diff --git a/data/conf.d/adminer.conf b/data/conf.d/adminer.conf
deleted file mode 100644
index 79f4cf4..0000000
--- a/data/conf.d/adminer.conf
+++ /dev/null
@@ -1,71 +0,0 @@
-upstream adminer_backend {
- server adminer:8080;
-
- # Keep up to 16 idle connections per worker
- keepalive 16;
-
- # Maximum time a connection can be idle
- keepalive_timeout 60s;
-
- # Maximum requests per keepalive connection
- keepalive_requests 100;
-}
-
-server {
- listen 80;
- listen [::]:80;
- server_name adminer.novicelab.io;
-
- # ACME challenge for Let's Encrypt certificate renewal
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
-
- location / {
- return 301 https://$server_name$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name adminer.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Logging
- access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined;
- error_log /var/log/nginx/adminer.novicelab.io_error.log debug;
-
- # set $adminer_backend adminer:8080;
-
- location / {
- proxy_pass http://adminer_backend;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/auth.conf b/data/conf.d/auth.conf
deleted file mode 100644
index 8eff435..0000000
--- a/data/conf.d/auth.conf
+++ /dev/null
@@ -1,85 +0,0 @@
-upstream keycloak_backend {
- server keycloak:80;
-
- # Keep up to 32 idle connections per worker
- keepalive 16;
-
- # Maximum time a connection can be idle
- keepalive_timeout 60s;
-
- # Maximum requests per keepalive connection
- keepalive_requests 100;
-}
-
-# Redirect HTTP to HTTPS
-server {
- listen 80;
- listen [::]:80;
- server_name auth.novicelab.io;
-
- # ACME challenge for Let's Encrypt certificate renewal
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
-
- location / {
- return 301 https://$server_name$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl; #
- server_name auth.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # SSL Protocol - TLS 1.2 and 1.3 only
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Logging
- access_log /var/log/nginx/auth.novicelab.io_access.log json_combined;
- error_log /var/log/nginx/auth.novicelab.io_error.log debug;
-
- # set $keycloak_backend keycloak:80;
-
- location / {
- # proxy_pass http://10.0.0.253:8085/auth/;
- proxy_pass http://keycloak_backend;
-
-
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Scheme $scheme;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Real-IP $remote_addr;
-
- proxy_set_header Accept-Encoding "";
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $http_connection;
- proxy_http_version 1.1;
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/book.conf b/data/conf.d/book.conf
deleted file mode 100644
index 2daf294..0000000
--- a/data/conf.d/book.conf
+++ /dev/null
@@ -1,76 +0,0 @@
-upstream bookstack_backend {
- # server 10.0.0.251:6875/;
- server bookstack:80;
-
- # Keep up to 32 idle connections per worker
- keepalive 16;
-
- # Maximum time a connection can be idle
- keepalive_timeout 60s;
-
- # Maximum requests per keepalive connection
- keepalive_requests 100;
-}
-
-# # Redirect HTTP to HTTPS
-server {
- listen 80;
- listen [::]:80;
- server_name book.novicelab.io;
-
- # ACME challenge for Let's Encrypt certificate renewal
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
-
- location / {
- return 301 https://$server_name$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name book.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # SSL Protocol - TLS 1.2 and 1.3 only
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Logging
- access_log /var/log/nginx/book.novicelab.io_access.log json_combined;
- error_log /var/log/nginx/book.novicelab.io_error.log debug;
-
- # set $bookstack_backend bookstack:80;
-
- location / {
- proxy_pass http://bookstack_backend;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/cluster.conf b/data/conf.d/cluster.conf
deleted file mode 100644
index 0436f79..0000000
--- a/data/conf.d/cluster.conf
+++ /dev/null
@@ -1,65 +0,0 @@
-upstream haproxy_backend {
- server 10.0.0.20:80;
- keepalive 32;
- keepalive_timeout 60s;
- keepalive_requests 100;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name *.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # SSL Protocol - TLS 1.2 and 1.3 only
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Logging
- access_log /var/log/nginx/*.novicelab.io_access.log json_combined;
- error_log /var/log/nginx/*.novicelab.io_error.log debug;
