From 9115a76a46bdae467f9274edc866c9a38b330ac3 Mon Sep 17 00:00:00 2001 From: ChK Date: Thu, 5 Feb 2026 20:05:52 +0100 Subject: [PATCH] LetsEncrypt mit neuer URL --- letsEncrypt_init.sh | 1 + .../conf/renewal/server.schooltech.ch.conf | 1 + nginx.conf | 127 +++++++++++++++++- public/app.js | 1 + 4 files changed, 124 insertions(+), 6 deletions(-) diff --git a/letsEncrypt_init.sh b/letsEncrypt_init.sh index c8738e8..20cdb95 100755 --- a/letsEncrypt_init.sh +++ b/letsEncrypt_init.sh @@ -5,6 +5,7 @@ docker exec -it appServer_LetsEncryptFetcher certbot certonly \ -d abc.server.schooltech.ch \ -d xyz.server.schooltech.ch \ -d portainer.server.schooltech.ch \ + -d simulation3a29.server.schooltech.ch \ -d controller.server.schooltech.ch \ --email admin@server.schooltech.ch \ --agree-tos \ diff --git a/letsencrypt/conf/renewal/server.schooltech.ch.conf b/letsencrypt/conf/renewal/server.schooltech.ch.conf index db46aa1..c1ac545 100644 --- a/letsencrypt/conf/renewal/server.schooltech.ch.conf +++ b/letsencrypt/conf/renewal/server.schooltech.ch.conf @@ -16,3 +16,4 @@ server.schooltech.ch = /var/www/certbot xyz.server.schooltech.ch = /var/www/certbot controller.server.schooltech.ch = /var/www/certbot portainer.server.schooltech.ch = /var/www/certbot +simulation3a29.server.schooltech.ch = /var/www/certbot diff --git a/nginx.conf b/nginx.conf index 543c1f5..957cefc 100755 --- a/nginx.conf +++ b/nginx.conf @@ -56,7 +56,7 @@ server { add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; } - +# (abc.server.schooltech.ch) - Controller on ThinkCentre server { listen 443 ssl http2; server_name abc.server.schooltech.ch; 
@@ -130,8 +130,81 @@ server { } } +# Simulation 3a29 +server { + listen 443 ssl http2; + server_name simulation3a29.server.schooltech.ch; + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + # ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ---- + location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ { + proxy_pass https://thinkcentre.local:1003; + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + # kein proxy_set_header Connection / Upgrade hier + } + + # ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ---- + location /echo { + auth_request /nginxauth; + proxy_pass https://thinkcentre.local:1003/echo; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + } + + # ---- Hauptanwendung (HTML, API-Aufrufe aus dem App) - auth prüfen ---- + location / { + auth_request /nginxauth; + + proxy_pass https://thinkcentre.local:1003/; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Origin $http_origin; + + 
proxy_hide_header X-Frame-Options; + add_header X-Frame-Options "ALLOWALL" always; + + proxy_hide_header Content-Security-Policy; + add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; + } + + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; + proxy_set_header Cookie $http_cookie; + proxy_set_header X-Original-URI $request_uri; + } +} + +# Guacamole on ThinkCentre server { listen 443 ssl http2; server_name xyz.server.schooltech.ch; 
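Review bot: The unauthenticated `location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$` block in the new simulation3a29 server matches any URI ending in those extensions, and a regex location takes precedence over the prefix `location /` and `location /echo`, so every such path on thinkcentre.local:1003 is reachable without `auth_request`, not only the app's asset directory. If the upstream serves nothing sensitive under those extensions that is acceptable; otherwise anchor the regex to the asset prefix, e.g. `location ~* ^/<asset-prefix>/.*\.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {` (placeholder path). Both authenticated locations set `proxy_ssl_verify off`, so the upstream certificate is never checked; if thinkcentre.local presents a self-signed or private-CA certificate, configure `proxy_ssl_trusted_certificate <path-to-upstream-ca>; proxy_ssl_verify on;` instead. `X-Frame-Options "ALLOWALL"` is not a value browsers recognise (only DENY and SAMEORIGIN are defined), so it can be dropped and the `frame-ancestors` CSP left to do the work. `$connection_upgrade` presumably comes from a `map` block elsewhere in nginx.conf, and the xyz server block that the hunk ends on continues outside it.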
@@ -141,18 +214,60 @@ server { ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; - auth_request /nginxauth; - location / { + auth_request /nginxauth; # <--- hier + proxy_pass http://thinkcentre.local:8080/; - # WebSocket support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_set_header Connection $connection_upgrade; # Proxy Header - proxy_set_header Host xyz.server.schooltech.ch; + proxy_set_header Host thinkcentre.local; # <--- Upstream erwartet diesen Host + proxy_set_header Origin $http_origin; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + # iFrame erlauben + proxy_hide_header X-Frame-Options; + add_header X-Frame-Options "ALLOWALL" always; + + proxy_hide_header Content-Security-Policy; + add_header Content-Security-Policy "frame-ancestors *" always; + } + + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; + proxy_set_header Cookie $http_cookie; + proxy_set_header X-Original-URI $request_uri; + } +} + + +# Guacamole on ThinkCentre +server { + listen 443 ssl http2; + server_name portainer.server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + location / { + auth_request /nginxauth; # <--- hier + + proxy_pass http://portainer:9000/; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + # Proxy Header + proxy_set_header Host thinkcentre.local; # <--- Upstream erwartet diesen Host proxy_set_header Origin $http_origin; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
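Review bot: `add_header Content-Security-Policy "frame-ancestors *" always;` in the rewritten xyz (Guacamole) `location /` lets any origin embed the remote-desktop gateway in an iframe, which is exactly the clickjacking exposure the header exists to prevent; the simulation block added in the same commit restricts framing to the portal, so use the same value here: `add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;`. The accompanying `add_header X-Frame-Options "ALLOWALL" always;` is not a defined value (browsers only understand DENY and SAMEORIGIN) and can be dropped once the CSP is set. The new portainer server block is labelled `# Guacamole on ThinkCentre`, a copy of the label above it, and should read `# Portainer`; it also forwards `proxy_set_header Host thinkcentre.local;` to upstream `portainer:9000`, which looks copied from the Guacamole block, so confirm Portainer actually expects that host. The portainer server block continues past the end of the hunk.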
diff --git a/public/app.js b/public/app.js index f1f8bb4..f0a027b 100755 --- a/public/app.js +++ b/public/app.js @@ -4,6 +4,7 @@ const services = [ { id: "abc", name: "Control GamePad", url: "https://abc.server.schooltech.ch/" }, { id: "xyz", name: "Guacamole", url: "https://xyz.server.schooltech.ch/" }, + { id: "sim", name: "Simulation", url: "https://simulation3a29.server.schooltech.ch/" }, { id: "portainer", name: "Portainer", url: "https://portainer.server.schooltech.ch/" } ];