Remove commented out config sections

Merge pull request 'json-combined-log-format, 502 fix' (#2 ) from json-combined-log-format into main
Reviewed-on: https://gitea.novicelab.io/novicelab.io/nginx/pulls/2 Merge json_combined format change and 502 proxy buffer size increase fix
2026-03-20 04:11:20 +00:00 · 2026-03-17 18:19:59 +00:00 · 2026-03-17 18:12:45 +00:00 · 2026-03-17 18:12:39 +00:00
15 changed files with 338 additions and 290 deletions
--- a/data/conf.d/adminer.conf
+++ b/data/conf.d/adminer.conf
@@ -1,4 +1,16 @@
-# Redirect HTTP to HTTPS
+upstream adminer_backend {
+    server adminer:8080;
+
+    # Keep up to 16 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
 server {
    listen 80;
    listen [::]:80;
@@ -15,26 +27,14 @@ server {
 }

 server {
-    listen 443 ssl; #http2;
-    listen [::]:443 ssl; # http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
    server_name adminer.novicelab.io;

    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    
-    # Trusted certificate for OCSP stapling
-    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
-
-    # Cloudflare Origin CA certificate for client verification
-    # Cloudflare Origin CA for authenticated origin pulls (optional)
-    # Only enable if you want to restrict to Cloudflare only
-    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
-    # ssl_verify_client on;
-
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    # ssl_protocols TLSv1.2 TLSv1.3;
-    
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
@@ -44,9 +44,6 @@ server {
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

-    # OCSP Stapling
-    # ssl_stapling on;
-    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

@@ -58,32 +55,17 @@ server {
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

-    # Diffie-Hellman parameter for DHE ciphersuites
-    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-
    # Logging
-    access_log /var/log/nginx/adminer.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/adminer.novicelab.io_error.log debug;

-    # Root and index
-    # root /var/www/html;
-    # index index.html index.htm;
+    # set $adminer_backend adminer:8080; 

-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    set $adminer_backend adminer:8080; 
-
-    location / { #/adminer {
-        # rewrite ^/adminer/(.*)$ /$1 break;
-
-        # proxy_pass http://10.0.0.251:9080/;
-        proxy_pass http://$adminer_backend;
+    location / {
+        proxy_pass http://adminer_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme; #https;
-        #$scheme;
-
-        # Handle redirects (like after login) so they stay under /adminer/
-        # proxy_redirect / /adminer/;
+        proxy_set_header X-Forwarded-Proto $scheme;
    }
 }
--- a/data/conf.d/auth.conf
+++ b/data/conf.d/auth.conf
@@ -1,3 +1,16 @@
+upstream keycloak_backend {
+    server keycloak:80; 
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
 # Redirect HTTP to HTTPS
 server {
    listen 80;
@@ -15,23 +28,14 @@ server {
 }

 server {
-    listen 443 ssl; #http2;
-    listen [::]:443 ssl; # http2;
+    listen 443 ssl; 
+    listen [::]:443 ssl; #
    server_name auth.novicelab.io;

    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;

-    # Trusted certificate for OCSP stapling
-    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
-
-    # Cloudflare Origin CA certificate for client verification
-    # Cloudflare Origin CA for authenticated origin pulls (optional)
-    # Only enable if you want to restrict to Cloudflare only
-    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
-    # ssl_verify_client on;
-
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    
@@ -44,9 +48,6 @@ server {
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

-    # OCSP Stapling
-    # ssl_stapling on;
-    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

@@ -58,30 +59,20 @@ server {
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

-    # Diffie-Hellman parameter for DHE ciphersuites
-    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-
    # Logging
-    access_log /var/log/nginx/auth.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/auth.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/auth.novicelab.io_error.log debug;

-    # Root and index
-    # root /var/www/html;
-    # index index.html index.htm;
+    # set $keycloak_backend keycloak:80; 

