novicelab.io/nginx
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: novicelab.io:dc320d83d4a922870c15657776554dc80da5b780
Branches Tags
novicelab.io:main novicelab.io:cleanup novicelab.io:json-combined-log-format novicelab.io:goaccess
..
compare: novicelab.io:main
Branches Tags
novicelab.io:main novicelab.io:cleanup novicelab.io:json-combined-log-format novicelab.io:goaccess

15 Commits
dc320d83d4 ... main

Author SHA1 Message Date
kbrianngeno
26c84a821c FIX: Increase client_max_body_size from 1k to 1M 2026-03-21 13:00:54 +00:00
kbrianngeno
3bf88ea638 FIX: Remove extra ; 2026-03-21 12:59:11 +00:00
kbrianngeno
693aa12720 Move site configs from conf.d to sites-enabled 2026-03-21 09:53:35 +00:00
kbrianngeno
f4cba30f72 FIX: Track data/sites-available/ & data/sites-enabled/ 2026-03-21 09:52:23 +00:00
kbrianngeno
8296b58bd3 Set defaults for directives add_header and proxy_set_header 2026-03-21 09:48:26 +00:00
kbrianngeno
17a8b6bce2 Set low default values for directives 
Adjust directive values as needed depending on site requirements
e.g client_max_body_size 500M in minio.conf while other sites are limited to 1k
 2026-03-21 09:35:02 +00:00
kbrianngeno
8d79a452ee Unmount conf.d, mount sites-available and sites-enabled 2026-03-21 09:33:20 +00:00
kbrianngeno
ba09bd3f7c Untrack conf.d 
Configs exist in nginx.conf and site.confs.
conf.d contains:
- general.conf 	- gzip
- proxy.conf 	- proxy_buffer, proxy_set_header and proxy_* directives
- security.conf	- add_header directives
 2026-03-21 09:28:08 +00:00
kbrianngeno
544984243d Merge pull request 'Remove commented out config sections' (#3) from cleanup into main 
Reviewed-on: https://gitea.novicelab.io/novicelab.io/nginx/pulls/3
 2026-03-20 04:13:28 +00:00
kbrianngeno
69ed1a853e Remove commented out config sections 2026-03-20 04:11:20 +00:00
kbrianngeno
6240de4af5 Merge pull request 'json-combined-log-format, 502 fix' (#2) from json-combined-log-format into main 
Reviewed-on: https://gitea.novicelab.io/novicelab.io/nginx/pulls/2
Merge json_combined format change and 502 proxy buffer size increase fix
 2026-03-17 18:19:59 +00:00
kbrianngeno
547701c7da Set access log format and Upstream 
Set access log format to json_combined
Switch from $backend_variable to upstream
(Except for harbor, plane-minio, goaccess, opencloud)
 2026-03-17 18:12:45 +00:00
kbrianngeno
50b13c34ef Access log format, Proxy buffer size 
Set access log format to json_combined
Increase proxy buffer sizes to fix frequent 502 errors on all sites
 2026-03-17 18:12:39 +00:00
kbrianngeno
6308d32f8e Add README.md 2026-03-17 09:15:50 +00:00
kbrianngeno
56a221fb9d Merge pull request 'goaccess setup and integration' (#1) from goaccess into main 
Reviewed-on: https://gitea.novicelab.io/novicelab.io/nginx/pulls/1
 2026-03-17 08:56:17 +00:00
32 changed files with 1238 additions and 998 deletions
Expand all files Collapse all files

24
.gitignore vendored
View File

@@ -1,8 +1,18 @@
.env
/data/
/certbot/
/goaccess/
/data/public/
!/data/nginx.conf
!/data/conf.d/**
!/goaccess/goaccess.conf
certbot/
goaccess/
!goaccess/goaccess.conf
data/
# data/public/
# data/conf.d/
# data/logs/
# data/logs-VCOMBINED/
!data/nginx.conf
!data/sites-available/**
!data/sites-enabled/**
# !data/conf.d/** # Configurations exist in nginx.conf and site confs
!data/sites-enabled

