FIX: Increase client_max_body_size from 1k to 1M

Adjust directive values as needed depending on site requirements
e.g client_max_body_size 500M in minio.conf while other sites are limited to 1k

.gitignore

@@ -1,8 +1,18 @@
 .env
-/data/
+
-/certbot/
+certbot/
-/goaccess/
+
-/data/public/
+goaccess/
-!/data/nginx.conf
+!goaccess/goaccess.conf
-!/data/conf.d/**
+
-!/goaccess/goaccess.conf
+data/
+# data/public/
+# data/conf.d/
+# data/logs/
+# data/logs-VCOMBINED/
+!data/nginx.conf
+!data/sites-available/**
+!data/sites-enabled/**
+# !data/conf.d/** # Configurations exist in nginx.conf and site confs
+
+!data/sites-enabled

data/conf.d/drone.conf

@@ -1,63 +0,0 @@
-upstream drone_backend {
-    server drone:80;
-
-    # Keep up to 32 idle connections per worker
-    keepalive 16;
-
-    # Maximum time a connection can be idle
-    keepalive_timeout 60s;
-
-    # Maximum requests per keepalive connection
-    keepalive_requests 100;
-}
-
-server {
-    listen 80;
-    server_name drone.novicelab.io;
-    return 301 https://$host$request_uri;
-}
-
-server {
-    listen 443 ssl;
-    server_name drone.novicelab.io;
-
-    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-    ssl_protocols       TLSv1.2 TLSv1.3;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
-    ssl_session_cache   shared:SSL:10m;
-
-    # Logging
-    access_log /var/log/nginx/drone.novicelab.io_access.log;
-    error_log /var/log/nginx/drone.novicelab.io_error.log;
-
-    # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options DENY;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-XSS-Protection "1; mode=block";
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
-
-    # set $drone_backend drone:80;
-
-    location / {
-        proxy_pass http://drone_backend;
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-
-        # WebSocket support for real-time updates
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-
-        # Timeouts
-        proxy_connect_timeout 300;
-        proxy_send_timeout 300;
-        proxy_read_timeout 300;
-        send_timeout 300;
-    }
-}

data/conf.d/hugo.conf

@@ -1,93 +0,0 @@
-upstream hugo_backend {
-    # server hugo:1313;
-    server 10.0.0.250:8000;
-
-    # Keep up to 32 idle connections per worker
-    keepalive 16;
-
-    # Maximum time a connection can be idle
-    keepalive_timeout 60s;
-
-    # Maximum requests per keepalive connection
-    keepalive_requests 100;
-}
-
-# # Redirect HTTP to HTTPS
-server {
-    listen 80;
-    listen [::]:80;
-    server_name novicelab.io www.novicelab.io x.y.novicelab.io; 
-    
-    # ACME challenge for Let's Encrypt certificate renewal
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-    
-    location / {
-        return 301 https://$server_name$request_uri;
-    }
-}
-
-server {
-    listen 443 ssl; 
-    listen [::]:443 ssl; #
-    server_name novicelab.io www.novicelab.io x.y.novicelab.io;
-
-    # SSL Certificate paths
-    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    # OCSP Stapling
-    # ssl_stapling on;
-    # ssl_stapling_verify on;
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
-
-    # Security Headers
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
-
-    # Diffie-Hellman parameter for DHE ciphersuites
-    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-
-    # Logging
-    access_log /var/log/nginx/novicelab.io_access.log json_combined;
-    error_log /var/log/nginx/novicelab.io_error.log debug;
-
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    # set $hugo_backend hugo:1313; 
-
-    location / {
-        # proxy_pass http://10.0.0.250:8000/;
-        proxy_pass http://hugo_backend;
-        
-        proxy_set_header Host $host;
-        # proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header   X-Real-IP $http_cf_connecting_ip;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https; # $scheme;
-        proxy_set_header X-Forwarded-Host $host;
-
-        proxy_buffering off;
-        proxy_set_header Referer $http_referer;
-        proxy_redirect off;
-
-        proxy_set_header Cookie $http_cookie;
-    }
-}

