Authentifizierung SubPages überlassen
This commit is contained in:
119
nginx.conf
119
nginx.conf
@@ -56,6 +56,7 @@ server {
|
|||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
|
||||||
root /usr/share/nginx/html;
|
root /usr/share/nginx/html;
|
||||||
index index.html;
|
index index.html;
|
||||||
|
|
||||||
@@ -110,9 +111,27 @@ server {
|
|||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
set $serverBackendControl "appRobot_Control:10010";
|
||||||
|
set $auth_backend "appServer_Auth:3000";
|
||||||
|
|
||||||
|
|
||||||
|
location @fallback {
|
||||||
|
default_type text/html;
|
||||||
|
return 200 '
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Dienst offline</title>
|
||||||
|
</head>
|
||||||
|
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
|
||||||
|
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
|
||||||
|
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
|
||||||
|
</body>
|
||||||
|
</html>';
|
||||||
|
}
|
||||||
|
|
||||||
# ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ----
|
# ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ----
|
||||||
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
|
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
|
||||||
proxy_pass https://appRobot_Control:10010;
|
proxy_pass https://$serverBackendControl;
|
||||||
proxy_set_header Host thinkcentre.local;
|
proxy_set_header Host thinkcentre.local;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
@@ -123,7 +142,7 @@ server {
|
|||||||
# ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ----
|
# ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ----
|
||||||
location /echo {
|
location /echo {
|
||||||
auth_request /nginxauth;
|
auth_request /nginxauth;
|
||||||
proxy_pass https://appRobot_Control:10010/echo;
|
proxy_pass https://$serverBackendControl/echo;
|
||||||
|
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
@@ -143,7 +162,7 @@ server {
|
|||||||
location / {
|
location / {
|
||||||
auth_request /nginxauth;
|
auth_request /nginxauth;
|
||||||
|
|
||||||
proxy_pass https://appRobot_Control:10010/;
|
proxy_pass https://$serverBackendControl/;
|
||||||
|
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
@@ -169,7 +188,7 @@ server {
|
|||||||
# /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet)
|
# /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet)
|
||||||
location = /nginxauth {
|
location = /nginxauth {
|
||||||
internal;
|
internal;
|
||||||
proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
|
proxy_pass http://$auth_backend/internal/auth; #***# AUTH
|
||||||
proxy_set_header Cookie $http_cookie; #***# AUTH
|
proxy_set_header Cookie $http_cookie; #***# AUTH
|
||||||
|
|
||||||
#***# AUTH HEADER ERWEITERUNG
|
#***# AUTH HEADER ERWEITERUNG
|
||||||
@@ -177,6 +196,9 @@ server {
|
|||||||
proxy_set_header X-Original-Host $host;
|
proxy_set_header X-Original-Host $host;
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
proxy_set_header X-Forwarded-Host $host;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
proxy_intercept_errors on;
|
||||||
|
error_page 502 503 504 = @fallback;
|
||||||
}
|
}
|
||||||
|
|
||||||
# ------------------------------------------------------------
|
# ------------------------------------------------------------
|
||||||
@@ -194,21 +216,19 @@ server {
|
|||||||
set $serverBackendSimulation "appRobot_Simulation:1003";
|
set $serverBackendSimulation "appRobot_Simulation:1003";
|
||||||
set $auth_backend "appServer_Auth:3000";
|
set $auth_backend "appServer_Auth:3000";
|
||||||
|
|
||||||
############# FALLBACK LOCATION (NEU – RICHTIGER ORT)
|
|
||||||
location @fallback {
|
location @fallback {
|
||||||
default_type text/html;
|
default_type text/html;
|
||||||
return 200 '
|
return 200 '
|
||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
<title>Dienst offline</title>
|
<title>Dienst (Simulation) offline</title>
|
||||||
</head>
|
</head>
|
||||||
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
|
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
|
||||||
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
|
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
|
||||||
<p>Bitte Seite neu laden – Verbindung wird automatisch erneut versucht.</p>
|
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
|
||||||
</body>
|
</body>
|
||||||
</html>';
|
</html>';
|
||||||
}
|
}
|
||||||
#############
|
|
||||||
|
|
||||||
# ---- Static assets: keine Auth ----
|
# ---- Static assets: keine Auth ----
|
||||||
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp|stl)$ {
|
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp|stl)$ {
|
||||||
