cloud-pi-native · iliesmrf · May 20, 2026 · May 20, 2026
diff --git a/.github/workflows/job-lint.yml b/.github/workflows/job-lint.yml
@@ -61,18 +61,32 @@ jobs:
           sudo apt-get update -qq
           sudo apt-get install -y --no-install-recommends nginx gettext-base
           # Préparer un répertoire de test isolé avec la config substituée
-          mkdir -p /tmp/nginx-test/conf.d /tmp/nginx-test/logs
+          mkdir -p /tmp/nginx-test/server_blocks /tmp/nginx-test/logs
           envsubst '${LEGACY_UPSTREAM} ${NESTJS_UPSTREAM}' \
             < apps/nginx-strangler/conf.d/routing.conf \
-            > /tmp/nginx-test/conf.d/routing.conf
-          # Adapter nginx.conf pour l'environnement CI (user www-data, paths accessibles)
-          sed \
-            -e 's|^user .*|user www-data;|' \
-            -e 's|pid .*|pid /tmp/nginx-test/nginx.pid;|' \
-            -e 's|error_log .*|error_log /tmp/nginx-test/logs/error.log notice;|' \
-            -e 's|access_log .*|access_log /tmp/nginx-test/logs/access.log main;|' \
-            -e 's|include /etc/nginx/conf\.d/\*\.conf|include /tmp/nginx-test/conf.d/*.conf|' \
-            apps/nginx-strangler/nginx.conf > /tmp/nginx-test/nginx.conf
+            > /tmp/nginx-test/server_blocks/routing.conf
+          # Créer un nginx.conf minimal pour la validation
+          cat > /tmp/nginx-test/nginx.conf <<'EOF'
+          user www-data;
+          worker_processes auto;
+          pid /tmp/nginx-test/nginx.pid;
+          error_log /tmp/nginx-test/logs/error.log notice;
+          events {
+              worker_connections 1024;
+          }
+          http {
+              include /etc/nginx/mime.types;
+              default_type application/octet-stream;
+              log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                              '$status $body_bytes_sent "$http_referer" '
+                              '"$http_user_agent" "$http_x_forwarded_for" '
+                              'upstream=$upstream_addr rt=$request_time';
+              access_log /tmp/nginx-test/logs/access.log main;
+              sendfile on;
+              keepalive_timeout 65;
+              include /tmp/nginx-test/server_blocks/*.conf;
+          }
+          EOF
           nginx -t -c /tmp/nginx-test/nginx.conf
         env:
           LEGACY_UPSTREAM: "127.0.0.1:8080"

diff --git a/apps/nginx-strangler/Dockerfile b/apps/nginx-strangler/Dockerfile
@@ -1,36 +1,13 @@
-FROM nginx:1.27-alpine AS prod
+FROM docker.io/bitnamilegacy/nginx:1.29.1 AS prod
 
-# envsubst est inclus dans nginx:alpine via le paquet gettext
-# On supprime la config par défaut
-RUN rm /etc/nginx/conf.d/default.conf
-
-# Config principale
-COPY apps/nginx-strangler/nginx.conf /etc/nginx/nginx.conf
+USER 0
 
 # Template de routing (sera substitué au démarrage)
-COPY apps/nginx-strangler/conf.d/routing.conf /etc/nginx/templates/routing.conf.template
-
-# Donner à l'utilisateur nginx les droits d'écriture sur conf.d/ (pour envsubst au démarrage)
-# et sur les répertoires de logs/pid nécessaires en mode non-root
-RUN chown -R nginx:nginx \
-      /etc/nginx/nginx.conf \
-      /etc/nginx/conf.d \
-      /etc/nginx/templates \
-      /etc/nginx/mime.types \
-      /var/cache/nginx \
-      /var/log/nginx \
-    && touch /var/run/nginx.pid \
-    && chown nginx:nginx /var/run/nginx.pid
-
-USER nginx
+COPY --chown=1001:0 --chmod=660 apps/nginx-strangler/conf.d/routing.conf /opt/bitnami/nginx/conf/server_blocks/routing.conf.template
 
-HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
-  CMD wget -qO- http://127.0.0.1:8080/health || exit 1
+# Script d'entrypoint pour substitution des variables
+COPY --chown=1001:0 --chmod=770 apps/nginx-strangler/entrypoint.sh /docker-entrypoint-initdb.d/load-routing.sh
 
-# Entrypoint : envsubst substitue les variables d'env dans les templates,
-# puis démarre nginx en foreground
-# Les variables substituées : LEGACY_UPSTREAM, NESTJS_UPSTREAM
-CMD ["/bin/sh", "-c", \
-  "envsubst '${LEGACY_UPSTREAM} ${NESTJS_UPSTREAM}' < /etc/nginx/templates/routing.conf.template > /etc/nginx/conf.d/routing.conf && nginx -t && nginx -g 'daemon off;'"]
+USER 1001
 
 EXPOSE 8080
diff --git a/apps/nginx-strangler/conf.d/routing.conf b/apps/nginx-strangler/conf.d/routing.conf
@@ -31,6 +31,9 @@ upstream server-nestjs {
 server {
     listen 8080;
 
+    # Taille des headers (nécessaire pour les tokens Keycloak)
+    large_client_header_buffers 4 32k;
+
     # Healthcheck de nginx-strangler lui-même
     location = /health {
       access_log off;

diff --git a/apps/nginx-strangler/entrypoint.sh b/apps/nginx-strangler/entrypoint.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Substitue les variables d'environnement dans le template de routing
+# Les variables substituées : LEGACY_UPSTREAM, NESTJS_UPSTREAM
+envsubst '${LEGACY_UPSTREAM} ${NESTJS_UPSTREAM}' \
+  < /opt/bitnami/nginx/conf/server_blocks/routing.conf.template \
+  > /opt/bitnami/nginx/conf/server_blocks/routing.conf
+
+echo "Routing configuration generated with:"
+echo "  LEGACY_UPSTREAM=${LEGACY_UPSTREAM}"
+echo "  NESTJS_UPSTREAM=${NESTJS_UPSTREAM}"
diff --git a/apps/nginx-strangler/nginx.conf b/apps/nginx-strangler/nginx.conf