-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    
-    set $keycloak_backend keycloak:80; 
-
-    # client_max_body_size 0;
-        location / {
+    location / {
        # proxy_pass http://10.0.0.253:8085/auth/;
-        proxy_pass http://$keycloak_backend;
+        proxy_pass http://keycloak_backend;
            

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Scheme $scheme;
-        proxy_set_header X-Forwarded-Proto  https; #$scheme;
+        proxy_set_header X-Forwarded-Proto  https;
        proxy_set_header X-Forwarded-For    $remote_addr;
        proxy_set_header X-Real-IP		$remote_addr;

--- a/data/conf.d/book.conf
+++ b/data/conf.d/book.conf
@@ -1,3 +1,17 @@
+upstream bookstack_backend {
+    # server 10.0.0.251:6875/;
+    server bookstack:80;
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
 # # Redirect HTTP to HTTPS
 server {
    listen 80;
@@ -15,23 +29,14 @@ server {
 }

 server {
-    listen 443 ssl; #http2;
-    listen [::]:443 ssl; # http2;
+    listen 443 ssl; 
+    listen [::]:443 ssl; 
    server_name book.novicelab.io;

    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;

-    # Trusted certificate for OCSP stapling
-    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
-
-    # Cloudflare Origin CA certificate for client verification
-    # Cloudflare Origin CA for authenticated origin pulls (optional)
-    # Only enable if you want to restrict to Cloudflare only
-    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
-    # ssl_verify_client on;
-
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    
@@ -44,9 +49,6 @@ server {
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

-    # OCSP Stapling
-    # ssl_stapling on;
-    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

@@ -58,32 +60,17 @@ server {
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

-    # Diffie-Hellman parameter for DHE ciphersuites
-    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-
    # Logging
-    access_log /var/log/nginx/book.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/book.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/book.novicelab.io_error.log debug;

-    # Root and index
-    # root /var/www/html;
-    # index index.html index.htm;
+    # set $bookstack_backend bookstack:80;

-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    
-    set $bookstack_backend bookstack:80;
-
-    # client_max_body_size 0;
-    # BookStack (/docs)
    location / {
-        # rewrite ^/docs/(.*) /$1 break;
-        # proxy_pass http://$bookstack_backend;
-        proxy_pass http://10.0.0.251:6875/;
+        proxy_pass http://bookstack_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https; #$scheme;
-
-        # proxy_redirect / /docs/;
+        proxy_set_header X-Forwarded-Proto https;
    }
 }
--- a/data/conf.d/cluster.conf
+++ b/data/conf.d/cluster.conf
@@ -6,8 +6,8 @@ upstream haproxy_backend {
 }

 server {
-    listen 443 ssl; #http2;
-    listen [::]:443 ssl; # http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
    server_name *.novicelab.io;

    # SSL Certificate paths
@@ -38,11 +38,11 @@ server {
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    # Logging
-    access_log /var/log/nginx/*.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/*.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/*.novicelab.io_error.log debug;

    location / {
-        proxy_pass http://10.0.0.20:80; # Assuming HAProxy is on port 8080
+        proxy_pass http://10.0.0.20:80;
        # proxy_pass http://haproxy_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
--- a/data/conf.d/drone.conf
+++ b/data/conf.d/drone.conf
@@ -1,3 +1,16 @@
+upstream drone_backend {
+    server drone:80;
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
 server {
    listen 80;
    server_name drone.novicelab.io;
@@ -5,7 +18,7 @@ server {
 }

 server {
-    listen 443 ssl; # http2;
+    listen 443 ssl;
    server_name drone.novicelab.io;

    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
@@ -27,12 +40,10 @@ server {
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

