Uningnore and track conf files

2026-03-09 19:42:44 +00:00
parent d01362dd2c
commit 53a37dde34
23 changed files with 1668 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 .env
-/data/
+/data/
 !/data/nginx.conf
 !/data/conf.d/**
--- a/data/conf.d/adminer.conf
+++ b/data/conf.d/adminer.conf
@@ -0,0 +1,89 @@
 # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name adminer.novicelab.io;
    # ACME challenge for Let's Encrypt certificate renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
 }
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name adminer.novicelab.io;
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # Trusted certificate for OCSP stapling
    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    # Cloudflare Origin CA certificate for client verification
    # Cloudflare Origin CA for authenticated origin pulls (optional)
    # Only enable if you want to restrict to Cloudflare only
    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
    # ssl_verify_client on;
    # SSL Protocol - TLS 1.2 and 1.3 only
    # ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # OCSP Stapling
    # ssl_stapling on;
    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Diffie-Hellman parameter for DHE ciphersuites
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    # Root and index
    # root /var/www/html;
    # index index.html index.htm;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    set $adminer_backend adminer:8080; 
    location / { #/adminer {
        # rewrite ^/adminer/(.*)$ /$1 break;
        # proxy_pass http://10.0.0.251:9080/;
        proxy_pass http://$adminer_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme; #https;
        #$scheme;
        # Handle redirects (like after login) so they stay under /adminer/
        # proxy_redirect / /adminer/;
    }
 }
--- a/data/conf.d/auth.conf
+++ b/data/conf.d/auth.conf
@@ -0,0 +1,92 @@
 # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name auth.novicelab.io;
    # ACME challenge for Let's Encrypt certificate renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
 }
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name auth.novicelab.io;
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # Trusted certificate for OCSP stapling
    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    # Cloudflare Origin CA certificate for client verification
    # Cloudflare Origin CA for authenticated origin pulls (optional)
    # Only enable if you want to restrict to Cloudflare only
    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
    # ssl_verify_client on;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # OCSP Stapling
    # ssl_stapling on;
    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Diffie-Hellman parameter for DHE ciphersuites
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    # Root and index
    # root /var/www/html;
    # index index.html index.htm;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    set $keycloak_backend keycloak:80; 
    # client_max_body_size 0;
        location / {
        # proxy_pass http://10.0.0.253:8085/auth/;
        proxy_pass http://$keycloak_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  https; #$scheme;
        proxy_set_header X-Forwarded-For    $remote_addr;
        proxy_set_header X-Real-IP		$remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
    }
 }
--- a/data/conf.d/book.conf
+++ b/data/conf.d/book.conf
@@ -0,0 +1,89 @@
 # # Redirect HTTP to HTTPS
 # server {
 #     listen 80;
 #     listen [::]:80;
 #     server_name book.novicelab.io;
 #     # ACME challenge for Let's Encrypt certificate renewal
 #     location /.well-known/acme-challenge/ {
 #         root /var/www/certbot;
 #     }
 #     location / {
 #         return 301 https://$server_name$request_uri;
 #     }
 # }
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name book.novicelab.io;
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # Trusted certificate for OCSP stapling
    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    # Cloudflare Origin CA certificate for client verification
    # Cloudflare Origin CA for authenticated origin pulls (optional)
    # Only enable if you want to restrict to Cloudflare only
    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
    # ssl_verify_client on;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # OCSP Stapling
    # ssl_stapling on;
    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Diffie-Hellman parameter for DHE ciphersuites
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    # Root and index
    # root /var/www/html;
    # index index.html index.htm;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    set $bookstack_backend bookstack:80;