data/conf.d/wopi.conf

@@ -1,43 +0,0 @@
-server {
-    listen 80;
-    server_name wopi.novicelab.io;
-    return 301 https://$host$request_uri;
-}
-
-server {
-    listen 443 ssl; # http2;
-    server_name wopi.novicelab.io;
-
-    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-    ssl_protocols       TLSv1.2 TLSv1.3;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
-    ssl_session_cache   shared:SSL:10m;
-
-    # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options DENY;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-XSS-Protection "1; mode=block";
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
-
-    # set $opencloud_backend 10.0.0.251:9300;
-
-
-    location / {
-        proxy_pass              http://10.0.0.251:9300;
-        #proxy_pass         http://$opencloud_backend/;
-
-        proxy_set_header        Host $host;
-        proxy_set_header        X-Real-IP $remote_addr;
-        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header        X-Forwarded-Proto $scheme;
-
-        # Headers for WebSocket support
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-    }
-}

data/nginx.conf

@@ -3,25 +3,36 @@ worker_processes auto;
 error_log /var/log/nginx/error.log warn;
 pid /var/run/nginx.pid;
 
+# Load modules
+include              /etc/nginx/modules-enabled/*.conf;
+
 events {
     worker_connections 1024;
-    use epoll;
     multi_accept on;
 }
 
 http {
+    # MIME
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    keepalive_timeout 65;
+    charset                utf-8;
-    keepalive_requests 100000;
+    sendfile               on;
+    tcp_nopush             on;
+    tcp_nodelay            on;
+    server_tokens          off;
 
-    variables_hash_max_size 2048;
+    log_format main      '$remote_addr - $remote_user [$time_local] '
-    server_names_hash_bucket_size 128;
+                         '"$request" $status $bytes_sent '
-    server_tokens off;
+                         '"$http_referer" "$http_user_agent" '
+                         '"$gzip_ratio"';
 
-    resolver 8.8.8.8 valid=30s ipv6=off;
+    log_format cloudflare '$remote_addr - $remote_user [$time_local] "$request" '
-    resolver_timeout 11s;
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" $http_cf_ray $http_cf_connecting_ip '
+                          '$http_x_forwarded_for $http_x_forwarded_proto ' 
+                          '$http_true_client_ip $http_cf_ipcountry '
+                          '$http_cf_visitor $http_cdn_loop';
 
     log_format json_combined escape=json '{'
         '"method":"$request_method",'
@@ -40,49 +51,87 @@ http {
         '"timestamp":"$time_iso8601",'
         '"ip":"$http_x_forwarded_for"'
     '}';
+
     # log_format VCOMBINED '$host:$server_port '
     #                  '$remote_addr $remote_user [$time_local] '
     #                  '"$request" $status $body_bytes_sent '
     #                  '"$http_referer" "$http_user_agent"';
 
 
+    # track every client request and are vital for traffic analysis and performance monitoring.
     access_log  /var/log/nginx/access.log json_combined;
+    # capture internal server issues and help with troubleshooting.
     error_log   /var/log/nginx/error.log debug;
     
-    sendfile on;
+    # SSL
-    tcp_nopush on;
+    # Mozilla Intermediate configuration
-    tcp_nodelay on;
+    ssl_protocols          TLSv1.2 TLSv1.3;
-    types_hash_max_size 2048;
+    ssl_ciphers            ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
-    # Important for MinIO
-    client_max_body_size 0;
-    proxy_buffering off;
-    proxy_request_buffering off;
-
-    # Increase the buffer for the request line and headers
-    client_header_buffer_size 16k;
-    large_client_header_buffers 4 32k;
-
-    # If using Nginx as a proxy to the Harbor core/registry
-    proxy_buffer_size          128k;
-    proxy_buffers              4 256k;
-    proxy_busy_buffers_size    256k;
-
-    proxy_connect_timeout 300;
-    proxy_send_timeout 300;
-    proxy_read_timeout 300;
-
-    # Add extra headers
-    add_header X-Frame-Options DENY;
-    add_header Content-Security-Policy "frame-ancestors 'none'";
-
-    # SSL Settings
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
+    # enable session resumption to improve https performance
-    ssl_session_timeout 10m;
+    ssl_session_timeout    10m;
+    ssl_session_cache      shared:SSL:10m;
+    ssl_session_tickets    off;
 
