Uningnore and track conf files

2026-03-09 19:42:44 +00:00
parent d01362dd2c
commit 53a37dde34
23 changed files with 1668 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 .env
 /data/
+!/data/nginx.conf
+!/data/conf.d/**
--- a/data/conf.d/adminer.conf
+++ b/data/conf.d/adminer.conf
@@ -0,0 +1,89 @@
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name adminer.novicelab.io;
+    
+    # ACME challenge for Let's Encrypt certificate renewal
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name adminer.novicelab.io;
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    
+    # Trusted certificate for OCSP stapling
+    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+    # Cloudflare Origin CA certificate for client verification
+    # Cloudflare Origin CA for authenticated origin pulls (optional)
+    # Only enable if you want to restrict to Cloudflare only
+    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+    # ssl_verify_client on;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    # ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    # OCSP Stapling
+    # ssl_stapling on;
+    # ssl_stapling_verify on;
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Diffie-Hellman parameter for DHE ciphersuites
+    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    # Root and index
+    # root /var/www/html;
+    # index index.html index.htm;
+
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    set $adminer_backend adminer:8080; 
+
+    location / { #/adminer {
+        # rewrite ^/adminer/(.*)$ /$1 break;
+
+        # proxy_pass http://10.0.0.251:9080/;
+        proxy_pass http://$adminer_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme; #https;
+        #$scheme;
+
+        # Handle redirects (like after login) so they stay under /adminer/
+        # proxy_redirect / /adminer/;
+    }
+}
--- a/data/conf.d/auth.conf
+++ b/data/conf.d/auth.conf
@@ -0,0 +1,92 @@
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name auth.novicelab.io;
+    
+    # ACME challenge for Let's Encrypt certificate renewal
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name auth.novicelab.io;
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    
+    # Trusted certificate for OCSP stapling
+    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+    # Cloudflare Origin CA certificate for client verification
+    # Cloudflare Origin CA for authenticated origin pulls (optional)
+    # Only enable if you want to restrict to Cloudflare only
+    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+    # ssl_verify_client on;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    # OCSP Stapling
+    # ssl_stapling on;
+    # ssl_stapling_verify on;
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Diffie-Hellman parameter for DHE ciphersuites
+    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    # Root and index
+    # root /var/www/html;
+    # index index.html index.htm;
+
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    
+    set $keycloak_backend keycloak:80; 
+
+    # client_max_body_size 0;
+        location / {
+        # proxy_pass http://10.0.0.253:8085/auth/;
+        proxy_pass http://$keycloak_backend;
+            
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto  https; #$scheme;
+        proxy_set_header X-Forwarded-For    $remote_addr;
+        proxy_set_header X-Real-IP		$remote_addr;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_http_version 1.1;
+    }
+}
--- a/data/conf.d/book.conf
+++ b/data/conf.d/book.conf
@@ -0,0 +1,89 @@
+# # Redirect HTTP to HTTPS
+# server {
+#     listen 80;
+#     listen [::]:80;
+#     server_name book.novicelab.io;
+    
+#     # ACME challenge for Let's Encrypt certificate renewal
+#     location /.well-known/acme-challenge/ {
+#         root /var/www/certbot;
+#     }
+    
+#     location / {
+#         return 301 https://$server_name$request_uri;
+#     }
+# }
+
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name book.novicelab.io;
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    
+    # Trusted certificate for OCSP stapling
+    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+    # Cloudflare Origin CA certificate for client verification
+    # Cloudflare Origin CA for authenticated origin pulls (optional)
+    # Only enable if you want to restrict to Cloudflare only
+    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+    # ssl_verify_client on;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    # OCSP Stapling