    # client_max_body_size 0;
    # BookStack (/docs)
    location / {
        # rewrite ^/docs/(.*) /$1 break;
        # proxy_pass http://$bookstack_backend;
        proxy_pass http://10.0.0.251:6875/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; #$scheme;
        # proxy_redirect / /docs/;
    }
 }
--- a/data/conf.d/cluster.conf
+++ b/data/conf.d/cluster.conf
@@ -0,0 +1,65 @@
 upstream haproxy_backend {
    server 10.0.0.20:80;
    keepalive 32;
    keepalive_timeout 60s;
    keepalive_requests 100;
 }
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name *.novicelab.io;
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    location / {
        proxy_pass http://10.0.0.20:80; # Assuming HAProxy is on port 8080
        # proxy_pass http://haproxy_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Performance optimizations
        proxy_buffering off;
        proxy_request_buffering off;
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
        client_max_body_size 0;
    }
 }
--- a/data/conf.d/collabora.conf
+++ b/data/conf.d/collabora.conf
@@ -0,0 +1,44 @@
 server {
    listen 80;
    server_name collabora.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl; # http2;
    server_name collabora.novicelab.io;
    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # set $opencloud_backend 10.0.0.251:9980;
    location / {
        proxy_pass              http://10.0.0.251:9980;
        #proxy_pass         http://$opencloud_backend/;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
    }
    location ~ ^/cool/(.*)/ws$ {
        proxy_pass http://10.0.0.251:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }
 }
--- a/data/conf.d/couch.conf
+++ b/data/conf.d/couch.conf
@@ -0,0 +1,92 @@
 server {
    listen 80;
    server_name couch.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl; # http2;
    server_name couch.novicelab.io;
    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    set $couch_backend 10.0.0.251:5984;
    # # Block access to _utils (Fauxton) in production
    # location /_utils {
    #     deny all;
    #     return 403;
    # }
    # # Block _config endpoint externally
    # location /_config {
    #     deny all;
    #     return 403;
    # }
    # # Block _node endpoint externally
    # location /_node {
    #     # deny all;
    #     # return 403;
    #     proxy_pass         http://$couch_backend/_node; 
    #     proxy_redirect     off;
    #     proxy_set_header   Host $host;
    #     proxy_set_header   X-Real-IP $remote_addr;
    #     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header   X-Forwarded-Proto $scheme;
    #     # Timeouts
    #     proxy_connect_timeout 10s;
    #     proxy_read_timeout    60s;
    # }
    location / {
        # Handle CORS preflight without hitting CouchDB auth
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  $http_origin always;
            add_header Access-Control-Allow-Methods "GET, PUT, POST, HEAD, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers "accept, authorization, content-type, origin, referer, x-csrf-token" always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Max-Age 3600;
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 204;
        }
        # Pass all other requests to CouchDB
        # proxy_pass              http://127.0.0.1:5984;
        proxy_pass         http://$couch_backend/;
        proxy_redirect          off;
        proxy_buffering         off;
        proxy_method            $request_method;  
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # Forward CORS headers from CouchDB responses too
        add_header Access-Control-Allow-Origin      $http_origin always;
        add_header Access-Control-Allow-Credentials "true" always;
        proxy_connect_timeout 10s;
        proxy_read_timeout    60s;
        # Headers for WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
 }
--- a/data/conf.d/drone.conf
+++ b/data/conf.d/drone.conf
@@ -0,0 +1,68 @@
 server {
    listen 80;
    server_name drone.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl; # http2;
    server_name drone.novicelab.io;
    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # set $couch_backend 10.0.0.251:9001;
    set $drone_backend drone:80;
    set $drone_runner_backend drone-runner-1:3000;
    location / {
        proxy_pass http://$drone_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
    }
    # location /runner-1 {
    #     proxy_pass http://$drone_runner_backend;
    #     proxy_set_header Host $http_host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     # WebSocket support for real-time updates
    #     proxy_http_version 1.1;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection "upgrade";