+    # Diffie-Hellman parameter for DHE ciphersuites
+    # ssl_dhparam            /etc/nginx/dhparam.pem;
+
+    # OCSP Stapling 
+    # ssl_stapling           on;
+    # ssl_stapling_verify    on;
+    resolver               127.0.0.11 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+    resolver_timeout       2s;
+
+
+    #       CONTROL RESOURCES AND LIMITS / CONTROLLING BUFFER OVERFLOW ATTACKS
+    # specify the client request body buffer size; default 8k/16k
+    client_body_buffer_size 1k;
+    # sets the headerbuffer size for the request header from client.
+    # 1K sufficient for most requests. 
+    # Increase this if you have a custom header or a large cookie sent from the client (e.g., wap client).
+    client_header_buffer_size 1k;
+    # assigns the maximum accepted body size of client request, indicated by the line Content-Length in the header of request. 
+    # If size is greater the given one, then the client gets the error “Request Entity Too Large” (413). 
+    # Increase this when you are getting file uploads via the POST method. e.g harbor image push, minio uploads
+    client_max_body_size 1k;
+    # assigns the maximum number and size of buffers for large headers to read from client request. 
+    # By default the size of one buffer is equal to the size of page, depending on platform this either 4K or 8K, 
+    # if at the end of working request connection converts to state keep-alive, 
+    # then these buffers are freed. 2x1k will accept 2kB data URI. 
+    # This will also help combat bad bots and DoS attacks. 
+    large_client_header_buffers 4 4k;
+
+    client_header_timeout  60;
+    client_body_timeout    60;
+    send_timeout           60;
+
+    #       PROXY BUFFERING
+    # NGINX stores the response from a server in internal buffers as it comes in, 
+    # and doesn't start sending data to the client until the entire response is buffered
+
+    # With proxy_buffering disabled, data received from the server is immediately relayed by NGINX, 
+    # allowing for minimum Time To First Byte (TTFB). 
+    # TLDR - Buffering is needed to ensure that the upstream server can be set free after delivering the response to NGINX, 
+    #        and NGINX will proceed to deliver the response to the slow client.
+    proxy_buffering off; # for a single server setup (SSL termination of Varnish), where no caching is done in NGINX itself
+    # Defines the amount of memory that NGINX will allocate for each request to the proxied server. 
+    # This small chunk of memory will be used for reading and storing the tiny fraction of response – the HTTP headers.
+    # tuning solves the upstream sent too big header while reading response header from upstream error.
+    proxy_buffer_size 8k; # defaults: 4k/8k, should be enough for most PHP websites, or adjust as above
+    # size of buffers, in kilobytes, which can be used for delivering the response to clients 
+    # while it was not fully read from the upstream server.
+    proxy_busy_buffers_size 16k; # essentially, proxy_buffer_size + 2 small buffers of 4k
+    # The rule of thumb with this setting is that while we make use of buffering, 
+    # it is best that the complete response from upstream can be held in memory, to avoid disk I/O.
+    proxy_buffers 8 4k; # Default: 8 4k|8k; should be enough for most PHP websites, adjust as above to get an accurate value
+
+    # Time to establish TCP connection
+    # Increase only if your app has slow endpoints
+    proxy_connect_timeout 60s;
+    # Time between successive writes to upstream
+    proxy_send_timeout 60;
+    # Time between successive reads from upstream
+    proxy_read_timeout 60;
 
     # Gzip Settings
     gzip on;
@@ -91,7 +140,7 @@ http {
     gzip_comp_level 6;
     gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
 
-
     # Include all server configurations
-    include /etc/nginx/conf.d/*.conf;
+    # include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
 }

data/sites-enabled/adminer.conf

@@ -1,12 +1,9 @@
 upstream adminer_backend {
     server adminer:8080;
-
     # Keep up to 16 idle connections per worker
     keepalive 16;
-
     # Maximum time a connection can be idle
     keepalive_timeout 60s;
-
     # Maximum requests per keepalive connection
     keepalive_requests 100;
 }
@@ -29,31 +26,22 @@ server {
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
+    http2 on;
     server_name adminer.novicelab.io;
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-    
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined;
@@ -63,9 +51,13 @@ server {
 
     location / {
         proxy_pass http://adminer_backend;
-        proxy_set_header Host $host;
+        
-        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host               $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP          $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
     }
 }

data/sites-enabled/auth.conf

@@ -1,12 +1,9 @@
 upstream keycloak_backend {
     server keycloak:80; 
-
+    # Keep up to 16 idle connections per worker
-    # Keep up to 32 idle connections per worker
     keepalive 16;
-
     # Maximum time a connection can be idle
     keepalive_timeout 60s;
-
     # Maximum requests per keepalive connection
     keepalive_requests 100;
 }
@@ -29,35 +26,23 @@ server {
 
 server {
     listen 443 ssl; 
-    listen [::]:443 ssl; #
+    listen [::]:443 ssl;
+    http2 on;
     server_name auth.novicelab.io;
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/auth.novicelab.io_access.log json_combined;
@@ -66,20 +51,20 @@ server {
     # set $keycloak_backend keycloak:80; 
 
     location / {
-        # proxy_pass http://10.0.0.253:8085/auth/;
         proxy_pass http://keycloak_backend;
             