+    # ssl_stapling on;
+    # ssl_stapling_verify on;
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Diffie-Hellman parameter for DHE ciphersuites
+    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    # Root and index
+    # root /var/www/html;
+    # index index.html index.htm;
+
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    
+    set $bookstack_backend bookstack:80;
+
+    # client_max_body_size 0;
+    # BookStack (/docs)
+    location / {
+        # rewrite ^/docs/(.*) /$1 break;
+        # proxy_pass http://$bookstack_backend;
+        proxy_pass http://10.0.0.251:6875/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https; #$scheme;
+
+        # proxy_redirect / /docs/;
+    }
+}
--- a/data/conf.d/cluster.conf
+++ b/data/conf.d/cluster.conf
@@ -0,0 +1,65 @@
+upstream haproxy_backend {
+    server 10.0.0.20:80;
+    keepalive 32;
+    keepalive_timeout 60s;
+    keepalive_requests 100;
+}
+
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name *.novicelab.io;
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    location / {
+        proxy_pass http://10.0.0.20:80; # Assuming HAProxy is on port 8080
+        # proxy_pass http://haproxy_backend;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Performance optimizations
+        proxy_buffering off;
+        proxy_request_buffering off;
+        # Timeouts
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+        proxy_read_timeout 300;
+        send_timeout 300;
+
+        client_max_body_size 0;
+    }
+}
--- a/data/conf.d/collabora.conf
+++ b/data/conf.d/collabora.conf
@@ -0,0 +1,44 @@
+server {
+    listen 80;
+    server_name collabora.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl; # http2;
+    server_name collabora.novicelab.io;
+
+    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_session_cache   shared:SSL:10m;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # set $opencloud_backend 10.0.0.251:9980;
+
+
+    location / {
+        proxy_pass              http://10.0.0.251:9980;
+        #proxy_pass         http://$opencloud_backend/;
+ 
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+    }
+    location ~ ^/cool/(.*)/ws$ {
+        proxy_pass http://10.0.0.251:9980;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+    }
+}
--- a/data/conf.d/couch.conf
+++ b/data/conf.d/couch.conf
@@ -0,0 +1,92 @@
+server {
+    listen 80;
+    server_name couch.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl; # http2;
+    server_name couch.novicelab.io;
+
+    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_session_cache   shared:SSL:10m;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    set $couch_backend 10.0.0.251:5984;
+
+    # # Block access to _utils (Fauxton) in production
+    # location /_utils {
+    #     deny all;
+    #     return 403;
+    # }
+
+    # # Block _config endpoint externally
+    # location /_config {
+    #     deny all;
+    #     return 403;
+    # }
+
+    # # Block _node endpoint externally
+    # location /_node {
+    #     # deny all;
+    #     # return 403;
+    #     proxy_pass         http://$couch_backend/_node; 
+    #     proxy_redirect     off;
+    #     proxy_set_header   Host $host;
+    #     proxy_set_header   X-Real-IP $remote_addr;
+    #     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    #     proxy_set_header   X-Forwarded-Proto $scheme;
+
+    #     # Timeouts
+    #     proxy_connect_timeout 10s;
+    #     proxy_read_timeout    60s;
+    # }
+
+    location / {
+        # Handle CORS preflight without hitting CouchDB auth
+        if ($request_method = OPTIONS) {
+            add_header Access-Control-Allow-Origin  $http_origin always;
+            add_header Access-Control-Allow-Methods "GET, PUT, POST, HEAD, DELETE, OPTIONS" always;
+            add_header Access-Control-Allow-Headers "accept, authorization, content-type, origin, referer, x-csrf-token" always;
+            add_header Access-Control-Allow-Credentials "true" always;
+            add_header Access-Control-Max-Age 3600;
+            add_header Content-Length 0;
+            add_header Content-Type text/plain;
+            return 204;
+        }
+
+        # Pass all other requests to CouchDB
+        # proxy_pass              http://127.0.0.1:5984;
+        proxy_pass         http://$couch_backend/;
+        proxy_redirect          off;
+        proxy_buffering         off;
+        proxy_method            $request_method;  
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+
+        # Forward CORS headers from CouchDB responses too