-
- location / {
- proxy_pass http://10.0.0.20:80;
- # proxy_pass http://haproxy_backend;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # Performance optimizations
- proxy_buffering off;
- proxy_request_buffering off;
- # Timeouts
- proxy_connect_timeout 300;
- proxy_send_timeout 300;
- proxy_read_timeout 300;
- send_timeout 300;
-
- client_max_body_size 0;
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/drone.conf b/data/conf.d/drone.conf
deleted file mode 100644
index 9945a81..0000000
--- a/data/conf.d/drone.conf
+++ /dev/null
@@ -1,63 +0,0 @@
-upstream drone_backend {
- server drone:80;
-
- # Keep up to 32 idle connections per worker
- keepalive 16;
-
- # Maximum time a connection can be idle
- keepalive_timeout 60s;
-
- # Maximum requests per keepalive connection
- keepalive_requests 100;
-}
-
-server {
- listen 80;
- server_name drone.novicelab.io;
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl;
- server_name drone.novicelab.io;
-
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_session_cache shared:SSL:10m;
-
- # Logging
- access_log /var/log/nginx/drone.novicelab.io_access.log;
- error_log /var/log/nginx/drone.novicelab.io_error.log;
-
- # Security headers
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # set $drone_backend drone:80;
-
- location / {
- proxy_pass http://drone_backend;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # WebSocket support for real-time updates
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- # Timeouts
- proxy_connect_timeout 300;
- proxy_send_timeout 300;
- proxy_read_timeout 300;
- send_timeout 300;
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/gitea.conf b/data/conf.d/gitea.conf
deleted file mode 100644
index 3954c49..0000000
--- a/data/conf.d/gitea.conf
+++ /dev/null
@@ -1,71 +0,0 @@
-upstream gitea_backend {
- server gitea:3000;
-
- # Keep up to 32 idle connections per worker
- keepalive 16;
-
- # Maximum time a connection can be idle
- keepalive_timeout 60s;
-
- # Maximum requests per keepalive connection
- keepalive_requests 100;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl; #
- server_name gitea.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # SSL Protocol - TLS 1.2 and 1.3 only
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Logging
- access_log /var/log/nginx/gitea.novicelab.io_access.log json_combined;
- error_log /var/log/nginx/gitea.novicelab.io_error.log debug;
-
- # set $gitea_backend gitea:3000;
-
- location / {
- proxy_pass http://gitea_backend;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # WebSocket support for real-time updates
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- # Timeouts
- proxy_connect_timeout 300;
- proxy_send_timeout 300;
- proxy_read_timeout 300;
- send_timeout 300;
- }
-
-}
\ No newline at end of file
diff --git a/data/conf.d/goaccess.conf b/data/conf.d/goaccess.conf
deleted file mode 100644
index a0b1bd2..0000000
--- a/data/conf.d/goaccess.conf
+++ /dev/null
@@ -1,76 +0,0 @@
-# upstream goaccess_backend {
-# server goaccess:7890;
-#
-# # Keep up to 32 idle connections per worker
-# keepalive 16;
-#
-# # Maximum time a connection can be idle
-# keepalive_timeout 60s;
-#
-# # Maximum requests per keepalive connection
-# keepalive_requests 100;
-# }
-
-server {
- listen 80;
- listen [::]:80;
- server_name goaccess.novicelab.io;
-
- # ACME challenge for Let's Encrypt certificate renewal
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
-
- location / {
- return 301 https://$server_name$request_uri;
- }
-}
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-# Server block for GoAccess dashboard
-server {
- listen 443 ssl; # http2;
- server_name goaccess.novicelab.io;
-
- # SSL configuration
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
- ssl_protocols TLSv1.3;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Logging
- access_log /var/log/nginx/goaccess.novicelab.io_access.log json_combined;
- error_log /var/log/nginx/goaccess.novicelab.io_error.log debug;
-
- set $goaccess_backend goaccess:7890;
-
- root /usr/share/nginx/html;
- index report.html;
-
- location / {
- try_files $uri $uri/ =404;
- }
-
- location /ws {
- proxy_pass http://$goaccess_backend;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- #enable ws upgrade
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/harbor.conf b/data/conf.d/harbor.conf
deleted file mode 100644
