VibeCoding mit Problemen
This commit is contained in:
@@ -17,3 +17,5 @@ xyz.server.schooltech.ch = /var/www/certbot
|
||||
controller.server.schooltech.ch = /var/www/certbot
|
||||
portainer.server.schooltech.ch = /var/www/certbot
|
||||
simulation3a29.server.schooltech.ch = /var/www/certbot
|
||||
[acme_renewal_info]
|
||||
ari_retry_after = 2026-02-07T08:36:28
|
||||
|
||||
147
nginx.conf
147
nginx.conf
@@ -5,7 +5,9 @@ map $http_upgrade $connection_upgrade {
|
||||
'' close;
|
||||
}
|
||||
|
||||
# Default HTTP -> HTTPS redirect (keine Änderung)
|
||||
# ------------------------------------------------------------
|
||||
# Default HTTP -> HTTPS redirect
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
@@ -19,7 +21,25 @@ server {
|
||||
}
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# #***# DEFAULT 443 SERVER (NEU)
|
||||
# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt"
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
server_name _;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
|
||||
# Einfach Verbindung schließen für unbekannte Hosts
|
||||
return 444;
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# UI (portal) - nur für server.schooltech.ch
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name server.schooltech.ch;
|
||||
@@ -36,7 +56,7 @@ server {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
|
||||
# API forwarding to auth (same as before)
|
||||
# API forwarding to auth (wie vorher) - nur für server.schooltech.ch
|
||||
location /api/ {
|
||||
proxy_pass http://appserverauth:3000/api/;
|
||||
proxy_set_header Host $host;
|
||||
@@ -45,18 +65,28 @@ server {
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# Internal auth endpoint for auth_request (used by other server blocks)
|
||||
# Einheitlicher nginxauth-Block: Host + URI an Auth-Service
|
||||
# ------------------------------------------------------------
|
||||
location = /nginxauth {
|
||||
internal;
|
||||
proxy_pass http://appserverauth:3000/internal/auth;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH: proxy_pass (wichtig)
|
||||
proxy_set_header Cookie $http_cookie; #***# AUTH: Cookie weitergeben
|
||||
|
||||
#***# AUTH HEADER ERWEITERUNG
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Original-Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
}
|
||||
|
||||
# Security
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
}
|
||||
|
||||
# (abc.server.schooltech.ch) - Controller on ThinkCentre
|
||||
# ------------------------------------------------------------
|
||||
# abc.server.schooltech.ch - Controller on ThinkCentre
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name abc.server.schooltech.ch;
|
||||
@@ -95,7 +125,7 @@ server {
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
|
||||
# ---- Hauptanwendung (HTML, API-Aufrufe aus dem App) - auth prüfen ----
|
||||
# ---- Hauptanwendung (HTML, API-Aufrufe) - auth prüfen ----
|
||||
location / {
|
||||
auth_request /nginxauth;
|
||||
|
||||
@@ -122,15 +152,22 @@ server {
|
||||
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
|
||||
}
|
||||
|
||||
# /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet)
|
||||
location = /nginxauth {
|
||||
internal;
|
||||
proxy_pass http://appserverauth:3000/internal/auth;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH
|
||||
proxy_set_header Cookie $http_cookie; #***# AUTH
|
||||
|
||||
#***# AUTH HEADER ERWEITERUNG
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Original-Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
}
|
||||
}
|
||||
|
||||
# Simulation 3a29
|
||||
# ------------------------------------------------------------
|
||||
# simulation3a29.server.schooltech.ch
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name simulation3a29.server.schooltech.ch;
|
||||
@@ -140,7 +177,7 @@ server {
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ----
|
||||
# ---- Static assets: keine Auth ----
|
||||
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
|
||||
proxy_pass https://thinkcentre.local:1003;
|
||||
proxy_set_header Host thinkcentre.local;
|
||||
@@ -150,7 +187,7 @@ server {
|
||||
# kein proxy_set_header Connection / Upgrade hier
|
||||
}
|
||||
|
||||
# ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ----
|
||||
# ---- WebSocket-Endpoint ----
|
||||
location /echo {
|
||||
auth_request /nginxauth;
|
||||
proxy_pass https://thinkcentre.local:1003/echo;
|
||||
@@ -169,7 +206,7 @@ server {
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
|
||||
# ---- Hauptanwendung (HTML, API-Aufrufe aus dem App) - auth prüfen ----
|
||||
# ---- Hauptanwendung ----
|
||||
location / {
|
||||
auth_request /nginxauth;
|
||||
|
||||
@@ -196,15 +233,24 @@ server {
|
||||
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# location = /nginxauth (SIMULATION FIX)
|
||||
