novicelab.io/nginx
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: novicelab.io:7b36b99e182dfec6c4d305612958dae2ee1a1ad7
Branches Tags
novicelab.io:main novicelab.io:cleanup novicelab.io:json-combined-log-format novicelab.io:goaccess
...
compare: novicelab.io:cleanup
Branches Tags
novicelab.io:main novicelab.io:cleanup novicelab.io:json-combined-log-format novicelab.io:goaccess

11 Commits
7b36b99e18 ... cleanup

Author SHA1 Message Date
kbrianngeno
69ed1a853e Remove commented out config sections 2026-03-20 04:11:20 +00:00
kbrianngeno
6240de4af5 Merge pull request 'json-combined-log-format, 502 fix' (#2) from json-combined-log-format into main 
Reviewed-on: https://gitea.novicelab.io/novicelab.io/nginx/pulls/2
Merge json_combined format change and 502 proxy buffer size increase fix
 2026-03-17 18:19:59 +00:00
kbrianngeno
547701c7da Set access log format and Upstream 
Set access log format to json_combined
Switch from $backend_variable to upstream
(Except for harbor, plane-minio, goaccess, opencloud)
 2026-03-17 18:12:45 +00:00
kbrianngeno
50b13c34ef Access log format, Proxy buffer size 
Set access log format to json_combined
Increase proxy buffer sizes to fix frequent 502 errors on all sites
 2026-03-17 18:12:39 +00:00
kbrianngeno
6308d32f8e Add README.md 2026-03-17 09:15:50 +00:00
kbrianngeno
56a221fb9d Merge pull request 'goaccess setup and integration' (#1) from goaccess into main 
Reviewed-on: https://gitea.novicelab.io/novicelab.io/nginx/pulls/1
 2026-03-17 08:56:17 +00:00
kbrianngeno
dc320d83d4 Change access log format to VCOMBINED and error log format to debug 2026-03-17 08:48:06 +00:00
kbrianngeno
382a3dd438 Track goaccess/goaccess.conf and ignore real-time html file (report.html) 2026-03-17 08:41:27 +00:00
kbrianngeno
ff464ef99f Add goaccess nginx configuration 2026-03-17 08:39:33 +00:00
kbrianngeno
b710eaa41b Change log format to VCOMBINED for access logs and debug for error logs 2026-03-17 08:36:08 +00:00
kbrianngeno
9a810fe545 Add goaccess for log visualization on hugo pages 2026-03-17 08:34:36 +00:00
23 changed files with 501 additions and 527 deletions
Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -1,5 +1,8 @@
.env .env
/data/ /data/
/certbot/ /certbot/
/goaccess/
/data/public/
!/data/nginx.conf !/data/nginx.conf
!/data/conf.d/** !/data/conf.d/**
!/goaccess/goaccess.conf

54
README.md Normal file
View File

@@ -0,0 +1,54 @@
# Novicelab Nginx
Nginx + Certbot + GoAccess
## Logs
All logs stored in `data/logs` site files
## Site confs
Located in `data/conf.d`
## Container variables
Harbor and Opencloud site confs use host IP; they have expansive configs with their own Docker networks. \
All other site confs use a backend variable that points to the contioner as such:
```
server {
listen 443 ssl;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
set $adminer_backend adminer:8080;
location / {
## Advantage: Nginx container start won't be blocked should the
## below services container be down
## Upstream works just as well
proxy_pass http://$adminer_backend;
...
}
}
```
## Upstream structure
```
http {
upstream goaccess {
server goaccess:7890 weight=1 fail_timeout=30s;
}
server {
listen 443 ssl;
location /ws {
proxy_pass http://goaccess;
...
}
}
}
```
```
mkdir nginx && cd nginx
git clone https://gitea.novicelab.io/novicelab.io/nginx.git .
docker compose up -d
```