-    # set $couch_backend 10.0.0.251:9001;
-    set $drone_backend drone:80;
-    set $drone_runner_backend drone-runner-1:3000;
+    # set $drone_backend drone:80;

    location / {
-        proxy_pass http://$drone_backend;
+        proxy_pass http://drone_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -49,24 +60,4 @@ server {
        proxy_read_timeout 300;
        send_timeout 300;
    }
-
-    # location /runner-1 {
-    #     proxy_pass http://$drone_runner_backend;
-    #     proxy_set_header Host $http_host;
-    #     proxy_set_header X-Real-IP $remote_addr;
-    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #     proxy_set_header X-Forwarded-Proto $scheme;
-
-    #     # WebSocket support for real-time updates
-    #     proxy_http_version 1.1;
-    #     proxy_set_header Upgrade $http_upgrade;
-    #     proxy_set_header Connection "upgrade";
-
-    #     # Timeouts
-    #     proxy_connect_timeout 300;
-    #     proxy_send_timeout 300;
-    #     proxy_read_timeout 300;
-    #     send_timeout 300;
-    # }
-
 }
--- a/data/conf.d/gitea.conf
+++ b/data/conf.d/gitea.conf
@@ -1,6 +1,19 @@
+upstream gitea_backend {
+    server gitea:3000; 
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
 server {
-    listen 443 ssl; #http2;
-    listen [::]:443 ssl; # http2;
+    listen 443 ssl; 
+    listen [::]:443 ssl; #
    server_name gitea.novicelab.io;  

    # SSL Certificate paths
@@ -31,13 +44,13 @@ server {
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    # Logging
-    access_log /var/log/nginx/gitea.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/gitea.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/gitea.novicelab.io_error.log debug;

-    set $gitea_backend gitea:3000; 
+    # set $gitea_backend gitea:3000; 

    location / {
-        proxy_pass http://$gitea_backend;
+        proxy_pass http://gitea_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/data/conf.d/goaccess.conf
+++ b/data/conf.d/goaccess.conf
@@ -1,3 +1,16 @@
+# upstream goaccess_backend {
+#     server goaccess:7890; 
+# 
+#     # Keep up to 32 idle connections per worker
+#     keepalive 16;
+# 
+#     # Maximum time a connection can be idle
+#     keepalive_timeout 60s;
+# 
+#     # Maximum requests per keepalive connection
+#     keepalive_requests 100;
+# }
+
 server {
    listen 80;
    listen [::]:80;
@@ -32,16 +45,11 @@ server {
    ssl_session_tickets off;
    ssl_protocols TLSv1.3;

-    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    # add_header X-Content-Type-Options nosniff;
-    # add_header X-Frame-Options DENY;
-    # add_header X-XSS-Protection "1; mode=block";
-
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

        # Logging
-    access_log /var/log/nginx/goaccess.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/goaccess.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/goaccess.novicelab.io_error.log debug;

    set $goaccess_backend goaccess:7890; 
--- a/data/conf.d/harbor.conf
+++ b/data/conf.d/harbor.conf
@@ -1,3 +1,16 @@
+# upstream harbor_backend {
+#     server nginx-harbor:80; 
+# 
+#     # Keep up to 32 idle connections per worker
+#     keepalive 16;
+# 
+#     # Maximum time a connection can be idle
+#     keepalive_timeout 60s;
+# 
+#     # Maximum requests per keepalive connection
+#     keepalive_requests 100;
+# }
+
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
@@ -31,7 +44,7 @@ server {
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    # Logging
-    access_log /var/log/nginx/harbor.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/harbor.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/harbor.novicelab.io_error.log debug;

    # set $harbor_backend 10.0.0.251:9090; 
@@ -48,9 +61,6 @@ server {
    location / {
        proxy_pass http://$harbor_backend;
        proxy_set_header Host $http_host;
-        # proxy_set_header X-Real-IP $remote_addr;
-        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        # proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support for real-time updates
        proxy_http_version 1.1;
--- a/data/conf.d/hugo.conf
+++ b/data/conf.d/hugo.conf
@@ -1,3 +1,17 @@
+upstream hugo_backend {
+    # server hugo:1313;
+    server 10.0.0.250:8000;
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
 # # Redirect HTTP to HTTPS
 server {
    listen 80;
@@ -15,23 +29,14 @@ server {
 }

 server {
-    listen 443 ssl; #http2;
-    listen [::]:443 ssl; # http2;
+    listen 443 ssl; 
+    listen [::]:443 ssl; #
    server_name novicelab.io www.novicelab.io x.y.novicelab.io;