+        add_header Access-Control-Allow-Origin      $http_origin always;
+        add_header Access-Control-Allow-Credentials "true" always;
+
+        proxy_connect_timeout 10s;
+        proxy_read_timeout    60s;
+
+        # Headers for WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
--- a/data/conf.d/drone.conf
+++ b/data/conf.d/drone.conf
@@ -0,0 +1,68 @@
+server {
+    listen 80;
+    server_name drone.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl; # http2;
+    server_name drone.novicelab.io;
+
+    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_session_cache   shared:SSL:10m;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # set $couch_backend 10.0.0.251:9001;
+    set $drone_backend drone:80;
+    set $drone_runner_backend drone-runner-1:3000;
+
+    location / {
+        proxy_pass http://$drone_backend;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket support for real-time updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+        proxy_read_timeout 300;
+        send_timeout 300;
+    }
+
+    # location /runner-1 {
+    #     proxy_pass http://$drone_runner_backend;
+    #     proxy_set_header Host $http_host;
+    #     proxy_set_header X-Real-IP $remote_addr;
+    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+
+    #     # WebSocket support for real-time updates
+    #     proxy_http_version 1.1;
+    #     proxy_set_header Upgrade $http_upgrade;
+    #     proxy_set_header Connection "upgrade";
+
+    #     # Timeouts
+    #     proxy_connect_timeout 300;
+    #     proxy_send_timeout 300;
+    #     proxy_read_timeout 300;
+    #     send_timeout 300;
+    # }
+
+}
--- a/data/conf.d/gitea.conf
+++ b/data/conf.d/gitea.conf
@@ -0,0 +1,58 @@
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name gitea.novicelab.io;  
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    set $gitea_backend gitea:3000; 
+
+    location / {
+        proxy_pass http://$gitea_backend;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket support for real-time updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+        proxy_read_timeout 300;
+        send_timeout 300;
+    }
+
+}
--- a/data/conf.d/harbor.conf
+++ b/data/conf.d/harbor.conf
@@ -0,0 +1,98 @@
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name harbor.novicelab.io;
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    set $harbor_backend 10.0.0.251:9090; 
+
+    client_max_body_size 0;
+
+    # Disable absolute redirects which often cause 301 loops
+    absolute_redirect off;
+
+    # Docker registry specific headers
+    chunked_transfer_encoding on;
+
+    location / {
+        proxy_pass http://$harbor_backend;
+        proxy_set_header Host $http_host;
+        # proxy_set_header X-Real-IP $remote_addr;
+        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        # proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket support for real-time updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        client_max_body_size 0;
+
+        # Timeouts
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+        proxy_read_timeout 300;
+        send_timeout 300;
+
+        proxy_set_header Authorization $http_authorization;
+        proxy_pass_header Authorization;
+
+        # Performance optimizations
+        proxy_request_buffering off;
+
+        proxy_buffering off;
+        proxy_set_header Referer $http_referer;
+        proxy_redirect off;
+
+        proxy_set_header Cookie $http_cookie;
+
+
+        # Optional: Increase buffers for large tokens/cookies
+        proxy_busy_buffers_size   512k;
+        proxy_buffers   4 512k;
+        proxy_buffer_size   256k;
+    }
+
+    location /v2/ {
+        # Do not allow Nginx to add/remove trailing slashes here
+        proxy_pass http://$harbor_backend;
+        
+        proxy_set_header Host $http_host; # Important for Registry
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Increase body size for image uploads
+        client_max_body_size 0; 
+    }
+}
--- a/data/conf.d/hugo.conf
+++ b/data/conf.d/hugo.conf
@@ -0,0 +1,95 @@
+# # Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name novicelab.io www.novicelab.io; 
+    
+    # ACME challenge for Let's Encrypt certificate renewal
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name novicelab.io www.novicelab.io;
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    
+    # Trusted certificate for OCSP stapling
+    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+    # Cloudflare Origin CA certificate for client verification