60
data/conf.d/adminer.conf
View File

@@ -1,4 +1,16 @@
# Redirect HTTP to HTTPS upstream adminer_backend {
server adminer:8080;
# Keep up to 16 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
@@ -15,26 +27,14 @@ server {
} }
server { server {
listen 443 ssl; #http2; listen 443 ssl;
listen [::]:443 ssl; # http2; listen [::]:443 ssl;
server_name adminer.novicelab.io; server_name adminer.novicelab.io;
# SSL Certificate paths # SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only
# ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback) # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
@@ -44,9 +44,6 @@ server {
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s; resolver_timeout 5s;
@@ -58,32 +55,17 @@ server {
add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging # Logging
access_log /var/log/nginx/adminer.novicelab.io_access.log; access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined;
error_log /var/log/nginx/adminer.novicelab.io_error.log; error_log /var/log/nginx/adminer.novicelab.io_error.log debug;
# Root and index # set $adminer_backend adminer:8080;
# root /var/www/html;
# index index.html index.htm;
# include /etc/letsencrypt/options-ssl-nginx.conf; location / {
set $adminer_backend adminer:8080; proxy_pass http://adminer_backend;
location / { #/adminer {
# rewrite ^/adminer/(.*)$ /$1 break;
# proxy_pass http://10.0.0.251:9080/;
proxy_pass http://$adminer_backend;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https; proxy_set_header X-Forwarded-Proto $scheme;
#$scheme;
# Handle redirects (like after login) so they stay under /adminer/
# proxy_redirect / /adminer/;
} }
} }

51
data/conf.d/auth.conf
View File

@@ -1,3 +1,16 @@
upstream keycloak_backend {
server keycloak:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS # Redirect HTTP to HTTPS
server { server {
listen 80; listen 80;
@@ -15,22 +28,13 @@ server {
} }
server { server {
listen 443 ssl; #http2; listen 443 ssl;
listen [::]:443 ssl; # http2; listen [::]:443 ssl; #
server_name auth.novicelab.io; server_name auth.novicelab.io;
# SSL Certificate paths # SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only # SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
@@ -44,9 +48,6 @@ server {
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s; resolver_timeout 5s;
@@ -58,30 +59,20 @@ server {
add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging # Logging
access_log /var/log/nginx/auth.novicelab.io_access.log; access_log /var/log/nginx/auth.novicelab.io_access.log json_combined;
error_log /var/log/nginx/auth.novicelab.io_error.log; error_log /var/log/nginx/auth.novicelab.io_error.log debug;
# Root and index # set $keycloak_backend keycloak:80;
# root /var/www/html;
# index index.html index.htm;
# include /etc/letsencrypt/options-ssl-nginx.conf; location / {
set $keycloak_backend keycloak:80;
# client_max_body_size 0;
location / {
# proxy_pass http://10.0.0.253:8085/auth/; # proxy_pass http://10.0.0.253:8085/auth/;
proxy_pass http://$keycloak_backend; proxy_pass http://keycloak_backend;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto https; #$scheme; proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;

55
data/conf.d/book.conf
View File

@@ -1,3 +1,17 @@
upstream bookstack_backend {
# server 10.0.0.251:6875/;
server bookstack:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS # # Redirect HTTP to HTTPS
server { server {
listen 80; listen 80;
@@ -15,22 +29,13 @@ server {
} }
server { server {
listen 443 ssl; #http2; listen 443 ssl;
listen [::]:443 ssl; # http2; listen [::]:443 ssl;
server_name book.novicelab.io; server_name book.novicelab.io;
# SSL Certificate paths # SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only # SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
@@ -44,9 +49,6 @@ server {
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s; resolver_timeout 5s;
@@ -58,32 +60,17 @@ server {
add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging # Logging
access_log /var/log/nginx/book.novicelab.io_access.log; access_log /var/log/nginx/book.novicelab.io_access.log json_combined;
error_log /var/log/nginx/book.novicelab.io_error.log; error_log /var/log/nginx/book.novicelab.io_error.log debug;
# Root and index # set $bookstack_backend bookstack:80;
# root /var/www/html;
# index index.html index.htm;
# include /etc/letsencrypt/options-ssl-nginx.conf;
set $bookstack_backend bookstack:80;
# client_max_body_size 0;
# BookStack (/docs)
location / { location / {
# rewrite ^/docs/(.*) /$1 break; proxy_pass http://bookstack_backend;
# proxy_pass http://$bookstack_backend;
proxy_pass http://10.0.0.251:6875/;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; #$scheme; proxy_set_header X-Forwarded-Proto https;
# proxy_redirect / /docs/;
} }
} }

