# Error log at "info": records connection/upstream details, not only failures.
error_log /var/log/nginx/error.log info;

# $connection_upgrade is the value proxied as the Connection header on the
# upstream hop: a request without an Upgrade header maps to "close", any
# request that carries one maps to "upgrade" (WebSocket pass-through).
map $http_upgrade $connection_upgrade {
    ""      close;
    default upgrade;
}
# ------------------------------------------------------------
# Default HTTP -> HTTPS redirect
# ------------------------------------------------------------
server {
    server_name _;
    listen 80 default_server;

    # Everything that is not an ACME challenge is bounced to TLS. The target
    # is built from the host name of the incoming request, so a request with a
    # foreign Host value is redirected to that foreign name rather than to a
    # fixed origin.
    location / {
        return 301 https://$host$request_uri;
    }

    # HTTP-01 challenge files written by certbot must stay reachable on port 80.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}
# ------------------------------------------------------------
# #***# DEFAULT 443 SERVER (NEU)
# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt"
# ------------------------------------------------------------
server {
    server_name _;
    listen 443 ssl http2 default_server;

    # A certificate is still needed to complete the handshake for names that
    # match no other vhost; the portal certificate is reused for that purpose.
    ssl_certificate     /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # 444 is nginx-specific: close the connection without sending any response,
    # so unknown or missing host names never reach one of the named vhosts below.
    return 444;
}
# ------------------------------------------------------------
# UI (portal) - nur für server.schooltech.ch
# ------------------------------------------------------------
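server {
    listen 443 ssl http2;
    server_name server.schooltech.ch;

    ssl_certificate     /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Static portal UI; paths that do not exist on disk fall back to index.html
    # so client-side routing keeps working.
    root  /usr/share/nginx/html;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    # Public API is forwarded to the auth service. Client address and original
    # host/scheme are passed on so the service can log and build URLs correctly.
    location /api/ {
        proxy_pass http://appServer_Auth:3000/api/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # auth_request target. An auth_request subrequest is resolved inside the
    # server block that issues it, which is why every vhost in this file carries
    # its own copy of this location; this copy is not reachable from the other
    # vhosts. No location in this vhost issues auth_request at the moment, so it
    # is only a template until one is added here.
    location = /nginxauth {
        internal;
        proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH: proxy_pass (important)

        # auth_request subrequests do not forward the request body, but they do
        # inherit the parent request's headers. Without these two lines a POST
        # with a body hands its Content-Length to the auth service, which then
        # waits for a body that never arrives (request hangs until timeout).
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # What the auth service decides on: the session cookie plus the URI and
        # host of the request being gated.
        proxy_set_header Cookie           $http_cookie; #***# AUTH: forward cookie
        proxy_set_header X-Original-URI   $request_uri;
        proxy_set_header X-Original-Host  $host;
        proxy_set_header X-Forwarded-Host $host;
    }

    # HSTS for the portal and all subdomains. add_header is inherited only by a
    # location that declares no add_header of its own, which holds for every
    # location above.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}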
# ------------------------------------------------------------
# abc.server.schooltech.ch - Controller on ThinkCentre
# ------------------------------------------------------------
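server {
    listen 443 ssl http2;
    server_name abc.server.schooltech.ch;

    ssl_certificate     /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # ---- Static assets: no auth, so the browser can fetch .js/.css ----
    # NOTE(review): the match is on the URL suffix only, so any path ending in
    # one of these extensions bypasses auth_request, not just asset directories.
    location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
        proxy_pass https://appRobot_Control:10010;
        proxy_set_header Host              thinkcentre.local;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Deliberately no Connection/Upgrade headers here: plain asset fetches.
    }

    # ---- WebSocket endpoint (/echo) - gated by auth_request ----
    location /echo {
        auth_request /nginxauth;
        proxy_pass https://appRobot_Control:10010/echo;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Upstream TLS: SNI is sent as thinkcentre.local, but the upstream
        # certificate is not verified (proxy_ssl_verify off), so this hop guards
        # against passive observation only, not against a spoofed upstream.
        proxy_ssl_server_name on;
        proxy_ssl_name        thinkcentre.local;
        proxy_ssl_verify      off;
        proxy_set_header Host              thinkcentre.local;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # ---- Main application (HTML, API calls) - gated by auth_request ----
    location / {
        auth_request /nginxauth;
        proxy_pass https://appRobot_Control:10010/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Same unverified upstream TLS as for /echo.
        proxy_ssl_server_name on;
        proxy_ssl_name        thinkcentre.local;
        proxy_ssl_verify      off;
        # Host is pinned to what the upstream expects, not the public name.
        proxy_set_header Host              thinkcentre.local;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Origin            $http_origin;
        # Framing policy: the upstream's own headers are dropped and replaced so
        # the portal can embed this app. "ALLOWALL" is not a defined
        # X-Frame-Options token (browsers ignore unknown values); the effective
        # restriction is the CSP frame-ancestors directive below.
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "ALLOWALL" always;
        proxy_hide_header Content-Security-Policy;
        add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
    }

    # auth_request target for this vhost (subrequests resolve per server block,
    # so the location has to exist here even though the upstream is shared).
    location = /nginxauth {
        internal;
        proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
        # The subrequest has no body but inherits the parent's headers; strip
        # Content-Length so a POST does not leave the auth service waiting for
        # a body that is never sent.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Cookie           $http_cookie; #***# AUTH
        proxy_set_header X-Original-URI   $request_uri;
        proxy_set_header X-Original-Host  $host;
        proxy_set_header X-Forwarded-Host $host;
    }
}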
# ------------------------------------------------------------
# simulation3a29.server.schooltech.ch
# ------------------------------------------------------------
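server {
    listen 443 ssl http2;
    server_name simulation3a29.server.schooltech.ch;

    ssl_certificate     /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # ---- Fallback page when the simulation upstream is unreachable ----
    # Reached via "error_page 502 503 504 = @fallback" in the locations below.
    # The "=" form means the client receives the status this location returns,
    # i.e. 200 with an HTML body, even for XHR/fetch calls that expected JSON.
    # NOTE(review): an auth-service outage is not covered by this fallback;
    # auth_request turns a failed subrequest into a 500, not a 502/503/504.
    location @fallback {
        default_type text/html;
        return 200 '
        <html>
        <head>
        <title>Dienst offline</title>
        </head>
        <body style="font-family:sans-serif;text-align:center;padding-top:10%">
        <h1>Ein Dienst ist momentan nicht erreichbar</h1>
        <p>Bitte Seite neu laden Verbindung wird automatisch erneut versucht.</p>
        </body>
        </html>';
    }

    # ---- Static assets: no auth ----
    # NOTE(review): suffix match only; any path ending in one of these
    # extensions bypasses auth_request.
    location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
        proxy_pass https://appRobot_Simulation:1003;
        # Upstream certificate is not verified on this hop.
        proxy_ssl_verify off;
        proxy_set_header Host              thinkcentre.local;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Deliberately no Connection/Upgrade headers here: plain asset fetches.
        proxy_intercept_errors on;
        error_page 502 503 504 = @fallback;
    }

    # ---- WebSocket endpoint - gated by auth_request ----
    location /echo {
        auth_request /nginxauth;
        proxy_pass https://appRobot_Simulation:1003/echo;
        # SNI is sent as thinkcentre.local; the upstream certificate is not verified.
        proxy_ssl_server_name on;
        proxy_ssl_name        thinkcentre.local;
        proxy_ssl_verify      off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host              thinkcentre.local;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_intercept_errors on;
        error_page 502 503 504 = @fallback;
    }

    # ---- Main application - gated by auth_request ----
    location / {
        auth_request /nginxauth;
        proxy_pass https://appRobot_Simulation:1003/;
        proxy_ssl_server_name on;
        proxy_ssl_name        thinkcentre.local;
        proxy_ssl_verify      off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Host is pinned to what the upstream expects, not the public name.
        proxy_set_header Host              thinkcentre.local;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Origin            $http_origin;
        # Framing policy: upstream headers replaced so the portal can embed the
        # app. "ALLOWALL" is not a defined X-Frame-Options token; the effective
        # restriction is the CSP frame-ancestors directive below.
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "ALLOWALL" always;
        proxy_hide_header Content-Security-Policy;
        add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
        proxy_intercept_errors on;
        error_page 502 503 504 = @fallback;
    }

    # ---- auth_request target for this vhost (subrequests resolve per server block) ----
    location = /nginxauth {
        internal;
        proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
        # The subrequest has no body but inherits the parent's headers; strip
        # Content-Length so a POST does not leave the auth service waiting for
        # a body that is never sent.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Cookie           $http_cookie; #***# AUTH
        proxy_set_header X-Original-URI   $request_uri;
        proxy_set_header X-Original-Host  $host;
        proxy_set_header X-Forwarded-Host $host;
    }
}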
# ------------------------------------------------------------
# xyz.server.schooltech.ch (Guacamole on ThinkCentre)
# ------------------------------------------------------------
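server {
    listen 443 ssl http2;
    server_name xyz.server.schooltech.ch;

    ssl_certificate     /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Guacamole UI and tunnel, gated by auth_request. Upstream hop is plain HTTP
    # inside the container network.
    location / {
        auth_request /nginxauth;
        proxy_pass http://appRobot_guacamole:8080/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Proxy headers (upstream expects thinkcentre.local as Host).
        proxy_set_header Host              thinkcentre.local;
        proxy_set_header Origin            $http_origin;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Allow embedding in an iframe. NOTE(review): "frame-ancestors *" lets
        # any origin frame the remote-desktop session (clickjacking surface);
        # the other vhosts in this file restrict framing to
        # https://server.schooltech.ch - confirm whether "*" is really required.
        # "ALLOWALL" is not a defined X-Frame-Options token; the CSP directive
        # is what browsers apply.
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "ALLOWALL" always;
        proxy_hide_header Content-Security-Policy;
        add_header Content-Security-Policy "frame-ancestors *" always;
    }

    # auth_request target for this vhost (subrequests resolve per server block).
    location = /nginxauth {
        internal;
        proxy_pass http://appServer_Auth:3000/internal/auth; #***# XYZ: proxy_pass as everywhere else
        # The subrequest has no body but inherits the parent's headers; strip
        # Content-Length so a POST does not leave the auth service waiting for
        # a body that is never sent.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Cookie           $http_cookie;
        proxy_set_header X-Original-URI   $request_uri;
        #***# XYZ AUTH HOST: pass the original host on (needed for redirects/checks)
        proxy_set_header X-Original-Host  $host;
        proxy_set_header X-Forwarded-Host $host;
    }
}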
# ------------------------------------------------------------
# portainer.server.schooltech.ch
# ------------------------------------------------------------
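server {
    listen 443 ssl http2;
    server_name portainer.server.schooltech.ch;

    ssl_certificate     /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
    # Same protocol/cipher policy as every other vhost in this file; without an
    # explicit ssl_protocols the vhost falls back to the nginx build default.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        # NOTE(review): the portal auth gate is disabled for this vhost, so the
        # Portainer admin UI is reachable from the internet with only
        # Portainer's own login in front of it. Re-enable once the iframe/API
        # flow works with the cookie check.
        #auth_request /nginxauth;
        proxy_pass http://portainer:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        # $connection_upgrade comes from the map at the top of the file. The
        # previous value, $http_connection_upgrade, is a request-header variable
        # (header "Connection-Upgrade") that no client sends, so it expanded to
        # an empty string and removed the Connection header on the upstream hop.
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Framing policy for embedding in the portal. X-Frame-Options SAMEORIGIN
        # would deny the portal (different origin); browsers that understand
        # CSP frame-ancestors apply the CSP directive instead and ignore XFO.
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
    }

    # auth_request target for this vhost (currently unused while auth_request
    # above is commented out; kept so it can be re-enabled without edits here).
    location = /nginxauth {
        internal;
        proxy_pass http://appServer_Auth:3000/internal/auth; #***# AUTH
        # The subrequest has no body but inherits the parent's headers; strip
        # Content-Length so a POST does not leave the auth service waiting for
        # a body that is never sent.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Cookie           $http_cookie; #***# AUTH
        proxy_set_header X-Original-URI   $request_uri;
        proxy_set_header X-Original-Host  $host;
        proxy_set_header X-Forwarded-Host $host;
    }
}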