    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;

-    # Trusted certificate for OCSP stapling
-    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
-
-    # Cloudflare Origin CA certificate for client verification
-    # Cloudflare Origin CA for authenticated origin pulls (optional)
-    # Only enable if you want to restrict to Cloudflare only
-    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
-    # ssl_verify_client on;
-
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    
@@ -62,22 +67,15 @@ server {
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Logging
-    access_log /var/log/nginx/novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/novicelab.io_access.log json_combined;
    error_log /var/log/nginx/novicelab.io_error.log debug;

-    # Root and index
-    # root /var/www/html;
-    # index index.html index.htm;
-
-    # Only allow traffic from Cloudflare IPs (optional but recommended)
-    # include /etc/nginx/cloudflare-ips.conf;
-
    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    set $hugo_backend hugo:1313; 
+    # set $hugo_backend hugo:1313; 

    location / {
-        # proxy_pass http://10.0.0.251:9200/;
-        proxy_pass http://$hugo_backend;
+        # proxy_pass http://10.0.0.250:8000/;
+        proxy_pass http://hugo_backend;
        
        proxy_set_header Host $host;
        # proxy_set_header X-Real-IP $remote_addr;
--- a/data/conf.d/minio.conf
+++ b/data/conf.d/minio.conf
@@ -1,3 +1,29 @@
+upstream minio_backend {
+    server minio:9001;
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
+upstream s3_backend {
+    server minio:9000; 
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
 server {
    listen 80;
    server_name minio.novicelab.io; 
@@ -5,14 +31,13 @@ server {
 }

 server {
-    listen 443 ssl; #http2;
-    listen [::]:443 ssl; # http2;
+    listen 443 ssl; 
+    listen [::]:443 ssl; #
    server_name minio.novicelab.io; 

    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
@@ -26,9 +51,6 @@ server {
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

-    # ssl_stapling on;
-    # ssl_stapling_verify on;
-
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

@@ -41,18 +63,15 @@ server {
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    # Logging
-    access_log /var/log/nginx/minio.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/minio.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/minio.novicelab.io_error.log debug;

    # resolver 127.0.0.11 valid=30s;
-    set $minio_backend minio:9001; 
+    # set $minio_backend minio:9001; 

-    # if ($http_x_forwarded_proto != "https") {
-    #     return 301 https://$host$request_uri;
-    # }

    location / {
-        proxy_pass http://$minio_backend;
+        proxy_pass http://minio_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -75,8 +94,14 @@ server {
 }

 server {
-    listen 443 ssl; #http2;
-    listen [::]:443 ssl; # http2;
+    listen 80;
+    server_name s3.novicelab.io; 
+    return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl; 
    server_name s3.novicelab.io; 

    # SSL Certificate paths
@@ -107,14 +132,14 @@ server {
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    # Logging
-    access_log /var/log/nginx/s3.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/s3.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/s3.novicelab.io_error.log debug;

    # resolver 127.0.0.11 valid=30s;
-    set $s3_backend minio:9000; 
+    # set $s3_backend minio:9000; 

    location / {
-        proxy_pass http://$s3_backend;
+        proxy_pass http://s3_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/data/conf.d/opencloud.conf
+++ b/data/conf.d/opencloud.conf
@@ -1,3 +1,16 @@
+upstream opencloud_backend {
+    server 10.0.0.251:9200;
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
 server {
    listen 80;
    server_name opencloud.novicelab.io;
@@ -15,7 +28,7 @@ server {
    ssl_session_cache   shared:SSL:10m;

