ChK/appServerPortalUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c41259dffa5651bd186cdf81adec89e0505f9a9c
appServerPortalUI/__nginx.conf__ohne_Portainer_aber_lief
ChK b50911b9b4 läuft lokal, kein Internet
2026-02-13 17:20:58 +01:00

376 lines
13 KiB
Plaintext
Raw Blame History

error_log /var/log/nginx/error.log info;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# ------------------------------------------------------------
# Default HTTP -> HTTPS redirect
# ------------------------------------------------------------
server {
listen 80 default_server;
server_name _;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
# ------------------------------------------------------------
# #***# DEFAULT 443 SERVER (NEU)
# Verhindert, dass der erste 443-vHost andere Subdomains "abfängt"
# ------------------------------------------------------------
server {
listen 443 ssl http2 default_server;
server_name _;
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# Einfach Verbindung schließen für unbekannte Hosts
return 444;
}
# ------------------------------------------------------------
# UI (portal) - nur für server.schooltech.ch
# ------------------------------------------------------------
server {
listen 443 ssl http2;
server_name server.schooltech.ch;
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
root /usr/share/nginx/html;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
# API forwarding to auth (wie vorher) - nur für server.schooltech.ch
location /api/ {
proxy_pass http://appserverauth:3000/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# ------------------------------------------------------------
# Internal auth endpoint for auth_request (used by other server blocks)
# Einheitlicher nginxauth-Block: Host + URI an Auth-Service
# ------------------------------------------------------------
location = /nginxauth {
internal;
proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH: proxy_pass (wichtig)
proxy_set_header Cookie $http_cookie; #***# AUTH: Cookie weitergeben
#***# AUTH HEADER ERWEITERUNG
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Host $host;
proxy_set_header X-Forwarded-Host $host;
}
# Security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
# ------------------------------------------------------------
# abc.server.schooltech.ch - Controller on ThinkCentre
# ------------------------------------------------------------
server {
listen 443 ssl http2;
server_name abc.server.schooltech.ch;
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ----
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
proxy_pass https://thinkcentre.local:10010;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# kein proxy_set_header Connection / Upgrade hier
}
# ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ----
location /echo {
auth_request /nginxauth;
proxy_pass https://thinkcentre.local:10010/echo;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_ssl_server_name on;
proxy_ssl_name thinkcentre.local;
proxy_ssl_verify off;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
# ---- Hauptanwendung (HTML, API-Aufrufe) - auth prüfen ----
location / {
auth_request /nginxauth;
proxy_pass https://thinkcentre.local:10010/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_ssl_server_name on;
proxy_ssl_name thinkcentre.local;
proxy_ssl_verify off;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Origin $http_origin;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "ALLOWALL" always;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
}
# /nginxauth (lokal für diesen vhost, aber internal request wird an auth-service weitergeleitet)
location = /nginxauth {
internal;
proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH
proxy_set_header Cookie $http_cookie; #***# AUTH
#***# AUTH HEADER ERWEITERUNG
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Host $host;
proxy_set_header X-Forwarded-Host $host;
}
}
# ------------------------------------------------------------
# simulation3a29.server.schooltech.ch
# ------------------------------------------------------------
server {
listen 443 ssl http2;
server_name simulation3a29.server.schooltech.ch;
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# ---- Static assets: keine Auth ----
location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
proxy_pass https://thinkcentre.local:1003;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# kein proxy_set_header Connection / Upgrade hier
}
# ---- WebSocket-Endpoint ----
location /echo {
auth_request /nginxauth;
proxy_pass https://thinkcentre.local:1003/echo;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_ssl_server_name on;
proxy_ssl_name thinkcentre.local;
proxy_ssl_verify off;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
# ---- Hauptanwendung ----
location / {
auth_request /nginxauth;
proxy_pass https://thinkcentre.local:1003/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_ssl_server_name on;
proxy_ssl_name thinkcentre.local;
proxy_ssl_verify off;
proxy_set_header Host thinkcentre.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Origin $http_origin;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "ALLOWALL" always;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
}
# ------------------------------------------------------------
# location = /nginxauth (SIMULATION FIX)
# ------------------------------------------------------------
location = /nginxauth {
internal;
proxy_pass http://appserverauth:3000/internal/auth; #***# SIMULATION: fehlende proxy_pass eingefügt
proxy_set_header Cookie $http_cookie; #***# SIMULATION: Cookie weitergeben
#***# AUTH HEADER ERWEITERUNG (nur einmal)
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Host $host;
proxy_set_header X-Forwarded-Host $host;
}
}
# ------------------------------------------------------------
# xyz.server.schooltech.ch (Guacamole on ThinkCentre)
# ------------------------------------------------------------
server {
listen 443 ssl http2;
server_name xyz.server.schooltech.ch;
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
auth_request /nginxauth; # Auth prüfen
proxy_pass http://thinkcentre.local:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Proxy Header (Upstream erwartet thinkcentre.local)
proxy_set_header Host thinkcentre.local; # bewusst: Upstream Host-Expectation
proxy_set_header Origin $http_origin;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# iFrame erlauben
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "ALLOWALL" always;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors *" always;
}
location = /nginxauth {
internal;
proxy_pass http://appserverauth:3000/internal/auth; #***# XYZ: proxy_pass wie überall
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Original-URI $request_uri;
#***# XYZ AUTH HOST: Original-Host weitergeben (wichtig für Redirects/Checks)
proxy_set_header X-Original-Host $host;
proxy_set_header X-Forwarded-Host $host;
}
}
# ------------------------------------------------------------
# portainer.server.schooltech.ch
# ------------------------------------------------------------
server {
listen 443 ssl http2;
server_name portainer.server.schooltech.ch;
ssl_certificate /etc/letsencrypt/live/server.schooltech.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.schooltech.ch/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
#***# PORTAINER: API direkt weiterleiten (kein auth_request)
location ^~ /api/ {
proxy_pass http://127.0.0.1:9000; #***# auf lokalen Portainer HTTP Backend zeigen
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
#***# PORTAINER: statische Assets / locales ebenfalls ohne auth (wichtig für i18n)
location ~* \.(?:js|css|json|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
proxy_pass http://127.0.0.1:9000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ^~ /locales/ {
# explizit für i18n Pfade
proxy_pass http://127.0.0.1:9000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
}
# Haupt-UI: auth_request greift nur hier (UI), nicht für /api/ oder Assets
location / {
auth_request /nginxauth;
proxy_pass http://127.0.0.1:9000/; #***# auf lokales Portainer HTTP Backend zeigen
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
#***# PORTAINER HOST FIX:
proxy_set_header Host $host; #***# PORTAINER HOST
proxy_set_header X-Forwarded-Host $host; #***# PORTAINER HOST
proxy_set_header X-Forwarded-Proto https; #***# PORTAINER HOST
proxy_set_header Origin $http_origin;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "ALLOWALL" always;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors *" always;
}
location = /nginxauth {
internal;
proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH
proxy_set_header Cookie $http_cookie; #***# AUTH
#***# AUTH HEADER ERWEITERUNG
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Host $host;
proxy_set_header X-Forwarded-Host $host;
}
}
Reference in New Issue View Git Blame Copy Permalink