auf SSH umstellen

nginx.conf

@@ -1,8 +1,21 @@
 error_log /var/log/nginx/error.log info;
 
+# Default HTTP -> HTTPS redirect (keine Änderung)
 server {
     listen 80 default_server;
     server_name _;
+    return 301 https://$host$request_uri;
+}
+
+# UI (portal) - nur für server.schooltech.ch
+server {
+    listen 443 ssl http2;
+    server_name server.schooltech.ch;
+
+    ssl_certificate /etc/ssl/certs/server.crt;
+    ssl_certificate_key /etc/ssl/private/server.key;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
 
     root /usr/share/nginx/html;
     index index.html;
@@ -11,56 +24,85 @@ server {
         try_files $uri $uri/ /index.html;
     }
 
-    # API calls to Auth service inside Docker network
+    # API forwarding to auth (same as before)
     location /api/ {
         proxy_pass http://appserverauth:3000/api/;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
     }
+
+    # Internal auth endpoint for auth_request (used by other server blocks)
+    location = /nginxauth {
+        internal;
+        proxy_pass http://appserverauth:3000/internal/auth;
+        proxy_set_header Cookie $http_cookie;
+    }
+
+    # Security
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 }
 
+
 server {
-    listen 80;
+    listen 443 ssl http2;
     server_name abc.server.schooltech.ch;
 
+    ssl_certificate /etc/ssl/certs/server.crt;
+    ssl_certificate_key /etc/ssl/private/server.key;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    # Auth-Request
     auth_request /nginxauth;
 
     location / {
         proxy_pass https://thinkcentre.local:10010/;
 
-        # WebSocket and HTTPS upstream settings
+        # WebSocket Support
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
+
+        # SSL zum Upstream
         proxy_ssl_server_name on;
-        proxy_ssl_name abc.server.schooltech.ch;
+        proxy_ssl_name thinkcentre.local; # proxy_ssl_name abc.server.schooltech.ch;
         proxy_ssl_verify off;
 
-        proxy_set_header Host abc.server.schooltech.ch;
+        # Standard Proxy Header
+        proxy_set_header Host thinkcentre.local; # proxy_set_header Host abc.server.schooltech.ch;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto https;
         proxy_set_header Origin $http_origin;
 
         # iFrame erlauben
         proxy_hide_header X-Frame-Options;
-        add_header X-Frame-Options "ALLOWALL";
+        add_header X-Frame-Options "ALLOWALL" always;
+
         proxy_hide_header Content-Security-Policy;
-        add_header Content-Security-Policy "frame-ancestors *";
+        add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; # add_header Content-Security-Policy "frame-ancestors *" always;
     }
 
     location = /nginxauth {
         internal;
         proxy_pass http://appserverauth:3000/internal/auth;
         proxy_set_header Cookie $http_cookie;
+        proxy_set_header X-Original-URI $request_uri;
     }
 }
 
+
 server {
-    listen 80;
+    listen 443 ssl http2;
     server_name xyz.server.schooltech.ch;
 
+    ssl_certificate /etc/ssl/certs/server.crt;
+    ssl_certificate_key /etc/ssl/private/server.key;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
     auth_request /nginxauth;
 
     location / {
@@ -71,22 +113,25 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
 
+        # Proxy Header
         proxy_set_header Host xyz.server.schooltech.ch;
         proxy_set_header Origin $http_origin;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto https;
 
-                # iFrame erlauben
+        # iFrame erlauben
         proxy_hide_header X-Frame-Options;
-        add_header X-Frame-Options "ALLOWALL";
+        add_header X-Frame-Options "ALLOWALL" always;
+
         proxy_hide_header Content-Security-Policy;
-        add_header Content-Security-Policy "frame-ancestors *";
+        add_header Content-Security-Policy "frame-ancestors *" always;
     }
 
     location = /nginxauth {
         internal;
         proxy_pass http://appserverauth:3000/internal/auth;
         proxy_set_header Cookie $http_cookie;
+        proxy_set_header X-Original-URI $request_uri;
     }
 }