-
+        proxy_set_header Host               $host;
-        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP          $remote_addr;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Scheme $scheme;
-        proxy_set_header X-Forwarded-Proto  https;
+        proxy_set_header X-Forwarded-Proto  $scheme; #https;
-        proxy_set_header X-Forwarded-For    $remote_addr;
+        proxy_set_header X-Forwarded-Host   $http_host;
-        proxy_set_header X-Real-IP		$remote_addr;
+        proxy_set_header X-Forwarded-Port   $server_port;
 
         proxy_set_header Accept-Encoding ""; 
 
+        proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $http_connection;
-        proxy_http_version 1.1;
     }
 }

data/sites-enabled/book.conf

@@ -1,13 +1,9 @@
 upstream bookstack_backend {
-    # server 10.0.0.251:6875/;
     server bookstack:80;
-
     # Keep up to 32 idle connections per worker
     keepalive 16;
-
     # Maximum time a connection can be idle
     keepalive_timeout 60s;
-
     # Maximum requests per keepalive connection
     keepalive_requests 100;
 }
@@ -31,34 +27,22 @@ server {
 server {
     listen 443 ssl; 
     listen [::]:443 ssl; 
+    http2 on;
     server_name book.novicelab.io;
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/book.novicelab.io_access.log json_combined;
@@ -68,9 +52,13 @@ server {
 
     location / {
         proxy_pass http://bookstack_backend;
-        proxy_set_header Host $host;
+        
-        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host               $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP          $remote_addr;
-        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme; #https;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
     }
 }

data/sites-enabled/cluster.conf

@@ -8,34 +8,22 @@ upstream haproxy_backend {
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
+    http2 on;
     server_name *.novicelab.io;
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/*.novicelab.io_access.log json_combined;
@@ -44,16 +32,23 @@ server {
     location / {
         proxy_pass http://10.0.0.20:80;
         # proxy_pass http://haproxy_backend;
+        
+        proxy_set_header Host               $host;
+        proxy_set_header X-Real-IP          $remote_addr;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme; #https;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
+
         proxy_http_version 1.1;
-        proxy_set_header Connection "";
+        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Host $host;
+        proxy_set_header Connection $http_connection;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
         
         # Performance optimizations
         proxy_buffering off;
         proxy_request_buffering off;
+
         # Timeouts
         proxy_connect_timeout 300;
         proxy_send_timeout 300;

data/sites-enabled/drone.conf

@@ -0,0 +1,68 @@
+upstream drone_backend {
+    server drone:80;
+
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
+server {
+    listen 80;
+    server_name drone.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name drone.novicelab.io;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
+
+    # Logging
+    access_log /var/log/nginx/drone.novicelab.io_access.log;
+    error_log /var/log/nginx/drone.novicelab.io_error.log;
+
+    # set $drone_backend drone:80;
+
+    location / {
+        proxy_pass http://drone_backend;
+
+        proxy_set_header Host               $host;
+        proxy_set_header X-Real-IP          $remote_addr;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme; #https;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
+
+        # WebSocket support for real-time updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+        proxy_read_timeout 300;
+        send_timeout 300;
+    }
+}

data/sites-enabled/gitea.conf

@@ -13,27 +13,14 @@ upstream gitea_backend {
 
 server {
     listen 443 ssl; 
-    listen [::]:443 ssl; #
+    listen [::]:443 ssl;
+    http2 on;
     server_name gitea.novicelab.io;  
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -42,6 +29,7 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/gitea.novicelab.io_access.log json_combined;
@@ -51,10 +39,16 @@ server {
 
     location / {
         proxy_pass http://gitea_backend;
-        proxy_set_header Host $http_host;
+
-        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host               $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP          $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme; #https;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
+
+        client_max_body_size 1M;
 
         # WebSocket support for real-time updates
         proxy_http_version 1.1;

data/sites-enabled/goaccess.conf

@@ -33,20 +33,24 @@ map $http_upgrade $connection_upgrade {
 
 # Server block for GoAccess dashboard
 server {
-    listen 443 ssl; # http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
     server_name goaccess.novicelab.io;
 