+    # Cloudflare Origin CA for authenticated origin pulls (optional)
+    # Only enable if you want to restrict to Cloudflare only
+    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+    # ssl_verify_client on;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    # OCSP Stapling
+    # ssl_stapling on;
+    # ssl_stapling_verify on;
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Diffie-Hellman parameter for DHE ciphersuites
+    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    # Root and index
+    # root /var/www/html;
+    # index index.html index.htm;
+
+    # Only allow traffic from Cloudflare IPs (optional but recommended)
+    # include /etc/nginx/cloudflare-ips.conf;
+
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    set $hugo_backend hugo:1313; 
+
+    location / {
+        # proxy_pass http://10.0.0.251:9200/;
+        proxy_pass http://$hugo_backend;
+        
+        proxy_set_header Host $host;
+        # proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header   X-Real-IP $http_cf_connecting_ip;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https; # $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+
+        proxy_buffering off;
+        proxy_set_header Referer $http_referer;
+        proxy_redirect off;
+
+        proxy_set_header Cookie $http_cookie;
+    }
+}
--- a/data/conf.d/kenvip.conf
+++ b/data/conf.d/kenvip.conf
--- a/data/conf.d/mailcow.conf
+++ b/data/conf.d/mailcow.conf
@@ -0,0 +1,51 @@
+server {
+    listen 80;
+    server_name mailcow.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name mailcow.novicelab.io;
+
+    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_session_timeout 1d;
+    # ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
+    # An example config is given below
+    ssl_protocols TLSv1.2;
+    ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
+    ssl_prefer_server_ciphers off;
+
+    location /Microsoft-Server-ActiveSync {
+        proxy_pass https://10.0.0.251:7443/Microsoft-Server-ActiveSync;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_connect_timeout 75;
+        proxy_send_timeout 3650;
+        proxy_read_timeout 3650;
+        # proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
+        client_body_buffer_size 512k;
+        client_max_body_size 0;
+    }
+
+    location / {
+        proxy_pass https://10.0.0.251:7443/;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        client_max_body_size 0;
+    # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
+    # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
+        # proxy_buffer_size 128k;
+        proxy_buffers 64 512k;
+        proxy_busy_buffers_size 512k;
+    }
+}
--- a/data/conf.d/minio.conf
+++ b/data/conf.d/minio.conf
@@ -0,0 +1,135 @@
+server {
+    listen 80;
+    server_name minio.novicelab.io; 
+    return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
+}
+
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name minio.novicelab.io; 
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    # # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    # ssl_stapling on;
+    # ssl_stapling_verify on;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    # resolver 127.0.0.11 valid=30s;
+    set $minio_backend minio:9001; 
+
+    # if ($http_x_forwarded_proto != "https") {
+    #     return 301 https://$host$request_uri;
+    # }
+
+    location / {
+        proxy_pass http://$minio_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme; #https;
+        # proxy_set_header X-NginX-Proxy true;
+
+        # WebSocket support for real-time updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+        proxy_read_timeout 300;
+        send_timeout 300;
+
+        client_max_body_size 0;
+    }
+}
+
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name s3.novicelab.io; 
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    # resolver 127.0.0.11 valid=30s;
+    set $s3_backend minio:9000; 
+
+    location / {
+        proxy_pass http://$s3_backend;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket support for real-time updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+        proxy_read_timeout 300;
+        send_timeout 300;
+    }
+
+}
--- a/data/conf.d/mkdocs.conf
+++ b/data/conf.d/mkdocs.conf
@@ -0,0 +1,91 @@
+# # # Redirect HTTP to HTTPS
+# # server {
+# #     listen 80;
+# #     listen [::]:80;
+# #     server_name novicelab.io;
+    
+# #     # ACME challenge for Let's Encrypt certificate renewal
