Login
This commit is contained in:
425
nginx.conf
425
nginx.conf
@@ -1,432 +1,29 @@
|
||||
error_log /var/log/nginx/error.log info;
|
||||
|
||||
resolver 127.0.0.11 valid=30s;
|
||||
resolver_timeout 5s;
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# Default HTTP -> HTTPS redirect
|
||||
# ------------------------------------------------------------
|
||||
# /etc/nginx/conf.d/default.conf
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
# ACME HTTP-01 Challenge (Certbot)
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
default_type "text/plain; charset=utf-8";
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# #***# DEFAULT 443 SERVER (NEU)
|
||||
# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt"
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
server_name _;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# Einfach Verbindung schließen für unbekannte Hosts
|
||||
return 444;
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# UI (portal) - nur für server.schooltech.ch
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name server.schooltech.ch;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
|
||||
# PortalUI root
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
|
||||
# API forwarding to auth (wie vorher) - nur für server.schooltech.ch
|
||||
# === API forwarding for Auth-Service ===
|
||||
location /api/ {
|
||||
proxy_pass http://appServer_Auth:3000/api/;
|
||||
proxy_pass http://appserverauth:3000/api/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# Internal auth endpoint for auth_request (used by other server blocks)
|
||||
# Einheitlicher nginxauth-Block: Host + URI an Auth-Service
|
||||
# ------------------------------------------------------------
|
||||
location = /nginxauth {
|
||||
internal;
|
||||
proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH: proxy_pass (wichtig)
|
||||
proxy_set_header Cookie $http_cookie; #***# AUTH: Cookie weitergeben
|
||||
|
||||
#***# AUTH HEADER ERWEITERUNG
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Original-Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
}
|
||||
|
||||
# Security
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
# SSL
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# abc.server.schooltech.ch - Controller on ThinkCentre
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name abc.server.schooltech.ch;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
set $serverBackendControl "appRobot_Control:10010";
|
||||
set $auth_backend "appServer_Auth:3000";
|
||||
|
||||
|
||||
location @fallback {
|
||||
default_type text/html;
|
||||
return 200 '
|
||||
<html>
|
||||
<head>
|
||||
<title>Dienst offline</title>
|
||||
</head>
|
||||
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
|
||||
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
|
||||
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
|
||||
</body>
|
||||
</html>';
|
||||
}
|
||||
|
||||
# ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ----
|
||||
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
|
||||
proxy_pass https://$serverBackendControl;
|
||||
proxy_set_header Host thinkcentre.local;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
# kein proxy_set_header Connection / Upgrade hier
|
||||
}
|
||||
|
||||
# ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ----
|
||||
location /echo {
|
||||
auth_request /nginxauth;
|
||||
proxy_pass https://$serverBackendControl/echo;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name thinkcentre.local;
|
||||
proxy_ssl_verify off;
|
||||
|
||||
proxy_set_header Host thinkcentre.local;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
|
||||
# ---- Hauptanwendung (HTML, API-Aufrufe) - auth prüfen ----
|
||||
# === SPA routing (Portal UI) ===
|
||||
location / {
|
||||
auth_request /nginxauth;
|
||||
|
||||
proxy_pass https://$serverBackendControl/;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name thinkcentre.local;
|
||||
proxy_ssl_verify off;
|
||||
|
||||
proxy_set_header Host thinkcentre.local;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Origin $http_origin;
|
||||
|
||||
proxy_hide_header X-Frame-Options;
|
||||
add_header X-Frame-Options "ALLOWALL" always;
|
||||
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
|
||||
# /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet)
|
||||
location = /nginxauth {
|
||||
internal;
|
||||
proxy_pass http://$auth_backend/internal/auth; #***# AUTH
|
||||
proxy_set_header Cookie $http_cookie; #***# AUTH
|
||||
|
||||
#***# AUTH HEADER ERWEITERUNG
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Original-Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
}
|
||||
|
||||
proxy_intercept_errors on;
|
||||
error_page 502 503 504 = @fallback;
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# simulation3a29.server.schooltech.ch
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name simulation3a29.server.schooltech.ch;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
set $serverBackendSimulation "appRobot_Simulation:1003";
|
||||
set $auth_backend "appServer_Auth:3000";
|
||||
|
||||
location @fallback {
|
||||