54
README.md Normal file
View File

@@ -0,0 +1,54 @@
# Novicelab Nginx
Nginx + Certbot + GoAccess
## Logs
All logs stored in `data/logs` site files
## Site confs
Located in `data/conf.d`
## Container variables
Harbor and Opencloud site confs use host IP; they have expansive configs with their own Docker networks. \
All other site confs use a backend variable that points to the contioner as such:
```
server {
listen 443 ssl;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
set $adminer_backend adminer:8080;
location / {
## Advantage: Nginx container start won't be blocked should the
## below services container be down
## Upstream works just as well
proxy_pass http://$adminer_backend;
...
}
}
```
## Upstream structure
```
http {
upstream goaccess {
server goaccess:7890 weight=1 fail_timeout=30s;
}
server {
listen 443 ssl;
location /ws {
proxy_pass http://goaccess;
...
}
}
}
```
```
mkdir nginx && cd nginx
git clone https://gitea.novicelab.io/novicelab.io/nginx.git .
docker compose up -d
```

89
data/conf.d/adminer.conf
View File

@@ -1,89 +0,0 @@
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name adminer.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
server_name adminer.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only
# ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging
access_log /var/log/nginx/adminer.novicelab.io_access.log VCOMBINED;
error_log /var/log/nginx/adminer.novicelab.io_error.log debug;
# Root and index
# root /var/www/html;
# index index.html index.htm;
# include /etc/letsencrypt/options-ssl-nginx.conf;
set $adminer_backend adminer:8080;
location / { #/adminer {
# rewrite ^/adminer/(.*)$ /$1 break;
# proxy_pass http://10.0.0.251:9080/;
proxy_pass http://$adminer_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https;
#$scheme;
# Handle redirects (like after login) so they stay under /adminer/
# proxy_redirect / /adminer/;
}
}

94
data/conf.d/auth.conf
View File

@@ -1,94 +0,0 @@
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name auth.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
server_name auth.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging
access_log /var/log/nginx/auth.novicelab.io_access.log VCOMBINED;
error_log /var/log/nginx/auth.novicelab.io_error.log debug;
# Root and index
# root /var/www/html;
# index index.html index.htm;
# include /etc/letsencrypt/options-ssl-nginx.conf;
set $keycloak_backend keycloak:80;
# client_max_body_size 0;
location / {
# proxy_pass http://10.0.0.253:8085/auth/;
proxy_pass http://$keycloak_backend;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto https; #$scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;
}
}

89
data/conf.d/book.conf
View File

@@ -1,89 +0,0 @@
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name book.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
server_name book.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging
access_log /var/log/nginx/book.novicelab.io_access.log VCOMBINED;
error_log /var/log/nginx/book.novicelab.io_error.log debug;
# Root and index
# root /var/www/html;
# index index.html index.htm;
# include /etc/letsencrypt/options-ssl-nginx.conf;
set $bookstack_backend bookstack:80;
# client_max_body_size 0;
# BookStack (/docs)
location / {
# rewrite ^/docs/(.*) /$1 break;
# proxy_pass http://$bookstack_backend;
proxy_pass http://10.0.0.251:6875/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; #$scheme;
# proxy_redirect / /docs/;
}
}

72
data/conf.d/drone.conf
View File

@@ -1,72 +0,0 @@
server {
listen 80;
server_name drone.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl; # http2;
server_name drone.novicelab.io;
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
# Logging
access_log /var/log/nginx/drone.novicelab.io_access.log;
error_log /var/log/nginx/drone.novicelab.io_error.log;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# set $couch_backend 10.0.0.251:9001;
set $drone_backend drone:80;
set $drone_runner_backend drone-runner-1:3000;
location / {
proxy_pass http://$drone_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
# location /runner-1 {
# proxy_pass http://$drone_runner_backend;
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# # WebSocket support for real-time updates
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# # Timeouts
# proxy_connect_timeout 300;
# proxy_send_timeout 300;
# proxy_read_timeout 300;
# send_timeout 300;
# }
}

68
data/conf.d/goaccess.conf
View File

@@ -1,68 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name goaccess.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Server block for GoAccess dashboard
server {
listen 443 ssl; # http2;
server_name goaccess.novicelab.io;
# SSL configuration
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# add_header X-Content-Type-Options nosniff;
# add_header X-Frame-Options DENY;
# add_header X-XSS-Protection "1; mode=block";
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Logging
access_log /var/log/nginx/goaccess.novicelab.io_access.log VCOMBINED;
error_log /var/log/nginx/goaccess.novicelab.io_error.log debug;
set $goaccess_backend goaccess:7890;
root /usr/share/nginx/html;
index report.html;
location / {
try_files $uri $uri/ =404;
}
location /ws {
proxy_pass http://$goaccess_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
#enable ws upgrade
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

