novicelab.io/nginx
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Set defaults for directives add_header and proxy_set_header

Browse Source
This commit is contained in:
kbrianngeno
2026-03-21 09:48:26 +00:00
parent 17a8b6bce2
commit 8296b58bd3
20 changed files with 1603 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
data/sites-enabled/adminer.conf Normal file
View File

@@ -0,0 +1,63 @@
upstream adminer_backend {
server adminer:8080;
# Keep up to 16 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
listen [::]:80;
server_name adminer.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name adminer.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined;
error_log /var/log/nginx/adminer.novicelab.io_error.log debug;
# set $adminer_backend adminer:8080;
location / {
proxy_pass http://adminer_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
}
}

70
data/sites-enabled/auth.conf Normal file
View File

@@ -0,0 +1,70 @@
upstream keycloak_backend {
server keycloak:80;
# Keep up to 16 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name auth.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name auth.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/auth.novicelab.io_access.log json_combined;
error_log /var/log/nginx/auth.novicelab.io_error.log debug;
# set $keycloak_backend keycloak:80;
location / {
proxy_pass http://keycloak_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Accept-Encoding "";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}

64
data/sites-enabled/book.conf Normal file
View File

@@ -0,0 +1,64 @@
upstream bookstack_backend {
server bookstack:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name book.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name book.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/book.novicelab.io_access.log json_combined;
error_log /var/log/nginx/book.novicelab.io_error.log debug;
# set $bookstack_backend bookstack:80;
location / {
proxy_pass http://bookstack_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
}
}

60
data/sites-enabled/cluster.conf Normal file
View File

@@ -0,0 +1,60 @@
upstream haproxy_backend {
server 10.0.0.20:80;
keepalive 32;
keepalive_timeout 60s;
keepalive_requests 100;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name *.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/*.novicelab.io_access.log json_combined;
error_log /var/log/nginx/*.novicelab.io_error.log debug;
location / {
proxy_pass http://10.0.0.20:80;
# proxy_pass http://haproxy_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
# Performance optimizations
proxy_buffering off;
proxy_request_buffering off;
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 0;
}
}

68
data/sites-enabled/drone.conf Normal file
View File

@@ -0,0 +1,68 @@
upstream drone_backend {
server drone:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name drone.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name drone.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/drone.novicelab.io_access.log;
error_log /var/log/nginx/drone.novicelab.io_error.log;
# set $drone_backend drone:80;
location / {
proxy_pass http://drone_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}

63
data/sites-enabled/gitea.conf Normal file
View File

@@ -0,0 +1,63 @@
upstream gitea_backend {
server gitea:3000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name gitea.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/gitea.novicelab.io_access.log json_combined;
error_log /var/log/nginx/gitea.novicelab.io_error.log debug;
# set $gitea_backend gitea:3000;
location / {
proxy_pass http://gitea_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}

84
data/sites-enabled/goaccess.conf Normal file
View File

@@ -0,0 +1,84 @@
# upstream goaccess_backend {
# server goaccess:7890;
#
# # Keep up to 32 idle connections per worker
# keepalive 16;
#
# # Maximum time a connection can be idle
# keepalive_timeout 60s;
#
# # Maximum requests per keepalive connection
# keepalive_requests 100;
# }
server {
listen 80;
listen [::]:80;
server_name goaccess.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Server block for GoAccess dashboard
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name goaccess.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/goaccess.novicelab.io_access.log json_combined;
error_log /var/log/nginx/goaccess.novicelab.io_error.log debug;
set $goaccess_backend goaccess:7890;
root /usr/share/nginx/html;
index report.html;
location / {
try_files $uri $uri/ =404;
}
location /ws {
proxy_pass http://$goaccess_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
#enable ws upgrade
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

