diff --git a/.gitignore b/.gitignore
index 0737481..2941737 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 .env
-/data/
\ No newline at end of file
+/data/
+!/data/nginx.conf
+!/data/conf.d/**
\ No newline at end of file
diff --git a/data/conf.d/adminer.conf b/data/conf.d/adminer.conf
new file mode 100644
index 0000000..76b5aae
--- /dev/null
+++ b/data/conf.d/adminer.conf
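Review bot: The two negations added here cannot take effect as written, because `/data/` on the line above excludes the directory itself and git does not descend into an excluded directory to re-include files beneath it (the gitignore documentation states a file cannot be re-included if a parent directory is excluded); the conf.d files in this commit were presumably staged with `git add -f`, and new files added there later will not be picked up by a plain `git add`. Replace the directory rule with a rule on its contents so the negations work: `/data/*`, `!/data/nginx.conf`, `!/data/conf.d/`. Re-including the whole `conf.d` directory also tracks any non-config file later dropped there (htpasswd files, key material), so keep such material out of it or add a further exclusion for it.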
@@ -0,0 +1,89 @@
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name adminer.novicelab.io;
+
+ # ACME challenge for Let's Encrypt certificate renewal
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name adminer.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # Trusted certificate for OCSP stapling
+ # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+ # Cloudflare Origin CA certificate for client verification
+ # Cloudflare Origin CA for authenticated origin pulls (optional)
+ # Only enable if you want to restrict to Cloudflare only
+ # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+ # ssl_verify_client on;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ # ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ # OCSP Stapling
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Diffie-Hellman parameter for DHE ciphersuites
+ # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ # Root and index
+ # root /var/www/html;
+ # index index.html index.htm;
+
+ # include /etc/letsencrypt/options-ssl-nginx.conf;
+ set $adminer_backend adminer:8080;
+
+ location / { #/adminer {
+ # rewrite ^/adminer/(.*)$ /$1 break;
+
+ # proxy_pass http://10.0.0.251:9080/;
+ proxy_pass http://$adminer_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme; #https;
+ #$scheme;
+
+ # Handle redirects (like after login) so they stay under /adminer/
+ # proxy_redirect / /adminer/;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/auth.conf b/data/conf.d/auth.conf
new file mode 100644
index 0000000..5714140
--- /dev/null
+++ b/data/conf.d/auth.conf
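Review bot: `# ssl_protocols TLSv1.2 TLSv1.3;` is commented out in the 443 block of this file only, so this vhost falls back to nginx's compiled-in default protocol set instead of the explicit TLS 1.2/1.3 policy every other new vhost (auth, book, cluster, gitea, …) sets; on nginx releases before 1.23.4 that default still included TLS 1.0 and 1.1. Uncomment it: `ssl_protocols TLSv1.2 TLSv1.3;`. The `Content-Security-Policy` value `default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'` permits any https origin, inline scripts and eval, so it adds no practical protection; the same header is repeated in auth, book, cluster, gitea, harbor, hugo and minio. This vhost also publishes a database administration UI on the public listener with no allow-list or proxy-side authentication (the `ssl_verify_client` lines stay commented), which deserves an explicit decision recorded in a comment.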
@@ -0,0 +1,92 @@
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name auth.novicelab.io;
+
+ # ACME challenge for Let's Encrypt certificate renewal
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name auth.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # Trusted certificate for OCSP stapling
+ # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+ # Cloudflare Origin CA certificate for client verification
+ # Cloudflare Origin CA for authenticated origin pulls (optional)
+ # Only enable if you want to restrict to Cloudflare only
+ # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+ # ssl_verify_client on;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ # OCSP Stapling
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Diffie-Hellman parameter for DHE ciphersuites
+ # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ # Root and index
+ # root /var/www/html;
+ # index index.html index.htm;
+
+ # include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ set $keycloak_backend keycloak:80;
+
+ # client_max_body_size 0;
+ location / {
+ # proxy_pass http://10.0.0.253:8085/auth/;
+ proxy_pass http://$keycloak_backend;
+
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto https; #$scheme;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_http_version 1.1;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/book.conf b/data/conf.d/book.conf
new file mode 100644
index 0000000..cdd5b48
--- /dev/null
+++ b/data/conf.d/book.conf
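Review bot: `location /` forwards every path of the Keycloak instance, so if this deployment serves its admin console and metrics on this hostname they are reachable from the internet with no proxy-side allow-list; if that is not intended, add a `location` for the administrative paths with `allow`/`deny` rules ahead of the catch-all (confirm the exact paths against the Keycloak version in use). `proxy_set_header X-Forwarded-For $remote_addr;` replaces the chain instead of appending to it as the other vhosts do with `$proxy_add_x_forwarded_for`; that is the right choice when nginx is the first proxy, and deserves a comment so it is not "fixed" later: `# nginx is the edge; never trust a client-supplied X-Forwarded-For`. `X-Forwarded-Proto` is hard-coded to `https` while `X-Forwarded-Scheme` uses `$scheme`; both are https on an ssl-only listener, so `$scheme` for both keeps the pair consistent.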
@@ -0,0 +1,89 @@
+# # Redirect HTTP to HTTPS
+# server {
+# listen 80;
+# listen [::]:80;
+# server_name book.novicelab.io;
+
+# # ACME challenge for Let's Encrypt certificate renewal
+# location /.well-known/acme-challenge/ {
+# root /var/www/certbot;
+# }
+
+# location / {
+# return 301 https://$server_name$request_uri;
+# }
+# }
+
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name book.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # Trusted certificate for OCSP stapling
+ # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+ # Cloudflare Origin CA certificate for client verification
+ # Cloudflare Origin CA for authenticated origin pulls (optional)
+ # Only enable if you want to restrict to Cloudflare only
+ # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+ # ssl_verify_client on;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ # OCSP Stapling
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Diffie-Hellman parameter for DHE ciphersuites
+ # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ # Root and index
+ # root /var/www/html;
+ # index index.html index.htm;
+
+ # include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ set $bookstack_backend bookstack:80;
+
+ # client_max_body_size 0;
+ # BookStack (/docs)
+ location / {
+ # rewrite ^/docs/(.*) /$1 break;
+ # proxy_pass http://$bookstack_backend;
+ proxy_pass http://10.0.0.251:6875/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https; #$scheme;
+
+ # proxy_redirect / /docs/;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/cluster.conf b/data/conf.d/cluster.conf
new file mode 100644
index 0000000..77add02
--- /dev/null
+++ b/data/conf.d/cluster.conf
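Review bot: The port-80 server block at the top of this file is entirely commented out, so plain-HTTP requests for `book.novicelab.io` are not redirected to HTTPS and land on whichever server block nginx treats as default on port 80, and the ACME challenge location disappears with it, which matters if the shared certificate is renewed over HTTP-01 on this name. Either uncomment the block or add a comment stating why this host has no HTTP listener. `set $bookstack_backend bookstack:80;` is defined but `proxy_pass` targets the literal `http://10.0.0.251:6875/`; drop one or the other so the intended upstream is unambiguous.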
@@ -0,0 +1,65 @@
+upstream haproxy_backend {
+ server 10.0.0.20:80;
+ keepalive 32;
+ keepalive_timeout 60s;
+ keepalive_requests 100;
+}
+
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name *.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ location / {
+ proxy_pass http://10.0.0.20:80; # Assuming HAProxy is on port 8080
+ # proxy_pass http://haproxy_backend;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Performance optimizations
+ proxy_buffering off;
+ proxy_request_buffering off;
+ # Timeouts
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+
+ client_max_body_size 0;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/collabora.conf b/data/conf.d/collabora.conf
new file mode 100644
index 0000000..5dac65f
--- /dev/null
+++ b/data/conf.d/collabora.conf
@@ -0,0 +1,44 @@
+server {
+ listen 80;
+ server_name collabora.novicelab.io;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl; # http2;
+ server_name collabora.novicelab.io;
+
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_session_cache shared:SSL:10m;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # set $opencloud_backend 10.0.0.251:9980;
+
+
+ location / {
+ proxy_pass http://10.0.0.251:9980;
+ #proxy_pass http://$opencloud_backend/;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ location ~ ^/cool/(.*)/ws$ {
+ proxy_pass http://10.0.0.251:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/couch.conf b/data/conf.d/couch.conf
new file mode 100644
index 0000000..3e40bab
--- /dev/null
+++ b/data/conf.d/couch.conf
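Review bot: `upstream haproxy_backend` with its keepalive settings is dead configuration because `proxy_pass http://10.0.0.20:80;` bypasses it, so `proxy_http_version 1.1` plus `proxy_set_header Connection "";` do not yield upstream keepalive as the block intends; either use `proxy_pass http://haproxy_backend;` or remove the upstream. The trailing comment `# Assuming HAProxy is on port 8080` contradicts the `:80` on the same line. `server_name *.novicelab.io` is a wildcard, so every subdomain without its own vhost, including typos and names never meant to be public, is proxied to HAProxy with `client_max_body_size 0` and 300s timeouts; consider whether an explicit `default_server` that returns 444 for unknown names is the safer fallback.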
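Review bot: The WebSocket location `~ ^/cool/(.*)/ws$` sets `Upgrade` and `Connection` but not `proxy_http_version 1.1;`, and nginx speaks HTTP/1.0 to upstreams by default, so the protocol switch the nginx WebSocket proxying documentation describes will not be passed through; add `proxy_http_version 1.1;` beside the two headers, as the other vhosts that proxy WebSockets already do. That location also omits the `X-Forwarded-*` headers `location /` sets. This file, together with couch, drone and mailcow, uses the default-strength `ssl_ciphers HIGH:!aNULL:!MD5` and `add_header` without `always`, diverging from the curated cipher list and `always`-flagged headers in the rest of the set; `always` matters because without it the security headers are omitted from 4xx/5xx responses.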
@@ -0,0 +1,92 @@
+server {
+ listen 80;
+ server_name couch.novicelab.io;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl; # http2;
+ server_name couch.novicelab.io;
+
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_session_cache shared:SSL:10m;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ set $couch_backend 10.0.0.251:5984;
+
+ # # Block access to _utils (Fauxton) in production
+ # location /_utils {
+ # deny all;
+ # return 403;
+ # }
+
+ # # Block _config endpoint externally
+ # location /_config {
+ # deny all;
+ # return 403;
+ # }
+
+ # # Block _node endpoint externally
+ # location /_node {
+ # # deny all;
+ # # return 403;
+ # proxy_pass http://$couch_backend/_node;
+ # proxy_redirect off;
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+
+ # # Timeouts
+ # proxy_connect_timeout 10s;
+ # proxy_read_timeout 60s;
+ # }
+
+ location / {
+ # Handle CORS preflight without hitting CouchDB auth
+ if ($request_method = OPTIONS) {
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "GET, PUT, POST, HEAD, DELETE, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "accept, authorization, content-type, origin, referer, x-csrf-token" always;
+ add_header Access-Control-Allow-Credentials "true" always;
+ add_header Access-Control-Max-Age 3600;
+ add_header Content-Length 0;
+ add_header Content-Type text/plain;
+ return 204;
+ }
+
+ # Pass all other requests to CouchDB
+ # proxy_pass http://127.0.0.1:5984;
+ proxy_pass http://$couch_backend/;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_method $request_method;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Forward CORS headers from CouchDB responses too
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Credentials "true" always;
+
+ proxy_connect_timeout 10s;
+ proxy_read_timeout 60s;
+
+ # Headers for WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/drone.conf b/data/conf.d/drone.conf
new file mode 100644
index 0000000..1111099
--- /dev/null
+++ b/data/conf.d/drone.conf
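Review bot: Both `add_header Access-Control-Allow-Origin $http_origin always;` lines (in the OPTIONS branch and on the proxied responses) reflect whatever Origin the browser sends, and each is paired with `Access-Control-Allow-Credentials "true"`, so any website can make cookie-authenticated cross-origin requests to this CouchDB and read the responses; reflecting the Origin with credentials is the functional equivalent of a wildcard and removes the same-origin protection the database relies on. Restrict the reflected value to an allow-list with a `map` at the top of the file and reference the mapped variable in both places, as below. Separately, the commented-out `_utils`, `_config` and `_node` blocks mean those administrative endpoints remain reachable through `location /`; if blocking them was the intent, re-enable the `deny all` locations.
```nginx
# Allow-list of origins permitted to make credentialed requests; any other
# Origin gets an empty header and the browser blocks the response.
map $http_origin $cors_origin {
    default "";
    "https://ALLOWED-ORIGIN-PLACEHOLDER" $http_origin;
}
# … unchanged: port-80 redirect, TLS settings, commented-out admin blocks …
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $cors_origin always;
            # … unchanged: remaining preflight headers and return 204 …
        }
        # … unchanged: proxy_pass and proxy_set_header lines …
        add_header Access-Control-Allow-Origin $cors_origin always;
```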
@@ -0,0 +1,68 @@
+server {
+ listen 80;
+ server_name drone.novicelab.io;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl; # http2;
+ server_name drone.novicelab.io;
+
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_session_cache shared:SSL:10m;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # set $couch_backend 10.0.0.251:9001;
+ set $drone_backend drone:80;
+ set $drone_runner_backend drone-runner-1:3000;
+
+ location / {
+ proxy_pass http://$drone_backend;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket support for real-time updates
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+ }
+
+ # location /runner-1 {
+ # proxy_pass http://$drone_runner_backend;
+ # proxy_set_header Host $http_host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+
+ # # WebSocket support for real-time updates
+ # proxy_http_version 1.1;
+ # proxy_set_header Upgrade $http_upgrade;
+ # proxy_set_header Connection "upgrade";
+
+ # # Timeouts
+ # proxy_connect_timeout 300;
+ # proxy_send_timeout 300;
+ # proxy_read_timeout 300;
+ # send_timeout 300;
+ # }
+
+}
\ No newline at end of file
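Review bot: `proxy_set_header Connection "upgrade";` in `location /` is applied to every request, not only to those carrying an `Upgrade` header, so ordinary HTTP/1.1 requests reach the backend with `Connection: upgrade` and an empty `Upgrade`; the documented pattern is `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context and `proxy_set_header Connection $connection_upgrade;` in the location, and the same applies to the WebSocket blocks in couch, gitea, harbor and minio. `set $drone_runner_backend drone-runner-1:3000;` is only referenced from the commented-out `/runner-1` location, so it is dead configuration; remove it or move it into the commented block it belongs to.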
diff --git a/data/conf.d/gitea.conf b/data/conf.d/gitea.conf
new file mode 100644
index 0000000..d4b09a6
--- /dev/null
+++ b/data/conf.d/gitea.conf
@@ -0,0 +1,58 @@
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name gitea.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ set $gitea_backend gitea:3000;
+
+ location / {
+ proxy_pass http://$gitea_backend;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket support for real-time updates
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+ }
+
+}
\ No newline at end of file
diff --git a/data/conf.d/harbor.conf b/data/conf.d/harbor.conf
new file mode 100644
index 0000000..02c0c69
--- /dev/null
+++ b/data/conf.d/harbor.conf
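Review bot: This vhost has no port-80 server block, so plain-HTTP requests for `gitea.novicelab.io` are not redirected to HTTPS and fall through to whichever server nginx treats as default on port 80; the same applies to harbor.conf and cluster.conf (and to the commented-out block in book.conf), while adminer, auth, couch, drone and hugo do redirect. Adding the same `listen 80; server_name gitea.novicelab.io; return 301 https://$host$request_uri;` block the other files use keeps behaviour uniform. The `preload` token in `Strict-Transport-Security` is only acted on once the registrable domain is submitted to the preload list; it is harmless here but is a public commitment for every subdomain, so a comment recording that decision would help.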
@@ -0,0 +1,98 @@
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name harbor.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ set $harbor_backend 10.0.0.251:9090;
+
+ client_max_body_size 0;
+
+ # Disable absolute redirects which often cause 301 loops
+ absolute_redirect off;
+
+ # Docker registry specific headers
+ chunked_transfer_encoding on;
+
+ location / {
+ proxy_pass http://$harbor_backend;
+ proxy_set_header Host $http_host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket support for real-time updates
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ client_max_body_size 0;
+
+ # Timeouts
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+
+ proxy_set_header Authorization $http_authorization;
+ proxy_pass_header Authorization;
+
+ # Performance optimizations
+ proxy_request_buffering off;
+
+ proxy_buffering off;
+ proxy_set_header Referer $http_referer;
+ proxy_redirect off;
+
+ proxy_set_header Cookie $http_cookie;
+
+
+ # Optional: Increase buffers for large tokens/cookies
+ proxy_busy_buffers_size 512k;
+ proxy_buffers 4 512k;
+ proxy_buffer_size 256k;
+ }
+
+ location /v2/ {
+ # Do not allow Nginx to add/remove trailing slashes here
+ proxy_pass http://$harbor_backend;
+
+ proxy_set_header Host $http_host; # Important for Registry
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Increase body size for image uploads
+ client_max_body_size 0;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/hugo.conf b/data/conf.d/hugo.conf
new file mode 100644
index 0000000..6481d93
--- /dev/null
+++ b/data/conf.d/hugo.conf
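Review bot: In `location /` the `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` lines are commented out while `location /v2/` sets them, so UI and API requests reach Harbor without the client address (its audit log and any rate limiting see only the proxy) and without the scheme it needs to build https redirect URLs; uncomment the three lines so both locations forward the same headers. `proxy_set_header Authorization $http_authorization;` and `proxy_set_header Cookie $http_cookie;` are redundant because nginx forwards request headers it does not rewrite, and `proxy_pass_header Authorization;` controls response headers sent back to the client, so none of the three does what their placement suggests; they can be dropped. `proxy_set_header Connection "upgrade"` on every request has the same issue raised on drone.conf.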
@@ -0,0 +1,95 @@
+# # Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name novicelab.io www.novicelab.io;
+
+ # ACME challenge for Let's Encrypt certificate renewal
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name novicelab.io www.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # Trusted certificate for OCSP stapling
+ # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+ # Cloudflare Origin CA certificate for client verification
+ # Cloudflare Origin CA for authenticated origin pulls (optional)
+ # Only enable if you want to restrict to Cloudflare only
+ # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+ # ssl_verify_client on;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL: 10m;
+ ssl_session_tickets off;
+
+ # OCSP Stapling
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Diffie-Hellman parameter for DHE ciphersuites
+ # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ # Root and index
+ # root /var/www/html;
+ # index index.html index.htm;
+
+ # Only allow traffic from Cloudflare IPs (optional but recommended)
+ # include /etc/nginx/cloudflare-ips.conf;
+
+ # include /etc/letsencrypt/options-ssl-nginx.conf;
+ set $hugo_backend hugo:1313;
+
+ location / {
+ # proxy_pass http://10.0.0.251:9200/;
+ proxy_pass http://$hugo_backend;
+
+ proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Real-IP $http_cf_connecting_ip;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https; # $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+
+ proxy_buffering off;
+ proxy_set_header Referer $http_referer;
+ proxy_redirect off;
+
+ proxy_set_header Cookie $http_cookie;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/kenvip.conf b/data/conf.d/kenvip.conf
new file mode 100644
index 0000000..e69de29
diff --git a/data/conf.d/mailcow.conf b/data/conf.d/mailcow.conf
new file mode 100644
index 0000000..4f22b2e
--- /dev/null
+++ b/data/conf.d/mailcow.conf
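Review bot: `proxy_set_header X-Real-IP $http_cf_connecting_ip;` copies a client-controlled request header into X-Real-IP without any check that the connection actually arrived via Cloudflare — the `include /etc/nginx/cloudflare-ips.conf;` that would restrict this is commented out a few lines above — so anyone who reaches the origin directly can set an arbitrary `CF-Connecting-IP` and have the backend log or trust a spoofed address. Either revert to `proxy_set_header X-Real-IP $remote_addr;`, or derive the address with the realip module limited to Cloudflare's ranges (`set_real_ip_from <CLOUDFLARE-RANGE>;` per range plus `real_ip_header CF-Connecting-IP;`), after which `$remote_addr` already holds the client address and the other vhosts' `X-Real-IP $remote_addr` line applies here too. The port-80 redirect uses `$server_name`, which resolves to the first listed name (`novicelab.io`), so `www.novicelab.io` is redirected to the apex; fine if intended, otherwise use `$host`.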
@@ -0,0 +1,51 @@
+server {
+ listen 80;
+ server_name mailcow.novicelab.io;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name mailcow.novicelab.io;
+
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_timeout 1d;
+ # ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
+ # An example config is given below
+ ssl_protocols TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
+ ssl_prefer_server_ciphers off;
+
+ location /Microsoft-Server-ActiveSync {
+ proxy_pass https://10.0.0.251:7443/Microsoft-Server-ActiveSync;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 75;
+ proxy_send_timeout 3650;
+ proxy_read_timeout 3650;
+ # proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
+ client_body_buffer_size 512k;
+ client_max_body_size 0;
+ }
+
+ location / {
+ proxy_pass https://10.0.0.251:7443/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ client_max_body_size 0;
+ # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
+ # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
+ # proxy_buffer_size 128k;
+ proxy_buffers 64 512k;
+ proxy_busy_buffers_size 512k;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/minio.conf b/data/conf.d/minio.conf
new file mode 100644
index 0000000..1d84c49
--- /dev/null
+++ b/data/conf.d/minio.conf
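Review bot: `ssl_protocols` appears twice in the 443 block, first as `TLSv1.2 TLSv1.3` and then as `TLSv1.2` under the Mozilla-config comment; `ssl_protocols` is a bitmask directive, so as far as I know the second line merges with the first (nginx only warns about the duplicate value) rather than narrowing it, and a reader cannot tell which policy was intended — keep a single `ssl_protocols TLSv1.2 TLSv1.3;`. Both `proxy_pass https://10.0.0.251:7443/...` targets speak TLS to the backend with nginx's default `proxy_ssl_verify off`, so the upstream certificate is never validated; if the mailcow host presents a certificate nginx can trust, add `proxy_ssl_verify on; proxy_ssl_trusted_certificate <CA-BUNDLE-PATH>; proxy_ssl_name mailcow.novicelab.io;`, otherwise record in a comment that the internal hop is deliberately unverified. This vhost also omits the security headers and the `listen [::]:443` line the other files carry.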
@@ -0,0 +1,135 @@
+server {
+ listen 80;
+ server_name minio.novicelab.io;
+ return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
+}
+
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name minio.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ # # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ # resolver 127.0.0.11 valid=30s;
+ set $minio_backend minio:9001;
+
+ # if ($http_x_forwarded_proto != "https") {
+ # return 301 https://$host$request_uri;
+ # }
+
+ location / {
+ proxy_pass http://$minio_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme; #https;
+ # proxy_set_header X-NginX-Proxy true;
+
+ # WebSocket support for real-time updates
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+
+ client_max_body_size 0;
+ }
+}
+
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name s3.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ # resolver 127.0.0.11 valid=30s;
+ set $s3_backend minio:9000;
+
+ location / {
+ proxy_pass http://$s3_backend;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket support for real-time updates
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+ }
+
+}
\ No newline at end of file
diff --git a/data/conf.d/mkdocs.conf b/data/conf.d/mkdocs.conf
new file mode 100644
index 0000000..f18865c
--- /dev/null
+++ b/data/conf.d/mkdocs.conf
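Review bot: The `s3.novicelab.io` server block never sets `client_max_body_size`, so it runs with nginx's 1m default and any S3 PUT larger than that is rejected with 413 before it reaches MinIO, whereas the console block above sets `client_max_body_size 0;` inside its location; add the same line to the S3 `location /` (or once at server level). The port-80 redirect server only names `minio.novicelab.io`, so plain-HTTP requests for `s3.novicelab.io` are not redirected. Both blocks also carry the permissive CSP raised on adminer.conf and the unconditional `Connection "upgrade"` raised on drone.conf.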
@@ -0,0 +1,91 @@ +# # # Redirect HTTP to HTTPS +# # server { +# # listen 80; +# # listen [::]:80; +# # server_name novicelab.io; + +# # # ACME challenge for Let's Encrypt certificate renewal +# # location /.well-known/acme-challenge/ { +# # root /var/www/certbot; +# # } + +# # location / { +# # return 301 https://$server_name$request_uri; +# # } +# # } + +# server { +# listen 443 ssl; #http2; +# listen [::]:443 ssl; # http2; +# server_name novicelab.io; + +# # SSL Certificate paths +# ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; +# ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + +# # Trusted certificate for OCSP stapling +# # ssl_trusted_certificate /etc/nginx/ssl/chain.pem; + +# # Cloudflare Origin CA certificate for client verification +# # Cloudflare Origin CA for authenticated origin pulls (optional) +# # Only enable if you want to restrict to Cloudflare only +# # ssl_client_certificate /etc/nginx/ssl/client-cert.pem; +# # ssl_verify_client on; + +# # SSL Protocol - TLS 1.2 and 1.3 only +# ssl_protocols TLSv1.2 TLSv1.3; + +# # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback) +# ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; +# ssl_prefer_server_ciphers off; + +# # SSL session configuration +# ssl_session_timeout 1d; +# ssl_session_cache shared:SSL:10m; +# ssl_session_tickets off; + +# # OCSP Stapling +# # ssl_stapling on; +# # ssl_stapling_verify on; +# resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; +# resolver_timeout 5s; + +# # Security Headers +# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; +# add_header X-Frame-Options "SAMEORIGIN" always; +# add_header X-Content-Type-Options "nosniff" always; +# add_header X-XSS-Protection "1; mode=block" always; +# add_header 
Referrer-Policy "strict-origin-when-cross-origin" always; +# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + +# # Diffie-Hellman parameter for DHE ciphersuites +# # ssl_dhparam /etc/nginx/ssl/dhparam.pem; + +# # Logging +# access_log /var/log/nginx/example.com_access.log; +# error_log /var/log/nginx/example.com_error.log; + +# # Root and index +# # root /var/www/html; +# # index index.html index.htm; + +# # include /etc/letsencrypt/options-ssl-nginx.conf; +# set $mkdocs_backend mkdocs:8000; + +# location / { +# # proxy_pass http://10.0.0.251:9200/; +# proxy_pass http://$mkdocs_backend; + +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Proto https; # $scheme; +# proxy_set_header X-Forwarded-Host $host; + +# proxy_buffering off; +# proxy_set_header Referer $http_referer; +# proxy_redirect off; + +# proxy_set_header Cookie $http_cookie; +# } +# } \ No newline at end of file diff --git a/data/conf.d/opencloud.conf b/data/conf.d/opencloud.conf new file mode 100644 index 0000000..5341b4f --- /dev/null +++ b/data/conf.d/opencloud.conf 
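Review bot: Every line of the new mkdocs.conf is commented out, so the file is a no-op once `include /etc/nginx/conf.d/*.conf;` picks it up, and the new `.gitignore` exception now tracks 91 lines of dead configuration. If the mkdocs vhost is retired, delete the file (or keep it outside conf.d); if it is only parked, a one-line header such as `# DISABLED: mkdocs vhost kept for reference, not served` makes the intent explicit to the next reader. Should it be re-enabled, the hard-coded `proxy_set_header X-Forwarded-Proto https;` and the `example.com_*.log` log names would need the same review as the live vhosts.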
@@ -0,0 +1,59 @@
+server {
+ listen 80;
+ server_name opencloud.novicelab.io;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl; # http2;
+ server_name opencloud.novicelab.io;
+
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_session_cache shared:SSL:10m;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ client_max_body_size 10M;
+
+ # Disable buffering - essential for SSE
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ # Extend timeouts for long connections
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+ keepalive_requests 100000;
+ keepalive_timeout 5m;
+ http2_max_concurrent_streams 512;
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # set $opencloud_backend 10.0.0.251:9200;
+ # Prevent nginx from trying other upstreams
+ proxy_next_upstream off;
+
+
+ location / {
+ # Pass all other requests to CouchDB
+ proxy_pass http://10.0.0.251:9200;
+ #proxy_pass http://$opencloud_backend/;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Headers for WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/plane.conf b/data/conf.d/plane.conf
new file mode 100644
index 0000000..5aae9fd
--- /dev/null
+++ b/data/conf.d/plane.conf
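Review bot: `ssl_ciphers HIGH:!aNULL:!MD5;` still admits static-RSA key exchange and CBC suites, so this vhost lacks the forward-secrecy-only AEAD list the other server files use; the same string appears in wopi.conf and in the http block of nginx.conf. Reusing the ECDHE/DHE list from plane.conf here keeps the TLS posture consistent across vhosts. Three of the four `add_header` lines also omit `always`, so X-Frame-Options, X-Content-Type-Options and X-XSS-Protection are not sent on 4xx/5xx responses (nginx adds them only to 2xx/3xx by default); `add_header X-Frame-Options DENY always;` and the same suffix on the other two closes that gap, in wopi.conf too. The comment `# Pass all other requests to CouchDB` above `proxy_pass http://10.0.0.251:9200;` appears to be a leftover and should name the OpenCloud upstream it actually fronts.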
@@ -0,0 +1,182 @@ +server { + if ($host = plane.novicelab.io) { + return 301 https://$host$request_uri; + } + + # listen 80; + # server_name plane.novicelab.io; + # return 404; +} +server { + listen 443 ssl; #http2; + listen [::]:443 ssl; # http2; + server_name plane.novicelab.io; + + # SSL Certificate paths + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + + # SSL Protocol - TLS 1.2 and 1.3 only + ssl_protocols TLSv1.2 TLSv1.3; + + # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback) + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers off; + + # SSL session configuration + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + + resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; + resolver_timeout 5s; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + + # Logging + access_log /var/log/nginx/example.com_access.log; + error_log /var/log/nginx/example.com_error.log; + + # resolver 127.0.0.11 valid=30s; + # set $plane_backend 10.0.0.251:9020; + set $backend_web plane-web:3000; + set $backend_space plane-space:3000; + set $backend_admin plane-admin:3000; + set $backend_live plane-live:3000; + set $backend_api plane-api:8000; + set $backend_minio minio:9000; + + + client_max_body_size 0; + # Set the bucket name as a variable for 
the regex location + set $bucket_name "plane"; + + # if ($http_x_forwarded_proto != "https") { + # return 301 https://$host$request_uri; + # } + + # --- Routes --- + + # Spaces + location = /spaces { + return 301 /spaces/; + } + location /spaces/ { + proxy_pass http://$backend_space; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # God-Mode + location = /god-mode { + return 301 /god-mode/; + } + location /god-mode/ { + proxy_pass http://$backend_admin; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # Live + location /live/ { + proxy_pass http://$backend_live; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # API & Auth + location /api/ { + proxy_pass http://$backend_api; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + location /auth/ { + proxy_pass http://$backend_api; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # Minio (Bucket) + # Handles both /bucket and /bucket/* + # location ~ ^/${BUCKET_NAME}(/.*)?$ { + location ~ ^/plane(/.*)?$ { + proxy_pass http://$backend_minio/plane; + # proxy_pass https://s3.novicelab.io/plane; + # location ~ ^/test(/.*)?$ { + # proxy_pass http://$backend_minio/test; + proxy_set_header Host $host; + + # Standard proxy headers + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; + + if ($request_method = 'OPTIONS') { + return 204; + } + + client_max_body_size 0; + # proxy_pass https://s3.novicelab.io/plane; + } + # location ~* ^/(?.+)(?/.*)?$ { + # # Check if the first part of the URI matches our bucket variable + # if ($bucket = $bucket_name) { + # proxy_pass http://$backend_minio; + # break; + # } + + # # Fallback to the main web app if the path isn't the bucket + # set $upstream_web "web:3000"; + # proxy_pass http://$upstream_web; + # } + + # Web (Default catch-all) + location / { + proxy_pass http://$backend_web; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # location / { + # # proxy_pass http://10.0.0.251:9020; + # proxy_pass http://$plane_backend; + # # Set headers for proxied request + # proxy_set_header X-Forwarded-Proto $scheme; + # proxy_set_header X-Forwarded-Host $host; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Real-IP $remote_addr; + + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "upgrade"; + # proxy_set_header Host $http_host; + # proxy_http_version 1.1; + # } +} \ No newline at end of file diff --git a/data/conf.d/s3.conf b/data/conf.d/s3.conf new file mode 100644 index 0000000..e69de29 diff --git a/data/conf.d/tre.conf b/data/conf.d/tre.conf new file mode 100644 index 0000000..bfef2bf --- /dev/null +++ b/data/conf.d/tre.conf 
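Review bot: `proxy_pass http://$backend_minio/plane;` inside `location ~ ^/plane(/.*)?$` sends the literal URI `/plane` to MinIO for every request, because when proxy_pass contains variables the URI given in the directive replaces the client's request URI instead of being substituted for the matched prefix; `proxy_pass http://$backend_minio;` (no URI part) forwards the original `/plane/<object>` path. The `add_header 'Access-Control-Allow-*'` lines in that same location also suppress the server-level HSTS, X-Frame-Options and other security headers for bucket responses, since add_header is inherited only when the current level defines none, so the server-level headers need repeating there (or moving into an include both levels use). `resolver 127.0.0.11 8.8.8.8 8.8.4.4` is queried round-robin, so lookups for `plane-web`, `minio` and the other container names will intermittently go to Google DNS, fail, and disclose internal hostnames; `resolver 127.0.0.11 valid=30s;` alone is what these variable-based upstreams need, and umami.conf carries the same list. The first `server {}` block has no `listen`/`server_name` and its `return 404` is commented out, so as far as this commit shows plain-HTTP requests for plane.novicelab.io land on whichever server is default on port 80 (adminer.conf, first alphabetically, whose redirect targets `https://$server_name`, i.e. the adminer host) rather than on this block; restoring `listen 80;` and `server_name plane.novicelab.io;` with a plain `return 301 https://$host$request_uri;` fixes the redirect. Finally, every vhost in this commit (also tre.conf, umami.conf, vault.conf) writes to `/var/log/nginx/example.com_*.log`, a template leftover that merges all hosts into one log and hampers per-service triage; name the files per vhost, e.g. `plane_access.log`.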
@@ -0,0 +1,58 @@
+server {
+ # listen 80;
+ # server_name *.novicelab.io;
+ # resolver 127.0.0.11 valid=30s;
+ # set $haproxy_backend haproxy:80;
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name tre.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+
+ location /data-catalog {
+ proxy_pass https://10.0.0.251:8888; # Assuming HAProxy is on port 8080
+ # proxy_pass http://haproxy_backend;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Performance optimizations
+ proxy_buffering off;
+ proxy_request_buffering off;
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/umami.conf b/data/conf.d/umami.conf
new file mode 100644
index 0000000..dc0f241
--- /dev/null
+++ b/data/conf.d/umami.conf
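Review bot: `proxy_pass https://10.0.0.251:8888;` talks TLS to the upstream, but nginx does not verify the upstream certificate unless told to (`proxy_ssl_verify` defaults to off), so this HTTPS hop protects only against passive observation, not against an impersonated backend. If the backend presents a certificate from an internal CA, add `proxy_ssl_verify on; proxy_ssl_trusted_certificate /path/to/internal-ca.pem; proxy_ssl_server_name on; proxy_ssl_name <backend-hostname>;` next to the proxy_pass (path and hostname are placeholders); if the certificate is self-signed and that is accepted risk, a comment saying so is better than silence. The trailing comment `# Assuming HAProxy is on port 8080` disagrees with the `:8888` in the directive and with the commented `# proxy_pass http://haproxy_backend;`, so one of the three should be corrected.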
@@ -0,0 +1,91 @@ +# # Redirect HTTP to HTTPS +server { + listen 80; + listen [::]:80; + server_name umami.novicelab.io; + + # ACME challenge for Let's Encrypt certificate renewal + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$server_name$request_uri; + } +} + +server { + listen 443 ssl; #http2; + listen [::]:443 ssl; # http2; + server_name umami.novicelab.io; + + # SSL Certificate paths + ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem; + + # Trusted certificate for OCSP stapling + # ssl_trusted_certificate /etc/nginx/ssl/chain.pem; + + # Cloudflare Origin CA certificate for client verification + # Cloudflare Origin CA for authenticated origin pulls (optional) + # Only enable if you want to restrict to Cloudflare only + # ssl_client_certificate /etc/nginx/ssl/client-cert.pem; + # ssl_verify_client on; + + # SSL Protocol - TLS 1.2 and 1.3 only + ssl_protocols TLSv1.2 TLSv1.3; + + # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback) + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers off; + + # SSL session configuration + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + + # OCSP Stapling + # ssl_stapling on; + # ssl_stapling_verify on; + resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s; + resolver_timeout 5s; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + 
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; + + # Diffie-Hellman parameter for DHE ciphersuites + # ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + # Logging + access_log /var/log/nginx/example.com_access.log; + error_log /var/log/nginx/example.com_error.log; + + # Root and index + # root /var/www/html; + # index index.html index.htm; + + # include /etc/letsencrypt/options-ssl-nginx.conf; + set $umami_backend umami:3000; + + location / { + # proxy_pass http://10.0.0.251:9200/; + proxy_pass http://$umami_backend; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; # $scheme; + proxy_set_header X-Forwarded-Host $host; + + proxy_buffering off; + proxy_set_header Referer $http_referer; + proxy_redirect off; + + proxy_set_header Cookie $http_cookie; + } +} \ No newline at end of file diff --git a/data/conf.d/vault.conf b/data/conf.d/vault.conf new file mode 100644 index 0000000..6599799 --- /dev/null +++ b/data/conf.d/vault.conf 
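Review bot: `proxy_set_header Cookie $http_cookie;` and `proxy_set_header Referer $http_referer;` in `location /` are redundant: nginx forwards client request headers to the upstream unchanged apart from Host and Connection, so both lines can be dropped without changing what umami receives. `proxy_set_header X-Forwarded-Proto https;` is hard-coded where every other live vhost in the commit uses `$scheme`; the result is identical because this server block only listens on 443, but `$scheme` keeps the files uniform and stays correct if a `listen 80` is added later. The commented `ssl_trusted_certificate`, `ssl_client_certificate`/`ssl_verify_client` and `ssl_stapling` lines copied from adminer.conf read as unfinished work; either enable OCSP stapling (it needs `ssl_trusted_certificate`) or remove the comments so the vhost's intended TLS posture is unambiguous.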
@@ -0,0 +1,58 @@
+server {
+ listen 443 ssl; #http2;
+ listen [::]:443 ssl; # http2;
+ server_name vault.novicelab.io;
+
+ # SSL Certificate paths
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+ # SSL Protocol - TLS 1.2 and 1.3 only
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+ # Logging
+ access_log /var/log/nginx/example.com_access.log;
+ error_log /var/log/nginx/example.com_error.log;
+ set $vault_backend vaultwarden:443;
+
+ location / {
+ # proxy_pass http://$vault_backend;
+ # proxy_pass https://10.0.0.251:8100;
+ proxy_pass http://10.0.0.251:8090;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket support for real-time updates
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+ }
+}
\ No newline at end of file
diff --git a/data/conf.d/wopi.conf b/data/conf.d/wopi.conf
new file mode 100644
index 0000000..8dfee34
--- /dev/null
+++ b/data/conf.d/wopi.conf
@@ -0,0 +1,43 @@
+server {
+ listen 80;
+ server_name wopi.novicelab.io;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl; # http2;
+ server_name wopi.novicelab.io;
+
+ ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_session_cache shared:SSL:10m;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ # set $opencloud_backend 10.0.0.251:9300;
+
+
+ location / {
+ proxy_pass http://10.0.0.251:9300;
+ #proxy_pass http://$opencloud_backend/;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Headers for WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/data/nginx.conf b/data/nginx.conf
new file mode 100644
index 0000000..0e051d7
--- /dev/null
+++ b/data/nginx.conf
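Review bot: `set $vault_backend vaultwarden:443;` is never used, because the active `proxy_pass http://10.0.0.251:8090;` bypasses it; the variable advertises a TLS port on the container while the live hop is plain HTTP to another address, which misleads whoever audits this later, so either drop the `set` or point proxy_pass at it. If 10.0.0.251 is a different host from the nginx container, password-vault traffic (login and vault sync included) crosses that network segment unencrypted; the commented `# proxy_pass https://10.0.0.251:8100;` suggests a TLS upstream exists, and using it together with `proxy_ssl_verify on` would close that gap. Unlike the other vhosts, this file has no port-80 server for vault.novicelab.io, so plain-HTTP requests fall to whichever server is default on port 80 instead of being redirected to HTTPS.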
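Review bot: `# set $opencloud_backend 10.0.0.251:9300;` and `#proxy_pass http://$opencloud_backend/;` are copy-paste leftovers from opencloud.conf that name the wrong service in the WOPI vhost; rename them (`$wopi_backend`) or delete them so the file does not suggest this host fronts OpenCloud. `add_header X-Frame-Options DENY;` may be too strict here: if wopi.novicelab.io is the editor endpoint that OpenCloud embeds in an iframe, browsers will refuse to render it, and `Content-Security-Policy "frame-ancestors https://opencloud.novicelab.io"` would express the intended trust relationship instead; please confirm against the deployment before changing it. The `ssl_ciphers` and missing-`always` points raised on opencloud.conf apply here unchanged.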
@@ -0,0 +1,107 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+ use epoll;
+ multi_accept on;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ keepalive_timeout 65;
+ keepalive_requests 100000;
+
+ variables_hash_max_size 2048;
+ server_names_hash_bucket_size 128;
+ server_tokens off;
+
+ resolver 8.8.8.8 valid=30s ipv6=off;
+ resolver_timeout 11s;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ types_hash_max_size 2048;
+
+ # Important for MinIO
+ client_max_body_size 0;
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ # Increase the buffer for the request line and headers
+ client_header_buffer_size 16k;
+ large_client_header_buffers 4 32k;
+
+ # If using Nginx as a proxy to the Harbor core/registry
+ proxy_buffer_size 16k;
+ proxy_buffers 4 32k;
+ proxy_busy_buffers_size 64k;
+
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+
+ # Add extra headers
+ add_header X-Frame-Options DENY;
+ add_header Content-Security-Policy "frame-ancestors 'none'";
+
+ # SSL Settings
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+
+ # Gzip Settings
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
+
+
+ # Include all server configurations
+ include /etc/nginx/conf.d/*.conf;
+}
+
+# Existing http {} block stays as-is...
+
+# TCP stream proxy for SMTP ports
+# stream {
+
+# upstream mailserver_smtp {
+# server mailserver:25; # docker-mailserver container name
+# }
+
+# upstream mailserver_submission {
+# server mailserver:587;
+# }
+
+# # Port 25 — inbound MTA-to-MTA (if you ever receive external mail)
+# server {
+# listen 25;
+# proxy_pass mailserver_smtp;
+# proxy_timeout 1m;
+# proxy_connect_timeout 10s;
+# }
+
+# # Port 587 — STARTTLS submission (for mail clients or apps)
+# server {
+# listen 587;
+# proxy_pass mailserver_submission;
+# proxy_timeout 1m;
+# proxy_connect_timeout 10s;
+# }
+# }
\ No newline at end of file
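Review bot: The http-level `add_header X-Frame-Options DENY;` and `add_header Content-Security-Policy "frame-ancestors 'none'";` are never emitted by any vhost in this commit, because every server block declares its own `add_header` lines and nginx then ignores the inherited ones entirely; drop them, or move the baseline into a snippet each server includes, so the configuration does not promise a header it never sends. `resolver 8.8.8.8 valid=30s ipv6=off;` at http level routes upstream name resolution to Google DNS for any server that does not override it, which in a Docker deployment fails for container names and discloses them externally; `resolver 127.0.0.11 valid=30s ipv6=off;` is the appropriate default here. `client_max_body_size 0;` (unlimited) applies to every vhost although its comment scopes it to MinIO; setting it in the MinIO location and keeping a bounded global default (e.g. `client_max_body_size 16m;`, a constructed value) limits request-body resource exposure on services that never take large uploads. `ssl_prefer_server_ciphers on;` here contradicts the `off` that every ECDHE-list vhost sets; with TLS 1.3 and an AEAD-only list `off` is the usual choice, so aligning them avoids two TLS postures depending on which file a server was copied from.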