95
data/conf.d/hugo.conf
View File

@@ -1,95 +0,0 @@
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name novicelab.io www.novicelab.io x.y.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
server_name novicelab.io www.novicelab.io x.y.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging
access_log /var/log/nginx/novicelab.io_access.log VCOMBINED;
error_log /var/log/nginx/novicelab.io_error.log debug;
# Root and index
# root /var/www/html;
# index index.html index.htm;
# Only allow traffic from Cloudflare IPs (optional but recommended)
# include /etc/nginx/cloudflare-ips.conf;
# include /etc/letsencrypt/options-ssl-nginx.conf;
set $hugo_backend hugo:1313;
location / {
# proxy_pass http://10.0.0.251:9200/;
proxy_pass http://$hugo_backend;
proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $http_cf_connecting_ip;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
}
}

124
data/conf.d/umami.conf
View File

@@ -1,124 +0,0 @@
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name umami.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
server_name umami.novicelab.io;
# SSL Certificate paths
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# Trusted certificate for OCSP stapling
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Cloudflare Origin CA certificate for client verification
# Cloudflare Origin CA for authenticated origin pulls (optional)
# Only enable if you want to restrict to Cloudflare only
# ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
# ssl_verify_client on;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Logging
access_log /var/log/nginx/umami.novicelab.io_access.log VCOMBINED;
error_log /var/log/nginx/umami.novicelab.io_error.log debug;
# Root and index
# root /var/www/html;
# index index.html index.htm;
# include /etc/letsencrypt/options-ssl-nginx.conf;
set $umami_backend umami:3000;
location / {
# proxy_pass http://10.0.0.251:9200/;
proxy_pass http://$umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
}
# 1. Allow public access to tracking scripts
location ~ ^/(script\.js|umami\.js)$ {
proxy_pass http://$umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
}
# 2. Allow public access to tracking API (metrics collection)
location /api/send {
proxy_pass http://$umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_redirect off;
proxy_set_header Cookie $http_cookie;
}
}

43
data/conf.d/wopi.conf
View File

@@ -1,43 +0,0 @@
server {
listen 80;
server_name wopi.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl; # http2;
server_name wopi.novicelab.io;
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# set $opencloud_backend 10.0.0.251:9300;
location / {
proxy_pass http://10.0.0.251:9300;
#proxy_pass http://$opencloud_backend/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Headers for WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

