diff --git a/letsencrypt/conf/renewal/server.schooltech.ch.conf b/letsencrypt/conf/renewal/server.schooltech.ch.conf index c1ac545..9b37deb 100644 --- a/letsencrypt/conf/renewal/server.schooltech.ch.conf +++ b/letsencrypt/conf/renewal/server.schooltech.ch.conf @@ -17,3 +17,5 @@ xyz.server.schooltech.ch = /var/www/certbot controller.server.schooltech.ch = /var/www/certbot portainer.server.schooltech.ch = /var/www/certbot simulation3a29.server.schooltech.ch = /var/www/certbot +[acme_renewal_info] +ari_retry_after = 2026-02-07T08:36:28 diff --git a/nginx.conf b/nginx.conf index 957cefc..b2f3605 100755 --- a/nginx.conf +++ b/nginx.conf @@ -5,7 +5,9 @@ map $http_upgrade $connection_upgrade { '' close; } -# Default HTTP -> HTTPS redirect (keine Änderung) +# ------------------------------------------------------------ +# Default HTTP -> HTTPS redirect +# ------------------------------------------------------------ server { listen 80 default_server; server_name _; @@ -19,7 +21,25 @@ server { } } +# ------------------------------------------------------------ +# #***# DEFAULT 443 SERVER (NEU) +# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt" +# ------------------------------------------------------------ +server { + listen 443 ssl http2 default_server; + server_name _; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + + # Einfach Verbindung schließen für unbekannte Hosts + return 444; +} + +# ------------------------------------------------------------ # UI (portal) - nur für server.schooltech.ch +# ------------------------------------------------------------ server { listen 443 ssl http2; server_name server.schooltech.ch; 
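Review bot: The new `default_server` block on 443 sets `ssl_protocols` but not the `ssl_prefer_server_ciphers on;` that the named vhosts in this file carry (visible as context in the later hunks), so TLS policy is spelled out per block and already differs between the catch-all and the real hosts. Since the catch-all completes a full TLS handshake with the production certificate before `return 444;`, it should be held to the same settings: either add `ssl_prefer_server_ciphers on;` here or, better, declare the certificate, `ssl_protocols` and cipher directives once at `http {}` level (outside this diff) and drop the copies from the server blocks. Rejecting unknown Host names with 444 instead of letting them fall through to the first 443 vhost is a sound change and worth a short English comment, e.g. `# Catch-all: unknown Host/SNI must not reach the first named 443 vhost`.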
@@ -36,7 +56,7 @@ server { try_files $uri $uri/ /index.html; } - # API forwarding to auth (same as before) + # API forwarding to auth (wie vorher) - nur für server.schooltech.ch location /api/ { proxy_pass http://appserverauth:3000/api/; proxy_set_header Host $host; @@ -45,18 +65,28 @@ server { proxy_set_header X-Forwarded-Proto $scheme; } + # ------------------------------------------------------------ # Internal auth endpoint for auth_request (used by other server blocks) + # Einheitlicher nginxauth-Block: Host + URI an Auth-Service + # ------------------------------------------------------------ location = /nginxauth { internal; - proxy_pass http://appserverauth:3000/internal/auth; - proxy_set_header Cookie $http_cookie; + proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH: proxy_pass (wichtig) + proxy_set_header Cookie $http_cookie; #***# AUTH: Cookie weitergeben + + #***# AUTH HEADER ERWEITERUNG + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; } # Security add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; } -# (abc.server.schooltech.ch) - Controller on ThinkCentre +# ------------------------------------------------------------ +# abc.server.schooltech.ch - Controller on ThinkCentre +# ------------------------------------------------------------ server { listen 443 ssl http2; server_name abc.server.schooltech.ch; @@ -95,7 +125,7 @@ server { proxy_set_header X-Forwarded-Proto https; } - # ---- Hauptanwendung (HTML, API-Aufrufe aus dem App) - auth prüfen ---- + # ---- Hauptanwendung (HTML, API-Aufrufe) - auth prüfen ---- location / { auth_request /nginxauth; 
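Review bot: The portal's `location = /nginxauth` (and its four copies further down) forwards the original request's headers to the auth service but, being an auth_request subrequest, not its body, so a POST to a guarded location reaches `appserverauth:3000/internal/auth` with the client's `Content-Length` and no body, and a backend that reads the body can block until the proxy timeout. Add `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";` to the block, as the ngx_http_auth_request_module documentation recommends. Note also that nginx resolves the auth_request URI inside the same `server {}`, so this copy is not "used by other server blocks" as the surrounding comment claims; nothing visible in the portal vhost issues auth_request, so it looks like dead configuration. The new `X-Original-Host $host` value is trustworthy only because the 443 `default_server` added in this commit answers unmatched Host names with 444, so a request reaching this vhost carries a Host matching its `server_name`; a one-line comment stating that dependency, e.g. `# $host is bounded by server_name here: unmatched Hosts hit the 443 default_server`, would help the next maintainer.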
@@ -122,15 +152,22 @@ server { add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; } + # /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet) location = /nginxauth { internal; - proxy_pass http://appserverauth:3000/internal/auth; - proxy_set_header Cookie $http_cookie; + proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH + proxy_set_header Cookie $http_cookie; #***# AUTH + + #***# AUTH HEADER ERWEITERUNG proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; } } -# Simulation 3a29 +# ------------------------------------------------------------ +# simulation3a29.server.schooltech.ch +# ------------------------------------------------------------ server { listen 443 ssl http2; server_name simulation3a29.server.schooltech.ch; @@ -140,7 +177,7 @@ server { ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; - # ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ---- + # ---- Static assets: keine Auth ---- location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ { proxy_pass https://thinkcentre.local:1003; proxy_set_header Host thinkcentre.local; @@ -150,7 +187,7 @@ server { # kein proxy_set_header Connection / Upgrade hier } - # ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ---- + # ---- WebSocket-Endpoint ---- location /echo { auth_request /nginxauth; proxy_pass https://thinkcentre.local:1003/echo; @@ -169,7 +206,7 @@ server { proxy_set_header X-Forwarded-Proto https; } - # ---- Hauptanwendung (HTML, API-Aufrufe aus dem App) - auth prüfen ---- + # ---- Hauptanwendung ---- location / { auth_request /nginxauth; 
@@ -196,15 +233,24 @@ server { add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; } + # ------------------------------------------------------------ + # location = /nginxauth (SIMULATION FIX) + # ------------------------------------------------------------ location = /nginxauth { internal; - proxy_pass http://appserverauth:3000/internal/auth; - proxy_set_header Cookie $http_cookie; + proxy_pass http://appserverauth:3000/internal/auth; #***# SIMULATION: fehlende proxy_pass eingefügt + proxy_set_header Cookie $http_cookie; #***# SIMULATION: Cookie weitergeben + + #***# AUTH HEADER ERWEITERUNG (nur einmal) proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; } } -# Guacamole on ThinkCentre +# ------------------------------------------------------------ +# xyz.server.schooltech.ch (Guacamole on ThinkCentre) +# ------------------------------------------------------------ server { listen 443 ssl http2; server_name xyz.server.schooltech.ch; @@ -215,7 +261,7 @@ server { ssl_prefer_server_ciphers on; location / { - auth_request /nginxauth; # <--- hier + auth_request /nginxauth; # Auth prüfen proxy_pass http://thinkcentre.local:8080/; @@ -223,8 +269,8 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; - # Proxy Header - proxy_set_header Host thinkcentre.local; # <--- Upstream erwartet diesen Host + # Proxy Header (Upstream erwartet thinkcentre.local) + proxy_set_header Host thinkcentre.local; # bewusst: Upstream Host-Expectation proxy_set_header Origin $http_origin; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
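Review bot: The comment `#***# SIMULATION: fehlende proxy_pass eingefügt` is misleading, because the removed line directly above already contained the identical `proxy_pass http://appserverauth:3000/internal/auth;`; the hunk only adds headers, so the comment should be dropped or reworded to `# same auth upstream as the other vhosts`. More generally this is the fourth near-verbatim copy of the `location = /nginxauth` block, and the copies are already drifting (the `#***#` commentary differs per block and the `(nur einmal)` note suggests a duplicate directive slipped in at some point); moving the shared `internal;`, `proxy_pass` and `proxy_set_header` lines into a snippet and writing `include snippets/nginxauth.conf;` inside each vhost would keep the auth contract in one place. Each vhost still needs its own location because nginx resolves auth_request URIs within the server block, but only the include line has to be repeated.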
@@ -240,14 +286,20 @@ server { location = /nginxauth { internal; - proxy_pass http://appserverauth:3000/internal/auth; + proxy_pass http://appserverauth:3000/internal/auth; #***# XYZ: proxy_pass wie überall proxy_set_header Cookie $http_cookie; + proxy_set_header X-Original-URI $request_uri; + + #***# XYZ AUTH HOST: Original-Host weitergeben (wichtig für Redirects/Checks) + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; } } - -# Guacamole on ThinkCentre +# ------------------------------------------------------------ +# portainer.server.schooltech.ch +# ------------------------------------------------------------ server { listen 443 ssl http2; server_name portainer.server.schooltech.ch; 
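Review bot: The xyz (Guacamole) vhost now sends `X-Original-URI $request_uri` to the auth service; `$request_uri` includes the query string, and Guacamole's web client has historically passed its session token as a `token=` query parameter on REST and tunnel requests, so that token would be copied into the auth service's request headers and likely its logs. If the auth service only needs the path, send `proxy_set_header X-Original-URI $uri;` instead, or confirm that the auth service never logs this header. The comment `wichtig für Redirects/Checks` should say what the auth service does with `X-Original-Host`; if it builds redirect targets from it, the value is bounded by this vhost's `server_name` only as long as the new 443 `default_server` (444) stays in place, which deserves a comment at the directive.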
@@ -257,23 +309,52 @@ server { ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; - location / { - auth_request /nginxauth; # <--- hier + #***# PORTAINER: API direkt weiterleiten (kein auth_request) + location ^~ /api/ { + proxy_pass http://127.0.0.1:9000; #***# auf lokalen Portainer HTTP Backend zeigen + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } - proxy_pass http://portainer:9000/; + #***# PORTAINER: statische Assets / locales ebenfalls ohne auth (wichtig für i18n) + location ~* \.(?:js|css|json|png|jpg|jpeg|gif|ico|svg|woff2?)$ { + proxy_pass http://127.0.0.1:9000; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location ^~ /locales/ { + # explizit für i18n Pfade + proxy_pass http://127.0.0.1:9000; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; + } + + # Haupt-UI: auth_request greift nur hier (UI), nicht für /api/ oder Assets + location / { + auth_request /nginxauth; + + proxy_pass http://127.0.0.1:9000/; #***# auf lokales Portainer HTTP Backend zeigen proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; - # Proxy Header - proxy_set_header Host thinkcentre.local; # <--- Upstream erwartet diesen Host + #***# PORTAINER HOST FIX: + proxy_set_header Host $host; #***# PORTAINER HOST + proxy_set_header X-Forwarded-Host $host; #***# PORTAINER HOST + proxy_set_header X-Forwarded-Proto https; #***# PORTAINER HOST + proxy_set_header Origin $http_origin; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - # iFrame erlauben 
proxy_hide_header X-Frame-Options; add_header X-Frame-Options "ALLOWALL" always; @@ -283,8 +364,12 @@ server { location = /nginxauth { internal; - proxy_pass http://appserverauth:3000/internal/auth; - proxy_set_header Cookie $http_cookie; + proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH + proxy_set_header Cookie $http_cookie; #***# AUTH + + #***# AUTH HEADER ERWEITERUNG proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; } -} \ No newline at end of file +} diff --git a/public/index.html b/public/index.html index 595009a..9623e70 100755 --- a/public/index.html +++ b/public/index.html @@ -16,7 +16,7 @@
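Review bot: The new `location ^~ /api/` proxies the entire Portainer API without `auth_request /nginxauth;`, so the portal's authentication now gates only the HTML shell under `location /` while every data and control call, including login and whatever endpoints Portainer itself leaves unauthenticated, is reachable with nothing but Portainer's own session check; the `~* \.(?:js|css|json|...)$` regex location likewise bypasses the gate for any path ending in those extensions. If the intent is to keep Portainer behind the portal's SSO, add `auth_request /nginxauth;` to the `/api/` block as well (the browser sends the portal cookie on same-origin XHR, so the subrequest should pass) and document any deliberate exception with a comment. If the bypass was motivated by WebSocket endpoints under `/api/` (console/exec), note that this location also lacks `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection $connection_upgrade;`, which the `location /` block keeps. Separately, the upstream changed from `http://portainer:9000/` to `http://127.0.0.1:9000`; if nginx runs in its own container, as the `appserverauth:3000` upstream suggests, 127.0.0.1 is nginx's own loopback and Portainer will be unreachable unless host networking is in use. The enclosing server block continues past this hunk.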
-

Willkommen im Service Portal

+

server.schooltech.ch - Service Portal

diff --git a/public/style.css b/public/style.css index 8d6fec1..ff9bc19 100755 --- a/public/style.css +++ b/public/style.css @@ -42,7 +42,7 @@ nav button:hover { } main { - padding: 100px 40px; + padding: 80px 4px; } #service-grid {