diff --git a/data/conf.d/adminer.conf b/data/conf.d/adminer.conf
index 33fe17b..d4806c9 100644
--- a/data/conf.d/adminer.conf
+++ b/data/conf.d/adminer.conf
@@ -62,8 +62,8 @@ server {
 # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 # Logging
- access_log /var/log/nginx/adminer.novicelab.io_access.log;
- error_log /var/log/nginx/adminer.novicelab.io_error.log;
+ access_log /var/log/nginx/adminer.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/adminer.novicelab.io_error.log debug;
 # Root and index
 # root /var/www/html;
diff --git a/data/conf.d/auth.conf b/data/conf.d/auth.conf
index 6c1ea3f..f666b88 100644
--- a/data/conf.d/auth.conf
+++ b/data/conf.d/auth.conf
@@ -62,8 +62,8 @@ server {
 # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 # Logging
- access_log /var/log/nginx/auth.novicelab.io_access.log;
- error_log /var/log/nginx/auth.novicelab.io_error.log;
+ access_log /var/log/nginx/auth.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/auth.novicelab.io_error.log debug;
 # Root and index
 # root /var/www/html;
diff --git a/data/conf.d/book.conf b/data/conf.d/book.conf
index 0b4110a..10f80f8 100644
--- a/data/conf.d/book.conf
+++ b/data/conf.d/book.conf
@@ -62,8 +62,8 @@ server {
 # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 # Logging
- access_log /var/log/nginx/book.novicelab.io_access.log;
- error_log /var/log/nginx/book.novicelab.io_error.log;
+ access_log /var/log/nginx/book.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/book.novicelab.io_error.log debug;
 # Root and index
 # root /var/www/html;
diff --git a/data/conf.d/cluster.conf b/data/conf.d/cluster.conf
index fa86c9a..d912f82 100644
--- a/data/conf.d/cluster.conf
+++ b/data/conf.d/cluster.conf
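Review bot: `error_log /var/log/nginx/adminer.novicelab.io_error.log debug;` switches this vhost to nginx's most verbose level, which writes every parsed client request header and every proxied response header — including the `Cookie`, `Authorization` and `Set-Cookie` values that carry the Adminer session — to disk for every request, not only on failure. In front of a database-admin UI that file becomes a credential sink, and it is enabled permanently rather than for a bounded debugging session. Prefer `error_log /var/log/nginx/adminer.novicelab.io_error.log warn;` and, when one client must be traced, `debug_connection <ip>;` in the `events {}` block. Note that debug output is only produced when nginx was built with `--with-debug`, so on a stock binary the line adds risk-on-upgrade without any diagnostic benefit today. The enclosing `server {}` block starts and ends outside this hunk.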
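Review bot: `access_log ... VCOMBINED;` references a named `log_format` that nothing in this diff defines; nginx refuses to load the configuration (`unknown log format "VCOMBINED"`) unless a `log_format VCOMBINED ...` already exists in the `http {}` context of nginx.conf, so that definition should be confirmed or added in the same change. If the name means the GoAccess virtual-host format, the nginx side is roughly `log_format VCOMBINED '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';`. On an auth endpoint `$remote_user` and `$request` will record Basic-auth usernames and anything a client puts in the query string, so the access log needs the same restricted permissions and rotation as the error log. The `server {}` block continues outside the hunk.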
@@ -38,8 +38,8 @@ server {
 add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
 # Logging
- access_log /var/log/nginx/*.novicelab.io_access.log;
- error_log /var/log/nginx/*.novicelab.io_error.log;
+ access_log /var/log/nginx/*.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/*.novicelab.io_error.log debug;
 location / {
 proxy_pass http://10.0.0.20:80; # Assuming HAProxy is on port 8080
diff --git a/data/conf.d/collabora.conf b/data/conf.d/collabora.conf
deleted file mode 100644
index 5dac65f..0000000
--- a/data/conf.d/collabora.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-server {
- listen 80;
- server_name collabora.novicelab.io;
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl; # http2;
- server_name collabora.novicelab.io;
-
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_session_cache shared:SSL:10m;
-
- # Security headers
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # set $opencloud_backend 10.0.0.251:9980;
-
-
- location / {
- proxy_pass http://10.0.0.251:9980;
- #proxy_pass http://$opencloud_backend/;
-
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
- location ~ ^/cool/(.*)/ws$ {
- proxy_pass http://10.0.0.251:9980;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header Host $host;
- }
-}
\ No newline at end of file
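Review bot: The `*` in `/var/log/nginx/*.novicelab.io_access.log` and in the matching `error_log` path is not a glob: nginx takes both paths literally (`error_log` accepts no variables at all), so both directives write to a single file whose name starts with `*`, which confuses logrotate globs and shell tooling and says nothing about which vhost produced it. Name the files after the block, e.g. `access_log /var/log/nginx/cluster.novicelab.io_access.log VCOMBINED;` and `error_log /var/log/nginx/cluster.novicelab.io_error.log warn;`. This block proxies everything under `location /` to 10.0.0.20 and its `server_name` is outside the hunk, so if it is the catch-all, `debug` means dozens of log lines per request from any host name pointed at the box, letting an unauthenticated client fill the shared proxy's disk. The `server {}` block starts before and ends after this hunk.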
diff --git a/data/conf.d/couch.conf b/data/conf.d/couch.conf
deleted file mode 100644
index 3e40bab..0000000
--- a/data/conf.d/couch.conf
+++ /dev/null
@@ -1,92 +0,0 @@
-server {
- listen 80;
- server_name couch.novicelab.io;
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl; # http2;
- server_name couch.novicelab.io;
-
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_session_cache shared:SSL:10m;
-
- # Security headers
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- set $couch_backend 10.0.0.251:5984;
-
- # # Block access to _utils (Fauxton) in production
- # location /_utils {
- # deny all;
- # return 403;
- # }
-
- # # Block _config endpoint externally
- # location /_config {
- # deny all;
- # return 403;
- # }
-
- # # Block _node endpoint externally
- # location /_node {
- # # deny all;
- # # return 403;
- # proxy_pass http://$couch_backend/_node;
- # proxy_redirect off;
- # proxy_set_header Host $host;
- # proxy_set_header X-Real-IP $remote_addr;
- # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # proxy_set_header X-Forwarded-Proto $scheme;
-
- # # Timeouts
- # proxy_connect_timeout 10s;
- # proxy_read_timeout 60s;
- # }
-
- location / {
- # Handle CORS preflight without hitting CouchDB auth
- if ($request_method = OPTIONS) {
- add_header Access-Control-Allow-Origin $http_origin always;
- add_header Access-Control-Allow-Methods "GET, PUT, POST, HEAD, DELETE, OPTIONS" always;
- add_header Access-Control-Allow-Headers "accept, authorization, content-type, origin, referer, x-csrf-token" always;
- add_header Access-Control-Allow-Credentials "true" always;
- add_header Access-Control-Max-Age 3600;
- add_header Content-Length 0;
- add_header Content-Type text/plain;
- return 204;
- }
-
- # Pass all other requests to CouchDB
- # proxy_pass http://127.0.0.1:5984;
- proxy_pass http://$couch_backend/;
- proxy_redirect off;
- proxy_buffering off;
- proxy_method $request_method;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # Forward CORS headers from CouchDB responses too
- add_header Access-Control-Allow-Origin $http_origin always;
- add_header Access-Control-Allow-Credentials "true" always;
-
- proxy_connect_timeout 10s;
- proxy_read_timeout 60s;
-
- # Headers for WebSocket support
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/gitea.conf b/data/conf.d/gitea.conf
index 298c795..cf9416a 100644
--- a/data/conf.d/gitea.conf
+++ b/data/conf.d/gitea.conf
@@ -31,8 +31,8 @@ server {
 add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
 # Logging
- access_log /var/log/nginx/gitea.novicelab.io_access.log;
- error_log /var/log/nginx/gitea.novicelab.io_error.log;
+ access_log /var/log/nginx/gitea.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/gitea.novicelab.io_error.log debug;
 set $gitea_backend gitea:3000;
diff --git a/data/conf.d/harbor.conf b/data/conf.d/harbor.conf
index bf6fecf..f2f2892 100644
--- a/data/conf.d/harbor.conf
+++ b/data/conf.d/harbor.conf
@@ -31,8 +31,8 @@ server {
 add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
 # Logging
- access_log /var/log/nginx/harbor.novicelab.io_access.log;
- error_log /var/log/nginx/harbor.novicelab.io_error.log;
+ access_log /var/log/nginx/harbor.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/harbor.novicelab.io_error.log debug;
 # set $harbor_backend 10.0.0.251:9090;
 set $harbor_backend nginx-harbor:80;
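Review bot: The identical two-line logging edit is repeated in every vhost under conf.d, so the log level now lives in fourteen places and ending a debugging session means editing each of them; `error_log` and `access_log` are inherited from the `http {}` context, so the level and format belong there (or in one snippet pulled in with `include`) and the per-vhost lines should only override the file path. For this block that is `error_log /var/log/nginx/gitea.novicelab.io_error.log;` with no level, which keeps the inherited default and still gets its own file. Specifically for Git over HTTPS, the debug level records the `Authorization: Basic` header that `git push`/`git clone` send, i.e. the user's password or access token in clear text on disk. The `server {}` block continues outside the hunk.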
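Review bot: With `error_log /var/log/nginx/harbor.novicelab.io_error.log debug;` the registry traffic that `docker login`/`docker push` generate is logged at header level, so whatever the client presents in `Authorization` (Basic credentials on login, bearer tokens afterwards) is written to that file on every request; anyone who can read it — backups, a log shipper, the GoAccess consumer that `VCOMBINED` suggests — can then push or pull images as that user. Image layer uploads are also large and debug logs each buffer pass, so this file will grow much faster than the access log. Set `error_log /var/log/nginx/harbor.novicelab.io_error.log warn;` and keep `/var/log/nginx` root-only with short rotation. The `server {}` block starts and ends outside the hunk.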
diff --git a/data/conf.d/hugo.conf b/data/conf.d/hugo.conf
index dbb26ae..8daa3a0 100644
--- a/data/conf.d/hugo.conf
+++ b/data/conf.d/hugo.conf
@@ -2,7 +2,7 @@ server {
 listen 80;
 listen [::]:80;
- server_name novicelab.io www.novicelab.io;
+ server_name novicelab.io www.novicelab.io x.y.novicelab.io;
 # ACME challenge for Let's Encrypt certificate renewal
 location /.well-known/acme-challenge/ {
@@ -17,7 +17,7 @@ server {
 server {
 listen 443 ssl; #http2;
 listen [::]:443 ssl; # http2;
- server_name novicelab.io www.novicelab.io;
+ server_name novicelab.io www.novicelab.io x.y.novicelab.io;
 # SSL Certificate paths
 ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
@@ -62,8 +62,8 @@ server {
 # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 # Logging
- access_log /var/log/nginx/novicelab.io_access.log;
- error_log /var/log/nginx/novicelab.io_error.log;
+ access_log /var/log/nginx/novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/novicelab.io_error.log debug;
 # Root and index
 # root /var/www/html;
diff --git a/data/conf.d/kenvip.conf b/data/conf.d/kenvip.conf
deleted file mode 100644
index e69de29..0000000
diff --git a/data/conf.d/minio.conf b/data/conf.d/minio.conf
index 27e5b9c..86e0832 100644
--- a/data/conf.d/minio.conf
+++ b/data/conf.d/minio.conf
@@ -41,8 +41,8 @@ server {
 add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
 # Logging
- access_log /var/log/nginx/minio.novicelab.io_access.log;
- error_log /var/log/nginx/minio.novicelab.io_error.log;
+ access_log /var/log/nginx/minio.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/minio.novicelab.io_error.log debug;
 # resolver 127.0.0.11 valid=30s;
 set $minio_backend minio:9001;
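Review bot: Adding `x.y.novicelab.io` to the 443 `server_name` does not make the certificate cover it: the block still serves `/etc/letsencrypt/live/novicelab.io/fullchain.pem`, and even if that is a `*.novicelab.io` wildcard it matches a single label, so clients connecting to the two-label name get a hostname mismatch unless the certificate was reissued with that SAN (e.g. `certbot --expand -d x.y.novicelab.io`, which the `/.well-known/acme-challenge/` location in the port-80 hunk can serve). `x.y` also reads like a placeholder; if it is, it should not ship, because every name in `server_name` is a host this block will answer for and a name nobody controls in DNS is harmless today but becomes a takeover surface the day someone points it here. Both hunks sit inside `server {}` blocks that open before and close after them.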
@@ -107,8 +107,8 @@ server {
 add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
 # Logging
- access_log /var/log/nginx/s3.novicelab.io_access.log;
- error_log /var/log/nginx/s3.novicelab.io_error.log;
+ access_log /var/log/nginx/s3.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/s3.novicelab.io_error.log debug;
 # resolver 127.0.0.11 valid=30s;
 set $s3_backend minio:9000;
diff --git a/data/conf.d/opencloud.conf b/data/conf.d/opencloud.conf
index f95ed0a..bdec5e9 100644
--- a/data/conf.d/opencloud.conf
+++ b/data/conf.d/opencloud.conf
@@ -15,8 +15,8 @@ server {
 ssl_session_cache shared:SSL:10m;
 # Logging
- access_log /var/log/nginx/opencloud.novicelab.io_access.log;
- error_log /var/log/nginx/opencloud.novicelab.io_error.log;
+ access_log /var/log/nginx/opencloud.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;
 # Security headers
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
diff --git a/data/conf.d/plane.conf b/data/conf.d/plane.conf
index 074feac..0b4e275 100644
--- a/data/conf.d/plane.conf
+++ b/data/conf.d/plane.conf
@@ -40,8 +40,8 @@ server {
 add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
 # Logging
- access_log /var/log/nginx/plane.novicelab.io_access.log;
- error_log /var/log/nginx/plane.novicelab.io_error.log;
+ access_log /var/log/nginx/plane.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/plane.novicelab.io_error.log debug;
 # resolver 127.0.0.11 valid=30s;
 # set $plane_backend 10.0.0.251:9020;
diff --git a/data/conf.d/s3.conf b/data/conf.d/s3.conf
deleted file mode 100644
index e69de29..0000000
diff --git a/data/conf.d/tre.conf b/data/conf.d/tre.conf
deleted file mode 100644
index 9d41ee3..0000000
--- a/data/conf.d/tre.conf
+++ /dev/null
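Review bot: On the S3 API vhost (`set $s3_backend minio:9000;`) the debug error log will carry the signed `Authorization` header of every S3 request, and since nginx also logs the request line at that level, the signature and credential query parameters of every presigned URL; a copy of that file replays those uploads and downloads until the signatures expire. The access log already records presigned query strings through `$request` in the `VCOMBINED` format, which is an accepted cost of having an access log at all, but the debug log adds the signed headers on top for no operational gain, so use `error_log /var/log/nginx/s3.novicelab.io_error.log warn;`. If GoAccess is the consumer of `VCOMBINED`, point it only at the access logs and keep the error logs out of any shared mount. The enclosing `server {}` block is outside the hunk.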
@@ -1,58 +0,0 @@
-server {
- # listen 80;
- # server_name *.novicelab.io;
- # resolver 127.0.0.11 valid=30s;
- # set $haproxy_backend haproxy:80;
- listen 443 ssl; #http2;
- listen [::]:443 ssl; # http2;
- server_name tre.novicelab.io;
-
- # SSL Certificate paths
- ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
- # SSL Protocol - TLS 1.2 and 1.3 only
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
-
- # SSL session configuration
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
- resolver_timeout 5s;
-
- # Security Headers
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
- # Logging
- access_log /var/log/nginx/tre.novicelab.io_access.log;
- error_log /var/log/nginx/tre.novicelab.io_error.log;
-
- location /data-catalog {
- proxy_pass https://10.0.0.251:8888; # Assuming HAProxy is on port 8080
- # proxy_pass http://haproxy_backend;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # Performance optimizations
- proxy_buffering off;
- proxy_request_buffering off;
- proxy_connect_timeout 5s;
- proxy_send_timeout 30s;
- proxy_read_timeout 30s;
- }
-}
\ No newline at end of file
diff --git a/data/conf.d/umami.conf b/data/conf.d/umami.conf
index 73fb9dd..1a284c9 100644
--- a/data/conf.d/umami.conf
+++ b/data/conf.d/umami.conf
@@ -62,8 +62,8 @@ server {
 # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 # Logging
- access_log /var/log/nginx/umami.novicelab.io_access.log;
- error_log /var/log/nginx/umami.novicelab.io_error.log;
+ access_log /var/log/nginx/umami.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/umami.novicelab.io_error.log debug;
 # Root and index
 # root /var/www/html;
diff --git a/data/conf.d/vault.conf b/data/conf.d/vault.conf
index eb70608..caedbc2 100644
--- a/data/conf.d/vault.conf
+++ b/data/conf.d/vault.conf
@@ -31,8 +31,8 @@ server {
 add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
 # Logging
- access_log /var/log/nginx/vault.novicelab.io_access.log;
- error_log /var/log/nginx/vault.novicelab.io_error.log;
+ access_log /var/log/nginx/vault.novicelab.io_access.log VCOMBINED;
+ error_log /var/log/nginx/vault.novicelab.io_error.log debug;
 set $vault_backend vaultwarden:443;
 location / {
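Review bot: `error_log /var/log/nginx/vault.novicelab.io_error.log debug;` in front of `vaultwarden:443` means the request and response headers of every password-manager client — including the bearer tokens and cookies they send — are written to disk on every request, and it is switched on unconditionally rather than for a bounded debugging session; of all the vhosts in this change this is the one where the log file is worth more to an attacker than the backend's database. Use `error_log /var/log/nginx/vault.novicelab.io_error.log warn;` and, if a single client must be traced, `debug_connection <ip>;` in the `events {}` block, which limits debug output to that peer. Whatever level is kept, `/var/log/nginx` should be root-only and excluded from any log shipping that feeds the `VCOMBINED` consumer. The `server {}` block and the `location / {` opened on the last line continue outside the hunk.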