169
data/nginx.conf
View File

@@ -3,86 +3,135 @@ worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
# Load modules
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# MIME
include /etc/nginx/mime.types;
default_type application/octet-stream;
keepalive_timeout 65;
keepalive_requests 100000;
variables_hash_max_size 2048;
server_names_hash_bucket_size 128;
server_tokens off;
resolver 8.8.8.8 valid=30s ipv6=off;
resolver_timeout 11s;
# log_format json_combined escape=json '{'
# '"method":"$request_method",'
# '"scheme":"$scheme",'
# '"domain":"$host",'
# '"uri":"$request_uri",'
# '"query_string":"$query_string",'
# '"referer":"$http_referer",'
# '"content_type":"$sent_http_content_type",'
# '"status": $status,'
# '"bytes_sent":$body_bytes_sent,'
# '"request_time":$request_time,'
# '"user_agent":"$http_user_agent",'
# '"cache":"$upstream_cache_status",'
# '"upstream_time": "$upstream_response_time",'
# '"timestamp":"$time_iso8601",'
# '"ip":"$http_x_forwarded_for"'
# '}';
log_format VCOMBINED '$host:$server_port '
'$remote_addr $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log VCOMBINED;
error_log /var/log/nginx/error.log debug;
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
server_tokens off;
# Important for MinIO
client_max_body_size 0;
proxy_buffering off;
proxy_request_buffering off;
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
# Increase the buffer for the request line and headers
client_header_buffer_size 16k;
large_client_header_buffers 4 32k;
log_format cloudflare '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_cf_ray $http_cf_connecting_ip '
'$http_x_forwarded_for $http_x_forwarded_proto '
'$http_true_client_ip $http_cf_ipcountry '
'$http_cf_visitor $http_cdn_loop';
# If using Nginx as a proxy to the Harbor core/registry
proxy_buffer_size 16k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
log_format json_combined escape=json '{'
'"method":"$request_method",'
'"scheme":"$scheme",'
'"domain":"$host",'
'"uri":"$request_uri",'
'"query_string":"$query_string",'
'"referer":"$http_referer",'
'"content_type":"$sent_http_content_type",'
'"status": $status,'
'"bytes_sent":$body_bytes_sent,'
'"request_time":$request_time,'
'"user_agent":"$http_user_agent",'
'"cache":"$upstream_cache_status",'
'"upstream_time": "$upstream_response_time",'
'"timestamp":"$time_iso8601",'
'"ip":"$http_x_forwarded_for"'
'}';
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
# log_format VCOMBINED '$host:$server_port '
# '$remote_addr $remote_user [$time_local] '
# '"$request" $status $body_bytes_sent '
# '"$http_referer" "$http_user_agent"';
# Add extra headers
add_header X-Frame-Options DENY;
add_header Content-Security-Policy "frame-ancestors 'none'";
# SSL Settings
# track every client request and are vital for traffic analysis and performance monitoring.
access_log /var/log/nginx/access.log json_combined;
# capture internal server issues and help with troubleshooting.
error_log /var/log/nginx/error.log debug;
# SSL
# Mozilla Intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# enable session resumption to improve https performance
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/dhparam.pem;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
# CONTROL RESOURCES AND LIMITS / CONTROLLING BUFFER OVERFLOW ATTACKS
# specify the client request body buffer size; default 8k/16k
client_body_buffer_size 1k;
# sets the headerbuffer size for the request header from client.
# 1K sufficient for most requests.
# Increase this if you have a custom header or a large cookie sent from the client (e.g., wap client).
client_header_buffer_size 1k;
# assigns the maximum accepted body size of client request, indicated by the line Content-Length in the header of request.
# If size is greater the given one, then the client gets the error “Request Entity Too Large” (413).
# Increase this when you are getting file uploads via the POST method. e.g harbor image push, minio uploads
client_max_body_size 1k;
# assigns the maximum number and size of buffers for large headers to read from client request.
# By default the size of one buffer is equal to the size of page, depending on platform this either 4K or 8K,
# if at the end of working request connection converts to state keep-alive,
# then these buffers are freed. 2x1k will accept 2kB data URI.
# This will also help combat bad bots and DoS attacks.
large_client_header_buffers 4 4k;
client_header_timeout 60;
client_body_timeout 60;
send_timeout 60;
# PROXY BUFFERING
# NGINX stores the response from a server in internal buffers as it comes in,
# and doesn't start sending data to the client until the entire response is buffered
# With proxy_buffering disabled, data received from the server is immediately relayed by NGINX,
# allowing for minimum Time To First Byte (TTFB).
# TLDR - Buffering is needed to ensure that the upstream server can be set free after delivering the response to NGINX,
# and NGINX will proceed to deliver the response to the slow client.
proxy_buffering off; # for a single server setup (SSL termination of Varnish), where no caching is done in NGINX itself
# Defines the amount of memory that NGINX will allocate for each request to the proxied server.
# This small chunk of memory will be used for reading and storing the tiny fraction of response the HTTP headers.
# tuning solves the upstream sent too big header while reading response header from upstream error.
proxy_buffer_size 8k; # defaults: 4k/8k, should be enough for most PHP websites, or adjust as above
# size of buffers, in kilobytes, which can be used for delivering the response to clients
# while it was not fully read from the upstream server.
proxy_busy_buffers_size 16k; # essentially, proxy_buffer_size + 2 small buffers of 4k
# The rule of thumb with this setting is that while we make use of buffering,
# it is best that the complete response from upstream can be held in memory, to avoid disk I/O.
proxy_buffers 8 4k; # Default: 8 4k|8k; should be enough for most PHP websites, adjust as above to get an accurate value
# Time to establish TCP connection
# Increase only if your app has slow endpoints
proxy_connect_timeout 60s;
# Time between successive writes to upstream
proxy_send_timeout 60;
# Time between successive reads from upstream
proxy_read_timeout 60;
# Gzip Settings
gzip on;
@@ -91,7 +140,7 @@ http {
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
# Include all server configurations
include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

63
data/sites-enabled/adminer.conf Normal file
View File

@@ -0,0 +1,63 @@
upstream adminer_backend {
server adminer:8080;
# Keep up to 16 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
listen [::]:80;
server_name adminer.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name adminer.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined;
error_log /var/log/nginx/adminer.novicelab.io_error.log debug;
# set $adminer_backend adminer:8080;
location / {
proxy_pass http://adminer_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
}
}