    # Logging
-    access_log /var/log/nginx/opencloud.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/opencloud.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;

    # Security headers
@@ -47,8 +60,8 @@ server {

    location / {
        # Pass all other requests to CouchDB
-        proxy_pass              http://10.0.0.251:9200;
-        #proxy_pass         http://$opencloud_backend/;
+        proxy_pass              http://10.0.0.250:9200;
+        # proxy_pass         http://opencloud_backend/;

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
--- a/data/conf.d/plane.conf
+++ b/data/conf.d/plane.conf
@@ -1,15 +1,51 @@
+upstream backend_web {
+    server plane-web:3000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+upstream backend_space {
+    server plane-space:3000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+upstream backend_admin {
+    server plane-admin:3000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+upstream backend_live {
+    server plane-live:3000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+upstream backend_api {
+    server plane-api:8000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+# upstream backend_minio {
+#     server minio:9000;
+#     keepalive 16;
+#     keepalive_timeout 60s;
+#     keepalive_requests 100;
+# }
+
+
 server {
+    listen 80;
+    server_name plane.novicelab.io;
    if ($host = plane.novicelab.io) {
        return 301 https://$host$request_uri;
    }
-
-    # listen 80;
-    # server_name plane.novicelab.io;
-    # return 404;
 }
 server {
-    listen 443 ssl; #http2;
-    listen [::]:443 ssl; # http2;
+    listen 443 ssl;
+    listen [::]:443 ssl; 
    server_name plane.novicelab.io; 

    # SSL Certificate paths
@@ -40,16 +76,15 @@ server {
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    # Logging
-    access_log /var/log/nginx/plane.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/plane.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/plane.novicelab.io_error.log debug;

-    # resolver 127.0.0.11 valid=30s;
    # set $plane_backend 10.0.0.251:9020; 
-    set $backend_web    plane-web:3000;
-    set $backend_space  plane-space:3000;
-    set $backend_admin  plane-admin:3000;
-    set $backend_live   plane-live:3000;
-    set $backend_api    plane-api:8000;
+    # set $backend_web    plane-web:3000;
+    # set $backend_space  plane-space:3000;
+    # set $backend_admin  plane-admin:3000;
+    # set $backend_live   plane-live:3000;
+    # set $backend_api    plane-api:8000;
    set $backend_minio  minio:9000;


@@ -68,7 +103,7 @@ server {
        return 301 /spaces/;
    }
    location /spaces/ {
-        proxy_pass http://$backend_space;
+        proxy_pass http://backend_space;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -81,7 +116,7 @@ server {
        return 301 /god-mode/;
    }
    location /god-mode/ {
-        proxy_pass http://$backend_admin;
+        proxy_pass http://backend_admin;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -91,7 +126,7 @@ server {

    # Live
    location /live/ {
-        proxy_pass http://$backend_live;
+        proxy_pass http://backend_live;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -101,7 +136,7 @@ server {

    # API & Auth
    location /api/ {
-        proxy_pass http://$backend_api;
+        proxy_pass http://backend_api;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -109,7 +144,7 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /auth/ {
-        proxy_pass http://$backend_api;
+        proxy_pass http://backend_api;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -122,9 +157,6 @@ server {
    # location ~ ^/${BUCKET_NAME}(/.*)?$ {
    location ~ ^/plane(/.*)?$ {
        proxy_pass http://$backend_minio/plane;
-        # proxy_pass https://s3.novicelab.io/plane;
-    # location ~ ^/test(/.*)?$ {
-    #     proxy_pass http://$backend_minio/test;
        proxy_set_header Host $host; 
        