10
data/conf.d/cluster.conf
View File

@@ -6,8 +6,8 @@ upstream haproxy_backend {
} }
server { server {
listen 443 ssl; #http2; listen 443 ssl;
listen [::]:443 ssl; # http2; listen [::]:443 ssl;
server_name *.novicelab.io; server_name *.novicelab.io;
# SSL Certificate paths # SSL Certificate paths
@@ -38,11 +38,11 @@ server {
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging # Logging
access_log /var/log/nginx/*.novicelab.io_access.log; access_log /var/log/nginx/*.novicelab.io_access.log json_combined;
error_log /var/log/nginx/*.novicelab.io_error.log; error_log /var/log/nginx/*.novicelab.io_error.log debug;
location / { location / {
proxy_pass http://10.0.0.20:80; # Assuming HAProxy is on port 8080 proxy_pass http://10.0.0.20:80;
# proxy_pass http://haproxy_backend; # proxy_pass http://haproxy_backend;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Connection ""; proxy_set_header Connection "";

44
data/conf.d/collabora.conf
View File

@@ -1,44 +0,0 @@
server {
listen 80;
server_name collabora.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl; # http2;
server_name collabora.novicelab.io;
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# set $opencloud_backend 10.0.0.251:9980;
location / {
proxy_pass http://10.0.0.251:9980;
#proxy_pass http://$opencloud_backend/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://10.0.0.251:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
}
}

92
data/conf.d/couch.conf
View File

@@ -1,92 +0,0 @@
server {
listen 80;
server_name couch.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl; # http2;
server_name couch.novicelab.io;
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
set $couch_backend 10.0.0.251:5984;
# # Block access to _utils (Fauxton) in production
# location /_utils {
# deny all;
# return 403;
# }
# # Block _config endpoint externally
# location /_config {
# deny all;
# return 403;
# }
# # Block _node endpoint externally
# location /_node {
# # deny all;
# # return 403;
# proxy_pass http://$couch_backend/_node;
# proxy_redirect off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# # Timeouts
# proxy_connect_timeout 10s;
# proxy_read_timeout 60s;
# }
location / {
# Handle CORS preflight without hitting CouchDB auth
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $http_origin always;
add_header Access-Control-Allow-Methods "GET, PUT, POST, HEAD, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "accept, authorization, content-type, origin, referer, x-csrf-token" always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Max-Age 3600;
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
# Pass all other requests to CouchDB
# proxy_pass http://127.0.0.1:5984;
proxy_pass http://$couch_backend/;
proxy_redirect off;
proxy_buffering off;
proxy_method $request_method;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Forward CORS headers from CouchDB responses too
add_header Access-Control-Allow-Origin $http_origin always;
add_header Access-Control-Allow-Credentials "true" always;
proxy_connect_timeout 10s;
proxy_read_timeout 60s;
# Headers for WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

41
data/conf.d/drone.conf
View File

@@ -1,3 +1,16 @@
upstream drone_backend {
server drone:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server { server {
listen 80; listen 80;
server_name drone.novicelab.io; server_name drone.novicelab.io;
@@ -5,7 +18,7 @@ server {
} }
server { server {
listen 443 ssl; # http2; listen 443 ssl;
server_name drone.novicelab.io; server_name drone.novicelab.io;
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
@@ -27,12 +40,10 @@ server {
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s; resolver_timeout 5s;
# set $couch_backend 10.0.0.251:9001; # set $drone_backend drone:80;
set $drone_backend drone:80;
set $drone_runner_backend drone-runner-1:3000;
location / { location / {
proxy_pass http://$drone_backend; proxy_pass http://drone_backend;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -49,24 +60,4 @@ server {
proxy_read_timeout 300; proxy_read_timeout 300;
send_timeout 300; send_timeout 300;
} }
# location /runner-1 {
# proxy_pass http://$drone_runner_backend;
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# # WebSocket support for real-time updates
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# # Timeouts
# proxy_connect_timeout 300;
# proxy_send_timeout 300;
# proxy_read_timeout 300;
# send_timeout 300;
# }
} }