    #     # Timeouts
    #     proxy_connect_timeout 300;
    #     proxy_send_timeout 300;
    #     proxy_read_timeout 300;
    #     send_timeout 300;
    # }
 }
--- a/data/conf.d/gitea.conf
+++ b/data/conf.d/gitea.conf
@@ -0,0 +1,58 @@
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name gitea.novicelab.io;  
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    set $gitea_backend gitea:3000; 
    location / {
        proxy_pass http://$gitea_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
    }
 }
--- a/data/conf.d/harbor.conf
+++ b/data/conf.d/harbor.conf
@@ -0,0 +1,98 @@
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name harbor.novicelab.io;
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    set $harbor_backend 10.0.0.251:9090; 
    client_max_body_size 0;
    # Disable absolute redirects which often cause 301 loops
    absolute_redirect off;
    # Docker registry specific headers
    chunked_transfer_encoding on;
    location / {
        proxy_pass http://$harbor_backend;
        proxy_set_header Host $http_host;
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        client_max_body_size 0;
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
        proxy_set_header Authorization $http_authorization;
        proxy_pass_header Authorization;
        # Performance optimizations
        proxy_request_buffering off;
        proxy_buffering off;
        proxy_set_header Referer $http_referer;
        proxy_redirect off;
        proxy_set_header Cookie $http_cookie;
        # Optional: Increase buffers for large tokens/cookies
        proxy_busy_buffers_size   512k;
        proxy_buffers   4 512k;
        proxy_buffer_size   256k;
    }
    location /v2/ {
        # Do not allow Nginx to add/remove trailing slashes here
        proxy_pass http://$harbor_backend;
        proxy_set_header Host $http_host; # Important for Registry
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Increase body size for image uploads
        client_max_body_size 0; 
    }
 }
--- a/data/conf.d/hugo.conf
+++ b/data/conf.d/hugo.conf
@@ -0,0 +1,95 @@
 # # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name novicelab.io www.novicelab.io; 
    # ACME challenge for Let's Encrypt certificate renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
 }
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name novicelab.io www.novicelab.io;
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # Trusted certificate for OCSP stapling
    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    # Cloudflare Origin CA certificate for client verification
    # Cloudflare Origin CA for authenticated origin pulls (optional)
    # Only enable if you want to restrict to Cloudflare only
    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
    # ssl_verify_client on;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # OCSP Stapling
    # ssl_stapling on;
    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Diffie-Hellman parameter for DHE ciphersuites
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    # Root and index
    # root /var/www/html;
    # index index.html index.htm;
    # Only allow traffic from Cloudflare IPs (optional but recommended)
    # include /etc/nginx/cloudflare-ips.conf;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    set $hugo_backend hugo:1313; 
    location / {
        # proxy_pass http://10.0.0.251:9200/;
        proxy_pass http://$hugo_backend;
        proxy_set_header Host $host;
        # proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header   X-Real-IP $http_cf_connecting_ip;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_buffering off;
        proxy_set_header Referer $http_referer;
        proxy_redirect off;
        proxy_set_header Cookie $http_cookie;
    }
 }
--- a/data/conf.d/kenvip.conf
+++ b/data/conf.d/kenvip.conf
--- a/data/conf.d/mailcow.conf
+++ b/data/conf.d/mailcow.conf
@@ -0,0 +1,51 @@
 server {
    listen 80;
    server_name mailcow.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl;
    server_name mailcow.novicelab.io;
    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_timeout 1d;
    # ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
    # An example config is given below
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
    ssl_prefer_server_ciphers off;
    location /Microsoft-Server-ActiveSync {
        proxy_pass https://10.0.0.251:7443/Microsoft-Server-ActiveSync;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 75;
        proxy_send_timeout 3650;
        proxy_read_timeout 3650;
        # proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
        client_body_buffer_size 512k;
        client_max_body_size 0;
    }
    location / {