70
data/sites-enabled/auth.conf Normal file
View File

@@ -0,0 +1,70 @@
upstream keycloak_backend {
server keycloak:80;
# Keep up to 16 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name auth.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name auth.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/auth.novicelab.io_access.log json_combined;
error_log /var/log/nginx/auth.novicelab.io_error.log debug;
# set $keycloak_backend keycloak:80;
location / {
proxy_pass http://keycloak_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Accept-Encoding "";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}

64
data/sites-enabled/book.conf Normal file
View File

@@ -0,0 +1,64 @@
upstream bookstack_backend {
server bookstack:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name book.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name book.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/book.novicelab.io_access.log json_combined;
error_log /var/log/nginx/book.novicelab.io_error.log debug;
# set $bookstack_backend bookstack:80;
location / {
proxy_pass http://bookstack_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
}
}

43
data/conf.d/cluster.conf → data/sites-enabled/cluster.conf
View File

@@ -6,54 +6,49 @@ upstream haproxy_backend {
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name *.novicelab.io;
# SSL Certificate paths
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/*.novicelab.io_access.log VCOMBINED;
access_log /var/log/nginx/*.novicelab.io_access.log json_combined;
error_log /var/log/nginx/*.novicelab.io_error.log debug;
location / {
proxy_pass http://10.0.0.20:80; # Assuming HAProxy is on port 8080
proxy_pass http://10.0.0.20:80;
# proxy_pass http://haproxy_backend;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
# Performance optimizations
proxy_buffering off;
proxy_request_buffering off;
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;

68
data/sites-enabled/drone.conf Normal file
View File

@@ -0,0 +1,68 @@
upstream drone_backend {
server drone:80;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name drone.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name drone.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/drone.novicelab.io_access.log;
error_log /var/log/nginx/drone.novicelab.io_error.log;
# set $drone_backend drone:80;
location / {
proxy_pass http://drone_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
# WebSocket support for real-time updates
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}

53
data/conf.d/gitea.conf → data/sites-enabled/gitea.conf
View File

@@ -1,26 +1,26 @@
upstream gitea_backend {
server gitea:3000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name gitea.novicelab.io;
# SSL Certificate paths
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -29,19 +29,26 @@ server {
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/gitea.novicelab.io_access.log VCOMBINED;
access_log /var/log/nginx/gitea.novicelab.io_access.log json_combined;
error_log /var/log/nginx/gitea.novicelab.io_error.log debug;
set $gitea_backend gitea:3000;
# set $gitea_backend gitea:3000;
location / {
proxy_pass http://$gitea_backend;
proxy_set_header Host $http_host;
proxy_pass http://gitea_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
client_max_body_size 1M;
# WebSocket support for real-time updates
proxy_http_version 1.1;

84
data/sites-enabled/goaccess.conf Normal file
View File

@@ -0,0 +1,84 @@
# upstream goaccess_backend {
# server goaccess:7890;
#
# # Keep up to 32 idle connections per worker
# keepalive 16;
#
# # Maximum time a connection can be idle
# keepalive_timeout 60s;
#
# # Maximum requests per keepalive connection
# keepalive_requests 100;
# }
server {
listen 80;
listen [::]:80;
server_name goaccess.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Server block for GoAccess dashboard
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name goaccess.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/goaccess.novicelab.io_access.log json_combined;
error_log /var/log/nginx/goaccess.novicelab.io_error.log debug;
set $goaccess_backend goaccess:7890;
root /usr/share/nginx/html;
index report.html;
location / {
try_files $uri $uri/ =404;
}
location /ws {
proxy_pass http://$goaccess_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
#enable ws upgrade
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