+# #     location /.well-known/acme-challenge/ {
+# #         root /var/www/certbot;
+# #     }
+    
+# #     location / {
+# #         return 301 https://$server_name$request_uri;
+# #     }
+# # }
+
+# server {
+#     listen 443 ssl; #http2;
+#     listen [::]:443 ssl; # http2;
+#     server_name novicelab.io;
+
+#     # SSL Certificate paths
+#     ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+#     ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    
+#     # Trusted certificate for OCSP stapling
+#     # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+#     # Cloudflare Origin CA certificate for client verification
+#     # Cloudflare Origin CA for authenticated origin pulls (optional)
+#     # Only enable if you want to restrict to Cloudflare only
+#     # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+#     # ssl_verify_client on;
+
+#     # SSL Protocol - TLS 1.2 and 1.3 only
+#     ssl_protocols TLSv1.2 TLSv1.3;
+    
+#     # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+#     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+#     ssl_prefer_server_ciphers off;
+
+#     # SSL session configuration
+#     ssl_session_timeout 1d;
+#     ssl_session_cache shared:SSL:10m;
+#     ssl_session_tickets off;
+
+#     # OCSP Stapling
+#     # ssl_stapling on;
+#     # ssl_stapling_verify on;
+#     resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+#     resolver_timeout 5s;
+
+#     # Security Headers
+#     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+#     add_header X-Frame-Options "SAMEORIGIN" always;
+#     add_header X-Content-Type-Options "nosniff" always;
+#     add_header X-XSS-Protection "1; mode=block" always;
+#     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+#     add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+#     # Diffie-Hellman parameter for DHE ciphersuites
+#     # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+#     # Logging
+#     access_log /var/log/nginx/example.com_access.log;
+#     error_log /var/log/nginx/example.com_error.log;
+
+#     # Root and index
+#     # root /var/www/html;
+#     # index index.html index.htm;
+
+#     # include /etc/letsencrypt/options-ssl-nginx.conf;
+#     set $mkdocs_backend mkdocs:8000; 
+
+#     location / {
+#         # proxy_pass http://10.0.0.251:9200/;
+#         proxy_pass http://$mkdocs_backend;
+        
+#         proxy_set_header Host $host;
+#         proxy_set_header X-Real-IP $remote_addr;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#         proxy_set_header X-Forwarded-Proto https; # $scheme;
+#         proxy_set_header X-Forwarded-Host $host;
+
+#         proxy_buffering off;
+#         proxy_set_header Referer $http_referer;
+#         proxy_redirect off;
+
+#         proxy_set_header Cookie $http_cookie;
+#     }
+# }
--- a/data/conf.d/opencloud.conf
+++ b/data/conf.d/opencloud.conf
@@ -0,0 +1,59 @@
+server {
+    listen 80;
+    server_name opencloud.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl; # http2;
+    server_name opencloud.novicelab.io;
+
+    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_session_cache   shared:SSL:10m;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+
+    client_max_body_size 10M;
+
+    # Disable buffering - essential for SSE
+    proxy_buffering off;
+    proxy_request_buffering off;
+
+    # Extend timeouts for long connections
+    proxy_read_timeout 3600s;
+    proxy_send_timeout 3600s;
+    keepalive_requests 100000;
+    keepalive_timeout 5m;
+    http2_max_concurrent_streams 512;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # set $opencloud_backend 10.0.0.251:9200;
+    # Prevent nginx from trying other upstreams
+    proxy_next_upstream off;
+
+
+    location / {
+        # Pass all other requests to CouchDB
+        proxy_pass              http://10.0.0.251:9200;
+        #proxy_pass         http://$opencloud_backend/;
+
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+
+        # Headers for WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
--- a/data/conf.d/plane.conf
+++ b/data/conf.d/plane.conf
@@ -0,0 +1,182 @@
+server {
+    if ($host = plane.novicelab.io) {
+        return 301 https://$host$request_uri;
+    }
+
+    # listen 80;
+    # server_name plane.novicelab.io;
+    # return 404;
+}
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name plane.novicelab.io; 
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    # resolver 127.0.0.11 valid=30s;
+    # set $plane_backend 10.0.0.251:9020; 
+    set $backend_web    plane-web:3000;