@@ -295,7 +315,7 @@ server {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# ------------------------------------------------------------
|
# ------------------------------------------------------------
|
||||||
# xyz.server.schooltech.ch (Guacamole on ThinkCentre)
|
# xyz.server.schooltech.ch (Guacamole )
|
||||||
# ------------------------------------------------------------
|
# ------------------------------------------------------------
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
@@ -306,41 +326,43 @@ server {
|
|||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
location / {
|
set $serverBackendGuacamole "appServer_guacamole:8080";
|
||||||
auth_request /nginxauth; # Auth prüfen
|
|
||||||
|
location @fallback {
|
||||||
|
default_type text/html;
|
||||||
|
return 200 '
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Dienst (Guacamole) offline</title>
|
||||||
|
</head>
|
||||||
|
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
|
||||||
|
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
|
||||||
|
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
|
||||||
|
</body>
|
||||||
|
</html>';
|
||||||
|
}
|
||||||
|
|
||||||
proxy_pass http://appRobot_guacamole:8080/;
|
location / {
|
||||||
|
proxy_pass http://$serverBackendGuacamole;
|
||||||
|
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
# Proxy Header (Upstream erwartet thinkcentre.local)
|
proxy_buffering off;
|
||||||
proxy_set_header Host thinkcentre.local; # bewusst: Upstream Host-Expectation
|
proxy_request_buffering off;
|
||||||
proxy_set_header Origin $http_origin;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto https;
|
proxy_set_header X-Forwarded-Proto https;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
# iFrame erlauben
|
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
|
||||||
proxy_hide_header X-Frame-Options;
|
|
||||||
add_header X-Frame-Options "ALLOWALL" always;
|
proxy_intercept_errors on;
|
||||||
|
error_page 502 503 504 = @fallback;
|
||||||
proxy_hide_header Content-Security-Policy;
|
|
||||||
add_header Content-Security-Policy "frame-ancestors *" always;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location = /nginxauth {
|
|
||||||
internal;
|
|
||||||
proxy_pass http://appServer_Auth:3000/internal/auth; #***# XYZ: proxy_pass wie überall
|
|
||||||
proxy_set_header Cookie $http_cookie;
|
|
||||||
|
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
|
||||||
|
|
||||||
#***# XYZ AUTH HOST: Original-Host weitergeben (wichtig für Redirects/Checks)
|
|
||||||
proxy_set_header X-Original-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
## ------------------------------------------------------------
|
## ------------------------------------------------------------
|
||||||
@@ -352,11 +374,24 @@ server {
|
|||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
|
||||||
#ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
#ssl_prefer_server_ciphers on;
|
set $auth_backend "appServer_Auth:3000";
|
||||||
|
|
||||||
|
location @fallback {
|
||||||
|
default_type text/html;
|
||||||
|
return 200 '
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Dienst (Portainer) offline</title>
|
||||||
|
</head>
|
||||||
|
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
|
||||||
|
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
|
||||||
|
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
|
||||||
|
</body>
|
||||||
|
</html>';
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
#auth_request /nginxauth;
|
|
||||||
|
|
||||||
proxy_pass http://portainer:9000;
|
proxy_pass http://portainer:9000;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
@@ -376,16 +411,22 @@ server {
|
|||||||
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||||
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
|
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
|
||||||
|
|
||||||
|
proxy_intercept_errors on;
|
||||||
|
error_page 502 503 504 = @fallback; # <-- Fallback
|
||||||
}
|
}
|
||||||
|
|
||||||
location = /nginxauth {
|
location = /nginxauth {
|
||||||
internal;
|
internal;
|
||||||
proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
|
proxy_pass http://$auth_backend/internal/auth;
|
||||||
proxy_set_header Cookie $http_cookie; #***# AUTH
|
proxy_set_header Cookie $http_cookie;
|
||||||
|
|
||||||
#***# AUTH HEADER ERWEITERUNG
|
#***# AUTH HEADER ERWEITERUNG
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Original-Host $host;
|
proxy_set_header X-Original-Host $host;
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
proxy_set_header X-Forwarded-Host $host;
|
||||||
|
|
||||||
|
proxy_intercept_errors on;
|
||||||
|
error_page 502 503 504 = @fallback; # <-- Fallback
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user