index 6a64e6e..0000000
--- a/data/conf.d/harbor.conf
+++ /dev/null
@@ -1,109 +0,0 @@
-# upstream harbor_backend {
-# server nginx-harbor:80;
-#
-# # Keep up to 32 idle connections per worker
-# keepalive 16;
-#
-# # Maximum time a connection can be idle
-# keepalive_timeout 60s;
-#
-# # Maximum requests per keepalive connection
-# keepalive_requests 100;
-# }
-
-server {
- listen 443 ssl; #http2;
- listen [::]:443 ssl; # http2;
- server_name harbor.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # SSL Protocol - TLS 1.2 and 1.3 only
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Logging
- access_log /var/log/nginx/harbor.novicelab.io_access.log json_combined;
- error_log /var/log/nginx/harbor.novicelab.io_error.log debug;
-
- # set $harbor_backend 10.0.0.251:9090;
- set $harbor_backend nginx-harbor:80;
-
- client_max_body_size 0;
-
- # Disable absolute redirects which often cause 301 loops
- absolute_redirect off;
-
- # Docker registry specific headers
- chunked_transfer_encoding on;
-
- location / {
- proxy_pass http://$harbor_backend;
- proxy_set_header Host $http_host;
-
- # WebSocket support for real-time updates
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- client_max_body_size 0;
-
- # Timeouts
- proxy_connect_timeout 300;
- proxy_send_timeout 300;
- proxy_read_timeout 300;
- send_timeout 300;
-
- proxy_set_header Authorization $http_authorization;
- proxy_pass_header Authorization;
-
- # Performance optimizations
- proxy_request_buffering off;
-
- proxy_buffering off;
- proxy_set_header Referer $http_referer;
- proxy_redirect off;
-
- proxy_set_header Cookie $http_cookie;
-
-
- # Optional: Increase buffers for large tokens/cookies
- proxy_busy_buffers_size 512k;
- proxy_buffers 4 512k;
- proxy_buffer_size 256k;
- }
-
- location /v2/ {
- # Do not allow Nginx to add/remove trailing slashes here
- proxy_pass http://$harbor_backend;
-
- proxy_set_header Host $http_host; # Important for Registry
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # Increase body size for image uploads
- client_max_body_size 0;
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/hugo.conf b/data/conf.d/hugo.conf
deleted file mode 100644
index 454ae79..0000000
--- a/data/conf.d/hugo.conf
+++ /dev/null
@@ -1,93 +0,0 @@
-upstream hugo_backend {
- # server hugo:1313;
- server 10.0.0.250:8000;
-
- # Keep up to 32 idle connections per worker
- keepalive 16;
-
- # Maximum time a connection can be idle
- keepalive_timeout 60s;
-
- # Maximum requests per keepalive connection
- keepalive_requests 100;
-}
-
-# # Redirect HTTP to HTTPS
-server {
- listen 80;
- listen [::]:80;
- server_name novicelab.io www.novicelab.io x.y.novicelab.io;
-
- # ACME challenge for Let's Encrypt certificate renewal
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
-
- location / {
- return 301 https://$server_name$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl; #
- server_name novicelab.io www.novicelab.io x.y.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # SSL Protocol - TLS 1.2 and 1.3 only
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- # OCSP Stapling
- # ssl_stapling on;
- # ssl_stapling_verify on;
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Diffie-Hellman parameter for DHE ciphersuites
- # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-
- # Logging
- access_log /var/log/nginx/novicelab.io_access.log json_combined;
- error_log /var/log/nginx/novicelab.io_error.log debug;
-
- # include /etc/letsencrypt/options-ssl-nginx.conf;
- # set $hugo_backend hugo:1313;
-
- location / {
- # proxy_pass http://10.0.0.250:8000/;
- proxy_pass http://hugo_backend;
-
- proxy_set_header Host $host;
- # proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Real-IP $http_cf_connecting_ip;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https; # $scheme;
- proxy_set_header X-Forwarded-Host $host;
-
- proxy_buffering off;
- proxy_set_header Referer $http_referer;
- proxy_redirect off;
-
- proxy_set_header Cookie $http_cookie;
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/mailcow.conf b/data/conf.d/mailcow.conf
deleted file mode 100644
index 5e0e410..0000000
--- a/data/conf.d/mailcow.conf
+++ /dev/null
@@ -1,55 +0,0 @@
-server {
- listen 80;
- server_name mailcow.novicelab.io;
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl;
- server_name mailcow.novicelab.io;
-
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_session_timeout 1d;
- # ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
-
- # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
- # An example config is given below
- # ssl_protocols TLSv1.2;
- ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
- ssl_prefer_server_ciphers off;
-
- # Logging
- access_log /var/log/nginx/mailcow.novicelab.io_access.log;
- error_log /var/log/nginx/mailcow.novicelab.io_error.log;
-
- location /Microsoft-Server-ActiveSync {
- proxy_pass https://10.0.0.251:7443/Microsoft-Server-ActiveSync;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_connect_timeout 75;
- proxy_send_timeout 3650;
- proxy_read_timeout 3650;
- # proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
- client_body_buffer_size 512k;
- client_max_body_size 0;
- }
-
- location / {
- proxy_pass https://10.0.0.251:7443/;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- client_max_body_size 0;
- # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
- # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
- # proxy_buffer_size 128k;
- proxy_buffers 64 512k;
- proxy_busy_buffers_size 512k;
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/minio.conf b/data/conf.d/minio.conf
deleted file mode 100644
index d2bc7f1..0000000
--- a/data/conf.d/minio.conf
+++ /dev/null
@@ -1,160 +0,0 @@
-upstream minio_backend {
- server minio:9001;
-
- # Keep up to 32 idle connections per worker
- keepalive 16;
-
- # Maximum time a connection can be idle
- keepalive_timeout 60s;
-
- # Maximum requests per keepalive connection
- keepalive_requests 100;
-}
-
-upstream s3_backend {
- server minio:9000;
-
- # Keep up to 32 idle connections per worker
- keepalive 16;
-
- # Maximum time a connection can be idle
- keepalive_timeout 60s;
-
- # Maximum requests per keepalive connection
- keepalive_requests 100;
-}
-
-server {
- listen 80;
- server_name minio.novicelab.io;
- return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl; #
- server_name minio.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # # SSL Protocol - TLS 1.2 and 1.3 only
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Logging
- access_log /var/log/nginx/minio.novicelab.io_access.log json_combined;
- error_log /var/log/nginx/minio.novicelab.io_error.log debug;
-
- # resolver 127.0.0.11 valid=30s;
- # set $minio_backend minio:9001;
-
-
- location / {
- proxy_pass http://minio_backend;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme; #https;
- # proxy_set_header X-NginX-Proxy true;
-
- # WebSocket support for real-time updates
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- # Timeouts
- proxy_connect_timeout 300;
- proxy_send_timeout 300;
- proxy_read_timeout 300;
- send_timeout 300;
-
- client_max_body_size 0;
- }
-}
-
-server {
- listen 80;
- server_name s3.novicelab.io;
- return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name s3.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # SSL Protocol - TLS 1.2 and 1.3 only
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Logging
- access_log /var/log/nginx/s3.novicelab.io_access.log json_combined;
- error_log /var/log/nginx/s3.novicelab.io_error.log debug;
-
- # resolver 127.0.0.11 valid=30s;
- # set $s3_backend minio:9000;
-
- location / {
- proxy_pass http://s3_backend;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # WebSocket support for real-time updates
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- # Timeouts
- proxy_connect_timeout 300;
- proxy_send_timeout 300;
- proxy_read_timeout 300;
- send_timeout 300;
- }
-
-}
\ No newline at end of file
diff --git a/data/conf.d/mkdocs.conf b/data/conf.d/mkdocs.conf
deleted file mode 100644
index f18865c..0000000
--- a/data/conf.d/mkdocs.conf
+++ /dev/null
@@ -1,91 +0,0 @@ -# # # Redirect HTTP to HTTPS -# # server { -# # listen 80; -# # listen [::]:80; -# # server_name novicelab.io; - -# # # ACME challenge for Let's Encrypt certificate renewal -# # location /.well-known/acme-challenge/ { -# # root /var/www/certbot; -# # } - -# # location / { -# # return 301 https://$server_name$request_uri; -# # } -# # } - -# server { -# listen 443 ssl; #http2; -# listen [::]:443 ssl; # http2; -# server_name novicelab.io; - -# # SSL Certificate paths -# ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; -# ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - -# # Trusted certificate for OCSP stapling -# # ssl_trusted_certificate /etc/nginx/ssl/chain.pem; - -# # Cloudflare Origin CA certificate for client verification -# # Cloudflare Origin CA for authenticated origin pulls (optional) -# # Only enable if you want to restrict to Cloudflare only -# # ssl_client_certificate /etc/nginx/ssl/client-cert.pem; -# # ssl_verify_client on; - -# # SSL Protocol - TLS 1.2 and 1.3 only -# ssl_protocols TLSv1.2 TLSv1.3; - -# # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback) -# ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; -# ssl_prefer_server_ciphers off; - -# # SSL session configuration -# ssl_session_timeout 1d; -# ssl_session_cache shared:SSL:10m; -# ssl_session_tickets off; - -# # OCSP Stapling -# # ssl_stapling on; -# # ssl_stapling_verify on; -# resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; -# resolver_timeout 5s; - -# # Security Headers -# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; -# add_header X-Frame-Options "SAMEORIGIN" always; -# add_header X-Content-Type-Options "nosniff" always; -# add_header X-XSS-Protection "1; mode=block" always; -# add_header 
Referrer-Policy "strict-origin-when-cross-origin" always; -# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; - -# # Diffie-Hellman parameter for DHE ciphersuites -# # ssl_dhparam /etc/nginx/ssl/dhparam.pem; - -# # Logging -# access_log /var/log/nginx/example.com_access.log; -# error_log /var/log/nginx/example.com_error.log; - -# # Root and index -# # root /var/www/html; -# # index index.html index.htm; - -# # include /etc/letsencrypt/options-ssl-nginx.conf; -# set $mkdocs_backend mkdocs:8000; - -# location / { -# # proxy_pass http://10.0.0.251:9200/; -# proxy_pass http://$mkdocs_backend; - -# proxy_set_header Host $host; -# proxy_set_header X-Real-IP $remote_addr; -# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# proxy_set_header X-Forwarded-Proto https; # $scheme; -# proxy_set_header X-Forwarded-Host $host; - -# proxy_buffering off; -# proxy_set_header Referer $http_referer; -# proxy_redirect off; - -# proxy_set_header Cookie $http_cookie; -# } -# } \ No newline at end of file diff --git a/data/conf.d/opencloud.conf b/data/conf.d/opencloud.conf deleted file mode 100644 index a03b17e..0000000 --- a/data/conf.d/opencloud.conf +++ /dev/null 
@@ -1,76 +0,0 @@ -upstream opencloud_backend { - server 10.0.0.251:9200; - - # Keep up to 32 idle connections per worker - keepalive 16; - - # Maximum time a connection can be idle - keepalive_timeout 60s; - - # Maximum requests per keepalive connection - keepalive_requests 100; -} - -server { - listen 80; - server_name opencloud.novicelab.io; - return 301 https://$host$request_uri; -} - -server { - listen 443 ssl; # http2; - server_name opencloud.novicelab.io; - - ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_session_cache shared:SSL:10m; - - # Logging - access_log /var/log/nginx/opencloud.novicelab.io_access.log json_combined; - error_log /var/log/nginx/opencloud.novicelab.io_error.log debug; - - # Security headers - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - - client_max_body_size 10M; - - # Disable buffering - essential for SSE - proxy_buffering off; - proxy_request_buffering off; - - # Extend timeouts for long connections - proxy_read_timeout 3600s; - proxy_send_timeout 3600s; - keepalive_requests 100000; - keepalive_timeout 5m; - http2_max_concurrent_streams 512; - - resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; - resolver_timeout 5s; - - # set $opencloud_backend 10.0.0.251:9200; - # Prevent nginx from trying other upstreams - proxy_next_upstream off; - - - location / { - # Pass all other requests to CouchDB - proxy_pass http://10.0.0.250:9200; - # proxy_pass http://opencloud_backend/; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - # Headers for WebSocket support - proxy_http_version 1.1; - 
proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - } -} \ No newline at end of file diff --git a/data/conf.d/plane.conf b/data/conf.d/plane.conf deleted file mode 100644 index c1b11b5..0000000 --- a/data/conf.d/plane.conf +++ /dev/null 
