Set defaults for directives add_header and proxy_set_header

2026-03-21 09:48:26 +00:00
parent 17a8b6bce2
commit 8296b58bd3
20 changed files with 1603 additions and 0 deletions
--- a/data/sites-enabled/plane.conf
+++ b/data/sites-enabled/plane.conf
@@ -0,0 +1,176 @@
+upstream backend_web {
+    server plane-web:3000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+upstream backend_space {
+    server plane-space:3000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+upstream backend_admin {
+    server plane-admin:3000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+upstream backend_live {
+    server plane-live:3000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+upstream backend_api {
+    server plane-api:8000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+# upstream backend_minio {
+#     server minio:9000;
+#     keepalive 16;
+#     keepalive_timeout 60s;
+#     keepalive_requests 100;
+# }
+
+
+server {
+    listen 80;
+    server_name plane.novicelab.io;
+    if ($host = plane.novicelab.io) {
+        return 301 https://$host$request_uri;
+    }
+}
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl; 
+    http2 on;
+    server_name plane.novicelab.io; 
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
+
+    # Logging
+    access_log /var/log/nginx/plane.novicelab.io_access.log json_combined;
+    error_log /var/log/nginx/plane.novicelab.io_error.log debug;
+
+    # set $plane_backend 10.0.0.251:9020; 
+    # set $backend_web    plane-web:3000;
+    # set $backend_space  plane-space:3000;
+    # set $backend_admin  plane-admin:3000;
+    # set $backend_live   plane-live:3000;
+    # set $backend_api    plane-api:8000;
+    set $backend_minio  minio:9000;
+
+
+    # client_max_body_size 0;
+    # Set the bucket name as a variable for the regex location
+    set $bucket_name "plane";
+
+    # if ($http_x_forwarded_proto != "https") {
+    #     return 301 https://$host$request_uri;
+    # }
+
+    # --- Routes ---
+
+    # Spaces
+    location = /spaces {
+        return 301 /spaces/;
+    }
+    location /spaces/ {
+        proxy_pass http://backend_space;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # God-Mode
+    location = /god-mode {
+        return 301 /god-mode/;
+    }
+    location /god-mode/ {
+        proxy_pass http://backend_admin;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Live
+    location /live/ {
+        proxy_pass http://backend_live;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # API & Auth
+    location /api/ {
+        proxy_pass http://backend_api;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /auth/ {
+        proxy_pass http://backend_api;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Minio (Bucket)
+    # Handles both /bucket and /bucket/*
+    # location ~ ^/${BUCKET_NAME}(/.*)?$ {
+    location ~ ^/plane(/.*)?$ {
+        proxy_pass http://$backend_minio/plane;
+        proxy_set_header Host $host; 
+        
+        # Standard proxy headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+        
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+
+        client_max_body_size 20M;
+        # proxy_pass https://s3.novicelab.io/plane;
+    }
+
+    # Web (Default catch-all)
+    location / {
+        proxy_pass http://backend_web;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}