novicelab.io/nginx
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move site configs from conf.d to sites-enabled

Browse Source
This commit is contained in:
kbrianngeno
2026-03-21 09:53:35 +00:00
parent f4cba30f72
commit 693aa12720
17 changed files with 0 additions and 1528 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
data/conf.d/adminer.conf
View File

@@ -1,71 +0,0 @@
upstream adminer_backend {
server adminer:8080;
# Keep up to 16 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
listen [::]:80;
server_name adminer.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name adminer.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined;
error_log /var/log/nginx/adminer.novicelab.io_error.log debug;
# set $adminer_backend adminer:8080;
location / {
proxy_pass http://adminer_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

85
data/conf.d/auth.conf
View File

@@ -1,85 +0,0 @@
upstream keycloak_backend {
server keycloak:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name auth.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl; #
server_name auth.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/auth.novicelab.io_access.log json_combined;
error_log /var/log/nginx/auth.novicelab.io_error.log debug;
# set $keycloak_backend keycloak:80;
location / {
# proxy_pass http://10.0.0.253:8085/auth/;
proxy_pass http://keycloak_backend;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;
}
}

76
data/conf.d/book.conf
View File

@@ -1,76 +0,0 @@
upstream bookstack_backend {
# server 10.0.0.251:6875/;
server bookstack:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name book.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name book.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/book.novicelab.io_access.log json_combined;
error_log /var/log/nginx/book.novicelab.io_error.log debug;
# set $bookstack_backend bookstack:80;
location / {
proxy_pass http://bookstack_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}

65
data/conf.d/cluster.conf
View File

@@ -1,65 +0,0 @@
upstream haproxy_backend {
server 10.0.0.20:80;
keepalive 32;
keepalive_timeout 60s;
keepalive_requests 100;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name *.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/*.novicelab.io_access.log json_combined;
error_log /var/log/nginx/*.novicelab.io_error.log debug;
location / {
proxy_pass http://10.0.0.20:80;
# proxy_pass http://haproxy_backend;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Performance optimizations
proxy_buffering off;
proxy_request_buffering off;
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 0;
}
}

63
data/conf.d/drone.conf
View File

@@ -1,63 +0,0 @@
upstream drone_backend {
server drone:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name drone.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name drone.novicelab.io;
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
# Logging
access_log /var/log/nginx/drone.novicelab.io_access.log;
error_log /var/log/nginx/drone.novicelab.io_error.log;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# set $drone_backend drone:80;
location / {
proxy_pass http://drone_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}

71
data/conf.d/gitea.conf
View File

@@ -1,71 +0,0 @@
upstream gitea_backend {
server gitea:3000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 443 ssl;
listen [::]:443 ssl; #
server_name gitea.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/gitea.novicelab.io_access.log json_combined;
error_log /var/log/nginx/gitea.novicelab.io_error.log debug;
# set $gitea_backend gitea:3000;
location / {
proxy_pass http://gitea_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}

76
data/conf.d/goaccess.conf
View File

@@ -1,76 +0,0 @@
# upstream goaccess_backend {
# server goaccess:7890;
#
# # Keep up to 32 idle connections per worker
# keepalive 16;
#
# # Maximum time a connection can be idle
# keepalive_timeout 60s;
#
# # Maximum requests per keepalive connection
# keepalive_requests 100;
# }
server {
listen 80;
listen [::]:80;
server_name goaccess.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Server block for GoAccess dashboard
server {
listen 443 ssl; # http2;
server_name goaccess.novicelab.io;
# SSL configuration
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Logging
access_log /var/log/nginx/goaccess.novicelab.io_access.log json_combined;
error_log /var/log/nginx/goaccess.novicelab.io_error.log debug;
set $goaccess_backend goaccess:7890;
root /usr/share/nginx/html;
index report.html;
location / {
try_files $uri $uri/ =404;
}
location /ws {
proxy_pass http://$goaccess_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
#enable ws upgrade
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

109
data/conf.d/harbor.conf
View File

@@ -1,109 +0,0 @@
# upstream harbor_backend {
# server nginx-harbor:80;
#
# # Keep up to 32 idle connections per worker
# keepalive 16;
#
# # Maximum time a connection can be idle
# keepalive_timeout 60s;
#
# # Maximum requests per keepalive connection
# keepalive_requests 100;
# }
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
server_name harbor.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/harbor.novicelab.io_access.log json_combined;
error_log /var/log/nginx/harbor.novicelab.io_error.log debug;
# set $harbor_backend 10.0.0.251:9090;
set $harbor_backend nginx-harbor:80;
client_max_body_size 0;
# Disable absolute redirects which often cause 301 loops
absolute_redirect off;
# Docker registry specific headers
chunked_transfer_encoding on;
location / {
proxy_pass http://$harbor_backend;
proxy_set_header Host $http_host;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 0;
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
# Performance optimizations
proxy_request_buffering off;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
# Optional: Increase buffers for large tokens/cookies
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
}
location /v2/ {
# Do not allow Nginx to add/remove trailing slashes here
proxy_pass http://$harbor_backend;
proxy_set_header Host $http_host; # Important for Registry
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Increase body size for image uploads
client_max_body_size 0;
}
}