+    set $backend_space  plane-space:3000;
+    set $backend_admin  plane-admin:3000;
+    set $backend_live   plane-live:3000;
+    set $backend_api    plane-api:8000;
+    set $backend_minio  minio:9000;
+
+
+    client_max_body_size 0;
+    # Set the bucket name as a variable for the regex location
+    set $bucket_name "plane";
+
+    # if ($http_x_forwarded_proto != "https") {
+    #     return 301 https://$host$request_uri;
+    # }
+
+    # --- Routes ---
+
+    # Spaces
+    location = /spaces {
+        return 301 /spaces/;
+    }
+    location /spaces/ {
+        proxy_pass http://$backend_space;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # God-Mode
+    location = /god-mode {
+        return 301 /god-mode/;
+    }
+    location /god-mode/ {
+        proxy_pass http://$backend_admin;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Live
+    location /live/ {
+        proxy_pass http://$backend_live;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # API & Auth
+    location /api/ {
+        proxy_pass http://$backend_api;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /auth/ {
+        proxy_pass http://$backend_api;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Minio (Bucket)
+    # Handles both /bucket and /bucket/*
+    # location ~ ^/${BUCKET_NAME}(/.*)?$ {
+    location ~ ^/plane(/.*)?$ {
+        proxy_pass http://$backend_minio/plane;
+        # proxy_pass https://s3.novicelab.io/plane;
+    # location ~ ^/test(/.*)?$ {
+    #     proxy_pass http://$backend_minio/test;
+        proxy_set_header Host $host; 
+        
+        # Standard proxy headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+        
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+
+        client_max_body_size 0;
+        # proxy_pass https://s3.novicelab.io/plane;
+    }
+    # location ~* ^/(?<bucket>.+)(?<path>/.*)?$ {
+    #     # Check if the first part of the URI matches our bucket variable
+    #     if ($bucket = $bucket_name) {
+    #         proxy_pass http://$backend_minio;
+    #         break;
+    #     }
+
+    #     # Fallback to the main web app if the path isn't the bucket
+    #     set $upstream_web "web:3000";
+    #     proxy_pass http://$upstream_web;
+    # }
+
+    # Web (Default catch-all)
+    location / {
+        proxy_pass http://$backend_web;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # location / {
+    #     # proxy_pass http://10.0.0.251:9020;
+    #     proxy_pass http://$plane_backend;
+    #     # Set headers for proxied request
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+    #     proxy_set_header X-Forwarded-Host  $host;
+    #     proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    #     proxy_set_header X-Real-IP         $remote_addr;
+
+    #     proxy_set_header Upgrade $http_upgrade;
+    #     proxy_set_header Connection "upgrade";
+    #     proxy_set_header Host $http_host;
+    #     proxy_http_version 1.1;
+    # }
+}
--- a/data/conf.d/s3.conf
+++ b/data/conf.d/s3.conf
--- a/data/conf.d/tre.conf
+++ b/data/conf.d/tre.conf
@@ -0,0 +1,58 @@
+server {
+    # listen 80;
+    # server_name *.novicelab.io;
+    # resolver 127.0.0.11 valid=30s;
+    # set $haproxy_backend haproxy:80;
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name tre.novicelab.io;
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    location /data-catalog {
+        proxy_pass https://10.0.0.251:8888; # Assuming HAProxy is on port 8080
+        # proxy_pass http://haproxy_backend;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Performance optimizations
+        proxy_buffering off;
+        proxy_request_buffering off;
+        proxy_connect_timeout 5s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+    }
+}
--- a/data/conf.d/umami.conf
+++ b/data/conf.d/umami.conf
@@ -0,0 +1,91 @@
+# # Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name umami.novicelab.io;
+    
+    # ACME challenge for Let's Encrypt certificate renewal
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name umami.novicelab.io;
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    
+    # Trusted certificate for OCSP stapling
+    # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
+
+    # Cloudflare Origin CA certificate for client verification
+    # Cloudflare Origin CA for authenticated origin pulls (optional)
+    # Only enable if you want to restrict to Cloudflare only
+    # ssl_client_certificate /etc/nginx/ssl/client-cert.pem;
+    # ssl_verify_client on;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    # OCSP Stapling