        proxy_pass https://10.0.0.251:7443/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0;
    # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
    # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
        # proxy_buffer_size 128k;
        proxy_buffers 64 512k;
        proxy_busy_buffers_size 512k;
    }
 }
--- a/data/conf.d/minio.conf
+++ b/data/conf.d/minio.conf
@@ -0,0 +1,135 @@
 server {
    listen 80;
    server_name minio.novicelab.io; 
    return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
 }
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name minio.novicelab.io; 
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    # resolver 127.0.0.11 valid=30s;
    set $minio_backend minio:9001; 
    # if ($http_x_forwarded_proto != "https") {
    #     return 301 https://$host$request_uri;
    # }
    location / {
        proxy_pass http://$minio_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme; #https;
        # proxy_set_header X-NginX-Proxy true;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
        client_max_body_size 0;
    }
 }
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name s3.novicelab.io; 
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    # resolver 127.0.0.11 valid=30s;
    set $s3_backend minio:9000; 
    location / {
        proxy_pass http://$s3_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
    }
 }
--- a/data/conf.d/mkdocs.conf
+++ b/data/conf.d/mkdocs.conf
@@ -0,0 +1,91 @@
 # # # Redirect HTTP to HTTPS
 # # server {
 # #     listen 80;
 # #     listen [::]:80;
 # #     server_name novicelab.io;
 # #     # ACME challenge for Let's Encrypt certificate renewal
 # #     location /.well-known/acme-challenge/ {
 # #         root /var/www/certbot;
 # #     }
 # #     location / {
 # #         return 301 https://$server_name$request_uri;
 # #     }
 # # }
 # server {
 #     listen 443 ssl; #http2;
 #     listen [::]:443 ssl; # http2;
 #     server_name novicelab.io;
 #     # SSL Certificate paths
 #     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
 #     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
 #     # Trusted certificate for OCSP stapling
 #     # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
 #     # Cloudflare Origin CA certificate for client verification
 #     # Cloudflare Origin CA for authenticated origin pulls (optional)
 #     # Only enable if you want to restrict to Cloudflare only
 #     # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
 #     # ssl_verify_client on;
 #     # SSL Protocol - TLS 1.2 and 1.3 only
 #     ssl_protocols TLSv1.2 TLSv1.3;
 #     # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
 #     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
 #     ssl_prefer_server_ciphers off;
 #     # SSL session configuration
 #     ssl_session_timeout 1d;
 #     ssl_session_cache shared:SSL:10m;
 #     ssl_session_tickets off;
 #     # OCSP Stapling
 #     # ssl_stapling on;
 #     # ssl_stapling_verify on;
 #     resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
 #     resolver_timeout 5s;
 #     # Security Headers
 #     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 #     add_header X-Frame-Options "SAMEORIGIN" always;
 #     add_header X-Content-Type-Options "nosniff" always;
 #     add_header X-XSS-Protection "1; mode=block" always;
 #     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 #     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
 #     # Diffie-Hellman parameter for DHE ciphersuites
 #     # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 #     # Logging
 #     access_log /var/log/nginx/example.com_access.log;
 #     error_log /var/log/nginx/example.com_error.log;
 #     # Root and index
 #     # root /var/www/html;
 #     # index index.html index.htm;
 #     # include /etc/letsencrypt/options-ssl-nginx.conf;
 #     set $mkdocs_backend mkdocs:8000; 
 #     location / {
 #         # proxy_pass http://10.0.0.251:9200/;
 #         proxy_pass http://$mkdocs_backend;
 #         proxy_set_header Host $host;
 #         proxy_set_header X-Real-IP $remote_addr;
 #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #         proxy_set_header X-Forwarded-Proto https; # $scheme;
 #         proxy_set_header X-Forwarded-Host $host;
 #         proxy_buffering off;
 #         proxy_set_header Referer $http_referer;
 #         proxy_redirect off;
 #         proxy_set_header Cookie $http_cookie;
 #     }
 # }
--- a/data/conf.d/opencloud.conf
+++ b/data/conf.d/opencloud.conf
@@ -0,0 +1,59 @@
 server {
    listen 80;
    server_name opencloud.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl; # http2;
    server_name opencloud.novicelab.io;
    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    client_max_body_size 10M;