107
data/sites-enabled/harbor.conf Normal file
View File

@@ -0,0 +1,107 @@
upstream harbor_backend {
# server harbor-nginx:8080; # Harbor is in its own network
server 10.0.0.250:3200;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name harbor.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/harbor.novicelab.io_access.log json_combined;
error_log /var/log/nginx/harbor.novicelab.io_error.log debug;
# set $harbor_backend 10.0.0.251:3200;
# set $harbor_backend harbor-nginx:8080;
client_max_body_size 0;
# Disable absolute redirects which often cause 301 loops
absolute_redirect off;
# Docker registry specific headers
chunked_transfer_encoding on;
location / {
proxy_pass http://harbor_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 0;
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
# Performance optimizations
proxy_request_buffering off;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
# Optional: Increase buffers for large tokens/cookies
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
}
location /v2/ {
# Do not allow Nginx to add/remove trailing slashes here
proxy_pass http://harbor_backend;
proxy_set_header Host $http_host; # Important for Registry
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Increase body size for image uploads
client_max_body_size 0;
}
}

82
data/sites-enabled/hugo.conf Normal file
View File

@@ -0,0 +1,82 @@
upstream hugo_backend {
server hugo:1313;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name novicelab.io www.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
# Redirect www to non-www
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name www.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# logging
error_log /var/log/nginx/error.log debug;
return 301 https://novicelab.io$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/novicelab.io_access.log json_combined;
error_log /var/log/nginx/novicelab.io_error.log debug;
# set $hugo_backend hugo:1313;
location / {
proxy_pass http://hugo_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
}
}

58
data/sites-enabled/kimai.conf Normal file
View File

@@ -0,0 +1,58 @@
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name kimai.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name kimai.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/kimai.novicelab.io_access.log;
error_log /var/log/nginx/kimai.novicelab.io_error.log;
set $kimai_backend kimai:8001;
location / {
proxy_pass http://10.0.0.250:8400;
# proxy_pass http://$kimai_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
# proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
}
# Redirect HTTP to HTTPS, in case an invalid (plain HTTP) request was sent to port 443
error_page 497 https://$host:$server_port$request_uri;
}

58
data/sites-enabled/mailcow.conf Normal file
View File

@@ -0,0 +1,58 @@
server {
listen 80;
server_name mailcow.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name mailcow.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/mailcow.novicelab.io_access.log;
error_log /var/log/nginx/mailcow.novicelab.io_error.log;
location /Microsoft-Server-ActiveSync {
proxy_pass https://10.0.0.251:7443/Microsoft-Server-ActiveSync;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 75;
proxy_send_timeout 3650;
proxy_read_timeout 3650;
# proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
client_body_buffer_size 512k;
client_max_body_size 0;
}
location / {
proxy_pass https://10.0.0.251:7443/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 0;
# The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
# Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
# proxy_buffer_size 128k;
proxy_buffers 64 512k;
proxy_busy_buffers_size 512k;
}
}

128
data/sites-enabled/minio.conf Normal file
View File

@@ -0,0 +1,128 @@
upstream minio_backend {
server minio:9001;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
upstream s3_backend {
server minio:9000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name minio.novicelab.io;
return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name minio.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/minio.novicelab.io_access.log json_combined;
error_log /var/log/nginx/minio.novicelab.io_error.log debug;
# set $minio_backend minio:9001;
location / {
proxy_pass http://minio_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https;
# proxy_set_header X-NginX-Proxy true;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 500M;
}
}
server {
listen 80;
server_name s3.novicelab.io;
return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name s3.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/s3.novicelab.io_access.log json_combined;
error_log /var/log/nginx/s3.novicelab.io_error.log debug;
# set $s3_backend minio:9000;
location / {
proxy_pass http://s3_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}