-    # SSL configuration
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
 
-    ssl_session_timeout 1d;
+    # Security Headers
-    ssl_session_cache shared:SSL:10m;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
-    ssl_session_tickets off;
+    add_header X-Frame-Options "SAMEORIGIN" always;
-    ssl_protocols TLSv1.3;
+    add_header X-Content-Type-Options "nosniff" always;
-
+    add_header X-XSS-Protection "1; mode=block" always;
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    resolver_timeout 5s;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
         # Logging
     access_log /var/log/nginx/goaccess.novicelab.io_access.log json_combined;
@@ -63,10 +67,14 @@ server {
 
     location /ws {
         proxy_pass http://$goaccess_backend;
-        proxy_set_header Host $http_host;
+        
-		proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host               $host;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP          $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme; #https;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
 		
 		#enable ws upgrade
 		proxy_http_version 1.1;

data/sites-enabled/harbor.conf

@@ -1,39 +1,27 @@
-# upstream harbor_backend {
+upstream harbor_backend {
-#     server nginx-harbor:80; 
+    # server harbor-nginx:8080; # Harbor is in its own network
-# 
+    server 10.0.0.250:3200; 
-#     # Keep up to 32 idle connections per worker
+
-#     keepalive 16;
+    # Keep up to 32 idle connections per worker
-# 
+    keepalive 16;
-#     # Maximum time a connection can be idle
+
-#     keepalive_timeout 60s;
+    # Maximum time a connection can be idle
-# 
+    keepalive_timeout 60s;
-#     # Maximum requests per keepalive connection
+
-#     keepalive_requests 100;
+    # Maximum requests per keepalive connection
-# }
+    keepalive_requests 100;
+}
 
 server {
-    listen 443 ssl; #http2;
+    listen 443 ssl;
-    listen [::]:443 ssl; # http2;
+    listen [::]:443 ssl;
+    http2 on;
     server_name harbor.novicelab.io;
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -42,13 +30,14 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/harbor.novicelab.io_access.log json_combined;
     error_log /var/log/nginx/harbor.novicelab.io_error.log debug;
 
-    # set $harbor_backend 10.0.0.251:9090; 
+    # set $harbor_backend 10.0.0.251:3200; 
-    set $harbor_backend nginx-harbor:80; 
+    # set $harbor_backend harbor-nginx:8080; 
 
     client_max_body_size 0;
 
@@ -59,8 +48,15 @@ server {
     chunked_transfer_encoding on;
 
     location / {
-        proxy_pass http://$harbor_backend;
+        proxy_pass http://harbor_backend;
-        proxy_set_header Host $http_host;
+
+        proxy_set_header Host               $host;
+        proxy_set_header X-Real-IP          $remote_addr;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme; #https;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
 
         # WebSocket support for real-time updates
         proxy_http_version 1.1;
@@ -96,12 +92,14 @@ server {
 
     location /v2/ {
         # Do not allow Nginx to add/remove trailing slashes here
-        proxy_pass http://$harbor_backend;
+        proxy_pass http://harbor_backend;
         
         proxy_set_header Host $http_host; # Important for Registry
-        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Real-IP         $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host  $host;
+        proxy_set_header X-Forwarded-Port  $server_port;
         
         # Increase body size for image uploads
         client_max_body_size 0; 

data/sites-enabled/hugo.conf

@@ -0,0 +1,82 @@
+upstream hugo_backend {
+    server hugo:1313;
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name novicelab.io www.novicelab.io; 
+    
+    # ACME challenge for Let's Encrypt certificate renewal
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+# Redirect www to non-www
+server {
+    listen                  443 ssl;
+    listen                  [::]:443 ssl;
+    http2 on;
+    server_name             www.novicelab.io;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+    # logging
+    error_log               /var/log/nginx/error.log debug;
+    return                  301 https://novicelab.io$request_uri;
+}
+
+
+server {
+    listen 443 ssl; 
+    listen [::]:443 ssl;
+    http2 on;
+    server_name novicelab.io;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+    # Security Headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
+
+    # Logging
+    access_log /var/log/nginx/novicelab.io_access.log json_combined;
+    error_log /var/log/nginx/novicelab.io_error.log debug;
+
+    # set $hugo_backend hugo:1313; 
+
+    location / {
+        proxy_pass http://hugo_backend;
+        
+        proxy_set_header Host               $host;
+        proxy_set_header X-Real-IP          $remote_addr;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
+    }
+}