62
data/conf.d/harbor.conf → data/sites-enabled/harbor.conf
View File

@@ -1,26 +1,27 @@
upstream harbor_backend {
# server harbor-nginx:8080; # Harbor is in its own network
server 10.0.0.250:3200;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name harbor.novicelab.io;
# SSL Certificate paths
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -29,13 +30,14 @@ server {
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/harbor.novicelab.io_access.log VCOMBINED;
access_log /var/log/nginx/harbor.novicelab.io_access.log json_combined;
error_log /var/log/nginx/harbor.novicelab.io_error.log debug;
# set $harbor_backend 10.0.0.251:9090;
set $harbor_backend nginx-harbor:80;
# set $harbor_backend 10.0.0.251:3200;
# set $harbor_backend harbor-nginx:8080;
client_max_body_size 0;
@@ -46,11 +48,15 @@ server {
chunked_transfer_encoding on;
location / {
proxy_pass http://$harbor_backend;
proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://harbor_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
# WebSocket support for real-time updates
proxy_http_version 1.1;
@@ -86,12 +92,14 @@ server {
location /v2/ {
# Do not allow Nginx to add/remove trailing slashes here
proxy_pass http://$harbor_backend;
proxy_pass http://harbor_backend;
proxy_set_header Host $http_host; # Important for Registry
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Increase body size for image uploads
client_max_body_size 0;

82
data/sites-enabled/hugo.conf Normal file
View File

@@ -0,0 +1,82 @@
upstream hugo_backend {
server hugo:1313;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name novicelab.io www.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
# Redirect www to non-www
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name www.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# logging
error_log /var/log/nginx/error.log debug;
return 301 https://novicelab.io$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/novicelab.io_access.log json_combined;
error_log /var/log/nginx/novicelab.io_error.log debug;
# set $hugo_backend hugo:1313;
location / {
proxy_pass http://hugo_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
}
}

58
data/sites-enabled/kimai.conf Normal file
View File

@@ -0,0 +1,58 @@
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name kimai.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name kimai.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/kimai.novicelab.io_access.log;
error_log /var/log/nginx/kimai.novicelab.io_error.log;
set $kimai_backend kimai:8001;
location / {
proxy_pass http://10.0.0.250:8400;
# proxy_pass http://$kimai_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
# proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
}
# Redirect HTTP to HTTPS, in case an invalid (plain HTTP) request was sent to port 443
error_page 497 https://$host:$server_port$request_uri;
}

21
data/conf.d/mailcow.conf → data/sites-enabled/mailcow.conf
View File

@@ -6,20 +6,23 @@ server {
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name mailcow.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_timeout 1d;
# ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
# An example config is given below
# ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
ssl_prefer_server_ciphers off;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/mailcow.novicelab.io_access.log;

99
data/conf.d/minio.conf → data/sites-enabled/minio.conf
View File

@@ -1,3 +1,23 @@
upstream minio_backend {
server minio:9001;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
upstream s3_backend {
server minio:9000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name minio.novicelab.io;
@@ -5,32 +25,15 @@ server {
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name minio.novicelab.io;
# SSL Certificate paths
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# # SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -39,20 +42,16 @@ server {
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/minio.novicelab.io_access.log VCOMBINED;
access_log /var/log/nginx/minio.novicelab.io_access.log json_combined;
error_log /var/log/nginx/minio.novicelab.io_error.log debug;
# resolver 127.0.0.11 valid=30s;
set $minio_backend minio:9001;
# if ($http_x_forwarded_proto != "https") {
# return 301 https://$host$request_uri;
# }
# set $minio_backend minio:9001;
location / {
proxy_pass http://$minio_backend;
proxy_pass http://minio_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -70,33 +69,26 @@ server {
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 0;
client_max_body_size 500M;
}
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
listen 80;
server_name s3.novicelab.io;
return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name s3.novicelab.io;
# SSL Certificate paths
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -105,16 +97,17 @@ server {
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/s3.novicelab.io_access.log VCOMBINED;
access_log /var/log/nginx/s3.novicelab.io_access.log json_combined;
error_log /var/log/nginx/s3.novicelab.io_error.log debug;
# resolver 127.0.0.11 valid=30s;
set $s3_backend minio:9000;
# set $s3_backend minio:9000;
location / {
proxy_pass http://$s3_backend;
proxy_pass http://s3_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

0
data/conf.d/mkdocs.conf → data/sites-enabled/mkdocs.conf
View File

44
data/conf.d/opencloud.conf → data/sites-enabled/opencloud.conf
View File

@@ -1,3 +1,13 @@
upstream opencloud_backend {
server 10.0.0.250:9200;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name opencloud.novicelab.io;
@@ -5,25 +15,29 @@ server {
}
server {
listen 443 ssl; # http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name opencloud.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/opencloud.novicelab.io_access.log VCOMBINED;
access_log /var/log/nginx/opencloud.novicelab.io_access.log json_combined;
error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
client_max_body_size 10M;
# Disable buffering - essential for SSE
@@ -37,18 +51,14 @@ server {
keepalive_timeout 5m;
http2_max_concurrent_streams 512;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# set $opencloud_backend 10.0.0.251:9200;
# Prevent nginx from trying other upstreams
proxy_next_upstream off;
location / {
# Pass all other requests to CouchDB
proxy_pass http://10.0.0.251:9200;
#proxy_pass http://$opencloud_backend/;
proxy_pass http://opencloud_backend;
# proxy_pass http://opencloud_backend/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;

