From b50911b9b41e980ef2b150290f65c68be31ee8f6 Mon Sep 17 00:00:00 2001
From: ChK
Date: Fri, 13 Feb 2026 17:20:58 +0100
Subject: [PATCH] =?UTF-8?q?l=C3=A4uft=20lokal,=20kein=20Internet?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 __nginx.conf__ohne_Portainer_aber_lief | 375 ++++++++++++++
 __split_subpages_nginx.__conf__ | 31 ++
 _nginx.conf_vibeCode_zerhauen | 345 ++++++++++++
 nginx.conf | 691 +++++++++++++------------
 nginxPages/00-http-redirect.conf | 12 +
 nginxPages/10-server-schooltech.conf | 39 ++
 nginxPages/50-subdomains-userA.conf | 117 +++++
 7 files changed, 1265 insertions(+), 345 deletions(-)
 create mode 100644 __nginx.conf__ohne_Portainer_aber_lief
 create mode 100644 __split_subpages_nginx.__conf__
 create mode 100755 _nginx.conf_vibeCode_zerhauen
 mode change 100755 => 100644 nginx.conf
 create mode 100644 nginxPages/00-http-redirect.conf
 create mode 100644 nginxPages/10-server-schooltech.conf
 create mode 100644 nginxPages/50-subdomains-userA.conf

diff --git a/__nginx.conf__ohne_Portainer_aber_lief b/__nginx.conf__ohne_Portainer_aber_lief
new file mode 100644
index 0000000..135a91e
--- /dev/null
+++ b/__nginx.conf__ohne_Portainer_aber_lief
@@ -0,0 +1,375 @@ +error_log /var/log/nginx/error.log info; + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +# ------------------------------------------------------------ +# Default HTTP -> HTTPS redirect +# ------------------------------------------------------------ +server { + listen 80 default_server; + server_name _; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$host$request_uri; + } +} + +# ------------------------------------------------------------ +# #***# DEFAULT 443 SERVER (NEU) +# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt" +# ------------------------------------------------------------ +server { + listen 443 ssl http2 default_server; + server_name _; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + + # Einfach Verbindung schließen für unbekannte Hosts + return 444; +} + +# ------------------------------------------------------------ +# UI (portal) - nur für server.schooltech.ch +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + server_name server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + root /usr/share/nginx/html; + index index.html; + + location / { + try_files $uri $uri/ /index.html; + } + + # API forwarding to auth (wie vorher) - nur für server.schooltech.ch + location /api/ { + proxy_pass http://appserverauth:3000/api/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # 
------------------------------------------------------------ + # Internal auth endpoint for auth_request (used by other server blocks) + # Einheitlicher nginxauth-Block: Host + URI an Auth-Service + # ------------------------------------------------------------ + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH: proxy_pass (wichtig) + proxy_set_header Cookie $http_cookie; #***# AUTH: Cookie weitergeben + + #***# AUTH HEADER ERWEITERUNG + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; + } + + # Security + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; +} + +# ------------------------------------------------------------ +# abc.server.schooltech.ch - Controller on ThinkCentre +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + server_name abc.server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + # ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ---- + location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ { + proxy_pass https://thinkcentre.local:10010; + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + # kein proxy_set_header Connection / Upgrade hier + } + + # ---- WebSocket-Endpoint (falls z.B. 
/echo) - auth prüfen ---- + location /echo { + auth_request /nginxauth; + proxy_pass https://thinkcentre.local:10010/echo; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + } + + # ---- Hauptanwendung (HTML, API-Aufrufe) - auth prüfen ---- + location / { + auth_request /nginxauth; + + proxy_pass https://thinkcentre.local:10010/; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Origin $http_origin; + + proxy_hide_header X-Frame-Options; + add_header X-Frame-Options "ALLOWALL" always; + + proxy_hide_header Content-Security-Policy; + add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; + } + + # /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet) + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH + proxy_set_header Cookie $http_cookie; #***# AUTH + + #***# AUTH HEADER ERWEITERUNG + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; + } +} + +# ------------------------------------------------------------ +# simulation3a29.server.schooltech.ch +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + 
server_name simulation3a29.server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + # ---- Static assets: keine Auth ---- + location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ { + proxy_pass https://thinkcentre.local:1003; + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + # kein proxy_set_header Connection / Upgrade hier + } + + # ---- WebSocket-Endpoint ---- + location /echo { + auth_request /nginxauth; + proxy_pass https://thinkcentre.local:1003/echo; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + } + + # ---- Hauptanwendung ---- + location / { + auth_request /nginxauth; + + proxy_pass https://thinkcentre.local:1003/; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Origin $http_origin; + + proxy_hide_header X-Frame-Options; + add_header X-Frame-Options "ALLOWALL" always; + + proxy_hide_header Content-Security-Policy; + add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; 
+ } + + # ------------------------------------------------------------ + # location = /nginxauth (SIMULATION FIX) + # ------------------------------------------------------------ + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; #***# SIMULATION: fehlende proxy_pass eingefügt + proxy_set_header Cookie $http_cookie; #***# SIMULATION: Cookie weitergeben + + #***# AUTH HEADER ERWEITERUNG (nur einmal) + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; + } +} + +# ------------------------------------------------------------ +# xyz.server.schooltech.ch (Guacamole on ThinkCentre) +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + server_name xyz.server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + location / { + auth_request /nginxauth; # Auth prüfen + + proxy_pass http://thinkcentre.local:8080/; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + # Proxy Header (Upstream erwartet thinkcentre.local) + proxy_set_header Host thinkcentre.local; # bewusst: Upstream Host-Expectation + proxy_set_header Origin $http_origin; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + # iFrame erlauben + proxy_hide_header X-Frame-Options; + add_header X-Frame-Options "ALLOWALL" always; + + proxy_hide_header Content-Security-Policy; + add_header Content-Security-Policy "frame-ancestors *" always; + } + + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; #***# XYZ: proxy_pass wie überall + proxy_set_header Cookie 
$http_cookie; + + proxy_set_header X-Original-URI $request_uri; + + #***# XYZ AUTH HOST: Original-Host weitergeben (wichtig für Redirects/Checks) + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; + } +} + +# ------------------------------------------------------------ +# portainer.server.schooltech.ch +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + server_name portainer.server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + #***# PORTAINER: API direkt weiterleiten (kein auth_request) + location ^~ /api/ { + proxy_pass http://127.0.0.1:9000; #***# auf lokalen Portainer HTTP Backend zeigen + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + #***# PORTAINER: statische Assets / locales ebenfalls ohne auth (wichtig für i18n) + location ~* \.(?:js|css|json|png|jpg|jpeg|gif|ico|svg|woff2?)$ { + proxy_pass http://127.0.0.1:9000; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location ^~ /locales/ { + # explizit für i18n Pfade + proxy_pass http://127.0.0.1:9000; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; + } + + # Haupt-UI: auth_request greift nur hier (UI), nicht für /api/ oder Assets + location / { + auth_request /nginxauth; + + proxy_pass http://127.0.0.1:9000/; #***# auf lokales Portainer HTTP Backend zeigen + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 
$connection_upgrade;
+
+ #***# PORTAINER HOST FIX:
+ proxy_set_header Host $host; #***# PORTAINER HOST
+ proxy_set_header X-Forwarded-Host $host; #***# PORTAINER HOST
+ proxy_set_header X-Forwarded-Proto https; #***# PORTAINER HOST
+
+ proxy_set_header Origin $http_origin;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_hide_header X-Frame-Options;
+ add_header X-Frame-Options "ALLOWALL" always;
+
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "frame-ancestors *" always;
+ }
+
+ location = /nginxauth {
+ internal;
+ proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH
+ proxy_set_header Cookie $http_cookie; #***# AUTH
+
+ #***# AUTH HEADER ERWEITERUNG
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Original-Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+}
diff --git a/__split_subpages_nginx.__conf__ b/__split_subpages_nginx.__conf__
new file mode 100644
index 0000000..960b0bd
--- /dev/null
+++ b/__split_subpages_nginx.__conf__
@@ -0,0 +1,31 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
+ access_log /var/log/nginx/access.log main;
+ error_log /var/log/nginx/error.log info;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Upgrade map (WebSockets)
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+
+ # Include modulare Server-Configs
+ include /etc/nginx/conf.d/*.conf;
+}
+
diff --git a/_nginx.conf_vibeCode_zerhauen b/_nginx.conf_vibeCode_zerhauen
new file mode 100755
index 0000000..146e954
--- /dev/null
+++ b/_nginx.conf_vibeCode_zerhauen
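Review bot: Every `location = /nginxauth` block in this file forwards the `auth_request` subrequest without discarding the request body, so a POST to any protected location sends the original Content-Length to the auth service while nginx never transmits the body; the auth_request module requires `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";` in that location. The same omission is present in every `/nginxauth` block of `_nginx.conf_vibeCode_zerhauen` in this patch. The xyz and portainer vhosts emit `Content-Security-Policy "frame-ancestors *"`, which lets any origin frame Guacamole and Portainer, whereas the abc and simulation vhosts already restrict it to `frame-ancestors https://server.schooltech.ch`; the `X-Frame-Options "ALLOWALL"` value beside it is not a defined value for that header and is ignored by browsers, so the CSP line is the effective control and should carry the same restriction unless wider embedding is intended. The `proxy_ssl_verify off;` lines on the thinkcentre.local upstreams disable certificate checking on the internal TLS hop; if that host's certificate can be pinned via `proxy_ssl_trusted_certificate`, verification can be turned back on. In the portainer vhost the `^~ /api/`, asset and `/locales/` locations bypass `auth_request` by design, so the nginx gate only covers the UI HTML and the API relies entirely on Portainer's own authentication; a comment stating that assumption next to `location ^~ /api/` would keep a later maintainer from treating the gate as complete.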
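Review bot: The `http` block includes `/etc/nginx/conf.d/*.conf`, while the modular server files added by this patch live under `nginxPages/`; presumably a container volume maps that directory onto conf.d, but nothing in the patch shows it, so a comment such as `# nginxPages/ is mounted at /etc/nginx/conf.d in the container` on the include line would make the coupling explicit. `server_tokens` is left at its default, so nginx reports its version in the Server header and on error pages; adding `server_tokens off;` next to `sendfile on;` is the usual hardening for a public-facing proxy.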
@@ -0,0 +1,345 @@ +error_log /var/log/nginx/error.log info; + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +# ------------------------------------------------------------ +# Default HTTP -> HTTPS redirect +# ------------------------------------------------------------ +server { + listen 80 default_server; + server_name _; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$host$request_uri; + } +} + +# ------------------------------------------------------------ +# #***# DEFAULT 443 SERVER (NEU) +# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt" +# ------------------------------------------------------------ +server { + listen 443 ssl http2 default_server; + server_name _; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + + # Einfach Verbindung schließen für unbekannte Hosts + return 444; +} + +# ------------------------------------------------------------ +# UI (portal) - nur für server.schooltech.ch +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + server_name server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + root /usr/share/nginx/html; + index index.html; + + location / { + try_files $uri $uri/ /index.html; + } + + # API forwarding to auth (wie vorher) - nur für server.schooltech.ch + location /api/ { + proxy_pass http://appserverauth:3000/api/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # 
------------------------------------------------------------ + # Internal auth endpoint for auth_request (used by other server blocks) + # Einheitlicher nginxauth-Block: Host + URI an Auth-Service + # ------------------------------------------------------------ + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH: proxy_pass (wichtig) + proxy_set_header Cookie $http_cookie; #***# AUTH: Cookie weitergeben + + #***# AUTH HEADER ERWEITERUNG + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; + } + + # Security + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; +} + +# ------------------------------------------------------------ +# abc.server.schooltech.ch - Controller on ThinkCentre +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + server_name abc.server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + # ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ---- + location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ { + proxy_pass https://thinkcentre.local:10010; + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + # kein proxy_set_header Connection / Upgrade hier + } + + # ---- WebSocket-Endpoint (falls z.B. 
/echo) - auth prüfen ---- + location /echo { + auth_request /nginxauth; + proxy_pass https://thinkcentre.local:10010/echo; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + } + + # ---- Hauptanwendung (HTML, API-Aufrufe) - auth prüfen ---- + location / { + auth_request /nginxauth; + + proxy_pass https://thinkcentre.local:10010/; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Origin $http_origin; + + proxy_hide_header X-Frame-Options; + add_header X-Frame-Options "ALLOWALL" always; + + proxy_hide_header Content-Security-Policy; + add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; + } + + # /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet) + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH + proxy_set_header Cookie $http_cookie; #***# AUTH + + #***# AUTH HEADER ERWEITERUNG + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; + } +} + +# ------------------------------------------------------------ +# simulation3a29.server.schooltech.ch +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + 
server_name simulation3a29.server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + # ---- Static assets: keine Auth ---- + location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ { + proxy_pass https://thinkcentre.local:1003; + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + # kein proxy_set_header Connection / Upgrade hier + } + + # ---- WebSocket-Endpoint ---- + location /echo { + auth_request /nginxauth; + proxy_pass https://thinkcentre.local:1003/echo; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + } + + # ---- Hauptanwendung ---- + location / { + auth_request /nginxauth; + + proxy_pass https://thinkcentre.local:1003/; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_server_name on; + proxy_ssl_name thinkcentre.local; + proxy_ssl_verify off; + + proxy_set_header Host thinkcentre.local; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Origin $http_origin; + + proxy_hide_header X-Frame-Options; + add_header X-Frame-Options "ALLOWALL" always; + + proxy_hide_header Content-Security-Policy; + add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; 
+ } + + # ------------------------------------------------------------ + # location = /nginxauth (SIMULATION FIX) + # ------------------------------------------------------------ + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; #***# SIMULATION: fehlende proxy_pass eingefügt + proxy_set_header Cookie $http_cookie; #***# SIMULATION: Cookie weitergeben + + #***# AUTH HEADER ERWEITERUNG (nur einmal) + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; + } +} + +# ------------------------------------------------------------ +# xyz.server.schooltech.ch (Guacamole on ThinkCentre) +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + server_name xyz.server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + location / { + auth_request /nginxauth; # Auth prüfen + + proxy_pass http://thinkcentre.local:8080/; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + # Proxy Header (Upstream erwartet thinkcentre.local) + proxy_set_header Host thinkcentre.local; # bewusst: Upstream Host-Expectation + proxy_set_header Origin $http_origin; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + # iFrame erlauben + proxy_hide_header X-Frame-Options; + add_header X-Frame-Options "ALLOWALL" always; + + proxy_hide_header Content-Security-Policy; + add_header Content-Security-Policy "frame-ancestors *" always; + } + + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; #***# XYZ: proxy_pass wie überall + proxy_set_header Cookie 
$http_cookie; + + proxy_set_header X-Original-URI $request_uri; + + #***# XYZ AUTH HOST: Original-Host weitergeben (wichtig für Redirects/Checks) + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; + } +} + +# ------------------------------------------------------------ +# portainer.server.schooltech.ch +# ------------------------------------------------------------ +server { + listen 443 ssl http2; + server_name portainer.server.schooltech.ch; + + ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + location / { + auth_request /nginxauth; + + proxy_pass http://portainer:9000; + proxy_http_version 1.1; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # WICHTIG FÜR IFRAME + proxy_hide_header X-Frame-Options; + proxy_hide_header Content-Security-Policy; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; + } + + + location = /nginxauth { + internal; + proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH + proxy_set_header Cookie $http_cookie; #***# AUTH + + #***# AUTH HEADER ERWEITERUNG + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Host $host; + proxy_set_header X-Forwarded-Host $host; + } +} diff --git a/nginx.conf b/nginx.conf old mode 100755 new mode 100644 index 146e954..9bdd8b2 --- a/nginx.conf +++ b/nginx.conf 
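Review bot: The portainer `location /` hard-codes `proxy_set_header Connection "upgrade";` for every request, although the file defines the `$connection_upgrade` map at the top for exactly this purpose and every other vhost uses it; plain HTTP requests to Portainer therefore carry `Connection: upgrade` without an Upgrade header. Use `proxy_set_header Connection $connection_upgrade;` as in the other blocks. The same location sets `X-Frame-Options "SAMEORIGIN"` together with `frame-ancestors https://server.schooltech.ch`; browsers that honour frame-ancestors ignore X-Frame-Options when both are present, but a client that only evaluates X-Frame-Options will refuse the intended embedding, since portainer.server.schooltech.ch and server.schooltech.ch are different origins. Either drop the X-Frame-Options line or document why the two headers deliberately disagree.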
@@ -1,345 +1,346 @@ -error_log /var/log/nginx/error.log info; - -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -# ------------------------------------------------------------ -# Default HTTP -> HTTPS redirect -# ------------------------------------------------------------ -server { - listen 80 default_server; - server_name _; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - location / { - return 301 https://$host$request_uri; - } -} - -# ------------------------------------------------------------ -# #***# DEFAULT 443 SERVER (NEU) -# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt" -# ------------------------------------------------------------ -server { - listen 443 ssl http2 default_server; - server_name _; - - ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - - # Einfach Verbindung schließen für unbekannte Hosts - return 444; -} - -# ------------------------------------------------------------ -# UI (portal) - nur für server.schooltech.ch -# ------------------------------------------------------------ -server { - listen 443 ssl http2; - server_name server.schooltech.ch; - - ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - - root /usr/share/nginx/html; - index index.html; - - location / { - try_files $uri $uri/ /index.html; - } - - # API forwarding to auth (wie vorher) - nur für server.schooltech.ch - location /api/ { - proxy_pass http://appserverauth:3000/api/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # 
------------------------------------------------------------ - # Internal auth endpoint for auth_request (used by other server blocks) - # Einheitlicher nginxauth-Block: Host + URI an Auth-Service - # ------------------------------------------------------------ - location = /nginxauth { - internal; - proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH: proxy_pass (wichtig) - proxy_set_header Cookie $http_cookie; #***# AUTH: Cookie weitergeben - - #***# AUTH HEADER ERWEITERUNG - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Original-Host $host; - proxy_set_header X-Forwarded-Host $host; - } - - # Security - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; -} - -# ------------------------------------------------------------ -# abc.server.schooltech.ch - Controller on ThinkCentre -# ------------------------------------------------------------ -server { - listen 443 ssl http2; - server_name abc.server.schooltech.ch; - - ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - - # ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ---- - location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ { - proxy_pass https://thinkcentre.local:10010; - proxy_set_header Host thinkcentre.local; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - # kein proxy_set_header Connection / Upgrade hier - } - - # ---- WebSocket-Endpoint (falls z.B. 
/echo) - auth prüfen ---- - location /echo { - auth_request /nginxauth; - proxy_pass https://thinkcentre.local:10010/echo; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_ssl_server_name on; - proxy_ssl_name thinkcentre.local; - proxy_ssl_verify off; - - proxy_set_header Host thinkcentre.local; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - } - - # ---- Hauptanwendung (HTML, API-Aufrufe) - auth prüfen ---- - location / { - auth_request /nginxauth; - - proxy_pass https://thinkcentre.local:10010/; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_ssl_server_name on; - proxy_ssl_name thinkcentre.local; - proxy_ssl_verify off; - - proxy_set_header Host thinkcentre.local; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Origin $http_origin; - - proxy_hide_header X-Frame-Options; - add_header X-Frame-Options "ALLOWALL" always; - - proxy_hide_header Content-Security-Policy; - add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; - } - - # /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet) - location = /nginxauth { - internal; - proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH - proxy_set_header Cookie $http_cookie; #***# AUTH - - #***# AUTH HEADER ERWEITERUNG - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Original-Host $host; - proxy_set_header X-Forwarded-Host $host; - } -} - -# ------------------------------------------------------------ -# simulation3a29.server.schooltech.ch -# ------------------------------------------------------------ -server { - listen 443 ssl http2; - 
server_name simulation3a29.server.schooltech.ch;
-
- ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
-
- # ---- Static assets: keine Auth ----
- location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
- proxy_pass https://thinkcentre.local:1003;
- proxy_set_header Host thinkcentre.local;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- # kein proxy_set_header Connection / Upgrade hier
- }
-
- # ---- WebSocket-Endpoint ----
- location /echo {
- auth_request /nginxauth;
- proxy_pass https://thinkcentre.local:1003/echo;
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_ssl_server_name on;
- proxy_ssl_name thinkcentre.local;
- proxy_ssl_verify off;
-
- proxy_set_header Host thinkcentre.local;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- }
-
- # ---- Hauptanwendung ----
- location / {
- auth_request /nginxauth;
-
- proxy_pass https://thinkcentre.local:1003/;
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_ssl_server_name on;
- proxy_ssl_name thinkcentre.local;
- proxy_ssl_verify off;
-
- proxy_set_header Host thinkcentre.local;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Origin $http_origin;
-
- proxy_hide_header X-Frame-Options;
- add_header X-Frame-Options "ALLOWALL" always;
-
- proxy_hide_header Content-Security-Policy;
- add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
- }
-
- # ------------------------------------------------------------
- # location = /nginxauth (SIMULATION FIX)
- # ------------------------------------------------------------
- location = /nginxauth {
- internal;
- proxy_pass http://appserverauth:3000/internal/auth; #***# SIMULATION: fehlende proxy_pass eingefügt
- proxy_set_header Cookie $http_cookie; #***# SIMULATION: Cookie weitergeben
-
- #***# AUTH HEADER ERWEITERUNG (nur einmal)
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header X-Original-Host $host;
- proxy_set_header X-Forwarded-Host $host;
- }
-}
-
-# ------------------------------------------------------------
-# xyz.server.schooltech.ch (Guacamole on ThinkCentre)
-# ------------------------------------------------------------
-server {
- listen 443 ssl http2;
- server_name xyz.server.schooltech.ch;
-
- ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
-
- location / {
- auth_request /nginxauth; # Auth prüfen
-
- proxy_pass http://thinkcentre.local:8080/;
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- # Proxy Header (Upstream erwartet thinkcentre.local)
- proxy_set_header Host thinkcentre.local; # bewusst: Upstream Host-Expectation
- proxy_set_header Origin $http_origin;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
-
- # iFrame erlauben
- proxy_hide_header X-Frame-Options;
- add_header X-Frame-Options "ALLOWALL" always;
-
- proxy_hide_header Content-Security-Policy;
- add_header Content-Security-Policy "frame-ancestors *" always;
- }
-
- location = /nginxauth {
- internal;
- proxy_pass http://appserverauth:3000/internal/auth; #***# XYZ: proxy_pass wie überall
- proxy_set_header Cookie $http_cookie;
-
- proxy_set_header X-Original-URI $request_uri;
-
- #***# XYZ AUTH HOST: Original-Host weitergeben (wichtig für Redirects/Checks)
- proxy_set_header X-Original-Host $host;
- proxy_set_header X-Forwarded-Host $host;
- }
-}
-
-# ------------------------------------------------------------
-# portainer.server.schooltech.ch
-# ------------------------------------------------------------
-server {
- listen 443 ssl http2;
- server_name portainer.server.schooltech.ch;
-
- ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
-
- location / {
- auth_request /nginxauth;
-
- proxy_pass http://portainer:9000;
- proxy_http_version 1.1;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- # WICHTIG FÜR IFRAME
- proxy_hide_header X-Frame-Options;
- proxy_hide_header Content-Security-Policy;
-
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
- }
-
-
- location = /nginxauth {
- internal;
- proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH
- proxy_set_header Cookie $http_cookie; #***# AUTH
-
- #***# AUTH HEADER ERWEITERUNG
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header X-Original-Host $host;
- proxy_set_header X-Forwarded-Host $host;
- }
-}
+error_log /var/log/nginx/error.log info;
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+# ------------------------------------------------------------
+# Default HTTP -> HTTPS redirect
+# ------------------------------------------------------------
+server {
+ listen 80 default_server;
+ server_name _;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+# ------------------------------------------------------------
+# #***# DEFAULT 443 SERVER (NEU)
+# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt"
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2 default_server;
+ server_name _;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Einfach Verbindung schließen für unbekannte Hosts
+ return 444;
+}
+
+# ------------------------------------------------------------
+# UI (portal) - nur für server.schooltech.ch
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ server_name server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ root /usr/share/nginx/html;
+ index index.html;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ # API forwarding to auth (wie vorher) - nur für server.schooltech.ch
+ location /api/ {
+ proxy_pass http://appServer_Auth:3000/api/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # ------------------------------------------------------------
+ # Internal auth endpoint for auth_request (used by other server blocks)
+ # Einheitlicher nginxauth-Block: Host + URI an Auth-Service
+ # ------------------------------------------------------------
+ location = /nginxauth {
+ internal;
+ proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH: proxy_pass (wichtig)
+ proxy_set_header Cookie $http_cookie; #***# AUTH: Cookie weitergeben
+
+ #***# AUTH HEADER ERWEITERUNG
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Original-Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ # Security
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+}
+
+# ------------------------------------------------------------
+# abc.server.schooltech.ch - Controller on ThinkCentre
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ server_name abc.server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ # ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ----
+ location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
+ proxy_pass https://appRobot_Control:10010;
+ proxy_set_header Host thinkcentre.local;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ # kein proxy_set_header Connection / Upgrade hier
+ }
+
+ # ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ----
+ location /echo {
+ auth_request /nginxauth;
+ proxy_pass https://appRobot_Control:10010/echo;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_ssl_server_name on;
+ proxy_ssl_name thinkcentre.local;
+ proxy_ssl_verify off;
+
+ proxy_set_header Host thinkcentre.local;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ # ---- Hauptanwendung (HTML, API-Aufrufe) - auth prüfen ----
+ location / {
+ auth_request /nginxauth;
+
+ proxy_pass https://appRobot_Control:10010/;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_ssl_server_name on;
+ proxy_ssl_name thinkcentre.local;
+ proxy_ssl_verify off;
+
+ proxy_set_header Host thinkcentre.local;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Origin $http_origin;
+
+ proxy_hide_header X-Frame-Options;
+ add_header X-Frame-Options "ALLOWALL" always;
+
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
+ }
+
+ # /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet)
+ location = /nginxauth {
+ internal;
+ proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
+ proxy_set_header Cookie $http_cookie; #***# AUTH
+
+ #***# AUTH HEADER ERWEITERUNG
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Original-Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+}
+
+# ------------------------------------------------------------
+# simulation3a29.server.schooltech.ch
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ server_name simulation3a29.server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ # ---- Static assets: keine Auth ----
+ location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
+ proxy_pass https://appRobot_Simulation:1003;
+ proxy_ssl_verify off;
+ proxy_set_header Host thinkcentre.local;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ # kein proxy_set_header Connection / Upgrade hier
+ }
+
+ # ---- WebSocket-Endpoint ----
+ location /echo {
+ auth_request /nginxauth;
+ proxy_pass https://appRobot_Simulation:1003/echo;
+
+ proxy_ssl_server_name on;
+ proxy_ssl_name thinkcentre.local;
+ proxy_ssl_verify off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header Host thinkcentre.local;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ # ---- Hauptanwendung ----
+ location / {
+ auth_request /nginxauth;
+
+ proxy_pass https://appRobot_Simulation:1003/;
+
+ proxy_ssl_server_name on;
+ proxy_ssl_name thinkcentre.local;
+ proxy_ssl_verify off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header Host thinkcentre.local;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Origin $http_origin;
+
+ proxy_hide_header X-Frame-Options;
+ add_header X-Frame-Options "ALLOWALL" always;
+
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
+ }
+
+ # ------------------------------------------------------------
+ # location = /nginxauth (SIMULATION FIX)
+ # ------------------------------------------------------------
+ location = /nginxauth {
+ internal;
+ proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
+ proxy_set_header Cookie $http_cookie; #***# AUTH
+
+ #***# AUTH HEADER ERWEITERUNG
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Original-Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+}
+
+# ------------------------------------------------------------
+# xyz.server.schooltech.ch (Guacamole on ThinkCentre)
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ server_name xyz.server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ auth_request /nginxauth; # Auth prüfen
+
+ proxy_pass http://appRobot_guacamole:8080/;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ # Proxy Header (Upstream erwartet thinkcentre.local)
+ proxy_set_header Host thinkcentre.local; # bewusst: Upstream Host-Expectation
+ proxy_set_header Origin $http_origin;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # iFrame erlauben
+ proxy_hide_header X-Frame-Options;
+ add_header X-Frame-Options "ALLOWALL" always;
+
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "frame-ancestors *" always;
+ }
+
+ location = /nginxauth {
+ internal;
+ proxy_pass http://appServer_Auth:3000/internal/auth; #***# XYZ: proxy_pass wie überall
+ proxy_set_header Cookie $http_cookie;
+
+ proxy_set_header X-Original-URI $request_uri;
+
+ #***# XYZ AUTH HOST: Original-Host weitergeben (wichtig für Redirects/Checks)
+ proxy_set_header X-Original-Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+}
+
+## ------------------------------------------------------------
+# portainer.server.schooltech.ch
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ server_name portainer.server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+ #ssl_protocols TLSv1.2 TLSv1.3;
+ #ssl_prefer_server_ciphers on;
+
+ location / {
+ #auth_request /nginxauth;
+
+ proxy_pass http://portainer:9000;
+ proxy_http_version 1.1;
+
+ proxy_set_header Upgrade $http_upgrade;
+ #proxy_set_header Connection "upgrade";
+ proxy_set_header Connection $http_connection_upgrade;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # WICHTIG FÜR IFRAME
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header Content-Security-Policy;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
+ }
+
+ location = /nginxauth {
+ internal;
+ proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
+ proxy_set_header Cookie $http_cookie; #***# AUTH
+
+ #***# AUTH HEADER ERWEITERUNG
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Original-Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+}
diff --git a/nginxPages/00-http-redirect.conf b/nginxPages/00-http-redirect.conf
new file mode 100644
index 0000000..d853c2f
--- /dev/null
+++ b/nginxPages/00-http-redirect.conf
@@ -0,0 +1,12 @@
+server {
+ listen 80 default_server;
+ server_name _;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/nginxPages/10-server-schooltech.conf b/nginxPages/10-server-schooltech.conf
new file mode 100644
index 0000000..c000cd2
--- /dev/null
+++ b/nginxPages/10-server-schooltech.conf
@@ -0,0 +1,39 @@
+server {
+ listen 443 ssl http2;
+ server_name server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ root /usr/share/nginx/html;
+ index index.html;
+
+ # UI / SPA
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ # API forwarding (auth)
+ location /api/ {
+ proxy_pass http://appserverauth:3000/api/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # Internal auth endpoint for auth_request
+ location = /nginxauth {
+ internal;
+ proxy_pass http://appserverauth:3000/internal/auth;
+ proxy_set_header Cookie $http_cookie;
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Original-Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+}
diff --git a/nginxPages/50-subdomains-userA.conf b/nginxPages/50-subdomains-userA.conf
new file mode 100644
index 0000000..e915539
--- /dev/null
+++ b/nginxPages/50-subdomains-userA.conf
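Review bot: `listen 80 default_server` in 00-http-redirect.conf duplicates the port-80 `default_server` that nginx.conf in this same commit still declares, and 50-subdomains-userA.conf does the same for the 443 `default_server`; if nginx.conf includes the nginxPages directory, nginx refuses to start with a duplicate default server error, and if it does not, these files are never loaded. Only one of the two layouts can be active, and nothing in the new files says which. A one-line comment at the top of this file would settle it, e.g. `# Loaded via include from nginx.conf; the port-80 default_server must exist only here.`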
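Review bot: The `location = /nginxauth` block in 10-server-schooltech.conf is unreachable from this server: an `auth_request` subrequest is matched against the locations of the same `server` block, and neither `location /` nor `location /api/` here issues one, so the block is dead configuration in this file (the "used by other server blocks" comment in the nginx.conf copy rests on the same assumption). Where the block is actually used, the portainer server in 50-subdomains-userA.conf, the subrequest forwards the client's request body to the auth service on every POST; the auth_request documentation recommends adding `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";` to that location. Either drop the unused block here or keep it and add those two directives to every copy. Note also that the upstream is spelled `appserverauth` here but `appServer_Auth` in nginx.conf in this commit; presumably only one of the two matches the real service name.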
@@ -0,0 +1,117 @@
+# Default 443 für unbekannte Subdomains
+server {
+ listen 443 ssl http2 default_server;
+ server_name _;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ return 444;
+}
+
+# ------------------------------------------------------------
+# portainer.server.schooltech.ch
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ server_name portainer.server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ # Auth nur auf UI
+ location / {
+ auth_request /nginxauth;
+
+ proxy_pass http://portainer:9000;
+ proxy_http_version 1.1;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # iFrame-freundlich
+ proxy_hide_header X-Frame-Options;
+ add_header X-Frame-Options "ALLOWALL" always;
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "frame-ancestors *" always;
+ }
+
+ location = /nginxauth {
+ internal;
+ proxy_pass http://appserverauth:3000/internal/auth;
+ proxy_set_header Cookie $http_cookie;
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Original-Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+}
+
+# ------------------------------------------------------------
+# abc.server.schooltech.ch
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ server_name abc.server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+
+ root /usr/share/nginx/abc;
+ index index.html;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+}
+
+# ------------------------------------------------------------
+# xyz.server.schooltech.ch
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ server_name xyz.server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+
+ root /usr/share/nginx/xyz;
+ index index.html;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+}
+
+# ------------------------------------------------------------
+# guacamole.server.schooltech.ch
+# ------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ server_name guacamole.server.schooltech.ch;
+
+ ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
+
+ location / {
+ proxy_pass http://guacamole:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # iFrame-freundlich
+ proxy_hide_header X-Frame-Options;
+ add_header X-Frame-Options "ALLOWALL" always;
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "frame-ancestors *" always;
+ }
+}
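Review bot: The portainer server block in 50-subdomains-userA.conf sends `add_header Content-Security-Policy "frame-ancestors *" always;` together with `add_header X-Frame-Options "ALLOWALL" always;`, which lets any origin embed the Portainer admin UI in a frame: `ALLOWALL` is not a defined X-Frame-Options value, so browsers treat the header as absent, and the CSP explicitly permits every ancestor, whereas the nginx.conf copy of this block in the same commit restricts framing to `SAMEORIGIN` and `frame-ancestors https://server.schooltech.ch`. Unless the session cookie is SameSite-restricted this is a clickjacking exposure on a privileged UI, so limit it to the portal origin with `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;`, and apply the same pair in the guacamole block, which is also open to every ancestor. The guacamole server has no `auth_request` and no `proxy_http_version 1.1` / Upgrade / Connection headers, unlike the other proxied blocks; presumably it relies on Guacamole's own login, and its WebSocket tunnel will likely fall back to HTTP polling without those headers. The abc, xyz and guacamole servers also omit `ssl_protocols`, so they inherit the http-level or built-in default rather than the TLSv1.2/TLSv1.3 restriction the other blocks set.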