25
data/conf.d/gitea.conf
View File

@@ -1,6 +1,19 @@
upstream gitea_backend {
server gitea:3000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server { server {
listen 443 ssl; #http2; listen 443 ssl;
listen [::]:443 ssl; # http2; listen [::]:443 ssl; #
server_name gitea.novicelab.io; server_name gitea.novicelab.io;
# SSL Certificate paths # SSL Certificate paths
@@ -31,13 +44,13 @@ server {
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging # Logging
access_log /var/log/nginx/gitea.novicelab.io_access.log; access_log /var/log/nginx/gitea.novicelab.io_access.log json_combined;
error_log /var/log/nginx/gitea.novicelab.io_error.log; error_log /var/log/nginx/gitea.novicelab.io_error.log debug;
set $gitea_backend gitea:3000; # set $gitea_backend gitea:3000;
location / { location / {
proxy_pass http://$gitea_backend; proxy_pass http://gitea_backend;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

76
data/conf.d/goaccess.conf Normal file
View File

@@ -0,0 +1,76 @@
# upstream goaccess_backend {
# server goaccess:7890;
#
# # Keep up to 32 idle connections per worker
# keepalive 16;
#
# # Maximum time a connection can be idle
# keepalive_timeout 60s;
#
# # Maximum requests per keepalive connection
# keepalive_requests 100;
# }
server {
listen 80;
listen [::]:80;
server_name goaccess.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Server block for GoAccess dashboard
server {
listen 443 ssl; # http2;
server_name goaccess.novicelab.io;
# SSL configuration
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Logging
access_log /var/log/nginx/goaccess.novicelab.io_access.log json_combined;
error_log /var/log/nginx/goaccess.novicelab.io_error.log debug;
set $goaccess_backend goaccess:7890;
root /usr/share/nginx/html;
index report.html;
location / {
try_files $uri $uri/ =404;
}
location /ws {
proxy_pass http://$goaccess_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
#enable ws upgrade
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

20
data/conf.d/harbor.conf
View File

@@ -1,3 +1,16 @@
# upstream harbor_backend {
# server nginx-harbor:80;
#
# # Keep up to 32 idle connections per worker
# keepalive 16;
#
# # Maximum time a connection can be idle
# keepalive_timeout 60s;
#
# # Maximum requests per keepalive connection
# keepalive_requests 100;
# }
server { server {
listen 443 ssl; #http2; listen 443 ssl; #http2;
listen [::]:443 ssl; # http2; listen [::]:443 ssl; # http2;
@@ -31,8 +44,8 @@ server {
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging # Logging
access_log /var/log/nginx/harbor.novicelab.io_access.log; access_log /var/log/nginx/harbor.novicelab.io_access.log json_combined;
error_log /var/log/nginx/harbor.novicelab.io_error.log; error_log /var/log/nginx/harbor.novicelab.io_error.log debug;
# set $harbor_backend 10.0.0.251:9090; # set $harbor_backend 10.0.0.251:9090;
set $harbor_backend nginx-harbor:80; set $harbor_backend nginx-harbor:80;
@@ -48,9 +61,6 @@ server {
location / { location / {
proxy_pass http://$harbor_backend; proxy_pass http://$harbor_backend;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for real-time updates # WebSocket support for real-time updates
proxy_http_version 1.1; proxy_http_version 1.1;

48
data/conf.d/hugo.conf
View File

@@ -1,8 +1,22 @@
upstream hugo_backend {
# server hugo:1313;
server 10.0.0.250:8000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS # # Redirect HTTP to HTTPS
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name novicelab.io www.novicelab.io; server_name novicelab.io www.novicelab.io x.y.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal # ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
@@ -15,22 +29,13 @@ server {
} }
server { server {
listen 443 ssl; #http2; listen 443 ssl;
listen [::]:443 ssl; # http2; listen [::]:443 ssl; #
server_name novicelab.io www.novicelab.io; server_name novicelab.io www.novicelab.io x.y.novicelab.io;
# SSL Certificate paths # SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only # SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
@@ -62,22 +67,15 @@ server {
# ssl_dhparam /etc/nginx/ssl/dhparam.pem; # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging # Logging
access_log /var/log/nginx/novicelab.io_access.log; access_log /var/log/nginx/novicelab.io_access.log json_combined;
error_log /var/log/nginx/novicelab.io_error.log; error_log /var/log/nginx/novicelab.io_error.log debug;
# Root and index
# root /var/www/html;
# index index.html index.htm;
# Only allow traffic from Cloudflare IPs (optional but recommended)
# include /etc/nginx/cloudflare-ips.conf;
# include /etc/letsencrypt/options-ssl-nginx.conf; # include /etc/letsencrypt/options-ssl-nginx.conf;
set $hugo_backend hugo:1313; # set $hugo_backend hugo:1313;
location / { location / {
# proxy_pass http://10.0.0.251:9200/; # proxy_pass http://10.0.0.250:8000/;
proxy_pass http://$hugo_backend; proxy_pass http://hugo_backend;
proxy_set_header Host $host; proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Real-IP $remote_addr;