    # Disable buffering - essential for SSE
    proxy_buffering off;
    proxy_request_buffering off;
    # Extend timeouts for long connections
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    keepalive_requests 100000;
    keepalive_timeout 5m;
    http2_max_concurrent_streams 512;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # set $opencloud_backend 10.0.0.251:9200;
    # Prevent nginx from trying other upstreams
    proxy_next_upstream off;
    location / {
        # Pass all other requests to CouchDB
        proxy_pass              http://10.0.0.251:9200;
        #proxy_pass         http://$opencloud_backend/;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # Headers for WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
 }
--- a/data/conf.d/plane.conf
+++ b/data/conf.d/plane.conf
@@ -0,0 +1,182 @@
 server {
    if ($host = plane.novicelab.io) {
        return 301 https://$host$request_uri;
    }
    # listen 80;
    # server_name plane.novicelab.io;
    # return 404;
 }
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name plane.novicelab.io; 
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    # resolver 127.0.0.11 valid=30s;
    # set $plane_backend 10.0.0.251:9020; 
    set $backend_web    plane-web:3000;
    set $backend_space  plane-space:3000;
    set $backend_admin  plane-admin:3000;
    set $backend_live   plane-live:3000;
    set $backend_api    plane-api:8000;
    set $backend_minio  minio:9000;
    client_max_body_size 0;
    # Set the bucket name as a variable for the regex location
    set $bucket_name "plane";
    # if ($http_x_forwarded_proto != "https") {
    #     return 301 https://$host$request_uri;
    # }
    # --- Routes ---
    # Spaces
    location = /spaces {
        return 301 /spaces/;
    }
    location /spaces/ {
        proxy_pass http://$backend_space;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # God-Mode
    location = /god-mode {
        return 301 /god-mode/;
    }
    location /god-mode/ {
        proxy_pass http://$backend_admin;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Live
    location /live/ {
        proxy_pass http://$backend_live;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # API & Auth
    location /api/ {
        proxy_pass http://$backend_api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /auth/ {
        proxy_pass http://$backend_api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Minio (Bucket)
    # Handles both /bucket and /bucket/*
    # location ~ ^/${BUCKET_NAME}(/.*)?$ {
    location ~ ^/plane(/.*)?$ {
        proxy_pass http://$backend_minio/plane;
        # proxy_pass https://s3.novicelab.io/plane;
    # location ~ ^/test(/.*)?$ {
    #     proxy_pass http://$backend_minio/test;
        proxy_set_header Host $host; 
        # Standard proxy headers
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
        if ($request_method = 'OPTIONS') {
            return 204;
        }
        client_max_body_size 0;
        # proxy_pass https://s3.novicelab.io/plane;
    }
    # location ~* ^/(?<bucket>.+)(?<path>/.*)?$ {
    #     # Check if the first part of the URI matches our bucket variable
    #     if ($bucket = $bucket_name) {
    #         proxy_pass http://$backend_minio;
    #         break;
    #     }
    #     # Fallback to the main web app if the path isn't the bucket
    #     set $upstream_web "web:3000";
    #     proxy_pass http://$upstream_web;
    # }
    # Web (Default catch-all)
    location / {
        proxy_pass http://$backend_web;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # location / {
    #     # proxy_pass http://10.0.0.251:9020;
    #     proxy_pass http://$plane_backend;
    #     # Set headers for proxied request
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header X-Forwarded-Host  $host;
    #     proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Real-IP         $remote_addr;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection "upgrade";
    #     proxy_set_header Host $http_host;
    #     proxy_http_version 1.1;
    # }
 }
--- a/data/conf.d/s3.conf
+++ b/data/conf.d/s3.conf
--- a/data/conf.d/tre.conf
+++ b/data/conf.d/tre.conf
@@ -0,0 +1,58 @@
 server {
    # listen 80;
    # server_name *.novicelab.io;
    # resolver 127.0.0.11 valid=30s;
    # set $haproxy_backend haproxy:80;
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name tre.novicelab.io;
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    location /data-catalog {
        proxy_pass https://10.0.0.251:8888; # Assuming HAProxy is on port 8080
        # proxy_pass http://haproxy_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Performance optimizations