data/sites-enabled/kimai.conf

@@ -0,0 +1,58 @@
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name kimai.novicelab.io;
+    
+    # ACME challenge for Let's Encrypt certificate renewal
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl; 
+    listen [::]:443 ssl;
+    http2 on;
+    server_name kimai.novicelab.io;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
+    # Logging
+    access_log /var/log/nginx/kimai.novicelab.io_access.log;
+    error_log /var/log/nginx/kimai.novicelab.io_error.log;
+    
+    set $kimai_backend kimai:8001; 
+
+    location / {
+        proxy_pass http://10.0.0.250:8400;
+        # proxy_pass http://$kimai_backend;
+
+        proxy_set_header Host               $host;
+        proxy_set_header X-Real-IP          $remote_addr;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme; #https;
+        # proxy_set_header  X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
+        
+    }
+    # Redirect HTTP to HTTPS, in case an invalid (plain HTTP) request was sent to port 443
+    error_page 497 https://$host:$server_port$request_uri;
+}

data/sites-enabled/mailcow.conf

@@ -6,20 +6,23 @@ server {
 
 server {
     listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
     server_name mailcow.novicelab.io;
 
-    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    ssl_session_timeout 1d;
-    # ssl_session_cache shared:SSL:50m;
-    ssl_session_tickets off;
 
-    # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
+    # Security Headers
-    # An example config is given below
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
-    # ssl_protocols TLSv1.2;
+    add_header X-Frame-Options "SAMEORIGIN" always;
-    ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
+    add_header X-Content-Type-Options "nosniff" always;
-    ssl_prefer_server_ciphers off;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/mailcow.novicelab.io_access.log;
@@ -46,8 +49,8 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         client_max_body_size 0;
-    # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
+        # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
-    # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
+        # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
         # proxy_buffer_size 128k;
         proxy_buffers 64 512k;
         proxy_busy_buffers_size 512k;

data/sites-enabled/minio.conf

@@ -1,25 +1,19 @@
 upstream minio_backend {
     server minio:9001;
-
     # Keep up to 32 idle connections per worker
     keepalive 16;
-
     # Maximum time a connection can be idle
     keepalive_timeout 60s;
-
     # Maximum requests per keepalive connection
     keepalive_requests 100;
 }
 
 upstream s3_backend {
     server minio:9000; 
-
     # Keep up to 32 idle connections per worker
     keepalive 16;
-
     # Maximum time a connection can be idle
     keepalive_timeout 60s;
-
     # Maximum requests per keepalive connection
     keepalive_requests 100;
 }
@@ -32,27 +26,14 @@ server {
 
 server {
     listen 443 ssl; 
-    listen [::]:443 ssl; #
+    listen [::]:443 ssl; 
+    http2 on;
     server_name minio.novicelab.io; 
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -61,15 +42,14 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/minio.novicelab.io_access.log json_combined;
     error_log /var/log/nginx/minio.novicelab.io_error.log debug;
 
-    # resolver 127.0.0.11 valid=30s;
     # set $minio_backend minio:9001; 
 
-
     location / {
         proxy_pass http://minio_backend;
         proxy_set_header Host $host;
@@ -89,7 +69,7 @@ server {
         proxy_read_timeout 300;
         send_timeout 300;
 
-        client_max_body_size 0;
+        client_max_body_size 500M;
     }
 }
 
@@ -102,26 +82,13 @@ server {
 server {
     listen 443 ssl;
     listen [::]:443 ssl; 
+    http2 on;
     server_name s3.novicelab.io; 
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -130,16 +97,17 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/s3.novicelab.io_access.log json_combined;
     error_log /var/log/nginx/s3.novicelab.io_error.log debug;
 
-    # resolver 127.0.0.11 valid=30s;
     # set $s3_backend minio:9000; 
 
     location / {
         proxy_pass http://s3_backend;
+
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

data/sites-enabled/opencloud.conf

@@ -1,12 +1,9 @@
 upstream opencloud_backend {
-    server 10.0.0.251:9200;
+    server 10.0.0.250:9200;
-
     # Keep up to 32 idle connections per worker
     keepalive 16;
-
     # Maximum time a connection can be idle
     keepalive_timeout 60s;
-
     # Maximum requests per keepalive connection
     keepalive_requests 100;
 }
@@ -18,25 +15,29 @@ server {
 }
 
 server {
-    listen 443 ssl; # http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
     server_name opencloud.novicelab.io;
 