0
data/conf.d/kenvip.conf
View File

63
data/conf.d/minio.conf
View File

@@ -1,3 +1,29 @@
upstream minio_backend {
server minio:9001;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
upstream s3_backend {
server minio:9000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server { server {
listen 80; listen 80;
server_name minio.novicelab.io; server_name minio.novicelab.io;
@@ -5,14 +31,13 @@ server {
} }
server { server {
listen 443 ssl; #http2; listen 443 ssl;
listen [::]:443 ssl; # http2; listen [::]:443 ssl; #
server_name minio.novicelab.io; server_name minio.novicelab.io;
# SSL Certificate paths # SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# # SSL Protocol - TLS 1.2 and 1.3 only # # SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
@@ -26,9 +51,6 @@ server {
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s; resolver_timeout 5s;
@@ -41,18 +63,15 @@ server {
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging # Logging
access_log /var/log/nginx/minio.novicelab.io_access.log; access_log /var/log/nginx/minio.novicelab.io_access.log json_combined;
error_log /var/log/nginx/minio.novicelab.io_error.log; error_log /var/log/nginx/minio.novicelab.io_error.log debug;
# resolver 127.0.0.11 valid=30s; # resolver 127.0.0.11 valid=30s;
set $minio_backend minio:9001; # set $minio_backend minio:9001;
# if ($http_x_forwarded_proto != "https") {
# return 301 https://$host$request_uri;
# }
location / { location / {
proxy_pass http://$minio_backend; proxy_pass http://minio_backend;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -75,8 +94,14 @@ server {
} }
server { server {
listen 443 ssl; #http2; listen 80;
listen [::]:443 ssl; # http2; server_name s3.novicelab.io;
return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name s3.novicelab.io; server_name s3.novicelab.io;
# SSL Certificate paths # SSL Certificate paths
@@ -107,14 +132,14 @@ server {
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging # Logging
access_log /var/log/nginx/s3.novicelab.io_access.log; access_log /var/log/nginx/s3.novicelab.io_access.log json_combined;
error_log /var/log/nginx/s3.novicelab.io_error.log; error_log /var/log/nginx/s3.novicelab.io_error.log debug;
# resolver 127.0.0.11 valid=30s; # resolver 127.0.0.11 valid=30s;
set $s3_backend minio:9000; # set $s3_backend minio:9000;
location / { location / {
proxy_pass http://$s3_backend; proxy_pass http://s3_backend;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

21
data/conf.d/opencloud.conf
View File

@@ -1,3 +1,16 @@
upstream opencloud_backend {
server 10.0.0.251:9200;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server { server {
listen 80; listen 80;
server_name opencloud.novicelab.io; server_name opencloud.novicelab.io;
@@ -15,8 +28,8 @@ server {
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
# Logging # Logging
access_log /var/log/nginx/opencloud.novicelab.io_access.log; access_log /var/log/nginx/opencloud.novicelab.io_access.log json_combined;
error_log /var/log/nginx/opencloud.novicelab.io_error.log; error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;
# Security headers # Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
@@ -47,8 +60,8 @@ server {
location / { location / {
# Pass all other requests to CouchDB # Pass all other requests to CouchDB
proxy_pass http://10.0.0.251:9200; proxy_pass http://10.0.0.250:9200;
#proxy_pass http://$opencloud_backend/; # proxy_pass http://opencloud_backend/;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;

