diff --git a/data/sites-enabled/adminer.conf b/data/sites-enabled/adminer.conf new file mode 100644 index 0000000..651e671 --- /dev/null +++ b/data/sites-enabled/adminer.conf 
@@ -0,0 +1,63 @@ +upstream adminer_backend { + server adminer:8080; + # Keep up to 16 idle connections per worker + keepalive 16; + # Maximum time a connection can be idle + keepalive_timeout 60s; + # Maximum requests per keepalive connection + keepalive_requests 100; +} + +server { + listen 80; + listen [::]:80; + server_name adminer.novicelab.io; + + # ACME challenge for Let's Encrypt certificate renewal + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$server_name$request_uri; + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name adminer.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined; + error_log /var/log/nginx/adminer.novicelab.io_error.log debug; + + # set $adminer_backend adminer:8080; + + location / { + proxy_pass http://adminer_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; + } +} \ No newline at end of 
file diff --git a/data/sites-enabled/auth.conf b/data/sites-enabled/auth.conf new file mode 100644 index 0000000..6e624a1 --- /dev/null +++ b/data/sites-enabled/auth.conf 
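Review bot: The `location /` on the 443 server proxies the Adminer database console to anyone who can reach the host, with no `allow`/`deny` list or `auth_basic` in front of it, so the only barrier is Adminer's own login form. An IP allowlist or basic auth at the proxy, e.g. `allow <trusted-admin-cidr>; deny all;` inside that location (placeholder range), is the usual mitigation for an admin tool that does not need to be public. The header block repeated in every file of this commit also sends `X-XSS-Protection "1; mode=block"`, which is deprecated and which OWASP now recommends setting to `0`, and a `Content-Security-Policy` of `default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'` restricts almost nothing; both are worth one pass in a shared snippet rather than a copy per file.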
@@ -0,0 +1,70 @@ +upstream keycloak_backend { + server keycloak:80; + # Keep up to 16 idle connections per worker + keepalive 16; + # Maximum time a connection can be idle + keepalive_timeout 60s; + # Maximum requests per keepalive connection + keepalive_requests 100; +} + +# Redirect HTTP to HTTPS +server { + listen 80; + listen [::]:80; + server_name auth.novicelab.io; + + # ACME challenge for Let's Encrypt certificate renewal + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$server_name$request_uri; + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name auth.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/auth.novicelab.io_access.log json_combined; + error_log /var/log/nginx/auth.novicelab.io_error.log debug; + + # set $keycloak_backend keycloak:80; + + location / { + proxy_pass http://keycloak_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; #https; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; + + 
proxy_set_header Accept-Encoding ""; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + } +} \ No newline at end of file diff --git a/data/sites-enabled/book.conf b/data/sites-enabled/book.conf new file mode 100644 index 0000000..a28fecc --- /dev/null +++ b/data/sites-enabled/book.conf 
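Review bot: `error_log ... debug` on the Keycloak 443 server writes every request and response header to the error log when nginx is built with debug support, which for an identity provider means session cookies, `Authorization` bearer tokens and redirect URIs carrying authorization codes end up in `/var/log/nginx/auth.novicelab.io_error.log`. Unless this is a temporary troubleshooting setting, `error_log /var/log/nginx/auth.novicelab.io_error.log warn;` is the safer level; the same `debug` level is set in adminer.conf, book.conf, cluster.conf, gitea.conf, goaccess.conf, harbor.conf, hugo.conf and minio.conf, while drone.conf, kimai.conf and mailcow.conf already use the default. Debug logging also costs noticeably in throughput and disk.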
@@ -0,0 +1,64 @@ +upstream bookstack_backend { + server bookstack:80; + # Keep up to 32 idle connections per worker + keepalive 16; + # Maximum time a connection can be idle + keepalive_timeout 60s; + # Maximum requests per keepalive connection + keepalive_requests 100; +} + +# # Redirect HTTP to HTTPS +server { + listen 80; + listen [::]:80; + server_name book.novicelab.io; + + # ACME challenge for Let's Encrypt certificate renewal + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$server_name$request_uri; + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name book.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/book.novicelab.io_access.log json_combined; + error_log /var/log/nginx/book.novicelab.io_error.log debug; + + # set $bookstack_backend bookstack:80; + + location / { + proxy_pass http://bookstack_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; #https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; 
+ } +} \ No newline at end of file diff --git a/data/sites-enabled/cluster.conf b/data/sites-enabled/cluster.conf new file mode 100644 index 0000000..473b5dc --- /dev/null +++ b/data/sites-enabled/cluster.conf 
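Review bot: The `upstream bookstack_backend` block declares `keepalive 16`, but the `location /` proxies with the default HTTP/1.0 and passes the client's `Connection` header through, so nginx closes the upstream connection after every request and the keepalive pool is never used; adminer.conf and hugo.conf have the same gap. Reuse needs `proxy_http_version 1.1;` and `proxy_set_header Connection "";` in the location. The comment above it, `# Keep up to 32 idle connections per worker`, also disagrees with the `keepalive 16;` it describes (the same stale comment appears in drone.conf, gitea.conf, harbor.conf, hugo.conf and minio.conf).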
@@ -0,0 +1,60 @@ +upstream haproxy_backend { + server 10.0.0.20:80; + keepalive 32; + keepalive_timeout 60s; + keepalive_requests 100; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name *.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/*.novicelab.io_access.log json_combined; + error_log /var/log/nginx/*.novicelab.io_error.log debug; + + location / { + proxy_pass http://10.0.0.20:80; + # proxy_pass http://haproxy_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; #https; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + + # Performance optimizations + proxy_buffering off; + proxy_request_buffering off; + + # Timeouts + proxy_connect_timeout 300; + proxy_send_timeout 300; + proxy_read_timeout 300; + send_timeout 300; + + client_max_body_size 0; + } +} \ No newline at end of file 
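Review bot: `proxy_pass http://10.0.0.20:80;` in `location /` bypasses the `upstream haproxy_backend` defined at the top of the file, so that block (and its `keepalive 32`) is dead configuration; either point `proxy_pass` at `http://haproxy_backend` (the commented line) or drop the upstream. The `access_log` and `error_log` paths contain a literal `*` because the server_name was pasted into them; nginx will create a file literally named `*.novicelab.io_access.log`, which is awkward for rotation globs and easy to misread, so a fixed name such as `/var/log/nginx/wildcard.novicelab.io_access.log` would be clearer. Note also that `server_name *.novicelab.io` catches every subdomain not claimed by another file and forwards it, with the client's `Host`, `client_max_body_size 0` and 300-second timeouts, to the HAProxy host; whether that is intended for unknown names deserves a comment on the block.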
diff --git a/data/sites-enabled/drone.conf b/data/sites-enabled/drone.conf new file mode 100644 index 0000000..440cdbd --- /dev/null +++ b/data/sites-enabled/drone.conf 
@@ -0,0 +1,68 @@ +upstream drone_backend { + server drone:80; + + # Keep up to 32 idle connections per worker + keepalive 16; + + # Maximum time a connection can be idle + keepalive_timeout 60s; + + # Maximum requests per keepalive connection + keepalive_requests 100; +} + +server { + listen 80; + server_name drone.novicelab.io; + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name drone.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/drone.novicelab.io_access.log; + error_log /var/log/nginx/drone.novicelab.io_error.log; + + # set $drone_backend drone:80; + + location / { + proxy_pass http://drone_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; #https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; + + # WebSocket support for real-time updates + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Timeouts + proxy_connect_timeout 300; + proxy_send_timeout 300; + 
proxy_read_timeout 300; + send_timeout 300; + } +} \ No newline at end of file diff --git a/data/sites-enabled/gitea.conf b/data/sites-enabled/gitea.conf new file mode 100644 index 0000000..c5c8d64 --- /dev/null +++ b/data/sites-enabled/gitea.conf 
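Review bot: `proxy_set_header Connection "upgrade";` in `location /` is sent on every proxied request, not only on WebSocket handshakes, so ordinary requests to the Drone backend carry `Connection: upgrade` and the `keepalive 16` pool declared above is never reused; gitea.conf, harbor.conf and minio.conf do the same. goaccess.conf in this commit already defines `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` at http level, so `proxy_set_header Connection $connection_upgrade;` would do the right thing here if that map is always loaded (it lives in a file that could be removed independently, so a shared snippet would be safer). The port-80 server, like those in mailcow.conf and minio.conf, uses `return 301 https://$host$request_uri;` with no `listen [::]:80` or ACME location, unlike the `$server_name` form used elsewhere; if the difference is unintentional, aligning it keeps behaviour uniform.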
@@ -0,0 +1,63 @@ +upstream gitea_backend { + server gitea:3000; + + # Keep up to 32 idle connections per worker + keepalive 16; + + # Maximum time a connection can be idle + keepalive_timeout 60s; + + # Maximum requests per keepalive connection + keepalive_requests 100; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name gitea.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/gitea.novicelab.io_access.log json_combined; + error_log /var/log/nginx/gitea.novicelab.io_error.log debug; + + # set $gitea_backend gitea:3000; + + location / { + proxy_pass http://gitea_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; #https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; + + # WebSocket support for real-time updates + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Timeouts + proxy_connect_timeout 300; + proxy_send_timeout 300; + proxy_read_timeout 300; + send_timeout 300; + } + +} \ No newline at end of file 
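Review bot: gitea.conf has no port-80 server block, so a plain `http://gitea.novicelab.io/` request is handled by whichever server is the default for `:80` — with an alphabetical `include` and no `default_server` flag that is adminer.conf's block, whose `return 301 https://$server_name$request_uri;` would send the user to `https://adminer.novicelab.io/`. Adding the same `listen 80; server_name gitea.novicelab.io; return 301 https://$server_name$request_uri;` block that the other files carry avoids the cross-host redirect; harbor.conf and cluster.conf have the same omission. The comment `# Keep up to 32 idle connections per worker` above `keepalive 16;` is also stale.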
diff --git a/data/sites-enabled/goaccess.conf b/data/sites-enabled/goaccess.conf new file mode 100644 index 0000000..ac88cc7 --- /dev/null +++ b/data/sites-enabled/goaccess.conf 
@@ -0,0 +1,84 @@ +# upstream goaccess_backend { +# server goaccess:7890; +# +# # Keep up to 32 idle connections per worker +# keepalive 16; +# +# # Maximum time a connection can be idle +# keepalive_timeout 60s; +# +# # Maximum requests per keepalive connection +# keepalive_requests 100; +# } + +server { + listen 80; + listen [::]:80; + server_name goaccess.novicelab.io; + + # ACME challenge for Let's Encrypt certificate renewal + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$server_name$request_uri; + } +} + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +# Server block for GoAccess dashboard +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name goaccess.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/goaccess.novicelab.io_access.log json_combined; + error_log /var/log/nginx/goaccess.novicelab.io_error.log debug; + + set $goaccess_backend goaccess:7890; + + root /usr/share/nginx/html; + index report.html; + + location / { + try_files $uri $uri/ =404; + } + + location /ws { + proxy_pass http://$goaccess_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; #https; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; + + #enable ws upgrade + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + } +} \ No newline at end of file diff --git a/data/sites-enabled/harbor.conf b/data/sites-enabled/harbor.conf new file mode 100644 index 0000000..a3bc39c --- /dev/null +++ b/data/sites-enabled/harbor.conf 
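Review bot: The 443 server publishes the GoAccess report (`root /usr/share/nginx/html; index report.html;`) and its `/ws` live-update socket with no authentication or IP restriction, so the aggregated access logs of every site in this commit — visitor IPs, user agents and requested URLs — are readable by anyone who finds the hostname. `auth_basic "GoAccess"; auth_basic_user_file <htpasswd-path>;` (placeholder path) at server level, or an `allow`/`deny` list, is the usual guard for a log dashboard. Two smaller points: the `map $http_upgrade $connection_upgrade` defined in this file is never used, since `/ws` hardcodes `proxy_set_header Connection "Upgrade";`, and `proxy_pass http://$goaccess_backend;` with a variable needs a `resolver` directive to look up `goaccess` at runtime, which I cannot see in this file; if it is not in nginx.conf the location fails with "no resolver defined".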
@@ -0,0 +1,107 @@ +upstream harbor_backend { + # server harbor-nginx:8080; # Harbor is in its own network + server 10.0.0.250:3200; + + # Keep up to 32 idle connections per worker + keepalive 16; + + # Maximum time a connection can be idle + keepalive_timeout 60s; + + # Maximum requests per keepalive connection + keepalive_requests 100; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name harbor.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/harbor.novicelab.io_access.log json_combined; + error_log /var/log/nginx/harbor.novicelab.io_error.log debug; + + # set $harbor_backend 10.0.0.251:3200; + # set $harbor_backend harbor-nginx:8080; + + client_max_body_size 0; + + # Disable absolute redirects which often cause 301 loops + absolute_redirect off; + + # Docker registry specific headers + chunked_transfer_encoding on; + + location / { + proxy_pass http://harbor_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; #https; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; + + # 
WebSocket support for real-time updates + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + client_max_body_size 0; + + # Timeouts + proxy_connect_timeout 300; + proxy_send_timeout 300; + proxy_read_timeout 300; + send_timeout 300; + + proxy_set_header Authorization $http_authorization; + proxy_pass_header Authorization; + + # Performance optimizations + proxy_request_buffering off; + + proxy_buffering off; + proxy_set_header Referer $http_referer; + proxy_redirect off; + + proxy_set_header Cookie $http_cookie; + + + # Optional: Increase buffers for large tokens/cookies + proxy_busy_buffers_size 512k; + proxy_buffers 4 512k; + proxy_buffer_size 256k; + } + + location /v2/ { + # Do not allow Nginx to add/remove trailing slashes here + proxy_pass http://harbor_backend; + + proxy_set_header Host $http_host; # Important for Registry + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # Increase body size for image uploads + client_max_body_size 0; + } +} \ No newline at end of file diff --git a/data/sites-enabled/hugo.conf b/data/sites-enabled/hugo.conf new file mode 100644 index 0000000..8f9049a --- /dev/null +++ b/data/sites-enabled/hugo.conf 
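Review bot: `location /v2/` — the path every `docker push`/`pull` uses — lacks the `proxy_request_buffering off`, `proxy_http_version 1.1` and 300-second timeouts that `location /` sets, so large layer uploads are first spooled to nginx temp files and long blob transfers hit the default 60-second `proxy_read_timeout`; adding `proxy_http_version 1.1; proxy_request_buffering off; proxy_read_timeout 300;` there matches the intent of the comment `# Increase body size for image uploads`. The two locations also disagree on `Host` (`$host` vs `$http_host`) and `X-Forwarded-Host` (`$http_host` vs `$host`), which matters because the registry token service builds URLs from them; pick one form for both. In `location /`, `proxy_set_header Authorization $http_authorization;`, `proxy_set_header Cookie $http_cookie;` and `proxy_pass_header Authorization;` are no-ops — request headers are forwarded unchanged by default and `proxy_pass_header` only affects response headers nginx hides — and can be removed, as can the `client_max_body_size 0;` repeated at server level and in both locations.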
@@ -0,0 +1,82 @@ +upstream hugo_backend { + server hugo:1313; + # Keep up to 32 idle connections per worker + keepalive 16; + # Maximum time a connection can be idle + keepalive_timeout 60s; + # Maximum requests per keepalive connection + keepalive_requests 100; +} + +# Redirect HTTP to HTTPS +server { + listen 80; + listen [::]:80; + server_name novicelab.io www.novicelab.io; + + # ACME challenge for Let's Encrypt certificate renewal + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$server_name$request_uri; + } +} + +# Redirect www to non-www +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name www.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # logging + error_log /var/log/nginx/error.log debug; + return 301 https://novicelab.io$request_uri; +} + + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/novicelab.io_access.log json_combined; + error_log /var/log/nginx/novicelab.io_error.log 
debug; + + # set $hugo_backend hugo:1313; + + location / { + proxy_pass http://hugo_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; + } +} \ No newline at end of file diff --git a/data/sites-enabled/kimai.conf b/data/sites-enabled/kimai.conf new file mode 100644 index 0000000..f103e10 --- /dev/null +++ b/data/sites-enabled/kimai.conf 
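Review bot: The `www.novicelab.io` 443 server issues `return 301 https://novicelab.io$request_uri;` without any `add_header Strict-Transport-Security ... always;`, so HTTPS responses from the www host carry no HSTS; the `preload` token used on the apex expects the header on such redirects too, and browsers that reach www first get no policy for it. Copying the one `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;` line into that block fixes it. `server hugo:1313` is the default port of `hugo server`, the development server with live reload; if that is what runs in the container, serving the generated `public/` directory with a plain `root` would be the production shape — confirm what the image actually runs.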
@@ -0,0 +1,58 @@ +# Redirect HTTP to HTTPS +server { + listen 80; + listen [::]:80; + server_name kimai.novicelab.io; + + # ACME challenge for Let's Encrypt certificate renewal + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$server_name$request_uri; + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name kimai.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Permissions-Policy "interest-cohort=()" always; + # Logging + access_log /var/log/nginx/kimai.novicelab.io_access.log; + error_log /var/log/nginx/kimai.novicelab.io_error.log; + + set $kimai_backend kimai:8001; + + location / { + proxy_pass http://10.0.0.250:8400; + # proxy_pass http://$kimai_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; #https; + # proxy_set_header X-Forwarded-Host $host:$server_port; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Port $server_port; + + } + # Redirect HTTP to HTTPS, in case an invalid (plain HTTP) request was sent to port 443 + error_page 497 https://$host:$server_port$request_uri; +} \ No newline at end of file 
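Review bot: `set $kimai_backend kimai:8001;` is assigned but unused — `location /` proxies to the hard-coded `http://10.0.0.250:8400;` and the variable only appears in a commented line — so the two disagree on both host and port and a reader cannot tell which backend is current; drop the `set` or use it. `error_page 497 https://$host:$server_port$request_uri;` builds the redirect from the client-supplied `Host` header, whereas the port-80 block in the same file uses `$server_name`, which the request cannot influence; `error_page 497 https://$server_name$request_uri;` would keep the two consistent (the `:$server_port` suffix is redundant for 443).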
diff --git a/data/sites-enabled/mailcow.conf b/data/sites-enabled/mailcow.conf new file mode 100644 index 0000000..4e01d74 --- /dev/null +++ b/data/sites-enabled/mailcow.conf 
@@ -0,0 +1,58 @@ +server { + listen 80; + server_name mailcow.novicelab.io; + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name mailcow.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/mailcow.novicelab.io_access.log; + error_log /var/log/nginx/mailcow.novicelab.io_error.log; + + location /Microsoft-Server-ActiveSync { + proxy_pass https://10.0.0.251:7443/Microsoft-Server-ActiveSync; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_connect_timeout 75; + proxy_send_timeout 3650; + proxy_read_timeout 3650; + # proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo + client_body_buffer_size 512k; + client_max_body_size 0; + } + + location / { + proxy_pass https://10.0.0.251:7443/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + client_max_body_size 0; + # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update + # Otherwise a 
Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537 + # proxy_buffer_size 128k; + proxy_buffers 64 512k; + proxy_busy_buffers_size 512k; + } +} \ No newline at end of file diff --git a/data/sites-enabled/minio.conf b/data/sites-enabled/minio.conf new file mode 100644 index 0000000..d8a11d2 --- /dev/null +++ b/data/sites-enabled/minio.conf 
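Review bot: Both locations `proxy_pass https://10.0.0.251:7443` but set no `proxy_ssl_verify`, so nginx accepts any certificate from that address (the default is `off`); the hop is encrypted but the upstream is not authenticated, which is the gap TLS to an internal host is usually meant to close. `proxy_ssl_verify on; proxy_ssl_trusted_certificate <ca-bundle-path>; proxy_ssl_name mailcow.novicelab.io;` at server level (placeholder path; the name must match what the mailcow certificate carries, since `proxy_ssl_name` otherwise defaults to the IP in `proxy_pass`) turns verification on for both locations. The port-80 server also omits `listen [::]:80`, unlike most other files in the commit.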
@@ -0,0 +1,128 @@ +upstream minio_backend { + server minio:9001; + # Keep up to 32 idle connections per worker + keepalive 16; + # Maximum time a connection can be idle + keepalive_timeout 60s; + # Maximum requests per keepalive connection + keepalive_requests 100; +} + +upstream s3_backend { + server minio:9000; + # Keep up to 32 idle connections per worker + keepalive 16; + # Maximum time a connection can be idle + keepalive_timeout 60s; + # Maximum requests per keepalive connection + keepalive_requests 100; +} + +server { + listen 80; + server_name minio.novicelab.io; + return 301 https://$host$request_uri; # Redirect HTTP to HTTPS +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name minio.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/minio.novicelab.io_access.log json_combined; + error_log /var/log/nginx/minio.novicelab.io_error.log debug; + + # set $minio_backend minio:9001; + + location / { + proxy_pass http://minio_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; #https; + # proxy_set_header X-NginX-Proxy true; + + # WebSocket support for real-time updates 
+ proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Timeouts + proxy_connect_timeout 300; + proxy_send_timeout 300; + proxy_read_timeout 300; + send_timeout 300; + + client_max_body_size 500M; + } +} + +server { + listen 80; + server_name s3.novicelab.io; + return 301 https://$host$request_uri; # Redirect HTTP to HTTPS +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name s3.novicelab.io; + + # SSL + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Logging + access_log /var/log/nginx/s3.novicelab.io_access.log json_combined; + error_log /var/log/nginx/s3.novicelab.io_error.log debug; + + # set $s3_backend minio:9000; + + location / { + proxy_pass http://s3_backend; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # WebSocket support for real-time updates + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Timeouts + proxy_connect_timeout 300; + proxy_send_timeout 300; + proxy_read_timeout 300; + send_timeout 300; + } + +} \ No newline at end of file 
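Review bot: The `s3.novicelab.io` server never sets `client_max_body_size`, so unless it is raised in the http block, every S3 `PUT` larger than nginx's 1 MB default is rejected with 413 before reaching `s3_backend`; the console server in the same file sets `client_max_body_size 500M;`, which suggests the omission is accidental. For an object-storage endpoint `client_max_body_size 0;` together with `proxy_request_buffering off;` in that location avoids both the limit and spooling whole objects to temp files. The two servers also differ on `proxy_set_header Host` (`$host` for the console, `$http_host` for S3); the SigV4 signature covers the Host header, so the `$http_host` form is the one to keep, and a comment saying why would stop someone "harmonising" it later.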
diff --git a/data/sites-enabled/mkdocs.conf b/data/sites-enabled/mkdocs.conf new file mode 100644 index 0000000..f18865c --- /dev/null +++ b/data/sites-enabled/mkdocs.conf 
@@ -0,0 +1,91 @@
+# # # Redirect HTTP to HTTPS
+# # server {
+# # listen 80;
+# # listen [::]:80;
+# # server_name novicelab.io;
+
+# # # ACME challenge for Let's Encrypt certificate renewal
+# # location /.well-known/acme-challenge/ {
+# # root /var/www/certbot;
+# # }
+
+# # location / {
+# # return 301 https://$server_name$request_uri;
+# # }
+# # }
+
+# server {
+# listen 443 ssl; #http2;
+# listen [::]:443 ssl; # http2;
+# server_name novicelab.io;
+
+# # SSL Certificate paths
+# ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+# # Trusted certificate for OCSP stapling
+# # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+# # Cloudflare Origin CA certificate for client verification
+# # Cloudflare Origin CA for authenticated origin pulls (optional)
+# # Only enable if you want to restrict to Cloudflare only
+# # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+# # ssl_verify_client on;
+
+# # SSL Protocol - TLS 1.2 and 1.3 only
+# ssl_protocols TLSv1.2 TLSv1.3;
+
+# # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+# ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+# ssl_prefer_server_ciphers off;
+
+# # SSL session configuration
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:SSL:10m;
+# ssl_session_tickets off;
+
+# # OCSP Stapling
+# # ssl_stapling on;
+# # ssl_stapling_verify on;
+# resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+# resolver_timeout 5s;
+
+# # Security Headers
+# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+# add_header X-Frame-Options "SAMEORIGIN" always;
+# add_header X-Content-Type-Options "nosniff" always;
+# add_header X-XSS-Protection "1; mode=block" always;
+# add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+# # Diffie-Hellman parameter for DHE ciphersuites
+# # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+# # Logging
+# access_log /var/log/nginx/example.com_access.log;
+# error_log /var/log/nginx/example.com_error.log;
+
+# # Root and index
+# # root /var/www/html;
+# # index index.html index.htm;
+
+# # include /etc/letsencrypt/options-ssl-nginx.conf;
+# set $mkdocs_backend mkdocs:8000;
+
+# location / {
+# # proxy_pass http://10.0.0.251:9200/;
+# proxy_pass http://$mkdocs_backend;
+
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Proto https; # $scheme;
+# proxy_set_header X-Forwarded-Host $host;
+
+# proxy_buffering off;
+# proxy_set_header Referer $http_referer;
+# proxy_redirect off;
+
+# proxy_set_header Cookie $http_cookie;
+# }
+# }
\ No newline at end of file
diff --git a/data/sites-enabled/opencloud.conf b/data/sites-enabled/opencloud.conf
new file mode 100644
index 0000000..b597edc
--- /dev/null
+++ b/data/sites-enabled/opencloud.conf
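Review bot: Every line of mkdocs.conf is commented out, so the file is dead weight in sites-enabled and the `listen 80` / ACME block for the bare `novicelab.io` it contains is not actually served; either delete it or park it in sites-available until it is meant to be live. It is also worth noting that this commented block is the only place in the diff that carries any TLS hardening (`ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_session_tickets off;`, a restricted `ssl_ciphers` list), while none of the live vhosts set these — so unless they are inherited from an http{}-level nginx.conf that is not visible here, the live sites run on nginx's built-in defaults. If the hardening is meant to be shared, move it into an include (e.g. `include /etc/nginx/snippets/tls.conf;`) referenced from each live server block rather than leaving it in a disabled file.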
@@ -0,0 +1,73 @@
+upstream opencloud_backend {
+ server 10.0.0.250:9200;
+ # Keep up to 32 idle connections per worker
+ keepalive 16;
+ # Maximum time a connection can be idle
+ keepalive_timeout 60s;
+ # Maximum requests per keepalive connection
+ keepalive_requests 100;
+}
+
+server {
+ listen 80;
+ server_name opencloud.novicelab.io;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name opencloud.novicelab.io;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+
+ # Logging
+ access_log /var/log/nginx/opencloud.novicelab.io_access.log json_combined;
+ error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;
+
+ client_max_body_size 10M;
+
+ # Disable buffering - essential for SSE
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ # Extend timeouts for long connections
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+ keepalive_requests 100000;
+ keepalive_timeout 5m;
+ http2_max_concurrent_streams 512;
+
+ # set $opencloud_backend 10.0.0.251:9200;
+ # Prevent nginx from trying other upstreams
+ proxy_next_upstream off;
+
+
+ location / {
+ proxy_pass http://opencloud_backend;
+ # proxy_pass http://opencloud_backend/;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Headers for WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/data/sites-enabled/opencloud_collabora.conf b/data/sites-enabled/opencloud_collabora.conf
new file mode 100644
index 0000000..011a9fc
--- /dev/null
+++ b/data/sites-enabled/opencloud_collabora.conf
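Review bot: `error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;` on a production vhost is a data-exposure problem rather than mere noise: at `debug` level an nginx built with `--with-debug` writes the request and upstream header lines — including `Cookie` and `Authorization` values — to the error log, so OpenCloud session tokens land on disk in a file that is rarely treated as sensitive. Lower it to `error_log /var/log/nginx/opencloud.novicelab.io_error.log warn;` and apply the same change to the other vhosts in this diff that use `debug`. Two smaller points in the same hunk: the comment "Keep up to 32 idle connections per worker" disagrees with `keepalive 16;` (fix one or the other), and the CSP `default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'` allows inline script, eval and any https origin, so it blocks essentially nothing — tighten it for this app or drop the header rather than ship a policy that only looks protective.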
@@ -0,0 +1,75 @@
+upstream collabora_backend {
+ server 10.0.0.250:9980;
+ # Keep up to 32 idle connections per worker
+ keepalive 16;
+ # Maximum time a connection can be idle
+ keepalive_timeout 60s;
+ # Maximum requests per keepalive connection
+ keepalive_requests 100;
+}
+
+server {
+ listen 80;
+ server_name collabora.novicelab.io;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name collabora.novicelab.io;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+
+ # Logging
+ access_log /var/log/nginx/opencloud_collabora.novicelab.io_access.log json_combined;
+ error_log /var/log/nginx/opencloud_collabora.novicelab.io_error.log debug;
+
+ client_max_body_size 10M;
+
+ # Disable buffering - essential for SSE
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ # Extend timeouts for long connections
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+ keepalive_requests 100000;
+ keepalive_timeout 5m;
+ http2_max_concurrent_streams 512;
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # set $collabora_backend 10.0.0.251:9980;
+ # Prevent nginx from trying other upstreams
+ proxy_next_upstream off;
+
+
+ location / {
+ proxy_pass http://collabora_backend;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Headers for WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/data/sites-enabled/opencloud_wopi.conf b/data/sites-enabled/opencloud_wopi.conf
new file mode 100644
index 0000000..f59b38a
--- /dev/null
+++ b/data/sites-enabled/opencloud_wopi.conf
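Review bot: `add_header X-Frame-Options "SAMEORIGIN" always;` on collabora.novicelab.io will make browsers refuse to render the editor inside OpenCloud, because the embedding page is served from opencloud.novicelab.io — a different origin — and nginx appends this header on top of whatever framing policy Collabora itself emits (this assumes OpenCloud loads Collabora in an iframe, as the opencloud_* file naming suggests; please confirm). Rather than dropping framing protection, allow-list the one embedder by extending the existing CSP line to `add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors https://opencloud.novicelab.io;" always;` and removing the X-Frame-Options line. Separately, `resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;` is dead configuration in this server block — `proxy_pass http://collabora_backend` targets a static upstream, so no runtime DNS lookup happens — and it points nginx at public resolvers over plaintext DNS for no benefit; drop it or keep only the Docker-internal `127.0.0.11`.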
@@ -0,0 +1,58 @@
+upstream wopi_backend {
+ server 10.0.0.250:9300;;
+ # Keep up to 32 idle connections per worker
+ keepalive 16;
+ # Maximum time a connection can be idle
+ keepalive_timeout 60s;
+ # Maximum requests per keepalive connection
+ keepalive_requests 100;
+}
+
+server {
+ listen 80;
+ server_name wopi.novicelab.io;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name wopi.novicelab.io;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+
+ # Logging
+ access_log /var/log/nginx/opencloud_wopi.novicelab.io_access.log json_combined;
+ error_log /var/log/nginx/opencloud_wopi.novicelab.io_error.log debug;
+
+ # set $wopi_backend 10.0.0.251:9300;
+
+
+ location / {
+ # proxy_pass http://10.0.0.250:9300;
+ proxy_pass http://wopi_backend/;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Headers for WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/data/sites-enabled/plane.conf b/data/sites-enabled/plane.conf
new file mode 100644
index 0000000..55772f7
--- /dev/null
+++ b/data/sites-enabled/plane.conf
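Review bot: `server 10.0.0.250:9300;;` in `upstream wopi_backend` has a doubled semicolon; nginx rejects the stray `;` as an empty directive (`unexpected ";"`), so `nginx -t` fails and, because every file in sites-enabled is parsed together, the whole reload is blocked by this one typo — it should read `server 10.0.0.250:9300;`. Beyond the typo, WOPI is a server-to-server protocol that only the Collabora host needs to reach, yet this block publishes it to anyone on 443 with no restriction; if Collabora egresses from the address used in opencloud_collabora.conf, gate `location /` with `allow 10.0.0.250; deny all;` (adjust if the real source address differs). The trailing slash in `proxy_pass http://wopi_backend/;` is harmless under `location /` but differs from every sibling vhost; drop it for consistency.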
@@ -0,0 +1,176 @@
+upstream backend_web {
+ server plane-web:3000;
+ keepalive 16;
+ keepalive_timeout 60s;
+ keepalive_requests 100;
+}
+upstream backend_space {
+ server plane-space:3000;
+ keepalive 16;
+ keepalive_timeout 60s;
+ keepalive_requests 100;
+}
+upstream backend_admin {
+ server plane-admin:3000;
+ keepalive 16;
+ keepalive_timeout 60s;
+ keepalive_requests 100;
+}
+upstream backend_live {
+ server plane-live:3000;
+ keepalive 16;
+ keepalive_timeout 60s;
+ keepalive_requests 100;
+}
+upstream backend_api {
+ server plane-api:8000;
+ keepalive 16;
+ keepalive_timeout 60s;
+ keepalive_requests 100;
+}
+# upstream backend_minio {
+# server minio:9000;
+# keepalive 16;
+# keepalive_timeout 60s;
+# keepalive_requests 100;
+# }
+
+
+server {
+ listen 80;
+ server_name plane.novicelab.io;
+ if ($host = plane.novicelab.io) {
+ return 301 https://$host$request_uri;
+ }
+}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name plane.novicelab.io;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+
+ # Logging
+ access_log /var/log/nginx/plane.novicelab.io_access.log json_combined;
+ error_log /var/log/nginx/plane.novicelab.io_error.log debug;
+
+ # set $plane_backend 10.0.0.251:9020;
+ # set $backend_web plane-web:3000;
+ # set $backend_space plane-space:3000;
+ # set $backend_admin plane-admin:3000;
+ # set $backend_live plane-live:3000;
+ # set $backend_api plane-api:8000;
+ set $backend_minio minio:9000;
+
+
+ # client_max_body_size 0;
+ # Set the bucket name as a variable for the regex location
+ set $bucket_name "plane";
+
+ # if ($http_x_forwarded_proto != "https") {
+ # return 301 https://$host$request_uri;
+ # }
+
+ # --- Routes ---
+
+ # Spaces
+ location = /spaces {
+ return 301 /spaces/;
+ }
+ location /spaces/ {
+ proxy_pass http://backend_space;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # God-Mode
+ location = /god-mode {
+ return 301 /god-mode/;
+ }
+ location /god-mode/ {
+ proxy_pass http://backend_admin;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # Live
+ location /live/ {
+ proxy_pass http://backend_live;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # API & Auth
+ location /api/ {
+ proxy_pass http://backend_api;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ location /auth/ {
+ proxy_pass http://backend_api;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # Minio (Bucket)
+ # Handles both /bucket and /bucket/*
+ # location ~ ^/${BUCKET_NAME}(/.*)?$ {
+ location ~ ^/plane(/.*)?$ {
+ proxy_pass http://$backend_minio/plane;
+ proxy_set_header Host $host;
+
+ # Standard proxy headers
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+
+ if ($request_method = 'OPTIONS') {
+ return 204;
+ }
+
+ client_max_body_size 20M;
+ # proxy_pass https://s3.novicelab.io/plane;
+ }
+
+ # Web (Default catch-all)
+ location / {
+ proxy_pass http://backend_web;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
\ No newline at end of file
diff --git a/data/sites-enabled/portainer.conf b/data/sites-enabled/portainer.conf
new file mode 100644
index 0000000..c780469
--- /dev/null
+++ b/data/sites-enabled/portainer.conf
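Review bot: The `location ~ ^/plane(/.*)?$` block is broken in two ways that the hunk does not address: `proxy_pass http://$backend_minio/plane;` uses a variable, so nginx must resolve `minio` at request time and this server block declares no `resolver` (every request will fail with "no resolver defined to resolve minio"), and with a variable in `proxy_pass` the URI part is sent as-is, so every `/plane/<object-key>` request reaches MinIO as a bare `/plane` and all object paths collapse onto one URL. The clean fix is the one the file already sketches: uncomment `upstream backend_minio { server minio:9000; ... }` at the top and change the line to `proxy_pass http://backend_minio;` with no URI, which also removes the need for `set $backend_minio` and the unused `set $bucket_name "plane";`. Note too that the three CORS `add_header` lines inside this location suppress inheritance of the server-level headers, so HSTS, `X-Content-Type-Options` and the rest are not sent on any bucket response — either repeat them here or move the CORS headers to the same level as the rest. Finally `Access-Control-Allow-Origin '*'` combined with `Authorization` in the allowed headers is broader than a single-origin app needs; consider pinning it to `https://plane.novicelab.io` (cannot tell from here whether other origins must read the bucket).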
@@ -0,0 +1,65 @@
+upstream portainer_backend {
+ server portainer:9000;
+ keepalive 16;
+ keepalive_timeout 60s;
+ keepalive_requests 100;
+}
+
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name portainer.novicelab.io;
+
+ # ACME challenge for Let's Encrypt certificate renewal
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name portainer.novicelab.io;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+
+ # Logging
+ access_log /var/log/nginx/portainer.novicelab.io_access.log;
+ error_log /var/log/nginx/portainer.novicelab.io_error.log;
+
+ # set $portainer_backend portainer:9000;
+
+ location / {
+ proxy_pass http://portainer_backend;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme; #https;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_http_version 1.1;
+ }
+}
\ No newline at end of file
diff --git a/data/sites-enabled/umami.conf b/data/sites-enabled/umami.conf
new file mode 100644
index 0000000..d9b904b
--- /dev/null
+++ b/data/sites-enabled/umami.conf
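Review bot: `proxy_set_header Connection $http_connection;` forwards a client-controlled hop-by-hop header verbatim to the upstream: a browser sending `Connection: close` makes Portainer close the connection after each response, which defeats the `keepalive 16` pool declared on `portainer_backend`, and the WebSocket upgrade only works when the client happens to send `Connection: upgrade` itself. Use the standard map idiom instead — at http{} level `map $http_upgrade $connection_upgrade { default upgrade; '' ""; }` and here `proxy_set_header Connection $connection_upgrade;` — which keeps the pool alive for plain requests and upgrades only when `Upgrade` is present; the sibling vhosts in this diff hardcode `"upgrade"`, which has the opposite problem of forcing an upgrade on every request. Note also that Portainer is a Docker control plane, and this block publishes it on the 443 edge guarded only by the application's own login; if this host is internet-facing (not determinable from the config), add an `allow`/`deny` list or client-certificate requirement on this server block.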
@@ -0,0 +1,88 @@
+upstream umami_backend {
+ server umami:3000;
+ # Keep up to 32 idle connections per worker
+ keepalive 16;
+ # Maximum time a connection can be idle
+ keepalive_timeout 60s;
+ # Maximum requests per keepalive connection
+ keepalive_requests 100;
+}
+
+# # Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name umami.novicelab.io;
+
+ # ACME challenge for Let's Encrypt certificate renewal
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name umami.novicelab.io;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+
+ # Logging
+ access_log /var/log/nginx/umami.novicelab.io_access.log json_combined;
+ error_log /var/log/nginx/umami.novicelab.io_error.log debug;
+
+ # set $umami_backend umami:3000;
+
+ location / {
+ proxy_pass http://umami_backend;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme; #https ;
+ proxy_set_header X-Forwarded-Host $host;
+
+ # WebSocket support for real-time dashboard
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ # 1. Allow public access to tracking scripts
+ location ~ ^/(script\.js|umami\.js)$ {
+ proxy_pass http://umami_backend;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme; #https ;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ # 2. Allow public access to tracking API (metrics collection)
+ location /api/send {
+ proxy_pass http://umami_backend;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme; #https ;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+}
\ No newline at end of file
diff --git a/data/sites-enabled/vault.conf b/data/sites-enabled/vault.conf
new file mode 100644
index 0000000..3c87298
--- /dev/null
+++ b/data/sites-enabled/vault.conf
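Review bot: The comments "1. Allow public access to tracking scripts" and "2. Allow public access to tracking API" promise a boundary the file does not enforce: `location /` already proxies every path to `umami_backend` with no `allow`/`deny` or `auth_basic`, and the `^/(script\.js|umami\.js)$` and `/api/send` locations do exactly the same thing, so they are redundant and the comments are misleading about what is private. If the intent is to expose only the tracker and keep the dashboard and the rest of `/api/` off the public edge, put the gate on `location /` (e.g. `allow <admin CIDR>; deny all;` or `auth_basic`) and leave the two public locations as they are; if there is no such intent, delete the two extra locations and their numbered comments. Either way the configuration should not document a restriction it does not implement.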
@@ -0,0 +1,72 @@
+upstream vault_backend {
+ server 10.0.0.250:8090;
+ # Keep up to 32 idle connections per worker
+ keepalive 16;
+ # Maximum time a connection can be idle
+ keepalive_timeout 60s;
+ # Maximum requests per keepalive connection
+ keepalive_requests 100;
+}
+
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name vault.novicelab.io;
+
+ # ACME challenge for Let's Encrypt certificate renewal
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name vault.novicelab.io;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+
+ # Logging
+ access_log /var/log/nginx/vault.novicelab.io_access.log json_combined;
+ error_log /var/log/nginx/vault.novicelab.io_error.log debug;
+
+ # set $vault_backend vaultwarden:443;
+
+ location / {
+ proxy_pass http://vault_backend;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket support for real-time updates
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+ }
+}
\ No newline at end of file
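Review bot: Vaultwarden traffic — the login request carrying the master-password-derived hash and the bearer token on every subsequent call — is re-sent in the clear to `10.0.0.250:8090` via `proxy_pass http://vault_backend;`, while the commented `# set $vault_backend vaultwarden:443;` suggests the previous setup reached the container over TLS. If 10.0.0.250 is another machine rather than a local Docker network on the nginx host (cannot tell from this file), terminating TLS at the edge only to forward secrets unencrypted across the LAN is a regression; either keep the backend on a host-local network, or use `proxy_pass https://vault_backend;` together with `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /path/to/backend-ca.pem;`. The `error_log ... debug;` line compounds this on the same vhost, since an nginx built with `--with-debug` writes request header lines — including `Authorization` — to the error log at that level; lower it to `warn` here first of all the vhosts in this diff.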