# ------------------------------------------------------------
|
||||
location = /nginxauth {
|
||||
internal;
|
||||
proxy_pass http://appserverauth:3000/internal/auth;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
proxy_pass http://appserverauth:3000/internal/auth; #***# SIMULATION: fehlende proxy_pass eingefügt
|
||||
proxy_set_header Cookie $http_cookie; #***# SIMULATION: Cookie weitergeben
|
||||
|
||||
#***# AUTH HEADER ERWEITERUNG (nur einmal)
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Original-Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
}
|
||||
}
|
||||
|
||||
# Guacamole on ThinkCentre
|
||||
# ------------------------------------------------------------
|
||||
# xyz.server.schooltech.ch (Guacamole on ThinkCentre)
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name xyz.server.schooltech.ch;
|
||||
@@ -215,7 +261,7 @@ server {
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
location / {
|
||||
auth_request /nginxauth; # <--- hier
|
||||
auth_request /nginxauth; # Auth prüfen
|
||||
|
||||
proxy_pass http://thinkcentre.local:8080/;
|
||||
|
||||
@@ -223,8 +269,8 @@ server {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
# Proxy Header
|
||||
proxy_set_header Host thinkcentre.local; # <--- Upstream erwartet diesen Host
|
||||
# Proxy Header (Upstream erwartet thinkcentre.local)
|
||||
proxy_set_header Host thinkcentre.local; # bewusst: Upstream Host-Expectation
|
||||
proxy_set_header Origin $http_origin;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@@ -240,14 +286,20 @@ server {
|
||||
|
||||
location = /nginxauth {
|
||||
internal;
|
||||
proxy_pass http://appserverauth:3000/internal/auth;
|
||||
proxy_pass http://appserverauth:3000/internal/auth; #***# XYZ: proxy_pass wie überall
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
|
||||
#***# XYZ AUTH HOST: Original-Host weitergeben (wichtig für Redirects/Checks)
|
||||
proxy_set_header X-Original-Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Guacamole on ThinkCentre
|
||||
# ------------------------------------------------------------
|
||||
# portainer.server.schooltech.ch
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name portainer.server.schooltech.ch;
|
||||
@@ -257,23 +309,52 @@ server {
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
location / {
|
||||
auth_request /nginxauth; # <--- hier
|
||||
#***# PORTAINER: API direkt weiterleiten (kein auth_request)
|
||||
location ^~ /api/ {
|
||||
proxy_pass http://127.0.0.1:9000; #***# auf lokalen Portainer HTTP Backend zeigen
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
}
|
||||
|
||||
proxy_pass http://portainer:9000/;
|
||||
#***# PORTAINER: statische Assets / locales ebenfalls ohne auth (wichtig für i18n)
|
||||
location ~* \.(?:js|css|json|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
|
||||
proxy_pass http://127.0.0.1:9000;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
}
|
||||
|
||||
location ^~ /locales/ {
|
||||
# explizit für i18n Pfade
|
||||
proxy_pass http://127.0.0.1:9000;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
|
||||
# Haupt-UI: auth_request greift nur hier (UI), nicht für /api/ oder Assets
|
||||
location / {
|
||||
auth_request /nginxauth;
|
||||
|
||||
proxy_pass http://127.0.0.1:9000/; #***# auf lokales Portainer HTTP Backend zeigen
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
# Proxy Header
|
||||
proxy_set_header Host thinkcentre.local; # <--- Upstream erwartet diesen Host
|
||||
#***# PORTAINER HOST FIX:
|
||||
proxy_set_header Host $host; #***# PORTAINER HOST
|
||||
proxy_set_header X-Forwarded-Host $host; #***# PORTAINER HOST
|
||||
proxy_set_header X-Forwarded-Proto https; #***# PORTAINER HOST
|
||||
|
||||
proxy_set_header Origin $http_origin;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
|
||||
# iFrame erlauben
|
||||
proxy_hide_header X-Frame-Options;
|
||||
add_header X-Frame-Options "ALLOWALL" always;
|
||||
|
||||
@@ -283,8 +364,12 @@ server {
|
||||
|
||||
location = /nginxauth {
|
||||
internal;
|
||||
proxy_pass http://appserverauth:3000/internal/auth;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH
|
||||
proxy_set_header Cookie $http_cookie; #***# AUTH
|
||||
|
||||
#***# AUTH HEADER ERWEITERUNG
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Original-Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
</header>
|
||||
|
||||
<main>
|
||||
<h1>Willkommen im Service Portal</h1>
|
||||
<h1>server.schooltech.ch - Service Portal</h1>
|
||||
|
||||
<!-- iFrame für Services -->
|
||||
<iframe id="service-frame" style="width:100%;height:80vh;display:none;"></iframe>
|
||||
|
||||
@@ -42,7 +42,7 @@ nav button:hover {
|
||||
}
|
||||
|
||||
main {
|
||||
padding: 100px 40px;
|
||||
padding: 80px 4px;
|
||||
}
|
||||
|
||||
#service-grid {
|
||||
|
||||
Reference in New Issue
Block a user