-    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
+
-    ssl_session_cache   shared:SSL:10m;
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/opencloud.novicelab.io_access.log json_combined;
     error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;
 
-    # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options DENY;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-XSS-Protection "1; mode=block";
-
     client_max_body_size 10M;
 
     # Disable buffering - essential for SSE
@@ -50,17 +51,13 @@ server {
     keepalive_timeout 5m;
     http2_max_concurrent_streams 512;
 
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
-
     # set $opencloud_backend 10.0.0.251:9200;
     # Prevent nginx from trying other upstreams
     proxy_next_upstream off;
 
 
     location / {
-        # Pass all other requests to CouchDB
+        proxy_pass              http://opencloud_backend;
-        proxy_pass              http://10.0.0.250:9200;
         # proxy_pass         http://opencloud_backend/;
 
         proxy_set_header        Host $host;

data/sites-enabled/opencloud_collabora.conf

@@ -0,0 +1,75 @@
+upstream collabora_backend {
+    server 10.0.0.250:9980;
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
+server {
+    listen 80;
+    server_name collabora.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name collabora.novicelab.io;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
+
+    # Logging
+    access_log /var/log/nginx/opencloud_collabora.novicelab.io_access.log json_combined;
+    error_log /var/log/nginx/opencloud_collabora.novicelab.io_error.log debug;
+
+    client_max_body_size 10M;
+
+    # Disable buffering - essential for SSE
+    proxy_buffering off;
+    proxy_request_buffering off;
+
+    # Extend timeouts for long connections
+    proxy_read_timeout 3600s;
+    proxy_send_timeout 3600s;
+    keepalive_requests 100000;
+    keepalive_timeout 5m;
+    http2_max_concurrent_streams 512;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # set $collabora_backend 10.0.0.251:9980;
+    # Prevent nginx from trying other upstreams
+    proxy_next_upstream off;
+
+
+    location / {
+        proxy_pass              http://collabora_backend;
+
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+
+        # Headers for WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}

data/sites-enabled/opencloud_wopi.conf

@@ -0,0 +1,58 @@
+upstream wopi_backend {
+    server 10.0.0.250:9300;
+    # Keep up to 32 idle connections per worker
+    keepalive 16;
+    # Maximum time a connection can be idle
+    keepalive_timeout 60s;
+    # Maximum requests per keepalive connection
+    keepalive_requests 100;
+}
+
+server {
+    listen 80;
+    server_name wopi.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name wopi.novicelab.io;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
+
+    # Logging
+    access_log /var/log/nginx/opencloud_wopi.novicelab.io_access.log json_combined;
+    error_log /var/log/nginx/opencloud_wopi.novicelab.io_error.log debug;
+
+    # set $wopi_backend 10.0.0.251:9300;
+
+
+    location / {
+        # proxy_pass              http://10.0.0.250:9300;
+        proxy_pass         http://wopi_backend/;
+
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+
+        # Headers for WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}

data/sites-enabled/plane.conf

@@ -46,26 +46,13 @@ server {
 server {
     listen 443 ssl;
     listen [::]:443 ssl; 
+    http2 on;
     server_name plane.novicelab.io; 
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -74,6 +61,7 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/plane.novicelab.io_access.log json_combined;
@@ -88,7 +76,7 @@ server {
     set $backend_minio  minio:9000;
 
 
-    client_max_body_size 0;
+    # client_max_body_size 0;
     # Set the bucket name as a variable for the regex location
     set $bucket_name "plane";
 
@@ -172,7 +160,7 @@ server {
             return 204;
         }
 
-        client_max_body_size 0;
+        client_max_body_size 20M;
         # proxy_pass https://s3.novicelab.io/plane;
     }
 

data/sites-enabled/portainer.conf

@@ -0,0 +1,65 @@
+upstream portainer_backend {
+    server portainer:9000;
+    keepalive 16;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name portainer.novicelab.io;
+    
+    # ACME challenge for Let's Encrypt certificate renewal
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name portainer.novicelab.io;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
+
+    # Logging
+    access_log /var/log/nginx/portainer.novicelab.io_access.log;
+    error_log /var/log/nginx/portainer.novicelab.io_error.log;
+
+    # set $portainer_backend portainer:9000; 
+
+    location / {
+        proxy_pass http://portainer_backend;
+            
+        proxy_set_header Host               $host;
+        proxy_set_header X-Real-IP          $remote_addr;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  $scheme; #https;
+        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host   $http_host;
+        proxy_set_header X-Forwarded-Port   $server_port;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_http_version 1.1;
+    }
+}

