ChK/appServerPortalUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

LetsEncrypt mit neuer URL

Browse Source
This commit is contained in:
ChK
2026-02-05 20:05:52 +01:00
parent e0b41f8461
commit 9115a76a46
4 changed files with 124 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
letsEncrypt_init.sh
View File

@@ -5,6 +5,7 @@ docker exec -it appServer_LetsEncryptFetcher certbot certonly \
-d abc.server.schooltech.ch \
-d xyz.server.schooltech.ch \
-d portainer.server.schooltech.ch \
-d simulation3a29.server.schooltech.ch \
-d controller.server.schooltech.ch \
--email admin@server.schooltech.ch \
--agree-tos \

1
letsencrypt/conf/renewal/server.schooltech.ch.conf
View File

@@ -16,3 +16,4 @@ server.schooltech.ch = /var/www/certbot
xyz.server.schooltech.ch = /var/www/certbot
controller.server.schooltech.ch = /var/www/certbot
portainer.server.schooltech.ch = /var/www/certbot
simulation3a29.server.schooltech.ch = /var/www/certbot

127
nginx.conf
View File

@@ -56,7 +56,7 @@ server {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
# (abc.server.schooltech.ch) - Controller on ThinkCentre
server {
listen 443 ssl http2;
server_name abc.server.schooltech.ch;
@@ -130,8 +130,81 @@ server {
}
}
# Simulation 3a29
server {
listen 443 ssl http2;
server_name simulation3a29.server.schooltech.ch;
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ----
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
proxy_pass https://thinkcentre.local:1003;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# kein proxy_set_header Connection / Upgrade hier
}
# ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ----
location /echo {
auth_request /nginxauth;
proxy_pass https://thinkcentre.local:1003/echo;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_ssl_server_name on;
proxy_ssl_name thinkcentre.local;
proxy_ssl_verify off;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
# ---- Hauptanwendung (HTML, API-Aufrufe aus dem App) - auth prüfen ----
location / {
auth_request /nginxauth;
proxy_pass https://thinkcentre.local:1003/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_ssl_server_name on;
proxy_ssl_name thinkcentre.local;
proxy_ssl_verify off;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Origin $http_origin;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "ALLOWALL" always;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
}
location = /nginxauth {
internal;
proxy_pass http://appserverauth:3000/internal/auth;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Original-URI $request_uri;
}
}
# Guacamole on ThinkCentre
server {
listen 443 ssl http2;
server_name xyz.server.schooltech.ch;
@@ -141,18 +214,60 @@ server {
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
auth_request /nginxauth;
location / {
auth_request /nginxauth; # <--- hier
proxy_pass http://thinkcentre.local:8080/;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Connection $connection_upgrade;
# Proxy Header
proxy_set_header Host xyz.server.schooltech.ch;
proxy_set_header Host thinkcentre.local; # <--- Upstream erwartet diesen Host
proxy_set_header Origin $http_origin;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# iFrame erlauben
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "ALLOWALL" always;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors *" always;
}
location = /nginxauth {
internal;
proxy_pass http://appserverauth:3000/internal/auth;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Original-URI $request_uri;
}
}
# Guacamole on ThinkCentre
server {
listen 443 ssl http2;
server_name portainer.server.schooltech.ch;
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
auth_request /nginxauth; # <--- hier
proxy_pass http://portainer:9000/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Proxy Header
proxy_set_header Host thinkcentre.local; # <--- Upstream erwartet diesen Host
proxy_set_header Origin $http_origin;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

1
public/app.js
View File

@@ -4,6 +4,7 @@
const services = [
{ id: "abc", name: "Control GamePad", url: "https://abc.server.schooltech.ch/" },
{ id: "xyz", name: "Guacamole", url: "https://xyz.server.schooltech.ch/" },
{ id: "sim", name: "Simulation", url: "https://simulation3a29.server.schooltech.ch/" },
{ id: "portainer", name: "Portainer", url: "https://portainer.server.schooltech.ch/" }
];