||||
logger.LogInformation("==================== ENVIRONMENT SETTINGS ====================");
|
||||
|
||||
// Environment Information
|
||||
logger.LogInformation("Application Name: {ApplicationName}", environment.ApplicationName);
|
||||
logger.LogInformation("Environment Name: {EnvironmentName}", environment.EnvironmentName);
|
||||
logger.LogInformation("Content Root Path: {ContentRootPath}", environment.ContentRootPath);
|
||||
logger.LogInformation("Web Root Path: {WebRootPath}", environment.WebRootPath);
|
||||
|
||||
// Environment Variables
|
||||
logger.LogInformation("-------------- Environment Variables --------------");
|
||||
var envVars = Environment.GetEnvironmentVariables();
|
||||
var sortedEnvVars = new SortedDictionary<string, string?>();
|
||||
|
||||
foreach (System.Collections.DictionaryEntry entry in envVars)
|
||||
{
|
||||
var key = entry.Key?.ToString() ?? string.Empty;
|
||||
var value = entry.Value?.ToString() ?? string.Empty;
|
||||
|
||||
// Mask sensitive values (passwords, secrets, tokens, keys) but show last 4 characters
|
||||
if (IsSensitiveKey(key))
|
||||
{
|
||||
value = MaskValueWithLastChars(value);
|
||||
}
|
||||
|
||||
sortedEnvVars[key] = value;
|
||||
}
|
||||
|
||||
foreach (var kvp in sortedEnvVars)
|
||||
{
|
||||
logger.LogInformation(" {Key} = {Value}", kvp.Key, kvp.Value);
|
||||
}
|
||||
|
||||
// Configuration Settings
|
||||
logger.LogInformation("-------------- Configuration Settings --------------");
|
||||
LogConfigurationRecursive(logger, configuration.GetChildren(), "");
|
||||
|
||||
logger.LogInformation("===========================================================");
|
||||
}
|
||||
|
||||
static void LogConfigurationRecursive(Microsoft.Extensions.Logging.ILogger logger, IEnumerable<IConfigurationSection> sections, string prefix)
|
||||
{
|
||||
foreach (var section in sections)
|
||||
{
|
||||
var key = string.IsNullOrEmpty(prefix) ? section.Key : $"{prefix}:{section.Key}";
|
||||
|
||||
if (section.Value != null)
|
||||
{
|
||||
var value = section.Value;
|
||||
|
||||
// Mask sensitive configuration values but show last 4 characters
|
||||
if (IsSensitiveKey(key))
|
||||
{
|
||||
value = MaskValueWithLastChars(value);
|
||||
}
|
||||
|
||||
logger.LogInformation(" {Key} = {Value}", key, value);
|
||||
}
|
||||
|
||||
// Recurse into child sections
|
||||
if (section.GetChildren().Any())
|
||||
{
|
||||
LogConfigurationRecursive(logger, section.GetChildren(), key);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static bool IsSensitiveKey(string key)
|
||||
{
|
||||
return key.Contains("Password", StringComparison.OrdinalIgnoreCase) ||
|
||||
key.Contains("Secret", StringComparison.OrdinalIgnoreCase) ||
|
||||
key.Contains("Token", StringComparison.OrdinalIgnoreCase) ||
|
||||
key.Contains("Key", StringComparison.OrdinalIgnoreCase) ||
|
||||
key.Contains("ConnectionString", StringComparison.OrdinalIgnoreCase);
|
||||
}
|
||||
|
||||
static string MaskValueWithLastChars(string value)
|
||||
{
|
||||
if (string.IsNullOrEmpty(value))
|
||||
{
|
||||
return "***NOT SET***";
|
||||
}
|
||||
|
||||
// If value is too short, just mask it completely
|
||||
if (value.Length <= 4)
|
||||
{
|
||||
return "***MASKED***";
|
||||
}
|
||||
|
||||
// Show last 4 characters
|
||||
var lastChars = value.Substring(value.Length - 4);
|
||||
return $"***MASKED***...{lastChars}";
|
||||
}
|
||||
+2
-1
@@ -37,6 +37,7 @@
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\api-models\api-models.csproj" />
|
||||
<ProjectReference Include="..\cv-matcher-api-models\cv-matcher-api-models.csproj" />
|
||||
</ItemGroup>
|
||||
<ProjectReference Include="..\startup-helpers\startup-helpers.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
|
||||
Reference in New Issue
Block a user