data/sites-enabled/umami.conf

@@ -1,12 +1,9 @@
 upstream umami_backend {
     server umami:3000;
-
     # Keep up to 32 idle connections per worker
     keepalive 16;
-
     # Maximum time a connection can be idle
     keepalive_timeout 60s;
-
     # Maximum requests per keepalive connection
     keepalive_requests 100;
 }
@@ -28,28 +25,15 @@ server {
 }
 
 server {
-    listen 443 ssl; #http2;
+    listen 443 ssl;
-    listen [::]:443 ssl; # http2;
+    listen [::]:443 ssl;
+    http2 on;
     server_name umami.novicelab.io;
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -58,6 +42,7 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/umami.novicelab.io_access.log json_combined;
@@ -66,54 +51,38 @@ server {
     # set $umami_backend umami:3000; 
 
     location / {
-        # proxy_pass http://$umami_backend;
         proxy_pass http://umami_backend;
         
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Proto $scheme; #https ;
         proxy_set_header X-Forwarded-Host $host;
 
-        proxy_buffering off;
+        # WebSocket support for real-time dashboard
-        proxy_set_header Referer $http_referer;
+        proxy_http_version 1.1;
-        proxy_redirect off;
+        proxy_set_header Upgrade $http_upgrade;
-
+        proxy_set_header Connection "upgrade";
-        proxy_set_header Cookie $http_cookie;
     }
         # 1. Allow public access to tracking scripts
     location ~ ^/(script\.js|umami\.js)$ {
-        # proxy_pass http://$umami_backend;
         proxy_pass http://umami_backend;
         
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https; # $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme; #https ;
         proxy_set_header X-Forwarded-Host $host;
-
-        proxy_buffering off;
-        proxy_set_header Referer $http_referer;
-        proxy_redirect off;
-
-        proxy_set_header Cookie $http_cookie;
     }
 
     # 2. Allow public access to tracking API (metrics collection)
     location /api/send {
-        # proxy_pass http://$umami_backend;
         proxy_pass http://umami_backend;
         
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https; # $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme; #https ;
         proxy_set_header X-Forwarded-Host $host;
-
-        proxy_buffering off;
-        proxy_set_header Referer $http_referer;
-        proxy_redirect off;
-
-        proxy_set_header Cookie $http_cookie;
     }
 }

data/sites-enabled/vault.conf

@@ -1,12 +1,9 @@
 upstream vault_backend {
     server 10.0.0.250:8090;
-
     # Keep up to 32 idle connections per worker
     keepalive 16;
-
     # Maximum time a connection can be idle
     keepalive_timeout 60s;
-
     # Maximum requests per keepalive connection
     keepalive_requests 100;
 }
@@ -28,28 +25,15 @@ server {
 }
 
 server {
-    listen 443 ssl; #http2;
+    listen 443 ssl;
-    listen [::]:443 ssl; # http2;
+    listen [::]:443 ssl;
+    http2 on;
     server_name vault.novicelab.io; 
 
-    # SSL Certificate paths
+    # SSL
     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    # SSL Protocol - TLS 1.2 and 1.3 only
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-
-    # SSL session configuration
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
-
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 5s;
 
     # Security Headers
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -58,6 +42,7 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
 
     # Logging
     access_log /var/log/nginx/vault.novicelab.io_access.log json_combined;
@@ -66,8 +51,8 @@ server {
     # set $vault_backend vaultwarden:443;
 
     location / {
-        # proxy_pass http://$vault_backend;
         proxy_pass http://vault_backend;
+        
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

docker-compose.yml

@@ -7,7 +7,9 @@ services:
       - "443:443"
     volumes:
       - ./data/nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./data/conf.d:/etc/nginx/conf.d:ro
+      # - ./data/conf.d:/etc/nginx/conf.d:ro
+      - ./data/sites-available:/etc/nginx/sites-available
+      - ./data/sites-enabled:/etc/nginx/sites-enabled
       - ./data/logs:/var/log/nginx
       - ./data/public:/usr/share/nginx/html:rw
       - ./certbot/conf:/etc/letsencrypt