diff --git a/.gitignore b/.gitignore
index 37c6b03..e7ff160 100755
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,10 @@ letsencrypt/conf/**/*
 *.pem
 *.key
 *.csr
+
+#
+*.conf.swp
+*.log
+*.out
+*.aux
+*.synctex.gz
\ No newline at end of file
diff --git a/nginx.conf_PortalSSH b/nginx.conf_PortalSSH
deleted file mode 100755
index 98366a4..0000000
--- a/nginx.conf_PortalSSH
+++ /dev/null
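Review bot: The added `#` line is an empty comment heading that explains nothing about the group of patterns it introduces; either label it, e.g. `# editor swap files and build/TeX output`, or drop it. The `*.conf.swp` pattern only covers swap files of `.conf` files, so a plain `*.swp` would be the more general choice if the intent is to keep all editor swap files out of the repository. The new last line is also written without a trailing newline (`\ No newline at end of file`), which future appends will show as a spurious change to that line.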
@@ -1,432 +0,0 @@ -error_log /var/log/nginx/error.log info; - -resolver 127.0.0.11 valid=30s; -resolver_timeout 5s; - -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - - - - -# ------------------------------------------------------------ -# Default HTTP -> HTTPS redirect -# ------------------------------------------------------------ -server { - listen 80 default_server; - server_name _; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - location / { - return 301 https://$host$request_uri; - } -} - -# ------------------------------------------------------------ -# #***# DEFAULT 443 SERVER (NEU) -# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt" -# ------------------------------------------------------------ -server { - listen 443 ssl http2 default_server; - server_name _; - - ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - - # Einfach Verbindung schließen für unbekannte Hosts - return 444; -} - -# ------------------------------------------------------------ -# UI (portal) - nur für server.schooltech.ch -# ------------------------------------------------------------ -server { - listen 443 ssl http2; - server_name server.schooltech.ch; - - ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - - - root /usr/share/nginx/html; - index index.html; - - location / { - try_files $uri $uri/ /index.html; - } - - # API forwarding to auth (wie vorher) - nur für server.schooltech.ch - location /api/ { - proxy_pass http://appServer_Auth:3000/api/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
- proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - # ------------------------------------------------------------ - # Internal auth endpoint for auth_request (used by other server blocks) - # Einheitlicher nginxauth-Block: Host + URI an Auth-Service - # ------------------------------------------------------------ - location = /nginxauth { - internal; - proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH: proxy_pass (wichtig) - proxy_set_header Cookie $http_cookie; #***# AUTH: Cookie weitergeben - - #***# AUTH HEADER ERWEITERUNG - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Original-Host $host; - proxy_set_header X-Forwarded-Host $host; - } - - # Security - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - # SSL - tcp_nopush on; - tcp_nodelay on; -} - -# ------------------------------------------------------------ -# abc.server.schooltech.ch - Controller on ThinkCentre -# ------------------------------------------------------------ -server { - listen 443 ssl http2; - server_name abc.server.schooltech.ch; - - ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - - set $serverBackendControl "appRobot_Control:10010"; - set $auth_backend "appServer_Auth:3000"; - - - location @fallback { - default_type text/html; - return 200 ' - -
-Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.
- - '; - } - - # ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ---- - location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ { - proxy_pass https://$serverBackendControl; - proxy_set_header Host thinkcentre.local; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - # kein proxy_set_header Connection / Upgrade hier - } - - # ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ---- - location /echo { - auth_request /nginxauth; - proxy_pass https://$serverBackendControl/echo; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_ssl_server_name on; - proxy_ssl_name thinkcentre.local; - proxy_ssl_verify off; - - proxy_set_header Host thinkcentre.local; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - } - - # ---- Hauptanwendung (HTML, API-Aufrufe) - auth prüfen ---- - location / { - auth_request /nginxauth; - - proxy_pass https://$serverBackendControl/; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_ssl_server_name on; - proxy_ssl_name thinkcentre.local; - proxy_ssl_verify off; - - proxy_set_header Host thinkcentre.local; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Origin $http_origin; - - proxy_hide_header X-Frame-Options; - add_header X-Frame-Options "ALLOWALL" always; - - proxy_hide_header Content-Security-Policy; - add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; - } - - # /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet) - location = /nginxauth { - internal; - 
proxy_pass http://$auth_backend/internal/auth; #***# AUTH - proxy_set_header Cookie $http_cookie; #***# AUTH - - #***# AUTH HEADER ERWEITERUNG - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Original-Host $host; - proxy_set_header X-Forwarded-Host $host; - } - - proxy_intercept_errors on; - error_page 502 503 504 = @fallback; -} - -# ------------------------------------------------------------ -# simulation3a29.server.schooltech.ch -# ------------------------------------------------------------ -server { - listen 443 ssl http2; - server_name simulation3a29.server.schooltech.ch; - - ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - - set $serverBackendSimulation "appRobot_Simulation:1003"; - set $auth_backend "appServer_Auth:3000"; - - location @fallback { - default_type text/html; - return 200 ' - - -Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.
- - '; - } - - # ---- Static assets: keine Auth ---- - location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp|stl)$ { - proxy_pass https://$serverBackendSimulation; - - proxy_ssl_server_name on; - proxy_ssl_name thinkcentre.local; - proxy_ssl_verify off; - - proxy_set_header Host thinkcentre.local; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - # kein proxy_set_header Connection / Upgrade hier - proxy_intercept_errors on; - error_page 502 503 504 = @fallback; - } - - # ---- WebSocket-Endpoint ---- - location /echo { - auth_request /nginxauth; - proxy_pass https://$serverBackendSimulation/echo; - - proxy_ssl_server_name on; - proxy_ssl_name thinkcentre.local; - proxy_ssl_verify off; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header Host thinkcentre.local; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - - proxy_intercept_errors on; - error_page 502 503 504 = @fallback; - } - - # ---- Hauptanwendung ---- - location / { - auth_request /nginxauth; - - proxy_pass https://$serverBackendSimulation/; - - proxy_ssl_server_name on; - proxy_ssl_name thinkcentre.local; - proxy_ssl_verify off; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header Host thinkcentre.local; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Origin $http_origin; - - proxy_hide_header X-Frame-Options; - add_header X-Frame-Options "ALLOWALL" always; - - proxy_hide_header Content-Security-Policy; - add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; - - 
proxy_intercept_errors on; - error_page 502 503 504 = @fallback; - } - - # ------------------------------------------------------------ - # location = /nginxauth (SIMULATION FIX) - # ------------------------------------------------------------ - location = /nginxauth { - internal; - proxy_pass http://$auth_backend/internal/auth; #***# AUTH - proxy_set_header Cookie $http_cookie; #***# AUTH - - #***# AUTH HEADER ERWEITERUNG - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Original-Host $host; - proxy_set_header X-Forwarded-Host $host; - } -} - -# ------------------------------------------------------------ -# xyz.server.schooltech.ch (Guacamole ) -# ------------------------------------------------------------ -server { - listen 443 ssl http2; - server_name xyz.server.schooltech.ch; - - ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - - set $serverBackendGuacamole "appServer_guacamole:8080"; - - location @fallback { - default_type text/html; - return 200 ' - - -Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.
- - '; - } - - location / { - proxy_pass http://$serverBackendGuacamole; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_buffering off; - proxy_request_buffering off; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - - add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; - - proxy_intercept_errors on; - error_page 502 503 504 = @fallback; - } - -} - -## ------------------------------------------------------------ -# portainer.server.schooltech.ch -# ------------------------------------------------------------ -server { - listen 443 ssl http2; - server_name portainer.server.schooltech.ch; - - ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem; - - set $auth_backend "appServer_Auth:3000"; - - location @fallback { - default_type text/html; - return 200 ' - - -Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.
- - '; - } - - location / { - - proxy_pass http://portainer:9000; - proxy_http_version 1.1; - - proxy_set_header Upgrade $http_upgrade; - #proxy_set_header Connection "upgrade"; - proxy_set_header Connection $http_connection_upgrade; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # WICHTIG FÜR IFRAME - proxy_hide_header X-Frame-Options; - proxy_hide_header Content-Security-Policy; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; - - proxy_intercept_errors on; - error_page 502 503 504 = @fallback; # <-- Fallback - } - - location = /nginxauth { - internal; - proxy_pass http://$auth_backend/internal/auth; - proxy_set_header Cookie $http_cookie; - - #***# AUTH HEADER ERWEITERUNG - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Original-Host $host; - proxy_set_header X-Forwarded-Host $host; - - proxy_intercept_errors on; - error_page 502 503 504 = @fallback; # <-- Fallback - } -}