default_type text/html;
|
||||
return 200 '
|
||||
<html>
|
||||
<head>
|
||||
<title>Dienst (Simulation) offline</title>
|
||||
</head>
|
||||
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
|
||||
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
|
||||
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
|
||||
</body>
|
||||
</html>';
|
||||
}
|
||||
|
||||
# ---- Static assets: keine Auth ----
|
||||
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp|stl)$ {
|
||||
proxy_pass https://$serverBackendSimulation;
|
||||
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name thinkcentre.local;
|
||||
proxy_ssl_verify off;
|
||||
|
||||
proxy_set_header Host thinkcentre.local;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
# kein proxy_set_header Connection / Upgrade hier
|
||||
proxy_intercept_errors on;
|
||||
error_page 502 503 504 = @fallback;
|
||||
}
|
||||
|
||||
# ---- WebSocket-Endpoint ----
|
||||
location /echo {
|
||||
auth_request /nginxauth;
|
||||
proxy_pass https://$serverBackendSimulation/echo;
|
||||
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name thinkcentre.local;
|
||||
proxy_ssl_verify off;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
proxy_set_header Host thinkcentre.local;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
|
||||
proxy_intercept_errors on;
|
||||
error_page 502 503 504 = @fallback;
|
||||
}
|
||||
|
||||
# ---- Hauptanwendung ----
|
||||
location / {
|
||||
auth_request /nginxauth;
|
||||
|
||||
proxy_pass https://$serverBackendSimulation/;
|
||||
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name thinkcentre.local;
|
||||
proxy_ssl_verify off;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
proxy_set_header Host thinkcentre.local;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Origin $http_origin;
|
||||
|
||||
proxy_hide_header X-Frame-Options;
|
||||
add_header X-Frame-Options "ALLOWALL" always;
|
||||
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
|
||||
|
||||
proxy_intercept_errors on;
|
||||
error_page 502 503 504 = @fallback;
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# location = /nginxauth (SIMULATION FIX)
|
||||
# ------------------------------------------------------------
|
||||
location = /nginxauth {
|
||||
internal;
|
||||
proxy_pass http://$auth_backend/internal/auth; #***# AUTH
|
||||
proxy_set_header Cookie $http_cookie; #***# AUTH
|
||||
|
||||
#***# AUTH HEADER ERWEITERUNG
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Original-Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
}
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# xyz.server.schooltech.ch (Guacamole )
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name xyz.server.schooltech.ch;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
set $serverBackendGuacamole "appServer_guacamole:8080";
|
||||
|
||||
location @fallback {
|
||||
default_type text/html;
|
||||
return 200 '
|
||||
<html>
|
||||
<head>
|
||||
<title>Dienst (Guacamole) offline</title>
|
||||
</head>
|
||||
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
|
||||
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
|
||||
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
|
||||
</body>
|
||||
</html>';
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://$serverBackendGuacamole;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
|
||||
|
||||
proxy_intercept_errors on;
|
||||
error_page 502 503 504 = @fallback;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
## ------------------------------------------------------------
|
||||
# portainer.server.schooltech.ch
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name portainer.server.schooltech.ch;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
|
||||
|
||||
set $auth_backend "appServer_Auth:3000";
|
||||
|
||||
location @fallback {
|
||||
default_type text/html;
|
||||
return 200 '
|
||||
<html>
|
||||
<head>
|
||||
<title>Dienst (Portainer) offline</title>
|
||||
</head>
|
||||
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
|
||||
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
|
||||
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
|
||||
</body>
|
||||
</html>';
|
||||
}
|
||||
|
||||
location / {
|
||||
|
||||
proxy_pass http://portainer:9000;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
#proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Connection $http_connection_upgrade;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
# WICHTIG FÜR IFRAME
|
||||
proxy_hide_header X-Frame-Options;
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
|
||||
|
||||
proxy_intercept_errors on;
|
||||
error_page 502 503 504 = @fallback; # <-- Fallback
|
||||
}
|
||||
|
||||
location = /nginxauth {
|
||||
internal;
|
||||
proxy_pass http://$auth_backend/internal/auth;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
|
||||
#***# AUTH HEADER ERWEITERUNG
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Original-Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
|
||||
proxy_intercept_errors on;
|
||||
error_page 502 503 504 = @fallback; # <-- Fallback
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user