feat(docker): add optional TLS/HTTPS support (#1896)

docker-compose.yml

@@ -156,6 +156,13 @@ services:
     ports:
       - "80:80"
       - "443:443"
+    volumes:
+      # Override nginx config at runtime (default: HTTP-only)
+      # For TLS: set AUTOBOT_NGINX_CONF=./docker/nginx/nginx-ssl.conf in .env
+      - ${AUTOBOT_NGINX_CONF:-./docker/nginx/nginx.conf}:/etc/nginx/nginx.conf:ro
+      # TLS certificates directory (mounted read-only)
+      # Generate dev certs: bash docker/certs/generate-self-signed.sh
+      - ${AUTOBOT_TLS_CERT_DIR:-./docker/certs}:/etc/nginx/certs:ro
     depends_on:
       - autobot-backend
       - autobot-slm

docker/.env.docker

@@ -81,5 +81,10 @@ AUTOBOT_DB_USER=autobot
 AUTOBOT_DB_PASSWORD=autobot
 AUTOBOT_DB_NAME=autobot_slm
 
+# --- TLS (optional) ---
+# To enable HTTPS, uncomment and run: bash docker/certs/generate-self-signed.sh
+# AUTOBOT_NGINX_CONF=./docker/nginx/nginx-ssl.conf
+# AUTOBOT_TLS_CERT_DIR=./docker/certs
+
 # --- Logging ---
 AUTOBOT_LOG_LEVEL=INFO

docker/certs/.gitignore

@@ -0,0 +1,5 @@
+# Generated TLS certificates — do not commit
+*.crt
+*.key
+*.pem
+!.gitignore

docker/certs/generate-self-signed.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# AutoBot - Self-Signed TLS Certificate Generator (#1896)
+# For development/testing only. Use proper CA certs in production.
+#
+# AutoBot - AI-Powered Automation Platform
+# Copyright (c) 2025 mrveiss
+# Author: mrveiss
+
+set -e
+
+CERT_DIR="$(cd "$(dirname "$0")" && pwd)"
+CERT_FILE="$CERT_DIR/autobot.crt"
+KEY_FILE="$CERT_DIR/autobot.key"
+
+if [ -f "$CERT_FILE" ] && [ -f "$KEY_FILE" ]; then
+    echo "Certificates already exist at $CERT_DIR"
+    echo "  Delete them first to regenerate."
+    exit 0
+fi
+
+echo "Generating self-signed TLS certificate..."
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+    -keyout "$KEY_FILE" \
+    -out "$CERT_FILE" \
+    -subj "/C=US/ST=Local/L=Local/O=AutoBot/CN=localhost" \
+    -addext "subjectAltName=DNS:localhost,DNS:autobot,IP:127.0.0.1"
+
+chmod 600 "$KEY_FILE"
+chmod 644 "$CERT_FILE"
+
+echo "Certificate generated:"
+echo "  Cert: $CERT_FILE"
+echo "  Key:  $KEY_FILE"

docker/nginx/nginx-ssl.conf

@@ -0,0 +1,134 @@
+# AutoBot nginx Configuration — TLS/HTTPS (#1896)
+# Use with: AUTOBOT_NGINX_CONF=./docker/nginx/nginx-ssl.conf
+#
+# AutoBot - AI-Powered Automation Platform
+# Copyright (c) 2025 mrveiss
+# Author: mrveiss
+
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent"';
+
+    access_log /var/log/nginx/access.log main;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    client_max_body_size 100M;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/javascript
+               text/xml application/xml application/xml+rss text/javascript
+               image/svg+xml;
+
+    # Upstream services
+    upstream backend {
+        server autobot-backend:8000;
+    }
+
+    upstream slm {
+        server autobot-slm:8000;
+    }
+
+    # HTTP -> HTTPS redirect
+    server {
+        listen 80;
+        server_name _;
+        return 301 https://$host$request_uri;
+    }
+
+    # HTTPS server
+    server {
+        listen 443 ssl;
+        server_name _;
+
+        ssl_certificate /etc/nginx/certs/autobot.crt;
+        ssl_certificate_key /etc/nginx/certs/autobot.key;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+
+        # Security headers
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Content-Type-Options nosniff always;
+        add_header X-Frame-Options SAMEORIGIN always;
+        add_header X-XSS-Protection "1; mode=block" always;
+
+        root /usr/share/nginx/html;
+        index index.html;
+
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        location /api/ {
+            proxy_pass http://backend/api/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 300s;
+            proxy_send_timeout 300s;
+        }
+
+        location /ws {
+            proxy_pass http://backend/ws;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_read_timeout 86400s;
+        }
+
+        location /slm/ {
+            proxy_pass http://slm/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location /slm/api/ {
+            proxy_pass http://slm/api/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 300s;
+        }
+
+        location /health {
+            access_log off;
+            return 200 '{"status":"ok"}';
+            add_header Content-Type application/json;
+        }
+
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+            try_files $uri =404;
+        }
+    }
+}