91
data/sites-enabled/mkdocs.conf Normal file
View File

@@ -0,0 +1,91 @@
# # # Redirect HTTP to HTTPS
# # server {
# # listen 80;
# # listen [::]:80;
# # server_name novicelab.io;
# # # ACME challenge for Let's Encrypt certificate renewal
# # location /.well-known/acme-challenge/ {
# # root /var/www/certbot;
# # }
# # location / {
# # return 301 https://$server_name$request_uri;
# # }
# # }
# server {
# listen 443 ssl; #http2;
# listen [::]:443 ssl; # http2;
# server_name novicelab.io;
# # SSL Certificate paths
# ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# # Trusted certificate for OCSP stapling
# # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# # Cloudflare Origin CA certificate for client verification
# # Cloudflare Origin CA for authenticated origin pulls (optional)
# # Only enable if you want to restrict to Cloudflare only
# # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# # ssl_verify_client on;
# # SSL Protocol - TLS 1.2 and 1.3 only
# ssl_protocols TLSv1.2 TLSv1.3;
# # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
# ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# ssl_prefer_server_ciphers off;
# # SSL session configuration
# ssl_session_timeout 1d;
# ssl_session_cache shared:SSL:10m;
# ssl_session_tickets off;
# # OCSP Stapling
# # ssl_stapling on;
# # ssl_stapling_verify on;
# resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
# resolver_timeout 5s;
# # Security Headers
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-XSS-Protection "1; mode=block" always;
# add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# # Diffie-Hellman parameter for DHE ciphersuites
# # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# # Logging
# access_log /var/log/nginx/example.com_access.log;
# error_log /var/log/nginx/example.com_error.log;
# # Root and index
# # root /var/www/html;
# # index index.html index.htm;
# # include /etc/letsencrypt/options-ssl-nginx.conf;
# set $mkdocs_backend mkdocs:8000;
# location / {
# # proxy_pass http://10.0.0.251:9200/;
# proxy_pass http://$mkdocs_backend;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto https; # $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_buffering off;
# proxy_set_header Referer $http_referer;
# proxy_redirect off;
# proxy_set_header Cookie $http_cookie;
# }
# }

73
data/sites-enabled/opencloud.conf Normal file
View File

@@ -0,0 +1,73 @@
upstream opencloud_backend {
server 10.0.0.250:9200;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name opencloud.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name opencloud.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/opencloud.novicelab.io_access.log json_combined;
error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;
client_max_body_size 10M;
# Disable buffering - essential for SSE
proxy_buffering off;
proxy_request_buffering off;
# Extend timeouts for long connections
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
keepalive_requests 100000;
keepalive_timeout 5m;
http2_max_concurrent_streams 512;
# set $opencloud_backend 10.0.0.251:9200;
# Prevent nginx from trying other upstreams
proxy_next_upstream off;
location / {
proxy_pass http://opencloud_backend;
# proxy_pass http://opencloud_backend/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Headers for WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

75
data/sites-enabled/opencloud_collabora.conf Normal file
View File

@@ -0,0 +1,75 @@
upstream collabora_backend {
server 10.0.0.250:9980;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name collabora.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name collabora.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/opencloud_collabora.novicelab.io_access.log json_combined;
error_log /var/log/nginx/opencloud_collabora.novicelab.io_error.log debug;
client_max_body_size 10M;
# Disable buffering - essential for SSE
proxy_buffering off;
proxy_request_buffering off;
# Extend timeouts for long connections
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
keepalive_requests 100000;
keepalive_timeout 5m;
http2_max_concurrent_streams 512;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# set $collabora_backend 10.0.0.251:9980;
# Prevent nginx from trying other upstreams
proxy_next_upstream off;
location / {
proxy_pass http://collabora_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Headers for WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

58
data/sites-enabled/opencloud_wopi.conf Normal file
View File

@@ -0,0 +1,58 @@
upstream wopi_backend {
server 10.0.0.250:9300;;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name wopi.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name wopi.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/opencloud_wopi.novicelab.io_access.log json_combined;
error_log /var/log/nginx/opencloud_wopi.novicelab.io_error.log debug;
# set $wopi_backend 10.0.0.251:9300;
location / {
# proxy_pass http://10.0.0.250:9300;
proxy_pass http://wopi_backend/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Headers for WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