+    # ssl_stapling on;
+    # ssl_stapling_verify on;
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Diffie-Hellman parameter for DHE ciphersuites
+    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+
+    # Root and index
+    # root /var/www/html;
+    # index index.html index.htm;
+
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    set $umami_backend umami:3000; 
+
+    location / {
+        # proxy_pass http://10.0.0.251:9200/;
+        proxy_pass http://$umami_backend;
+        
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https; # $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+
+        proxy_buffering off;
+        proxy_set_header Referer $http_referer;
+        proxy_redirect off;
+
+        proxy_set_header Cookie $http_cookie;
+    }
+}
--- a/data/conf.d/vault.conf
+++ b/data/conf.d/vault.conf
@@ -0,0 +1,58 @@
+server {
+    listen 443 ssl; #http2;
+    listen [::]:443 ssl; # http2;
+    server_name vault.novicelab.io; 
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+
+    # SSL Protocol - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+    # Logging
+    access_log /var/log/nginx/example.com_access.log;
+    error_log /var/log/nginx/example.com_error.log;
+    set $vault_backend vaultwarden:443;
+
+    location / {
+        # proxy_pass http://$vault_backend;
+        # proxy_pass https://10.0.0.251:8100;
+        proxy_pass http://10.0.0.251:8090;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket support for real-time updates
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+        proxy_read_timeout 300;
+        send_timeout 300;
+    }
+}
--- a/data/conf.d/wopi.conf
+++ b/data/conf.d/wopi.conf
@@ -0,0 +1,43 @@
+server {
+    listen 80;
+    server_name wopi.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl; # http2;
+    server_name wopi.novicelab.io;
+
+    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_session_cache   shared:SSL:10m;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # set $opencloud_backend 10.0.0.251:9300;
+
+
+    location / {
+        proxy_pass              http://10.0.0.251:9300;
+        #proxy_pass         http://$opencloud_backend/;
+
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+
+        # Headers for WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
--- a/data/nginx.conf
+++ b/data/nginx.conf
@@ -0,0 +1,107 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+    use epoll;
+    multi_accept on;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+    keepalive_timeout 65;
+    keepalive_requests 100000;
+
+    variables_hash_max_size 2048;
+    server_names_hash_bucket_size 128;
+    server_tokens off;
+
+    resolver 8.8.8.8 valid=30s ipv6=off;
+    resolver_timeout 11s;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log;
+    error_log   /var/log/nginx/error.log;
+    
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    types_hash_max_size 2048;
+
+    # Important for MinIO
+    client_max_body_size 0;
+    proxy_buffering off;
+    proxy_request_buffering off;
+
+    # Increase the buffer for the request line and headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 32k;
+
+    # If using Nginx as a proxy to the Harbor core/registry
+    proxy_buffer_size 16k;
+    proxy_buffers 4 32k;
+    proxy_busy_buffers_size 64k;
+
+    proxy_connect_timeout 300;
+    proxy_send_timeout 300;
+    proxy_read_timeout 300;
+
+    # Add extra headers
+    add_header X-Frame-Options DENY;
+    add_header Content-Security-Policy "frame-ancestors 'none'";
+
+    # SSL Settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+
+    # Gzip Settings
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
+
+
+    # Include all server configurations
+    include /etc/nginx/conf.d/*.conf;
+}
+
+# Existing http {} block stays as-is...
+
+# TCP stream proxy for SMTP ports
+# stream {
+
+#     upstream mailserver_smtp {
+#         server mailserver:25;   # docker-mailserver container name
+#     }
+
+#     upstream mailserver_submission {
+#         server mailserver:587;
+#     }
+
+#     # Port 25 — inbound MTA-to-MTA (if you ever receive external mail)
+#     server {
+#         listen 25;
+#         proxy_pass mailserver_smtp;
+#         proxy_timeout 1m;
+#         proxy_connect_timeout 10s;
+#     }
+
+#     # Port 587 — STARTTLS submission (for mail clients or apps)
+#     server {
+#         listen 587;
+#         proxy_pass mailserver_submission;
+#         proxy_timeout 1m;
+#         proxy_connect_timeout 10s;
+#     }
+# }