ChK/appServerPortalUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Authentifizierung SubPages überlassen

Browse Source
This commit is contained in:
ChK
2026-02-14 18:53:13 +01:00
parent c41259dffa
commit fd89de5282
1 changed files with 80 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

117
nginx.conf
View File

@@ -56,6 +56,7 @@ server {
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
root /usr/share/nginx/html;
index index.html;
@@ -110,9 +111,27 @@ server {
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
set $serverBackendControl "appRobot_Control:10010";
set $auth_backend "appServer_Auth:3000";
location @fallback {
default_type text/html;
return 200 '
<html>
<head>
<title>Dienst offline</title>
</head>
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
</body>
</html>';
}
# ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ----
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
proxy_pass https://appRobot_Control:10010;
proxy_pass https://$serverBackendControl;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -123,7 +142,7 @@ server {
# ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ----
location /echo {
auth_request /nginxauth;
proxy_pass https://appRobot_Control:10010/echo;
proxy_pass https://$serverBackendControl/echo;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
@@ -143,7 +162,7 @@ server {
location / {
auth_request /nginxauth;
proxy_pass https://appRobot_Control:10010/;
proxy_pass https://$serverBackendControl/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
@@ -169,7 +188,7 @@ server {
# /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet)
location = /nginxauth {
internal;
proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
proxy_pass http://$auth_backend/internal/auth; #***# AUTH
proxy_set_header Cookie $http_cookie; #***# AUTH
#***# AUTH HEADER ERWEITERUNG
@@ -177,6 +196,9 @@ server {
proxy_set_header X-Original-Host $host;
proxy_set_header X-Forwarded-Host $host;
}
proxy_intercept_errors on;
error_page 502 503 504 = @fallback;
}
# ------------------------------------------------------------
@@ -194,21 +216,19 @@ server {
set $serverBackendSimulation "appRobot_Simulation:1003";
set $auth_backend "appServer_Auth:3000";
############# FALLBACK LOCATION (NEU RICHTIGER ORT)
location @fallback {
default_type text/html;
return 200 '
<html>
<head>
<title>Dienst offline</title>
<title>Dienst (Simulation) offline</title>
</head>
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
<p>Bitte Seite neu laden Verbindung wird automatisch erneut versucht.</p>
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
</body>
</html>';
}
#############
# ---- Static assets: keine Auth ----
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp|stl)$ {
@@ -295,7 +315,7 @@ server {
}
# ------------------------------------------------------------
# xyz.server.schooltech.ch (Guacamole on ThinkCentre)
# xyz.server.schooltech.ch (Guacamole )
# ------------------------------------------------------------
server {
listen 443 ssl http2;
@@ -306,41 +326,43 @@ server {
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
auth_request /nginxauth; # Auth prüfen
set $serverBackendGuacamole "appServer_guacamole:8080";
proxy_pass http://appRobot_guacamole:8080/;
location @fallback {
default_type text/html;
return 200 '
<html>
<head>
<title>Dienst (Guacamole) offline</title>
</head>
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
</body>
</html>';
}
location / {
proxy_pass http://$serverBackendGuacamole;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Proxy Header (Upstream erwartet thinkcentre.local)
proxy_set_header Host thinkcentre.local; # bewusst: Upstream Host-Expectation
proxy_set_header Origin $http_origin;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering off;
proxy_request_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
# iFrame erlauben
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "ALLOWALL" always;
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors *" always;
proxy_intercept_errors on;
error_page 502 503 504 = @fallback;
}
location = /nginxauth {
internal;
proxy_pass http://appServer_Auth:3000/internal/auth; #***# XYZ: proxy_pass wie überall
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Original-URI $request_uri;
#***# XYZ AUTH HOST: Original-Host weitergeben (wichtig für Redirects/Checks)
proxy_set_header X-Original-Host $host;
proxy_set_header X-Forwarded-Host $host;
}
}
## ------------------------------------------------------------
@@ -352,11 +374,24 @@ server {
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
#ssl_protocols TLSv1.2 TLSv1.3;
#ssl_prefer_server_ciphers on;
set $auth_backend "appServer_Auth:3000";
location @fallback {
default_type text/html;
return 200 '
<html>
<head>
<title>Dienst (Portainer) offline</title>
</head>
<body style="font-family:sans-serif;text-align:center;padding-top:10%">
<h1>Ein Dienst ist momentan nicht erreichbar</h1>
<p>Bitte Seite neu laden - Verbindung wird automatisch erneut versucht.</p>
</body>
</html>';
}
location / {
#auth_request /nginxauth;
proxy_pass http://portainer:9000;
proxy_http_version 1.1;
@@ -376,16 +411,22 @@ server {
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
proxy_intercept_errors on;
error_page 502 503 504 = @fallback; # <-- Fallback
}
location = /nginxauth {
internal;
proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
proxy_set_header Cookie $http_cookie; #***# AUTH
proxy_pass http://$auth_backend/internal/auth;
proxy_set_header Cookie $http_cookie;
#***# AUTH HEADER ERWEITERUNG
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_intercept_errors on;
error_page 502 503 504 = @fallback; # <-- Fallback
}
}