From 69ed1a853e3ffcb56bbe615e0479d0f4114beb6e Mon Sep 17 00:00:00 2001 From: kbrianngeno Date: Fri, 20 Mar 2026 04:11:20 +0000 Subject: [PATCH] Remove commented out config sections --- data/conf.d/adminer.conf | 40 +++++---------------------------------- data/conf.d/auth.conf | 30 ++++------------------------- data/conf.d/book.conf | 33 +++----------------------------- data/conf.d/cluster.conf | 8 ++++---- data/conf.d/drone.conf | 24 +---------------------- data/conf.d/gitea.conf | 4 ++-- data/conf.d/goaccess.conf | 5 ----- data/conf.d/harbor.conf | 3 --- data/conf.d/hugo.conf | 25 +++++------------------- data/conf.d/minio.conf | 15 ++++----------- data/conf.d/plane.conf | 40 ++++----------------------------------- data/conf.d/umami.conf | 23 +--------------------- data/conf.d/vault.conf | 4 ++-- 13 files changed, 35 insertions(+), 219 deletions(-) diff --git a/data/conf.d/adminer.conf b/data/conf.d/adminer.conf index 5038690..79f4cf4 100644 --- a/data/conf.d/adminer.conf +++ b/data/conf.d/adminer.conf @@ -1,7 +1,7 @@ upstream adminer_backend { server adminer:8080; - # Keep up to 32 idle connections per worker + # Keep up to 16 idle connections per worker keepalive 16; # Maximum time a connection can be idle 
@@ -27,26 +27,14 @@ server { } server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; + listen 443 ssl; + listen [::]:443 ssl; server_name adminer.novicelab.io; # SSL Certificate paths ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - # Trusted certificate for OCSP stapling - # ssl_trusted_certificate /etc/nginx/ssl/chain.pem; - - # Cloudflare Origin CA certificate for client verification - # Cloudflare Origin CA for authenticated origin pulls (optional) - # Only enable if you want to restrict to Cloudflare only - # ssl_client_certificate /etc/nginx/ssl/client-cert.pem; - # ssl_verify_client on; - - # SSL Protocol - TLS 1.2 and 1.3 only - # ssl_protocols TLSv1.2 TLSv1.3; - # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback) ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_prefer_server_ciphers off; @@ -56,9 +44,6 @@ server { ssl_session_cache shared:SSL:10m; ssl_session_tickets off; - # OCSP Stapling - # ssl_stapling on; - # ssl_stapling_verify on; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; 
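Review bot: After this hunk the adminer.conf 443 block carries no `ssl_protocols` directive at all — its only mention was the commented line deleted here — while the sibling vhosts in this patch (auth.conf, book.conf, hugo.conf, minio.conf) keep an active `ssl_protocols TLSv1.2 TLSv1.3;`. Unless the http{} context sets it (not visible here), this block runs on the nginx build's default, which on older builds still includes TLS 1.0/1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate paths so a database admin UI is not the one vhost with a weaker floor. Relatedly, the `ssl_ciphers` list still contains `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384`, but the only `ssl_dhparam` reference is deleted later in this file rather than enabled; nginx does not offer DHE suites without a dhparam file, so either drop those two suites or ship a 2048-bit-or-larger `ssl_dhparam`.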
@@ -70,32 +55,17 @@ server { add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; - # Diffie-Hellman parameter for DHE ciphersuites - # ssl_dhparam /etc/nginx/ssl/dhparam.pem; - # Logging access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined; error_log /var/log/nginx/adminer.novicelab.io_error.log debug; - # Root and index - # root /var/www/html; - # index index.html index.htm; - - # include /etc/letsencrypt/options-ssl-nginx.conf; # set $adminer_backend adminer:8080; - location / { #/adminer { - # rewrite ^/adminer/(.*)$ /$1 break; - - # proxy_pass http://10.0.0.251:9080/; + location / { proxy_pass http://adminer_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; #https; - #$scheme; - - # Handle redirects (like after login) so they stay under /adminer/ - # proxy_redirect / /adminer/; + proxy_set_header X-Forwarded-Proto $scheme; } } \ No newline at end of file diff --git a/data/conf.d/auth.conf b/data/conf.d/auth.conf index 9099d3b..8eff435 100644 --- a/data/conf.d/auth.conf +++ b/data/conf.d/auth.conf 
@@ -28,22 +28,13 @@ server { } server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; + listen 443 ssl; + listen [::]:443 ssl; # server_name auth.novicelab.io; # SSL Certificate paths ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - - # Trusted certificate for OCSP stapling - # ssl_trusted_certificate /etc/nginx/ssl/chain.pem; - - # Cloudflare Origin CA certificate for client verification - # Cloudflare Origin CA for authenticated origin pulls (optional) - # Only enable if you want to restrict to Cloudflare only - # ssl_client_certificate /etc/nginx/ssl/client-cert.pem; - # ssl_verify_client on; # SSL Protocol - TLS 1.2 and 1.3 only ssl_protocols TLSv1.2 TLSv1.3; @@ -57,9 +48,6 @@ server { ssl_session_cache shared:SSL:10m; ssl_session_tickets off; - # OCSP Stapling - # ssl_stapling on; - # ssl_stapling_verify on; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; 
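Review bot: `# server_name auth.novicelab.io;` is still commented out in this hunk's context, so the Keycloak 443 block has no name to match on; the same commented-out `server_name` survives in gitea.conf, hugo.conf and minio.conf in this patch. Because cluster.conf declares `server_name *.novicelab.io;`, a request for auth.novicelab.io would, unless an include not shown sets the name, be routed by nginx's wildcard match to the HAProxy proxy instead of Keycloak, and this block would only receive traffic as a default server for unmatched Host headers. A commit titled "Remove commented out config sections" is the right place to settle this: if auth.novicelab.io is meant to reach Keycloak directly, uncomment `server_name auth.novicelab.io;`; otherwise delete the block rather than leaving a nameless TLS vhost in the config.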
@@ -71,30 +59,20 @@ server { add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; - # Diffie-Hellman parameter for DHE ciphersuites - # ssl_dhparam /etc/nginx/ssl/dhparam.pem; - # Logging access_log /var/log/nginx/auth.novicelab.io_access.log json_combined; error_log /var/log/nginx/auth.novicelab.io_error.log debug; - # Root and index - # root /var/www/html; - # index index.html index.htm; - - # include /etc/letsencrypt/options-ssl-nginx.conf; - # set $keycloak_backend keycloak:80; - # client_max_body_size 0; - location / { + location / { # proxy_pass http://10.0.0.253:8085/auth/; proxy_pass http://keycloak_backend; proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; - proxy_set_header X-Forwarded-Proto https; #$scheme; + proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; diff --git a/data/conf.d/book.conf b/data/conf.d/book.conf index bd3e6f6..2daf294 100644 --- a/data/conf.d/book.conf +++ b/data/conf.d/book.conf @@ -29,22 +29,13 @@ server { } server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; + listen 443 ssl; + listen [::]:443 ssl; server_name book.novicelab.io; # SSL Certificate paths ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - - # Trusted certificate for OCSP stapling - # ssl_trusted_certificate /etc/nginx/ssl/chain.pem; - - # Cloudflare Origin CA certificate for client verification - # Cloudflare Origin CA for authenticated origin pulls (optional) - # Only enable if you want to restrict to Cloudflare only - # ssl_client_certificate /etc/nginx/ssl/client-cert.pem; - # ssl_verify_client on; # SSL Protocol - TLS 1.2 and 1.3 only ssl_protocols TLSv1.2 TLSv1.3; 
@@ -58,9 +49,6 @@ server { ssl_session_cache shared:SSL:10m; ssl_session_tickets off; - # OCSP Stapling - # ssl_stapling on; - # ssl_stapling_verify on; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; @@ -72,32 +60,17 @@ server { add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; - # Diffie-Hellman parameter for DHE ciphersuites - # ssl_dhparam /etc/nginx/ssl/dhparam.pem; - # Logging access_log /var/log/nginx/book.novicelab.io_access.log json_combined; error_log /var/log/nginx/book.novicelab.io_error.log debug; - # Root and index - # root /var/www/html; - # index index.html index.htm; - - # include /etc/letsencrypt/options-ssl-nginx.conf; - # set $bookstack_backend bookstack:80; - # client_max_body_size 0; - # BookStack (/docs) location / { - # rewrite ^/docs/(.*) /$1 break; proxy_pass http://bookstack_backend; - # proxy_pass http://10.0.0.251:6875/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; #$scheme; - - # proxy_redirect / /docs/; + proxy_set_header X-Forwarded-Proto https; } } \ No newline at end of file diff --git a/data/conf.d/cluster.conf b/data/conf.d/cluster.conf index d912f82..0436f79 100644 --- a/data/conf.d/cluster.conf +++ b/data/conf.d/cluster.conf @@ -6,8 +6,8 @@ upstream haproxy_backend { } server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; + listen 443 ssl; + listen [::]:443 ssl; server_name *.novicelab.io; # SSL Certificate paths 
@@ -38,11 +38,11 @@ server { add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; # Logging - access_log /var/log/nginx/*.novicelab.io_access.log VCOMBINED; + access_log /var/log/nginx/*.novicelab.io_access.log json_combined; error_log /var/log/nginx/*.novicelab.io_error.log debug; location / { - proxy_pass http://10.0.0.20:80; # Assuming HAProxy is on port 8080 + proxy_pass http://10.0.0.20:80; # proxy_pass http://haproxy_backend; proxy_http_version 1.1; proxy_set_header Connection ""; diff --git a/data/conf.d/drone.conf b/data/conf.d/drone.conf index 5609d85..9945a81 100644 --- a/data/conf.d/drone.conf +++ b/data/conf.d/drone.conf @@ -18,7 +18,7 @@ server { } server { - listen 443 ssl; # http2; + listen 443 ssl; server_name drone.novicelab.io; ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; @@ -40,9 +40,7 @@ server { resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; - # set $couch_backend 10.0.0.251:9001; # set $drone_backend drone:80; - # set $drone_runner_backend drone-runner-1:3000; location / { proxy_pass http://drone_backend; @@ -62,24 +60,4 @@ server { proxy_read_timeout 300; send_timeout 300; } - - # location /runner-1 { - # proxy_pass http://$drone_runner_backend; - # proxy_set_header Host $http_host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - - # # WebSocket support for real-time updates - # proxy_http_version 1.1; - # proxy_set_header Upgrade $http_upgrade; - # proxy_set_header Connection "upgrade"; - - # # Timeouts - # proxy_connect_timeout 300; - # proxy_send_timeout 300; - # proxy_read_timeout 300; - # send_timeout 300; - # } - } \ No newline at end of file diff --git a/data/conf.d/gitea.conf b/data/conf.d/gitea.conf index 1d77993..3954c49 100644 --- a/data/conf.d/gitea.conf +++ b/data/conf.d/gitea.conf 
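Review bot: The location still proxies to the literal `10.0.0.20:80` while the `haproxy_backend` upstream at the top of the file stays defined and is only referenced from a comment; the `proxy_http_version 1.1;` / `proxy_set_header Connection "";` pair is the upstream-keepalive idiom and gains nothing against a bare address. Either restore `proxy_pass http://haproxy_backend;` or delete the dead upstream so the file says one thing. The wildcard `server_name *.novicelab.io;` also makes this block the destination for every subdomain not named elsewhere, forwarded over plain HTTP to HAProxy; a one-line comment stating that this is the intended catch-all would save the next reader from treating it as an accident.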
@@ -12,8 +12,8 @@ upstream gitea_backend { } server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; + listen 443 ssl; + listen [::]:443 ssl; # server_name gitea.novicelab.io; # SSL Certificate paths diff --git a/data/conf.d/goaccess.conf b/data/conf.d/goaccess.conf index cf25eec..a0b1bd2 100644 --- a/data/conf.d/goaccess.conf +++ b/data/conf.d/goaccess.conf @@ -45,11 +45,6 @@ server { ssl_session_tickets off; ssl_protocols TLSv1.3; - # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - # add_header X-Content-Type-Options nosniff; - # add_header X-Frame-Options DENY; - # add_header X-XSS-Protection "1; mode=block"; - resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; diff --git a/data/conf.d/harbor.conf b/data/conf.d/harbor.conf index 884d22e..6a64e6e 100644 --- a/data/conf.d/harbor.conf +++ b/data/conf.d/harbor.conf @@ -61,9 +61,6 @@ server { location / { proxy_pass http://$harbor_backend; proxy_set_header Host $http_host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for real-time updates proxy_http_version 1.1; diff --git a/data/conf.d/hugo.conf b/data/conf.d/hugo.conf index c2b1467..454ae79 100644 --- a/data/conf.d/hugo.conf +++ b/data/conf.d/hugo.conf @@ -1,5 +1,6 @@ upstream hugo_backend { - server hugo:1313; + # server hugo:1313; + server 10.0.0.250:8000; # Keep up to 32 idle connections per worker keepalive 16; 
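Review bot: The goaccess.conf hunk deletes the commented `Strict-Transport-Security`, `X-Content-Type-Options` and `X-Frame-Options` headers rather than enabling them, and nothing in the visible part of this server block sets any response header, whereas the other vhosts in this patch emit at least `Referrer-Policy` and a CSP. If no `add_header` lines exist outside the hunk, the GoAccess log-analytics UI is served without clickjacking or MIME-sniffing protection; enable `add_header X-Frame-Options DENY always;`, `add_header X-Content-Type-Options nosniff always;` and the HSTS header, and leave the obsolete `X-XSS-Protection` out. The server block continues outside the hunk.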
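Review bot: In harbor.conf the `location /` keeps only `proxy_set_header Host $http_host;` and this hunk deletes the commented `X-Forwarded-Proto`, `X-Forwarded-For` and `X-Real-IP` headers instead of enabling them. Assuming this is a TLS-terminating 443 block like the rest of the patch, Harbor sees a plain-HTTP request with no `X-Forwarded-Proto` to learn the original scheme — commonly the cause of http:// redirects and token-service URLs behind a reverse proxy — and its access and audit logs will record the proxy address rather than the client. Add `proxy_set_header X-Forwarded-Proto $scheme;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Real-IP $remote_addr;` beside the Host header. The location block continues outside the hunk.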
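Review bot: `upstream hugo_backend` switches from `hugo:1313` to `10.0.0.250:8000`, which is a routing change, not a removal of commented-out config as the commit title states, and the old target is kept as a new comment — the very thing the commit removes elsewhere. Split the backend switch into its own commit (or name it in the message) and drop `# server hugo:1313;`. The `# Keep up to 32 idle connections per worker` comment above `keepalive 16;` is the same mismatch this commit corrects in adminer.conf; fix it here too: `# Keep up to 16 idle connections per worker`.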
@@ -28,22 +29,13 @@ server { } server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; + listen 443 ssl; + listen [::]:443 ssl; # server_name novicelab.io www.novicelab.io x.y.novicelab.io; # SSL Certificate paths ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - - # Trusted certificate for OCSP stapling - # ssl_trusted_certificate /etc/nginx/ssl/chain.pem; - - # Cloudflare Origin CA certificate for client verification - # Cloudflare Origin CA for authenticated origin pulls (optional) - # Only enable if you want to restrict to Cloudflare only - # ssl_client_certificate /etc/nginx/ssl/client-cert.pem; - # ssl_verify_client on; # SSL Protocol - TLS 1.2 and 1.3 only ssl_protocols TLSv1.2 TLSv1.3; @@ -78,18 +70,11 @@ server { access_log /var/log/nginx/novicelab.io_access.log json_combined; error_log /var/log/nginx/novicelab.io_error.log debug; - # Root and index - # root /var/www/html; - # index index.html index.htm; - - # Only allow traffic from Cloudflare IPs (optional but recommended) - # include /etc/nginx/cloudflare-ips.conf; - # include /etc/letsencrypt/options-ssl-nginx.conf; # set $hugo_backend hugo:1313; location / { - # proxy_pass http://10.0.0.251:9200/; + # proxy_pass http://10.0.0.250:8000/; proxy_pass http://hugo_backend; proxy_set_header Host $host; diff --git a/data/conf.d/minio.conf b/data/conf.d/minio.conf index c3a0881..d2bc7f1 100644 --- a/data/conf.d/minio.conf +++ b/data/conf.d/minio.conf @@ -31,14 +31,13 @@ server { } server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; + listen 443 ssl; + listen [::]:443 ssl; # server_name minio.novicelab.io; # SSL Certificate paths ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # # SSL Protocol - TLS 1.2 and 1.3 only ssl_protocols TLSv1.2 TLSv1.3; 
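Review bot: `# server_name novicelab.io www.novicelab.io x.y.novicelab.io;` remains commented out in this block, so the apex and www hosts have no server block naming them; unless an include not shown sets it, `www.novicelab.io` falls to cluster.conf's `*.novicelab.io` wildcard and the bare `novicelab.io` to whichever 443 block nginx treats as default. A cleanup commit is the place to settle this: uncomment the `server_name` line, dropping the placeholder `x.y.novicelab.io` if it is not a real host. The later hunk also deletes the `include /etc/nginx/cloudflare-ips.conf;` hint the file itself labelled recommended; if the site is fronted by Cloudflare, an origin-side allowlist or authenticated origin pulls is what prevents direct-to-origin access, so either re-add it or record in a comment why it is not used.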
@@ -52,9 +51,6 @@ server { ssl_session_cache shared:SSL:10m; ssl_session_tickets off; - # ssl_stapling on; - # ssl_stapling_verify on; - resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; @@ -73,9 +69,6 @@ server { # resolver 127.0.0.11 valid=30s; # set $minio_backend minio:9001; - # if ($http_x_forwarded_proto != "https") { - # return 301 https://$host$request_uri; - # } location / { proxy_pass http://minio_backend; @@ -107,8 +100,8 @@ server { } server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; + listen 443 ssl; + listen [::]:443 ssl; server_name s3.novicelab.io; # SSL Certificate paths diff --git a/data/conf.d/plane.conf b/data/conf.d/plane.conf index 6a2eb30..c1b11b5 100644 --- a/data/conf.d/plane.conf +++ b/data/conf.d/plane.conf @@ -37,17 +37,15 @@ upstream backend_api { server { + listen 80; + server_name plane.novicelab.io; if ($host = plane.novicelab.io) { return 301 https://$host$request_uri; } - - # listen 80; - # server_name plane.novicelab.io; - # return 404; } server { - listen 443 ssl; #http2; - listen [::]:443 ssl; # http2; + listen 443 ssl; + listen [::]:443 ssl; server_name plane.novicelab.io; # SSL Certificate paths @@ -81,7 +79,6 @@ server { access_log /var/log/nginx/plane.novicelab.io_access.log json_combined; error_log /var/log/nginx/plane.novicelab.io_error.log debug; - # resolver 127.0.0.11 valid=30s; # set $plane_backend 10.0.0.251:9020; # set $backend_web plane-web:3000; # set $backend_space plane-space:3000; @@ -160,9 +157,6 @@ server { # location ~ ^/${BUCKET_NAME}(/.*)?$ { location ~ ^/plane(/.*)?$ { proxy_pass http://$backend_minio/plane; - # proxy_pass https://s3.novicelab.io/plane; - # location ~ ^/test(/.*)?$ { - # proxy_pass http://$backend_minio/test; proxy_set_header Host $host; # Standard proxy headers 
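Review bot: The plane.conf port-80 block now has `listen 80;` and `server_name plane.novicelab.io;`, so the `if ($host = plane.novicelab.io)` guard is redundant for matching requests, while a request that reaches this block with any other Host (it can be chosen as the default server for :80 if it is the first one defined) gets no `return` at all and is served from nginx's compiled-in document root. Replace the `if` with an unconditional `return 301 https://$host$request_uri;`, or add `return 404;` after the `if` as the deleted comment intended. Redirecting to `https://$server_name$request_uri` instead of `$host` also removes the dependence on the client-supplied Host header.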
@@ -181,17 +175,6 @@ server { client_max_body_size 0; # proxy_pass https://s3.novicelab.io/plane; } - # location ~* ^/(?.+)(?/.*)?$ { - # # Check if the first part of the URI matches our bucket variable - # if ($bucket = $bucket_name) { - # proxy_pass http://$backend_minio; - # break; - # } - - # # Fallback to the main web app if the path isn't the bucket - # set $upstream_web "web:3000"; - # proxy_pass http://$upstream_web; - # } # Web (Default catch-all) location / { @@ -202,19 +185,4 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } - - # location / { - # # proxy_pass http://10.0.0.251:9020; - # proxy_pass http://$plane_backend; - # # Set headers for proxied request - # proxy_set_header X-Forwarded-Proto $scheme; - # proxy_set_header X-Forwarded-Host $host; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Real-IP $remote_addr; - - # proxy_set_header Upgrade $http_upgrade; - # proxy_set_header Connection "upgrade"; - # proxy_set_header Host $http_host; - # proxy_http_version 1.1; - # } } \ No newline at end of file diff --git a/data/conf.d/umami.conf b/data/conf.d/umami.conf index 773b54d..96ced33 100644 --- a/data/conf.d/umami.conf +++ b/data/conf.d/umami.conf @@ -35,15 +35,6 @@ server { # SSL Certificate paths ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; - - # Trusted certificate for OCSP stapling - # ssl_trusted_certificate /etc/nginx/ssl/chain.pem; - - # Cloudflare Origin CA certificate for client verification - # Cloudflare Origin CA for authenticated origin pulls (optional) - # Only enable if you want to restrict to Cloudflare only - # ssl_client_certificate /etc/nginx/ssl/client-cert.pem; - # ssl_verify_client on; # SSL Protocol - TLS 1.2 and 1.3 only ssl_protocols TLSv1.2 TLSv1.3; 
@@ -57,9 +48,6 @@ server { ssl_session_cache shared:SSL:10m; ssl_session_tickets off; - # OCSP Stapling - # ssl_stapling on; - # ssl_stapling_verify on; resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; @@ -71,29 +59,20 @@ server { add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; - # Diffie-Hellman parameter for DHE ciphersuites - # ssl_dhparam /etc/nginx/ssl/dhparam.pem; - # Logging access_log /var/log/nginx/umami.novicelab.io_access.log json_combined; error_log /var/log/nginx/umami.novicelab.io_error.log debug; - # Root and index - # root /var/www/html; - # index index.html index.htm; - - # include /etc/letsencrypt/options-ssl-nginx.conf; # set $umami_backend umami:3000; location / { - # proxy_pass http://10.0.0.251:9200/; # proxy_pass http://$umami_backend; proxy_pass http://umami_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; # $scheme; + proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_buffering off; diff --git a/data/conf.d/vault.conf b/data/conf.d/vault.conf index 4b04852..fdaa69e 100644 --- a/data/conf.d/vault.conf +++ b/data/conf.d/vault.conf @@ -11,7 +11,7 @@ upstream vault_backend { keepalive_requests 100; } -# # Redirect HTTP to HTTPS +# Redirect HTTP to HTTPS server { listen 80; listen [::]:80; @@ -62,11 +62,11 @@ server { # Logging access_log /var/log/nginx/vault.novicelab.io_access.log json_combined; error_log /var/log/nginx/vault.novicelab.io_error.log debug; + # set $vault_backend vaultwarden:443; location / { # proxy_pass http://$vault_backend; - # proxy_pass http://10.0.0.250:8090; proxy_pass http://vault_backend; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; -- 2.49.1
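Review bot: The vault.conf hunk adds a new commented-out line, `# set $vault_backend vaultwarden:443;`, in a commit whose purpose is removing such lines, and the `proxy_pass http://vault_backend;` right below it already names the upstream; drop the comment, or if the port-443 detail matters turn it into a real comment on the upstream block. Separately, `error_log ... debug;` is retained as context on this Vaultwarden vhost (and on every vhost in the patch): when nginx is built with `--with-debug`, the debug level writes full request headers, including `Authorization` and `Cookie` values, to the error log, which is a credential-exposure path for a password-manager front end; lower it to `warn` outside active troubleshooting.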