        # Standard proxy headers
@@ -143,40 +175,14 @@ server {
        client_max_body_size 0;
        # proxy_pass https://s3.novicelab.io/plane;
    }
-    # location ~* ^/(?<bucket>.+)(?<path>/.*)?$ {
-    #     # Check if the first part of the URI matches our bucket variable
-    #     if ($bucket = $bucket_name) {
-    #         proxy_pass http://$backend_minio;
-    #         break;
-    #     }
-
-    #     # Fallback to the main web app if the path isn't the bucket
-    #     set $upstream_web "web:3000";
-    #     proxy_pass http://$upstream_web;
-    # }

    # Web (Default catch-all)
    location / {
-        proxy_pass http://$backend_web;
+        proxy_pass http://backend_web;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
-
-    # location / {
-    #     # proxy_pass http://10.0.0.251:9020;
-    #     proxy_pass http://$plane_backend;
-    #     # Set headers for proxied request
-    #     proxy_set_header X-Forwarded-Proto $scheme;
-    #     proxy_set_header X-Forwarded-Host  $host;
-    #     proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-    #     proxy_set_header X-Real-IP         $remote_addr;
-
-    #     proxy_set_header Upgrade $http_upgrade;
-    #     proxy_set_header Connection "upgrade";
-    #     proxy_set_header Host $http_host;
-    #     proxy_http_version 1.1;
-    # }
 }
--- a/data/conf.d/umami.conf
+++ b/data/conf.d/umami.conf
@@ -1,3 +1,16 @@
+upstream umami_backend {
+    server umami:3000;
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
 # # Redirect HTTP to HTTPS
 server {
    listen 80;
@@ -23,15 +36,6 @@ server {
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;

-    # Trusted certificate for OCSP stapling
-    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
-
-    # Cloudflare Origin CA certificate for client verification
-    # Cloudflare Origin CA for authenticated origin pulls (optional)
-    # Only enable if you want to restrict to Cloudflare only
-    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
-    # ssl_verify_client on;
-
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    
@@ -44,9 +48,6 @@ server {
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

-    # OCSP Stapling
-    # ssl_stapling on;
-    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

@@ -58,28 +59,20 @@ server {
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

-    # Diffie-Hellman parameter for DHE ciphersuites
-    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-
    # Logging
-    access_log /var/log/nginx/umami.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/umami.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/umami.novicelab.io_error.log debug;

-    # Root and index
-    # root /var/www/html;
-    # index index.html index.htm;
-
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    set $umami_backend umami:3000; 
+    # set $umami_backend umami:3000; 

    location / {
-        # proxy_pass http://10.0.0.251:9200/;
-        proxy_pass http://$umami_backend;
+        # proxy_pass http://$umami_backend;
+        proxy_pass http://umami_backend;
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https; # $scheme;
+        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;

        proxy_buffering off;
@@ -90,7 +83,8 @@ server {
    }
        # 1. Allow public access to tracking scripts
    location ~ ^/(script\.js|umami\.js)$ {
-        proxy_pass http://$umami_backend;
+        # proxy_pass http://$umami_backend;
+        proxy_pass http://umami_backend;
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -107,7 +101,8 @@ server {

    # 2. Allow public access to tracking API (metrics collection)
    location /api/send {
-        proxy_pass http://$umami_backend;
+        # proxy_pass http://$umami_backend;
+        proxy_pass http://umami_backend;
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
--- a/data/conf.d/vault.conf
+++ b/data/conf.d/vault.conf
@@ -1,3 +1,32 @@
+upstream vault_backend {
+    server 10.0.0.250:8090;
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name vault.novicelab.io;
+    
+    # ACME challenge for Let's Encrypt certificate renewal
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
@@ -31,14 +60,14 @@ server {
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    # Logging
-    access_log /var/log/nginx/vault.novicelab.io_access.log VCOMBINED;
+    access_log /var/log/nginx/vault.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/vault.novicelab.io_error.log debug;
-    set $vault_backend vaultwarden:443;
+    
+    # set $vault_backend vaultwarden:443;

    location / {
        # proxy_pass http://$vault_backend;
-        # proxy_pass https://10.0.0.251:8100;
-        proxy_pass http://10.0.0.250:8090;
+        proxy_pass http://vault_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/data/nginx.conf
+++ b/data/nginx.conf
@@ -23,30 +23,30 @@ http {
    resolver 8.8.8.8 valid=30s ipv6=off;
    resolver_timeout 11s;