@@ -1,188 +0,0 @@ -upstream backend_web { - server plane-web:3000; - keepalive 16; - keepalive_timeout 60s; - keepalive_requests 100; -} -upstream backend_space { - server plane-space:3000; - keepalive 16; - keepalive_timeout 60s; - keepalive_requests 100; -} -upstream backend_admin { - server plane-admin:3000; - keepalive 16; - keepalive_timeout 60s; - keepalive_requests 100; -} -upstream backend_live { - server plane-live:3000; - keepalive 16; - keepalive_timeout 60s; - keepalive_requests 100; -} -upstream backend_api { - server plane-api:8000; - keepalive 16; - keepalive_timeout 60s; - keepalive_requests 100; -} -# upstream backend_minio { -# server minio:9000; -# keepalive 16; -# keepalive_timeout 60s; -# keepalive_requests 100; -# } - - -server { - listen 80; - server_name plane.novicelab.io; - if ($host = plane.novicelab.io) { - return 301 https://$host$request_uri; - } -} -server { - listen 443 ssl; - listen [::]:443 ssl; - server_name plane.novicelab.io; - - # SSL Certificate paths - ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - - # SSL Protocol - TLS 1.2 and 1.3 only - ssl_protocols TLSv1.2 TLSv1.3; - - # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback) - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; - ssl_prefer_server_ciphers off; - - # SSL session configuration - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - - resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; - resolver_timeout 5s; - - # Security Headers - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Content-Type-Options "nosniff" always; - add_header 
X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; - - # Logging - access_log /var/log/nginx/plane.novicelab.io_access.log json_combined; - error_log /var/log/nginx/plane.novicelab.io_error.log debug; - - # set $plane_backend 10.0.0.251:9020; - # set $backend_web plane-web:3000; - # set $backend_space plane-space:3000; - # set $backend_admin plane-admin:3000; - # set $backend_live plane-live:3000; - # set $backend_api plane-api:8000; - set $backend_minio minio:9000; - - - client_max_body_size 0; - # Set the bucket name as a variable for the regex location - set $bucket_name "plane"; - - # if ($http_x_forwarded_proto != "https") { - # return 301 https://$host$request_uri; - # } - - # --- Routes --- - - # Spaces - location = /spaces { - return 301 /spaces/; - } - location /spaces/ { - proxy_pass http://backend_space; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # God-Mode - location = /god-mode { - return 301 /god-mode/; - } - location /god-mode/ { - proxy_pass http://backend_admin; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Live - location /live/ { - proxy_pass http://backend_live; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # API & Auth - location /api/ { - proxy_pass http://backend_api; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header 
X-Forwarded-Proto $scheme; - } - location /auth/ { - proxy_pass http://backend_api; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Minio (Bucket) - # Handles both /bucket and /bucket/* - # location ~ ^/${BUCKET_NAME}(/.*)?$ { - location ~ ^/plane(/.*)?$ { - proxy_pass http://$backend_minio/plane; - proxy_set_header Host $host; - - # Standard proxy headers - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; - - if ($request_method = 'OPTIONS') { - return 204; - } - - client_max_body_size 0; - # proxy_pass https://s3.novicelab.io/plane; - } - - # Web (Default catch-all) - location / { - proxy_pass http://backend_web; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -} \ No newline at end of file diff --git a/data/conf.d/umami.conf b/data/conf.d/umami.conf deleted file mode 100644 index 96ced33..0000000 --- a/data/conf.d/umami.conf +++ /dev/null 
@@ -1,119 +0,0 @@ -upstream umami_backend { - server umami:3000; - - # Keep up to 32 idle connections per worker - keepalive 16; - - # Maximum time a connection can be idle - keepalive_timeout 60s; - - # Maximum requests per keepalive connection - keepalive_requests 100; -} - -# # Redirect HTTP to HTTPS -server { - listen 80; - listen [::]:80; - server_name umami.novicelab.io; - - # ACME challenge for Let's Encrypt certificate renewal - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - location / { - return 301 https://$server_name$request_uri; - } -} - -server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; - server_name umami.novicelab.io; - - # SSL Certificate paths - ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - - # SSL Protocol - TLS 1.2 and 1.3 only - ssl_protocols TLSv1.2 TLSv1.3; - - # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback) - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; - ssl_prefer_server_ciphers off; - - # SSL session configuration - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - - resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; - resolver_timeout 5s; - - # Security Headers - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; - - # Logging - access_log /var/log/nginx/umami.novicelab.io_access.log 