93
data/conf.d/hugo.conf
View File

@@ -1,93 +0,0 @@
upstream hugo_backend {
# server hugo:1313;
server 10.0.0.250:8000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name novicelab.io www.novicelab.io x.y.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl; #
server_name novicelab.io www.novicelab.io x.y.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging
access_log /var/log/nginx/novicelab.io_access.log json_combined;
error_log /var/log/nginx/novicelab.io_error.log debug;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# set $hugo_backend hugo:1313;
location / {
# proxy_pass http://10.0.0.250:8000/;
proxy_pass http://hugo_backend;
proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $http_cf_connecting_ip;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
}
}

55
data/conf.d/mailcow.conf
View File

@@ -1,55 +0,0 @@
server {
listen 80;
server_name mailcow.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name mailcow.novicelab.io;
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_timeout 1d;
# ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
# An example config is given below
# ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
ssl_prefer_server_ciphers off;
# Logging
access_log /var/log/nginx/mailcow.novicelab.io_access.log;
error_log /var/log/nginx/mailcow.novicelab.io_error.log;
location /Microsoft-Server-ActiveSync {
proxy_pass https://10.0.0.251:7443/Microsoft-Server-ActiveSync;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 75;
proxy_send_timeout 3650;
proxy_read_timeout 3650;
# proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
client_body_buffer_size 512k;
client_max_body_size 0;
}
location / {
proxy_pass https://10.0.0.251:7443/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 0;
# The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
# Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
# proxy_buffer_size 128k;
proxy_buffers 64 512k;
proxy_busy_buffers_size 512k;
}
}

160
data/conf.d/minio.conf
View File

@@ -1,160 +0,0 @@
upstream minio_backend {
server minio:9001;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
upstream s3_backend {
server minio:9000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name minio.novicelab.io;
return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
server {
listen 443 ssl;
listen [::]:443 ssl; #
server_name minio.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# # SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/minio.novicelab.io_access.log json_combined;
error_log /var/log/nginx/minio.novicelab.io_error.log debug;
# resolver 127.0.0.11 valid=30s;
# set $minio_backend minio:9001;
location / {
proxy_pass http://minio_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https;
# proxy_set_header X-NginX-Proxy true;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 0;
}
}
server {
listen 80;
server_name s3.novicelab.io;
return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name s3.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/s3.novicelab.io_access.log json_combined;
error_log /var/log/nginx/s3.novicelab.io_error.log debug;
# resolver 127.0.0.11 valid=30s;
# set $s3_backend minio:9000;
location / {
proxy_pass http://s3_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}

91
data/conf.d/mkdocs.conf
View File

@@ -1,91 +0,0 @@
# # # Redirect HTTP to HTTPS
# # server {
# # listen 80;
# # listen [::]:80;
# # server_name novicelab.io;
# # # ACME challenge for Let's Encrypt certificate renewal
# # location /.well-known/acme-challenge/ {
# # root /var/www/certbot;
# # }
# # location / {
# # return 301 https://$server_name$request_uri;
# # }
# # }
# server {
# listen 443 ssl; #http2;
# listen [::]:443 ssl; # http2;
# server_name novicelab.io;
# # SSL Certificate paths
# ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# # Trusted certificate for OCSP stapling
# # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# # Cloudflare Origin CA certificate for client verification
# # Cloudflare Origin CA for authenticated origin pulls (optional)
# # Only enable if you want to restrict to Cloudflare only
# # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# # ssl_verify_client on;
# # SSL Protocol - TLS 1.2 and 1.3 only
# ssl_protocols TLSv1.2 TLSv1.3;
# # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
# ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# ssl_prefer_server_ciphers off;
# # SSL session configuration
# ssl_session_timeout 1d;
# ssl_session_cache shared:SSL:10m;
# ssl_session_tickets off;
# # OCSP Stapling
# # ssl_stapling on;
# # ssl_stapling_verify on;
# resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
# resolver_timeout 5s;
# # Security Headers
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-XSS-Protection "1; mode=block" always;
# add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# # Diffie-Hellman parameter for DHE ciphersuites
# # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# # Logging
# access_log /var/log/nginx/example.com_access.log;
# error_log /var/log/nginx/example.com_error.log;
# # Root and index
# # root /var/www/html;
# # index index.html index.htm;
# # include /etc/letsencrypt/options-ssl-nginx.conf;
# set $mkdocs_backend mkdocs:8000;
# location / {
# # proxy_pass http://10.0.0.251:9200/;
# proxy_pass http://$mkdocs_backend;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto https; # $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_buffering off;
# proxy_set_header Referer $http_referer;
# proxy_redirect off;
# proxy_set_header Cookie $http_cookie;
# }
# }