75
data/sites-enabled/opencloud_collabora.conf Normal file
View File

@@ -0,0 +1,75 @@
upstream collabora_backend {
server 10.0.0.250:9980;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name collabora.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name collabora.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/opencloud_collabora.novicelab.io_access.log json_combined;
error_log /var/log/nginx/opencloud_collabora.novicelab.io_error.log debug;
client_max_body_size 10M;
# Disable buffering - essential for SSE
proxy_buffering off;
proxy_request_buffering off;
# Extend timeouts for long connections
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
keepalive_requests 100000;
keepalive_timeout 5m;
http2_max_concurrent_streams 512;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# set $collabora_backend 10.0.0.251:9980;
# Prevent nginx from trying other upstreams
proxy_next_upstream off;
location / {
proxy_pass http://collabora_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Headers for WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

58
data/sites-enabled/opencloud_wopi.conf Normal file
View File

@@ -0,0 +1,58 @@
upstream wopi_backend {
server 10.0.0.250:9300;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
server {
listen 80;
server_name wopi.novicelab.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name wopi.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/opencloud_wopi.novicelab.io_access.log json_combined;
error_log /var/log/nginx/opencloud_wopi.novicelab.io_error.log debug;
# set $wopi_backend 10.0.0.251:9300;
location / {
# proxy_pass http://10.0.0.250:9300;
proxy_pass http://wopi_backend/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Headers for WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

126
data/conf.d/plane.conf → data/sites-enabled/plane.conf
View File

@@ -1,35 +1,58 @@
upstream backend_web {
server plane-web:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_space {
server plane-space:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_admin {
server plane-admin:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_live {
server plane-live:3000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
upstream backend_api {
server plane-api:8000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
# upstream backend_minio {
# server minio:9000;
# keepalive 16;
# keepalive_timeout 60s;
# keepalive_requests 100;
# }
server {
listen 80;
server_name plane.novicelab.io;
if ($host = plane.novicelab.io) {
return 301 https://$host$request_uri;
}
# listen 80;
# server_name plane.novicelab.io;
# return 404;
}
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name plane.novicelab.io;
# SSL Certificate paths
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -38,22 +61,22 @@ server {
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/plane.novicelab.io_access.log VCOMBINED;
access_log /var/log/nginx/plane.novicelab.io_access.log json_combined;
error_log /var/log/nginx/plane.novicelab.io_error.log debug;
# resolver 127.0.0.11 valid=30s;
# set $plane_backend 10.0.0.251:9020;
set $backend_web plane-web:3000;
set $backend_space plane-space:3000;
set $backend_admin plane-admin:3000;
set $backend_live plane-live:3000;
set $backend_api plane-api:8000;
# set $backend_web plane-web:3000;
# set $backend_space plane-space:3000;
# set $backend_admin plane-admin:3000;
# set $backend_live plane-live:3000;
# set $backend_api plane-api:8000;
set $backend_minio minio:9000;
client_max_body_size 0;
# client_max_body_size 0;
# Set the bucket name as a variable for the regex location
set $bucket_name "plane";
@@ -68,7 +91,7 @@ server {
return 301 /spaces/;
}
location /spaces/ {
proxy_pass http://$backend_space;
proxy_pass http://backend_space;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -81,7 +104,7 @@ server {
return 301 /god-mode/;
}
location /god-mode/ {
proxy_pass http://$backend_admin;
proxy_pass http://backend_admin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -91,7 +114,7 @@ server {
# Live
location /live/ {
proxy_pass http://$backend_live;
proxy_pass http://backend_live;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -101,7 +124,7 @@ server {
# API & Auth
location /api/ {
proxy_pass http://$backend_api;
proxy_pass http://backend_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -109,7 +132,7 @@ server {
proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
proxy_pass http://$backend_api;
proxy_pass http://backend_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -122,9 +145,6 @@ server {
# location ~ ^/${BUCKET_NAME}(/.*)?$ {
location ~ ^/plane(/.*)?$ {
proxy_pass http://$backend_minio/plane;
# proxy_pass https://s3.novicelab.io/plane;
# location ~ ^/test(/.*)?$ {
# proxy_pass http://$backend_minio/test;
proxy_set_header Host $host;
# Standard proxy headers
@@ -140,43 +160,17 @@ server {
return 204;
}
client_max_body_size 0;
client_max_body_size 20M;
# proxy_pass https://s3.novicelab.io/plane;
}
# location ~* ^/(?<bucket>.+)(?<path>/.*)?$ {
# # Check if the first part of the URI matches our bucket variable
# if ($bucket = $bucket_name) {
# proxy_pass http://$backend_minio;
# break;
# }
# # Fallback to the main web app if the path isn't the bucket
# set $upstream_web "web:3000";
# proxy_pass http://$upstream_web;
# }
# Web (Default catch-all)
location / {
proxy_pass http://$backend_web;
proxy_pass http://backend_web;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# location / {
# # proxy_pass http://10.0.0.251:9020;
# proxy_pass http://$plane_backend;
# # Set headers for proxied request
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $http_host;
# proxy_http_version 1.1;
# }
}