176
data/sites-enabled/plane.conf Normal file
View File

@@ -0,0 +1,176 @@
upstream backend_web {
server plane-web:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_space {
server plane-space:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_admin {
server plane-admin:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_live {
server plane-live:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_api {
server plane-api:8000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
# upstream backend_minio {
# server minio:9000;
# keepalive 16;
# keepalive_timeout 60s;
# keepalive_requests 100;
# }
server {
listen 80;
server_name plane.novicelab.io;
if ($host = plane.novicelab.io) {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name plane.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/plane.novicelab.io_access.log json_combined;
error_log /var/log/nginx/plane.novicelab.io_error.log debug;
# set $plane_backend 10.0.0.251:9020;
# set $backend_web plane-web:3000;
# set $backend_space plane-space:3000;
# set $backend_admin plane-admin:3000;
# set $backend_live plane-live:3000;
# set $backend_api plane-api:8000;
set $backend_minio minio:9000;
# client_max_body_size 0;
# Set the bucket name as a variable for the regex location
set $bucket_name "plane";
# if ($http_x_forwarded_proto != "https") {
# return 301 https://$host$request_uri;
# }
# --- Routes ---
# Spaces
location = /spaces {
return 301 /spaces/;
}
location /spaces/ {
proxy_pass http://backend_space;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# God-Mode
location = /god-mode {
return 301 /god-mode/;
}
location /god-mode/ {
proxy_pass http://backend_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Live
location /live/ {
proxy_pass http://backend_live;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# API & Auth
location /api/ {
proxy_pass http://backend_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
proxy_pass http://backend_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Minio (Bucket)
# Handles both /bucket and /bucket/*
# location ~ ^/${BUCKET_NAME}(/.*)?$ {
location ~ ^/plane(/.*)?$ {
proxy_pass http://$backend_minio/plane;
proxy_set_header Host $host;
# Standard proxy headers
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
if ($request_method = 'OPTIONS') {
return 204;
}
client_max_body_size 20M;
# proxy_pass https://s3.novicelab.io/plane;
}
# Web (Default catch-all)
location / {
proxy_pass http://backend_web;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

65
data/sites-enabled/portainer.conf Normal file
View File

@@ -0,0 +1,65 @@
upstream portainer_backend {
server portainer:9000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name portainer.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name portainer.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/portainer.novicelab.io_access.log;
error_log /var/log/nginx/portainer.novicelab.io_error.log;
# set $portainer_backend portainer:9000;
location / {
proxy_pass http://portainer_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;
}
}

88
data/sites-enabled/umami.conf Normal file
View File

@@ -0,0 +1,88 @@
upstream umami_backend {
server umami:3000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name umami.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name umami.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/umami.novicelab.io_access.log json_combined;
error_log /var/log/nginx/umami.novicelab.io_error.log debug;
# set $umami_backend umami:3000;
location / {
proxy_pass http://umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https ;
proxy_set_header X-Forwarded-Host $host;
# WebSocket support for real-time dashboard
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# 1. Allow public access to tracking scripts
location ~ ^/(script\.js|umami\.js)$ {
proxy_pass http://umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https ;
proxy_set_header X-Forwarded-Host $host;
}
# 2. Allow public access to tracking API (metrics collection)
location /api/send {
proxy_pass http://umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https ;
proxy_set_header X-Forwarded-Host $host;
}
}

72
data/sites-enabled/vault.conf Normal file
View File

@@ -0,0 +1,72 @@
upstream vault_backend {
server 10.0.0.250:8090;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name vault.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name vault.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/vault.novicelab.io_access.log json_combined;
error_log /var/log/nginx/vault.novicelab.io_error.log debug;
# set $vault_backend vaultwarden:443;
location / {
proxy_pass http://vault_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}