104
data/conf.d/plane.conf
View File

@@ -1,15 +1,51 @@
upstream backend_web {
server plane-web:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_space {
server plane-space:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_admin {
server plane-admin:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_live {
server plane-live:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_api {
server plane-api:8000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
# upstream backend_minio {
# server minio:9000;
# keepalive 16;
# keepalive_timeout 60s;
# keepalive_requests 100;
# }
server { server {
listen 80;
server_name plane.novicelab.io;
if ($host = plane.novicelab.io) { if ($host = plane.novicelab.io) {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
# listen 80;
# server_name plane.novicelab.io;
# return 404;
} }
server { server {
listen 443 ssl; #http2; listen 443 ssl;
listen [::]:443 ssl; # http2; listen [::]:443 ssl;
server_name plane.novicelab.io; server_name plane.novicelab.io;
# SSL Certificate paths # SSL Certificate paths
@@ -40,16 +76,15 @@ server {
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging # Logging
access_log /var/log/nginx/plane.novicelab.io_access.log; access_log /var/log/nginx/plane.novicelab.io_access.log json_combined;
error_log /var/log/nginx/plane.novicelab.io_error.log; error_log /var/log/nginx/plane.novicelab.io_error.log debug;
# resolver 127.0.0.11 valid=30s;
# set $plane_backend 10.0.0.251:9020; # set $plane_backend 10.0.0.251:9020;
set $backend_web plane-web:3000; # set $backend_web plane-web:3000;
set $backend_space plane-space:3000; # set $backend_space plane-space:3000;
set $backend_admin plane-admin:3000; # set $backend_admin plane-admin:3000;
set $backend_live plane-live:3000; # set $backend_live plane-live:3000;
set $backend_api plane-api:8000; # set $backend_api plane-api:8000;
set $backend_minio minio:9000; set $backend_minio minio:9000;
@@ -68,7 +103,7 @@ server {
return 301 /spaces/; return 301 /spaces/;
} }
location /spaces/ { location /spaces/ {
proxy_pass http://$backend_space; proxy_pass http://backend_space;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@@ -81,7 +116,7 @@ server {
return 301 /god-mode/; return 301 /god-mode/;
} }
location /god-mode/ { location /god-mode/ {
proxy_pass http://$backend_admin; proxy_pass http://backend_admin;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@@ -91,7 +126,7 @@ server {
# Live # Live
location /live/ { location /live/ {
proxy_pass http://$backend_live; proxy_pass http://backend_live;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@@ -101,7 +136,7 @@ server {
# API & Auth # API & Auth
location /api/ { location /api/ {
proxy_pass http://$backend_api; proxy_pass http://backend_api;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@@ -109,7 +144,7 @@ server {
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
location /auth/ { location /auth/ {
proxy_pass http://$backend_api; proxy_pass http://backend_api;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@@ -122,9 +157,6 @@ server {
# location ~ ^/${BUCKET_NAME}(/.*)?$ { # location ~ ^/${BUCKET_NAME}(/.*)?$ {
location ~ ^/plane(/.*)?$ { location ~ ^/plane(/.*)?$ {
proxy_pass http://$backend_minio/plane; proxy_pass http://$backend_minio/plane;
# proxy_pass https://s3.novicelab.io/plane;
# location ~ ^/test(/.*)?$ {
# proxy_pass http://$backend_minio/test;
proxy_set_header Host $host; proxy_set_header Host $host;
# Standard proxy headers # Standard proxy headers
@@ -143,40 +175,14 @@ server {
client_max_body_size 0; client_max_body_size 0;
# proxy_pass https://s3.novicelab.io/plane; # proxy_pass https://s3.novicelab.io/plane;
} }
# location ~* ^/(?<bucket>.+)(?<path>/.*)?$ {
# # Check if the first part of the URI matches our bucket variable
# if ($bucket = $bucket_name) {
# proxy_pass http://$backend_minio;
# break;
# }
# # Fallback to the main web app if the path isn't the bucket
# set $upstream_web "web:3000";
# proxy_pass http://$upstream_web;
# }
# Web (Default catch-all) # Web (Default catch-all)
location / { location / {
proxy_pass http://$backend_web; proxy_pass http://backend_web;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
# location / {
# # proxy_pass http://10.0.0.251:9020;
# proxy_pass http://$plane_backend;
# # Set headers for proxied request
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $http_host;
# proxy_http_version 1.1;
# }
} }

0
data/conf.d/s3.conf
View File

58
data/conf.d/tre.conf
View File

@@ -1,58 +0,0 @@
server {
# listen 80;
# server_name *.novicelab.io;
# resolver 127.0.0.11 valid=30s;
# set $haproxy_backend haproxy:80;
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
server_name tre.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging
access_log /var/log/nginx/tre.novicelab.io_access.log;
error_log /var/log/nginx/tre.novicelab.io_error.log;
location /data-catalog {
proxy_pass https://10.0.0.251:8888; # Assuming HAProxy is on port 8080
# proxy_pass http://haproxy_backend;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Performance optimizations
proxy_buffering off;
proxy_request_buffering off;
proxy_connect_timeout 5s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
}
}