-    # log_format json_combined escape=json '{'
-    #     '"method":"$request_method",'
-    #     '"scheme":"$scheme",'
-    #     '"domain":"$host",'
-    #     '"uri":"$request_uri",'
-    #     '"query_string":"$query_string",'
-    #     '"referer":"$http_referer",'
-    #     '"content_type":"$sent_http_content_type",'
-    #     '"status": $status,'
-    #     '"bytes_sent":$body_bytes_sent,'
-    #     '"request_time":$request_time,'
-    #     '"user_agent":"$http_user_agent",'
-    #     '"cache":"$upstream_cache_status",'
-    #     '"upstream_time": "$upstream_response_time",'
-    #     '"timestamp":"$time_iso8601",'
-    #     '"ip":"$http_x_forwarded_for"'
-    # '}';
-    log_format VCOMBINED '$host:$server_port '
-                     '$remote_addr $remote_user [$time_local] '
-                     '"$request" $status $body_bytes_sent '
-                     '"$http_referer" "$http_user_agent"';
+    log_format json_combined escape=json '{'
+        '"method":"$request_method",'
+        '"scheme":"$scheme",'
+        '"domain":"$host",'
+        '"uri":"$request_uri",'
+        '"query_string":"$query_string",'
+        '"referer":"$http_referer",'
+        '"content_type":"$sent_http_content_type",'
+        '"status": $status,'
+        '"bytes_sent":$body_bytes_sent,'
+        '"request_time":$request_time,'
+        '"user_agent":"$http_user_agent",'
+        '"cache":"$upstream_cache_status",'
+        '"upstream_time": "$upstream_response_time",'
+        '"timestamp":"$time_iso8601",'
+        '"ip":"$http_x_forwarded_for"'
+    '}';
+    # log_format VCOMBINED '$host:$server_port '
+    #                  '$remote_addr $remote_user [$time_local] '
+    #                  '"$request" $status $body_bytes_sent '
+    #                  '"$http_referer" "$http_user_agent"';


-    access_log  /var/log/nginx/access.log VCOMBINED;
+    access_log  /var/log/nginx/access.log json_combined;
    error_log   /var/log/nginx/error.log debug;
    
    sendfile on;
@@ -64,9 +64,9 @@ http {
    large_client_header_buffers 4 32k;

    # If using Nginx as a proxy to the Harbor core/registry
-    proxy_buffer_size 16k;
-    proxy_buffers 4 32k;
-    proxy_busy_buffers_size 64k;
+    proxy_buffer_size          128k;
+    proxy_buffers              4 256k;
+    proxy_busy_buffers_size    256k;

    proxy_connect_timeout 300;
    proxy_send_timeout 300;
Author	SHA1	Message	Date
kbrianngeno	69ed1a853e	Remove commented out config sections	2026-03-20 04:11:20 +00:00
kbrianngeno	6240de4af5	Merge pull request 'json-combined-log-format, 502 fix' (#2 ) from json-combined-log-format into main Reviewed-on: https://gitea.novicelab.io/novicelab.io/nginx/pulls/2 Merge json_combined format change and 502 proxy buffer size increase fix	2026-03-17 18:19:59 +00:00
kbrianngeno	547701c7da	Set access log format and Upstream Set access log format to json_combined Switch from $backend_variable to upstream (Except for harbor, plane-minio, goaccess, opencloud)	2026-03-17 18:12:45 +00:00
kbrianngeno	50b13c34ef	Access log format, Proxy buffer size Set access log format to json_combined Increase proxy buffer sizes to fix frequent 502 errors on all sites	2026-03-17 18:12:39 +00:00