76
data/conf.d/opencloud.conf
View File

@@ -1,76 +0,0 @@
upstream opencloud_backend {
server 10.0.0.251:9200;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name opencloud.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl; # http2;
server_name opencloud.novicelab.io;
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
# Logging
access_log /var/log/nginx/opencloud.novicelab.io_access.log json_combined;
error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
client_max_body_size 10M;
# Disable buffering - essential for SSE
proxy_buffering off;
proxy_request_buffering off;
# Extend timeouts for long connections
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
keepalive_requests 100000;
keepalive_timeout 5m;
http2_max_concurrent_streams 512;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# set $opencloud_backend 10.0.0.251:9200;
# Prevent nginx from trying other upstreams
proxy_next_upstream off;
location / {
# Pass all other requests to CouchDB
proxy_pass http://10.0.0.250:9200;
# proxy_pass http://opencloud_backend/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Headers for WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

188
data/conf.d/plane.conf
View File

@@ -1,188 +0,0 @@
upstream backend_web {
server plane-web:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_space {
server plane-space:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_admin {
server plane-admin:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_live {
server plane-live:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_api {
server plane-api:8000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
# upstream backend_minio {
# server minio:9000;
# keepalive 16;
# keepalive_timeout 60s;
# keepalive_requests 100;
# }
server {
listen 80;
server_name plane.novicelab.io;
if ($host = plane.novicelab.io) {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name plane.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/plane.novicelab.io_access.log json_combined;
error_log /var/log/nginx/plane.novicelab.io_error.log debug;
# set $plane_backend 10.0.0.251:9020;
# set $backend_web plane-web:3000;
# set $backend_space plane-space:3000;
# set $backend_admin plane-admin:3000;
# set $backend_live plane-live:3000;
# set $backend_api plane-api:8000;
set $backend_minio minio:9000;
client_max_body_size 0;
# Set the bucket name as a variable for the regex location
set $bucket_name "plane";
# if ($http_x_forwarded_proto != "https") {
# return 301 https://$host$request_uri;
# }
# --- Routes ---
# Spaces
location = /spaces {
return 301 /spaces/;
}
location /spaces/ {
proxy_pass http://backend_space;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# God-Mode
location = /god-mode {
return 301 /god-mode/;
}
location /god-mode/ {
proxy_pass http://backend_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Live
location /live/ {
proxy_pass http://backend_live;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# API & Auth
location /api/ {
proxy_pass http://backend_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
proxy_pass http://backend_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Minio (Bucket)
# Handles both /bucket and /bucket/*
# location ~ ^/${BUCKET_NAME}(/.*)?$ {
location ~ ^/plane(/.*)?$ {
proxy_pass http://$backend_minio/plane;
proxy_set_header Host $host;
# Standard proxy headers
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
if ($request_method = 'OPTIONS') {
return 204;
}
client_max_body_size 0;
# proxy_pass https://s3.novicelab.io/plane;
}
# Web (Default catch-all)
location / {
proxy_pass http://backend_web;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

119
data/conf.d/umami.conf
View File

@@ -1,119 +0,0 @@
upstream umami_backend {
server umami:3000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name umami.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
server_name umami.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/umami.novicelab.io_access.log json_combined;
error_log /var/log/nginx/umami.novicelab.io_error.log debug;
# set $umami_backend umami:3000;
location / {
# proxy_pass http://$umami_backend;
proxy_pass http://umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
}
# 1. Allow public access to tracking scripts
location ~ ^/(script\.js|umami\.js)$ {
# proxy_pass http://$umami_backend;
proxy_pass http://umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
}
# 2. Allow public access to tracking API (metrics collection)
location /api/send {
# proxy_pass http://$umami_backend;
proxy_pass http://umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
}
}

87
data/conf.d/vault.conf
View File

@@ -1,87 +0,0 @@
upstream vault_backend {
server 10.0.0.250:8090;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name vault.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
server_name vault.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/vault.novicelab.io_access.log json_combined;
error_log /var/log/nginx/vault.novicelab.io_error.log debug;
# set $vault_backend vaultwarden:443;
location / {
# proxy_pass http://$vault_backend;
proxy_pass http://vault_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}

43
data/conf.d/wopi.conf
View File

@@ -1,43 +0,0 @@
server {
listen 80;
server_name wopi.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl; # http2;
server_name wopi.novicelab.io;
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# set $opencloud_backend 10.0.0.251:9300;
location / {
proxy_pass http://10.0.0.251:9300;
#proxy_pass http://$opencloud_backend/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Headers for WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}