51
data/conf.d/umami.conf
View File

@@ -1,3 +1,16 @@
upstream umami_backend {
server umami:3000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS # # Redirect HTTP to HTTPS
server { server {
listen 80; listen 80;
@@ -22,15 +35,6 @@ server {
# SSL Certificate paths # SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only # SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
@@ -44,9 +48,6 @@ server {
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s; resolver_timeout 5s;
@@ -58,28 +59,20 @@ server {
add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging # Logging
access_log /var/log/nginx/umami.novicelab.io_access.log; access_log /var/log/nginx/umami.novicelab.io_access.log json_combined;
error_log /var/log/nginx/umami.novicelab.io_error.log; error_log /var/log/nginx/umami.novicelab.io_error.log debug;
# Root and index # set $umami_backend umami:3000;
# root /var/www/html;
# index index.html index.htm;
# include /etc/letsencrypt/options-ssl-nginx.conf;
set $umami_backend umami:3000;
location / { location / {
# proxy_pass http://10.0.0.251:9200/; # proxy_pass http://$umami_backend;
proxy_pass http://$umami_backend; proxy_pass http://umami_backend;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # $scheme; proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_buffering off; proxy_buffering off;
@@ -90,7 +83,8 @@ server {
} }
# 1. Allow public access to tracking scripts # 1. Allow public access to tracking scripts
location ~ ^/(script\.js|umami\.js)$ { location ~ ^/(script\.js|umami\.js)$ {
proxy_pass http://$umami_backend; # proxy_pass http://$umami_backend;
proxy_pass http://umami_backend;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@@ -107,7 +101,8 @@ server {
# 2. Allow public access to tracking API (metrics collection) # 2. Allow public access to tracking API (metrics collection)
location /api/send { location /api/send {
proxy_pass http://$umami_backend; # proxy_pass http://$umami_backend;
proxy_pass http://umami_backend;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;

39
data/conf.d/vault.conf
View File

@@ -1,3 +1,32 @@
upstream vault_backend {
server 10.0.0.250:8090;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name vault.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server { server {
listen 443 ssl; #http2; listen 443 ssl; #http2;
listen [::]:443 ssl; # http2; listen [::]:443 ssl; # http2;
@@ -31,14 +60,14 @@ server {
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Logging # Logging
access_log /var/log/nginx/vault.novicelab.io_access.log; access_log /var/log/nginx/vault.novicelab.io_access.log json_combined;
error_log /var/log/nginx/vault.novicelab.io_error.log; error_log /var/log/nginx/vault.novicelab.io_error.log debug;
set $vault_backend vaultwarden:443;
# set $vault_backend vaultwarden:443;
location / { location / {
# proxy_pass http://$vault_backend; # proxy_pass http://$vault_backend;
# proxy_pass https://10.0.0.251:8100; proxy_pass http://vault_backend;
proxy_pass http://10.0.0.250:8090;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