json_combined; - error_log /var/log/nginx/umami.novicelab.io_error.log debug; - - # set $umami_backend umami:3000; - - location / { - # proxy_pass http://$umami_backend; - proxy_pass http://umami_backend; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Host $host; - - proxy_buffering off; - proxy_set_header Referer $http_referer; - proxy_redirect off; - - proxy_set_header Cookie $http_cookie; - } - # 1. Allow public access to tracking scripts - location ~ ^/(script\.js|umami\.js)$ { - # proxy_pass http://$umami_backend; - proxy_pass http://umami_backend; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; # $scheme; - proxy_set_header X-Forwarded-Host $host; - - proxy_buffering off; - proxy_set_header Referer $http_referer; - proxy_redirect off; - - proxy_set_header Cookie $http_cookie; - } - - # 2. Allow public access to tracking API (metrics collection) - location /api/send { - # proxy_pass http://$umami_backend; - proxy_pass http://umami_backend; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; # $scheme; - proxy_set_header X-Forwarded-Host $host; - - proxy_buffering off; - proxy_set_header Referer $http_referer; - proxy_redirect off; - - proxy_set_header Cookie $http_cookie; - } -} \ No newline at end of file diff --git a/data/conf.d/vault.conf b/data/conf.d/vault.conf deleted file mode 100644 index fdaa69e..0000000 --- a/data/conf.d/vault.conf +++ /dev/null 
@@ -1,87 +0,0 @@ -upstream vault_backend { - server 10.0.0.250:8090; - - # Keep up to 32 idle connections per worker - keepalive 16; - - # Maximum time a connection can be idle - keepalive_timeout 60s; - - # Maximum requests per keepalive connection - keepalive_requests 100; -} - -# Redirect HTTP to HTTPS -server { - listen 80; - listen [::]:80; - server_name vault.novicelab.io; - - # ACME challenge for Let's Encrypt certificate renewal - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - location / { - return 301 https://$server_name$request_uri; - } -} - -server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; - server_name vault.novicelab.io; - - # SSL Certificate paths - ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - - # SSL Protocol - TLS 1.2 and 1.3 only - ssl_protocols TLSv1.2 TLSv1.3; - - # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback) - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; - ssl_prefer_server_ciphers off; - - # SSL session configuration - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - - resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; - resolver_timeout 5s; - - # Security Headers - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; - - # Logging - access_log /var/log/nginx/vault.novicelab.io_access.log 
json_combined; - error_log /var/log/nginx/vault.novicelab.io_error.log debug; - - # set $vault_backend vaultwarden:443; - - location / { - # proxy_pass http://$vault_backend; - proxy_pass http://vault_backend; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - # WebSocket support for real-time updates - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - # Timeouts - proxy_connect_timeout 300; - proxy_send_timeout 300; - proxy_read_timeout 300; - send_timeout 300; - } -} \ No newline at end of file diff --git a/data/conf.d/wopi.conf b/data/conf.d/wopi.conf deleted file mode 100644 index 8dfee34..0000000 --- a/data/conf.d/wopi.conf +++ /dev/null 
@@ -1,43 +0,0 @@ -server { - listen 80; - server_name wopi.novicelab.io; - return 301 https://$host$request_uri; -} - -server { - listen 443 ssl; # http2; - server_name wopi.novicelab.io; - - ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_session_cache shared:SSL:10m; - - # Security headers - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - - resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; - resolver_timeout 5s; - - # set $opencloud_backend 10.0.0.251:9300; - - - location / { - proxy_pass http://10.0.0.251:9300; - #proxy_pass http://$opencloud_backend/; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - # Headers for WebSocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - } -} \ No newline at end of file