65
data/sites-enabled/portainer.conf Normal file
View File

@@ -0,0 +1,65 @@
upstream portainer_backend {
server portainer:9000;
keepalive 16;
keepalive_timeout 60s;
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name portainer.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name portainer.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/portainer.novicelab.io_access.log;
error_log /var/log/nginx/portainer.novicelab.io_error.log;
# set $portainer_backend portainer:9000;
location / {
proxy_pass http://portainer_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme; #https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;
}
}

88
data/sites-enabled/umami.conf Normal file
View File

@@ -0,0 +1,88 @@
upstream umami_backend {
server umami:3000;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# # Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name umami.novicelab.io;
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name umami.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/umami.novicelab.io_access.log json_combined;
error_log /var/log/nginx/umami.novicelab.io_error.log debug;
# set $umami_backend umami:3000;
location / {
proxy_pass http://umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https ;
proxy_set_header X-Forwarded-Host $host;
# WebSocket support for real-time dashboard
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# 1. Allow public access to tracking scripts
location ~ ^/(script\.js|umami\.js)$ {
proxy_pass http://umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https ;
proxy_set_header X-Forwarded-Host $host;
}
# 2. Allow public access to tracking API (metrics collection)
location /api/send {
proxy_pass http://umami_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; #https ;
proxy_set_header X-Forwarded-Host $host;
}
}

60
data/conf.d/vault.conf → data/sites-enabled/vault.conf
View File

@@ -1,26 +1,39 @@
upstream vault_backend {
server 10.0.0.250:8090;
# Keep up to 32 idle connections per worker
keepalive 16;
# Maximum time a connection can be idle
keepalive_timeout 60s;
# Maximum requests per keepalive connection
keepalive_requests 100;
}
# Redirect HTTP to HTTPS
server {
listen 443 ssl; #http2;
listen [::]:443 ssl; # http2;
listen 80;
listen [::]:80;
server_name vault.novicelab.io;
# SSL Certificate paths
# ACME challenge for Let's Encrypt certificate renewal
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name vault.novicelab.io;
# SSL
ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
# SSL Protocol - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# SSL session configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -29,16 +42,17 @@ server {
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Logging
access_log /var/log/nginx/vault.novicelab.io_access.log VCOMBINED;
access_log /var/log/nginx/vault.novicelab.io_access.log json_combined;
error_log /var/log/nginx/vault.novicelab.io_error.log debug;
set $vault_backend vaultwarden:443;
# set $vault_backend vaultwarden:443;
location / {
# proxy_pass http://$vault_backend;
# proxy_pass https://10.0.0.251:8100;
proxy_pass http://10.0.0.250:8090;
proxy_pass http://vault_backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

4
docker-compose.yml
View File

@@ -7,7 +7,9 @@ services:
- "443:443"
volumes:
- ./data/nginx.conf:/etc/nginx/nginx.conf:ro
- ./data/conf.d:/etc/nginx/conf.d:ro
# - ./data/conf.d:/etc/nginx/conf.d:ro
- ./data/sites-available:/etc/nginx/sites-available
- ./data/sites-enabled:/etc/nginx/sites-enabled
- ./data/logs:/var/log/nginx
- ./data/public:/usr/share/nginx/html:rw
- ./certbot/conf:/etc/letsencrypt