85
data/nginx.conf
View File

@@ -10,7 +10,7 @@ events {
} }
http { http {
include mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
keepalive_timeout 65; keepalive_timeout 65;
@@ -23,30 +23,31 @@ http {
resolver 8.8.8.8 valid=30s ipv6=off; resolver 8.8.8.8 valid=30s ipv6=off;
resolver_timeout 11s; resolver_timeout 11s;
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' log_format json_combined escape=json '{'
'$status $body_bytes_sent "$http_referer" ' '"method":"$request_method",'
'"$http_user_agent" "$http_x_forwarded_for"'; '"scheme":"$scheme",'
'"domain":"$host",'
# JSON format — preferred for log aggregators (ELK, Loki, Datadog, etc.) '"uri":"$request_uri",'
log_format json_log escape=json '"query_string":"$query_string",'
'{' '"referer":"$http_referer",'
'"time":"$time_iso8601",' '"content_type":"$sent_http_content_type",'
'"remote_addr":"$remote_addr",' '"status": $status,'
'"method":"$request_method",' '"bytes_sent":$body_bytes_sent,'
'"uri":"$request_uri",' '"request_time":$request_time,'
'"status":$status,' '"user_agent":"$http_user_agent",'
'"bytes_sent":$body_bytes_sent,' '"cache":"$upstream_cache_status",'
'"request_time":$request_time,' '"upstream_time": "$upstream_response_time",'
'"upstream_response_time":"$upstream_response_time",' '"timestamp":"$time_iso8601",'
'"referer":"$http_referer",' '"ip":"$http_x_forwarded_for"'
'"user_agent":"$http_user_agent",' '}';
'"x_forwarded_for":"$http_x_forwarded_for",' # log_format VCOMBINED '$host:$server_port '
'"host":"$host"' # '$remote_addr $remote_user [$time_local] '
'}'; # '"$request" $status $body_bytes_sent '
# '"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log json_log; access_log /var/log/nginx/access.log json_combined;
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log debug;
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
@@ -63,9 +64,9 @@ http {
large_client_header_buffers 4 32k; large_client_header_buffers 4 32k;
# If using Nginx as a proxy to the Harbor core/registry # If using Nginx as a proxy to the Harbor core/registry
proxy_buffer_size 16k; proxy_buffer_size 128k;
proxy_buffers 4 32k; proxy_buffers 4 256k;
proxy_busy_buffers_size 64k; proxy_busy_buffers_size 256k;
proxy_connect_timeout 300; proxy_connect_timeout 300;
proxy_send_timeout 300; proxy_send_timeout 300;
@@ -93,34 +94,4 @@ http {
# Include all server configurations # Include all server configurations
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;
} }
# Existing http {} block stays as-is...
# TCP stream proxy for SMTP ports
# stream {
# upstream mailserver_smtp {
# server mailserver:25; # docker-mailserver container name
# }
# upstream mailserver_submission {
# server mailserver:587;
# }
# # Port 25 — inbound MTA-to-MTA (if you ever receive external mail)
# server {
# listen 25;
# proxy_pass mailserver_smtp;
# proxy_timeout 1m;
# proxy_connect_timeout 10s;
# }
# # Port 587 — STARTTLS submission (for mail clients or apps)
# server {
# listen 587;
# proxy_pass mailserver_submission;
# proxy_timeout 1m;
# proxy_connect_timeout 10s;
# }
# }

26
docker-compose.yml
View File

@@ -1,5 +1,5 @@
services: services:
web: nginx:
container_name: nginx container_name: nginx
image: nginx:latest image: nginx:latest
ports: ports:
@@ -8,6 +8,8 @@ services:
volumes: volumes:
- ./data/nginx.conf:/etc/nginx/nginx.conf:ro - ./data/nginx.conf:/etc/nginx/nginx.conf:ro
- ./data/conf.d:/etc/nginx/conf.d:ro - ./data/conf.d:/etc/nginx/conf.d:ro
- ./data/logs:/var/log/nginx
- ./data/public:/usr/share/nginx/html:rw
- ./certbot/conf:/etc/letsencrypt - ./certbot/conf:/etc/letsencrypt
- ./certbot/www:/var/www/certbot - ./certbot/www:/var/www/certbot
restart: always restart: always
@@ -16,6 +18,7 @@ services:
- nginx - nginx
certbot: certbot:
container_name: certbot
image: certbot/dns-cloudflare:latest image: certbot/dns-cloudflare:latest
restart: unless-stopped restart: unless-stopped
volumes: volumes:
@@ -26,6 +29,27 @@ services:
networks: networks:
- nginx - nginx
goaccess:
container_name: goaccess
image: allinurl/goaccess
user: "0:0"
ports:
- 0.0.0.0:7890:7890
volumes:
- ./goaccess/goaccess.conf:/srv/config/goaccess.conf
- ./data/logs:/srv/logs:rw
- ./data/public:/srv/report:rw
- ./certbot/conf:/etc/letsencrypt
command: ["--no-global-config",
"--config-file=/srv/config/goaccess.conf",
"--ssl-cert=/etc/letsencrypt/live/novicelab.io/fullchain.pem",
"--ssl-key=/etc/letsencrypt/live/novicelab.io/privkey.pem"]
environment:
- TZ=Africa/Nairobi
restart: unless-stopped
networks:
- nginx
networks: networks:
nginx: nginx:
driver: bridge driver: bridge