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_connect_timeout 5s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
    }
 }
--- a/data/conf.d/umami.conf
+++ b/data/conf.d/umami.conf
@@ -0,0 +1,91 @@
 # # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name umami.novicelab.io;
    # ACME challenge for Let's Encrypt certificate renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
 }
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name umami.novicelab.io;
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # Trusted certificate for OCSP stapling
    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    # Cloudflare Origin CA certificate for client verification
    # Cloudflare Origin CA for authenticated origin pulls (optional)
    # Only enable if you want to restrict to Cloudflare only
    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
    # ssl_verify_client on;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # OCSP Stapling
    # ssl_stapling on;
    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Diffie-Hellman parameter for DHE ciphersuites
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    # Root and index
    # root /var/www/html;
    # index index.html index.htm;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    set $umami_backend umami:3000; 
    location / {
        # proxy_pass http://10.0.0.251:9200/;
        proxy_pass http://$umami_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_buffering off;
        proxy_set_header Referer $http_referer;
        proxy_redirect off;
        proxy_set_header Cookie $http_cookie;
    }
 }
--- a/data/conf.d/vault.conf
+++ b/data/conf.d/vault.conf
@@ -0,0 +1,58 @@
 server {
    listen 443 ssl; #http2;
    listen [::]:443 ssl; # http2;
    server_name vault.novicelab.io; 
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Logging
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    set $vault_backend vaultwarden:443;
    location / {
        # proxy_pass http://$vault_backend;
        # proxy_pass https://10.0.0.251:8100;
        proxy_pass http://10.0.0.251:8090;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
    }
 }
--- a/data/conf.d/wopi.conf
+++ b/data/conf.d/wopi.conf
@@ -0,0 +1,43 @@
 server {
    listen 80;
    server_name wopi.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl; # http2;
    server_name wopi.novicelab.io;
    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # set $opencloud_backend 10.0.0.251:9300;
    location / {
        proxy_pass              http://10.0.0.251:9300;
        #proxy_pass         http://$opencloud_backend/;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # Headers for WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
 }
--- a/data/nginx.conf
+++ b/data/nginx.conf
@@ -0,0 +1,107 @@
 user nginx;
 worker_processes auto;
 error_log /var/log/nginx/error.log warn;
 pid /var/run/nginx.pid;
 events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
 }
 http {
    include       mime.types;
    default_type  application/octet-stream;
    keepalive_timeout 65;
    keepalive_requests 100000;
    variables_hash_max_size 2048;
    server_names_hash_bucket_size 128;
    server_tokens off;
    resolver 8.8.8.8 valid=30s ipv6=off;
    resolver_timeout 11s;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    # Important for MinIO
    client_max_body_size 0;
    proxy_buffering off;
    proxy_request_buffering off;
    # Increase the buffer for the request line and headers
    client_header_buffer_size 16k;
    large_client_header_buffers 4 32k;
    # If using Nginx as a proxy to the Harbor core/registry
    proxy_buffer_size 16k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;
    # Add extra headers
    add_header X-Frame-Options DENY;
    add_header Content-Security-Policy "frame-ancestors 'none'";
    # SSL Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Gzip Settings
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
    # Include all server configurations
    include /etc/nginx/conf.d/*.conf;
 }
 # Existing http {} block stays as-is...
 # TCP stream proxy for SMTP ports
 # stream {
 #     upstream mailserver_smtp {
 #         server mailserver:25;   # docker-mailserver container name
 #     }
 #     upstream mailserver_submission {
 #         server mailserver:587;
 #     }
 #     # Port 25 — inbound MTA-to-MTA (if you ever receive external mail)
 #     server {
 #         listen 25;
 #         proxy_pass mailserver_smtp;
 #         proxy_timeout 1m;
 #         proxy_connect_timeout 10s;
 #     }
 #     # Port 587 — STARTTLS submission (for mail clients or apps)
 #     server {
 #         listen 587;
 #         proxy_pass mailserver_submission;
 #         proxy_timeout 1m;
 #         proxy_connect_timeout 10s;
 #     }
 # }