From ef16045880a4d5707792f8705fc0281b72c7290a Mon Sep 17 00:00:00 2001 
From: root Date: Fri, 23 Jan 2026 11:02:06 +0100 Subject: [PATCH] Backup before adding SMTP stream proxy configuration --- nginx.conf | 47 ++- nginx.conf.backup-20251113-212350 | 90 +++++ sites-available/default | 47 +++ sites-available/default.backup | 90 +++++ .../default.backup-20251113-212344 | 129 ++++++++ sites-available/default.clean | 115 +++++++ sites-available/element.conf | 33 +- .../element.conf.backup-20251113-212344 | 51 +++ sites-available/feuer.conf | 65 ++++ sites-available/gitea.conf | 33 +- .../gitea.conf.backup-20251113-212344 | 51 +++ sites-available/hoarder.conf | 32 +- .../hoarder.conf.backup-20251113-212344 | 52 +++ sites-available/jitsi.conf | 54 ++- .../jitsi.conf.backup-20251113-212344 | 51 +++ sites-available/matrix.conf | 46 ++- .../matrix.conf.backup-20251113-212344 | 59 ++++ sites-available/nextcloud.conf | 13 +- .../nextcloud.conf.backup-20251113-212344 | 74 +++++ sites-available/office.conf | 42 ++- .../office.conf.backup-20251113-212344 | 62 ++++ sites-available/owa.conf | 310 +++++++++--------- sites-available/owa_backup.conf | 167 ++++++++++ sites-available/plex.conf | 31 +- .../plex.conf.backup-20251113-212344 | 52 +++ sites-available/portal.conf | 123 +++---- sites-available/portal.conf.backup | 87 +++++ .../portal.conf.backup-20251113-212344 | 56 ++++ sites-available/stream.conf | 69 ++-- .../stream.conf.backup-20251113-212344 | 74 +++++ sites-available/sync.conf | 22 +- .../sync.conf.backup-20251113-212344 | 50 +++ sites-available/unifi.conf | 42 ++- .../unifi.conf.backup-20251113-212344 | 52 +++ sites-available/vscode.conf | 55 ++++ sites-available/wallabag.conf | 32 +- .../wallabag.conf.backup-20251113-212344 | 52 +++ sites-available/wiki.conf | 34 +- .../wiki.conf.backup-20251113-212344 | 51 +++ sites-enabled/default | 1 - sites-enabled/feuer.conf | 1 + sites-enabled/portal.conf | 88 ++++- .../portal.conf.backup.working.20250929 | 87 +++++ sites-enabled/rezepte.conf | 63 +++- 44 files changed, 2516 insertions(+), 319 
deletions(-) create mode 100644 nginx.conf.backup-20251113-212350 create mode 100644 sites-available/default.backup create mode 100644 sites-available/default.backup-20251113-212344 create mode 100644 sites-available/default.clean create mode 100644 sites-available/element.conf.backup-20251113-212344 create mode 100644 sites-available/feuer.conf create mode 100644 sites-available/gitea.conf.backup-20251113-212344 create mode 100644 sites-available/hoarder.conf.backup-20251113-212344 create mode 100644 sites-available/jitsi.conf.backup-20251113-212344 create mode 100644 sites-available/matrix.conf.backup-20251113-212344 create mode 100644 sites-available/nextcloud.conf.backup-20251113-212344 create mode 100644 sites-available/office.conf.backup-20251113-212344 create mode 100644 sites-available/owa_backup.conf create mode 100644 sites-available/plex.conf.backup-20251113-212344 create mode 100644 sites-available/portal.conf.backup create mode 100644 sites-available/portal.conf.backup-20251113-212344 create mode 100644 sites-available/stream.conf.backup-20251113-212344 create mode 100644 sites-available/sync.conf.backup-20251113-212344 create mode 100644 sites-available/unifi.conf.backup-20251113-212344 create mode 100644 sites-available/vscode.conf create mode 100644 sites-available/wallabag.conf.backup-20251113-212344 create mode 100644 sites-available/wiki.conf.backup-20251113-212344 delete mode 120000 sites-enabled/default create mode 120000 sites-enabled/feuer.conf mode change 120000 => 100644 sites-enabled/portal.conf create mode 100644 sites-enabled/portal.conf.backup.working.20250929 mode change 120000 => 100644 sites-enabled/rezepte.conf diff --git a/nginx.conf b/nginx.conf index 086c578..dfd77fc 100644 --- a/nginx.conf +++ b/nginx.conf 
@@ -3,24 +3,29 @@ worker_processes auto; pid /run/nginx.pid; events { - worker_connections 1024; - multi_accept on; -} - -http { + worker_connections 2048; + multi_accept on; + use epoll; +}http { ## # Basic Settings ## - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 15; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + keepalive_requests 100; + reset_timedout_connection on; + types_hash_max_size 2048; + # server_tokens off; + + # File cache for better performance + open_file_cache max=10000 inactive=30s; + open_file_cache_valid 60s; + open_file_cache_min_uses 2; + open_file_cache_errors on; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; @@ -33,8 +38,9 @@ http { ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; ssl_ecdh_curve secp521r1:secp384r1:prime256v1; #ssl_stapling on; #ssl_stapling_verify on; @@ -54,9 +60,18 @@ http { gzip_vary on; gzip_proxied any; - gzip_comp_level 6; + gzip_comp_level 5; gzip_buffers 16 8k; gzip_http_version 1.1; + + # Proxy buffer settings + proxy_buffers 16 16k; + proxy_buffer_size 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 64k; + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## diff --git a/nginx.conf.backup-20251113-212350 b/nginx.conf.backup-20251113-212350 new file mode 100644 index 0000000..086c578 --- /dev/null +++ b/nginx.conf.backup-20251113-212350 
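Review bot: `# server_tokens off;` is re-emitted in the Basic Settings hunk still commented out, so the tuned config keeps announcing the nginx version in the `Server` header and on built-in error pages; since the line was rewritten anyway, make it `server_tokens off;`. The same hunk adds `open_file_cache_errors on;`, which also caches failed lookups until the `open_file_cache_valid 60s` re-check, so a file created right after a miss can keep returning 404 for up to about a minute — worth a one-line comment such as `# lookup failures are cached too; new files may 404 until the 60s re-check` so nobody debugs it later. Both points also apply to nginx.conf.backup-20251113-212350 only as history, not as code under review.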
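Review bot: In the third hunk the new `# Proxy buffer settings` block (`proxy_buffers`, `proxy_buffer_size`, `proxy_*_timeout`) is inserted between `gzip_http_version 1.1;` and `gzip_types ...;`, splitting the gzip group in two; move it below `gzip_types` so each group stays contiguous and the proxy defaults are easy to find. These http-level timeouts of `90` seconds are silently overridden by the per-site `proxy_read_timeout 36000s` in the `location /` blocks of the site files, so a comment stating that they are only the fallback for sites that set nothing would prevent surprise.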
@@ -0,0 +1,90 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; + +events { + worker_connections 1024; + multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 15; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_ecdh_curve secp521r1:secp384r1:prime256v1; + #ssl_stapling on; + #ssl_stapling_verify on; + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} diff --git a/sites-available/default b/sites-available/default index 7cd6403..df34a0f 100644 --- a/sites-available/default +++ b/sites-available/default 
@@ -13,6 +13,14 @@ # Default server configuration # +# Upstream for Node.js backend +upstream nodejs_backend { + server 127.0.0.1:3001; + keepalive 8; + keepalive_requests 1000; + keepalive_timeout 60s; +} + server { listen 80 default_server; listen [::]:80 default_server; @@ -44,6 +52,45 @@ server { server_name _; + # Proxy API requests to Node.js backend + # Handle rechner application + location /rechner/ { + proxy_pass http://nodejs_backend/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + + # Proxy API requests for rechner to Node.js backend + location /rechner/api/ { + proxy_pass http://nodejs_backend/api/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + + location /api/ { + proxy_pass http://nodejs_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. diff --git a/sites-available/default.backup b/sites-available/default.backup new file mode 100644 index 0000000..7cd6403 --- /dev/null +++ b/sites-available/default.backup 
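Review bot: All three new `location` blocks in the second hunk hardcode `proxy_set_header Connection 'upgrade';` for every request, which asks the Node backend to upgrade even when no `Upgrade` header is present and also defeats the `keepalive 8` pool declared on `upstream nodejs_backend` in the first hunk, since pooled upstream connections require `Connection ""`. The idiomatic fix is the `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` this same commit adds to jitsi.conf — hoist that map into nginx.conf so every site can use it and set `proxy_set_header Connection $connection_upgrade;` here. These locations also live in the `listen 80 default_server; server_name _;` block, so the backend is reachable over plain HTTP under any hostname or the bare address and `X-Forwarded-Proto $scheme` will always be `http`; if the rechner app is meant to be TLS-only it belongs behind a 443 vhost with port 80 redirecting, as the other site files do. The three blocks differ only in their path, so an included snippet for the header set would avoid the triplication.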
@@ -0,0 +1,90 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# http://wiki.nginx.org/Pitfalls +# http://wiki.nginx.org/QuickStart +# http://wiki.nginx.org/Configuration +# +# Generally, you will want to move this file somewhere, and start with a clean +# file but keep this around for reference. Or just disable in sites-enabled. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + + location /.well-known { + alias /var/www/sub.domain.com/.well-known; + } + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name _; + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. 
+ try_files $uri $uri/ =404; + } + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php7.0-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # # With php7.0-fpm: + # fastcgi_pass unix:/run/php/php7.0-fpm.sock; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/sites-available/default.backup-20251113-212344 b/sites-available/default.backup-20251113-212344 new file mode 100644 index 0000000..0b4d81d --- /dev/null +++ b/sites-available/default.backup-20251113-212344 
@@ -0,0 +1,129 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# http://wiki.nginx.org/Pitfalls +# http://wiki.nginx.org/QuickStart +# http://wiki.nginx.org/Configuration +# +# Generally, you will want to move this file somewhere, and start with a clean +# file but keep this around for reference. Or just disable in sites-enabled. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! 
+ # + # include snippets/snakeoil.conf; + + location /.well-known { + alias /var/www/sub.domain.com/.well-known; + } + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name _; + + # Proxy API requests to Node.js backend + # Handle rechner application + location /rechner/ { + proxy_pass http://127.0.0.1:3001/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_Set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + + # Proxy API requests for rechner to Node.js backend + location /rechner/api/ { + proxy_pass http://127.0.0.1:3001/api/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + + location /api/ { + proxy_pass http://127.0.0.1:3001; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. 
+ try_files $uri $uri/ =404; + } + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php7.0-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # # With php7.0-fpm: + # fastcgi_pass unix:/run/php/php7.0-fpm.sock; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/sites-available/default.clean b/sites-available/default.clean new file mode 100644 index 0000000..2315a86 --- /dev/null +++ b/sites-available/default.clean 
@@ -0,0 +1,115 @@ + +#user nobody; +worker_processes 1; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + + server { + listen 80; + server_name localhost; + + #access_log logs/host.access.log main; + + location / { + root html; + index index.html index.htm; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} + } + + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + + # ssl_ciphers 
HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + +} diff --git a/sites-available/element.conf b/sites-available/element.conf index b3c5f40..e218f86 100644 --- a/sites-available/element.conf +++ b/sites-available/element.conf @@ -1,7 +1,16 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/element/ levels=1:2 keys_zone=my_cache_element:10m max_size=10g +proxy_cache_path /var/cache/nginx/element levels=1:2 keys_zone=my_cache_element:10m max_size=2g inactive=60m use_temp_path=off; + +# Upstream with keepalive +upstream element_backend { + server 10.0.0.48:8097; + keepalive 16; + keepalive_requests 1000; + keepalive_timeout 60s; +} + server{ listen 80; server_name element.egonetix.de; @@ -25,8 +34,28 @@ server { access_log /var/log/nginx/element-access_log; error_log /var/log/nginx/element-error_log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss image/svg+xml; + gzip_min_length 1000; + set $upstream 10.0.0.48; + # Static files with aggressive caching + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|json)$ { + proxy_pass http://element_backend; + proxy_cache my_cache_element; + proxy_cache_valid 200 24h; + expires 24h; + add_header Cache-Control "public, immutable"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + } + location / { proxy_cache my_cache_element; @@ -35,7 +64,7 @@ server { proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass http://$upstream:8097; + proxy_pass http://element_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
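Review bot: The new static-file `location ~* \.(js|css|...|json)$` in the second element.conf hunk declares its own `add_header Cache-Control "public, immutable";`, and nginx only inherits `add_header` from outer levels when the current level has none, so responses from this location lose the `Strict-Transport-Security` header the server block sets (visible in the backup copy of this file) and the file-level `X-Robots-Tag`. Repeat `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` inside the location, or move the hardening headers into an included snippet; the identical omission is in the static locations added to gitea.conf, hoarder.conf, jitsi.conf and feuer.conf. Matching `json` here also means Element's runtime `config.json`, if served by this upstream, is held by nginx for `proxy_cache_valid 200 24h` and marked `immutable` to clients, so configuration changes would not propagate for a day — drop `json` from the pattern or add a `location = /config.json` that bypasses the cache. This location also forwards none of the `Host`/`X-Real-IP`/`X-Forwarded-For` headers that `location /` sets, so the upstream sees `Host: element_backend` for asset requests.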
diff --git a/sites-available/element.conf.backup-20251113-212344 b/sites-available/element.conf.backup-20251113-212344 new file mode 100644 index 0000000..b3c5f40 --- /dev/null +++ b/sites-available/element.conf.backup-20251113-212344 @@ -0,0 +1,51 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/element/ levels=1:2 keys_zone=my_cache_element:10m max_size=10g + inactive=60m use_temp_path=off; +server{ + listen 80; + server_name element.egonetix.de; + return 301 https://$server_name/element$request_uri; +} + + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/element.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/element.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name element.egonetix.de; + + access_log /var/log/nginx/element-access_log; + error_log /var/log/nginx/element-error_log; + + set $upstream 10.0.0.48; + + location / { + + proxy_cache my_cache_element; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8097; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } +} diff --git a/sites-available/feuer.conf b/sites-available/feuer.conf new file mode 100644 index 0000000..7de8463 --- /dev/null +++ b/sites-available/feuer.conf 
@@ -0,0 +1,65 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/feuer/ levels=1:2 keys_zone=my_cache_feuer:10m max_size=10g + inactive=60m use_temp_path=off; + +server{ +listen 80; +server_name feuer.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/feuer.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/feuer.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name feuer.egonetix.de; + + access_log /var/log/nginx/feuer-access_log; + error_log /var/log/nginx/feuer-error_log; + + # Firefly III on srvdocker02 (10.0.0.48) + set $upstream 10.0.0.48; + + location / { + + proxy_cache my_cache_feuer; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8094; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 100M; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + + # Firefly III specific headers for proper functionality + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { + expires 1y; + add_header Cache-Control "public, immutable"; + proxy_pass http://$upstream:8094; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto 
$scheme; + } +} diff --git a/sites-available/gitea.conf b/sites-available/gitea.conf index eef3d6a..f13aca3 100644 --- a/sites-available/gitea.conf +++ b/sites-available/gitea.conf @@ -1,7 +1,16 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/gitea/ levels=1:2 keys_zone=my_cache_gitea:10m max_size=10g +proxy_cache_path /var/cache/nginx/gitea levels=1:2 keys_zone=my_cache_gitea:10m max_size=2g inactive=60m use_temp_path=off; + +# Upstream with keepalive +upstream gitea_backend { + server 10.0.0.48:4000; + keepalive 16; + keepalive_requests 1000; + keepalive_timeout 60s; +} + server{ listen 80; server_name gitea.egonetix.de; @@ -25,8 +34,28 @@ server { access_log /var/log/nginx/gitea-access_log; error_log /var/log/nginx/gitea-error_log; + # Gzip compression for Gitea + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss image/svg+xml; + gzip_min_length 1000; + set $upstream 10.0.0.48; + # Static files with aggressive caching + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass http://gitea_backend; + proxy_cache my_cache_gitea; + proxy_cache_valid 200 24h; + expires 24h; + add_header Cache-Control "public, immutable"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + } + location / { proxy_cache my_cache_gitea; @@ -35,7 +64,7 @@ server { proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass http://$upstream:4000; + proxy_pass http://gitea_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/sites-available/gitea.conf.backup-20251113-212344 b/sites-available/gitea.conf.backup-20251113-212344 new file mode 100644 index 0000000..eef3d6a --- /dev/null 
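Review bot: `ssl on;` next to `listen 10.0.0.29:443 ssl http2;` is the deprecated form — the `ssl` listen parameter already enables TLS and nginx warns on the directive — so it should not appear in a freshly created file. The cache is placed at `/tmp/feuer/` with `max_size=10g` while every other site in this commit was moved to `/var/cache/nginx/<site>` with `max_size=2g`; a world-writable temp directory is a poor home for cached responses of a personal-finance application and the inconsistency looks accidental. In `location /`, `proxy_cache my_cache_feuer` is combined with `proxy_buffering off;`; as far as I know nginx only caches buffered responses, so the `proxy_cache_*` directives there are inert — either remove them or make caching deliberate, bearing in mind that a shared cache keyed only on the URL in front of authenticated Firefly III pages would serve one user's page to another unless the upstream sends `Cache-Control: private`/`no-store` or a `Set-Cookie`. The comment `# Firefly III specific headers for proper functionality` sits above a static-asset location and describes nothing in it; `# Static assets: long client-side cache, proxied without the nginx cache` would be accurate.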
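Review bot: The new static-file location in the second gitea.conf hunk applies `proxy_cache my_cache_gitea` with `proxy_cache_valid 200 24h` and `Cache-Control "public, immutable"` to every URI ending in one of the listed extensions, but Gitea also serves repository contents under paths such as `/<owner>/<repo>/raw/branch/<branch>/app.js` that match the same regex; with the default cache key (`$scheme$proxy_host$request_uri`, no cookie or `Authorization` component) a file from a private repository fetched once by an authorized user could be answered from the cache for any later requester, unless Gitea marks those responses `Cache-Control: private`/`no-store` or sets a cookie — verify before relying on it. Anchoring the pattern on Gitea's asset prefix, e.g. `location ~* ^/assets/.*\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { ... }`, keeps repository URLs out of the shared cache. The location also omits `proxy_set_header Host $host;`, so Gitea receives `Host: gitea_backend` for asset requests, which can break its absolute-URL generation.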
+++ b/sites-available/gitea.conf.backup-20251113-212344 @@ -0,0 +1,51 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/gitea/ levels=1:2 keys_zone=my_cache_gitea:10m max_size=10g + inactive=60m use_temp_path=off; +server{ + listen 80; + server_name gitea.egonetix.de; + return 301 https://$server_name/gitea$request_uri; +} + + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/gitea.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/gitea.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name gitea.egonetix.de; + + access_log /var/log/nginx/gitea-access_log; + error_log /var/log/nginx/gitea-error_log; + + set $upstream 10.0.0.48; + + location / { + + proxy_cache my_cache_gitea; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:4000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } +} diff --git a/sites-available/hoarder.conf b/sites-available/hoarder.conf index 0dbe5c4..aa857b4 100644 --- a/sites-available/hoarder.conf +++ b/sites-available/hoarder.conf 
@@ -1,7 +1,16 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/hoarder/ levels=1:2 keys_zone=my_cache_hoarder:10m max_size=10g +proxy_cache_path /var/cache/nginx/hoarder levels=1:2 keys_zone=my_cache_hoarder:10m max_size=2g inactive=60m use_temp_path=off; + +# Upstream with keepalive +upstream hoarder_backend { + server 10.0.0.48:8084; + keepalive 16; + keepalive_requests 1000; + keepalive_timeout 60s; +} + server{ listen 80; server_name hoarder.egonetix.de; @@ -24,8 +33,27 @@ server { access_log /var/log/nginx/hoarder-access_log; error_log /var/log/nginx/hoarder-error_log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss image/svg+xml; + gzip_min_length 1000; + set $upstream 10.0.0.48; + # Static files with caching + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass http://hoarder_backend; + proxy_cache my_cache_hoarder; + proxy_cache_valid 200 24h; + expires 24h; + add_header Cache-Control "public, immutable"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + } location / { @@ -35,7 +63,7 @@ server { proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass http://$upstream:8084; + proxy_pass http://hoarder_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/sites-available/hoarder.conf.backup-20251113-212344 b/sites-available/hoarder.conf.backup-20251113-212344 new file mode 100644 index 0000000..0dbe5c4 --- /dev/null +++ b/sites-available/hoarder.conf.backup-20251113-212344 
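Review bot: The static-file location added in the second hoarder.conf hunk forwards none of the `Host`, `X-Real-IP` and `X-Forwarded-For` headers that `location /` sets, so the upstream sees `Host: hoarder_backend` for asset requests; add `proxy_set_header Host $host;` and the other forwarding headers there. The same block of `proxy_set_header` lines is now repeated across the `location /` and static locations of five site files in this commit, so a snippet included in each location (e.g. a constructed `include snippets/proxy-headers.conf;`) would keep them from drifting apart the way this one already has.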
@@ -0,0 +1,52 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/hoarder/ levels=1:2 keys_zone=my_cache_hoarder:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name hoarder.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/hoarder.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/hoarder.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name hoarder.egonetix.de; + + access_log /var/log/nginx/hoarder-access_log; + error_log /var/log/nginx/hoarder-error_log; + + set $upstream 10.0.0.48; + + + location / { + + proxy_cache my_cache_hoarder; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8084; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + +} diff --git a/sites-available/jitsi.conf b/sites-available/jitsi.conf index 9281222..499951e 100644 --- a/sites-available/jitsi.conf +++ b/sites-available/jitsi.conf 
@@ -1,7 +1,19 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/jitsi/ levels=1:2 keys_zone=my_cache_jitsi:10m max_size=10g - inactive=60m use_temp_path=off; +# Upstream with keepalive for Jitsi +upstream jitsi_backend { + server 10.0.0.48:8000; + keepalive 32; + keepalive_requests 1000; + keepalive_timeout 60s; +} + +# WebSocket upgrade map +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + server{ listen 80; server_name jitsi.egonetix.de; 
@@ -24,17 +36,43 @@ server { access_log /var/log/nginx/jitsi-access_log; error_log /var/log/nginx/jitsi-error_log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss; + gzip_min_length 1000; + set $upstream 10.0.0.48; + # WebSocket support for Jitsi real-time communication + location /xmpp-websocket { + proxy_pass http://jitsi_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + proxy_read_timeout 7200s; + } + + # Static files with caching + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass http://jitsi_backend; + expires 24h; + add_header Cache-Control "public, immutable"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + } + location / { - proxy_cache my_cache_jitsi; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass http://$upstream:8000; + proxy_pass http://jitsi_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/sites-available/jitsi.conf.backup-20251113-212344 b/sites-available/jitsi.conf.backup-20251113-212344 new file mode 100644 index 0000000..9281222 --- /dev/null +++ b/sites-available/jitsi.conf.backup-20251113-212344 
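Review bot: The new `location ~* \.(js|css|...)$` tells clients `expires 24h` plus `Cache-Control "public, immutable"` for every `.js` response, but Jitsi Meet's deployment settings live in `config.js` and `interface_config.js`, which are served with that extension; a browser that has cached them as immutable will ignore server-side configuration changes for a day. Exclude those two paths, e.g. with `location = /config.js { proxy_pass http://jitsi_backend; }` placed before the regex location (exact-match locations win), or drop `immutable` so revalidation still happens. The `/xmpp-websocket` location forwards `Host`, `X-Real-IP` and `X-Forwarded-For` but not `X-Forwarded-Proto $scheme`; adding it keeps the backend aware that the client connection is TLS.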
@@ -0,0 +1,51 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/jitsi/ levels=1:2 keys_zone=my_cache_jitsi:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name jitsi.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/jitsi.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/jitsi.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name jitsi.egonetix.de; + + access_log /var/log/nginx/jitsi-access_log; + error_log /var/log/nginx/jitsi-error_log; + + set $upstream 10.0.0.48; + + location / { + + proxy_cache my_cache_jitsi; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + +} diff --git a/sites-available/matrix.conf b/sites-available/matrix.conf index e00cca6..f09ae9a 100644 --- a/sites-available/matrix.conf +++ b/sites-available/matrix.conf @@ -1,5 +1,13 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; +# Upstream with keepalive for Matrix +upstream matrix_backend { + server 10.0.0.48:8008; + keepalive 32; + keepalive_requests 1000; + keepalive_timeout 60s; +} + # Redirect HTTP to HTTPS server { listen 10.0.0.29:80; 
@@ -19,16 +27,31 @@ server { access_log /var/log/nginx/matrix-access.log; error_log /var/log/nginx/matrix-error.log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss; + gzip_min_length 1000; + set $upstream 10.0.0.48; location ~ ^(/_matrix|/_synapse/client) { - proxy_pass http://$upstream:8008; + proxy_pass http://matrix_backend; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + + # Better buffering for Matrix + proxy_buffering on; + proxy_buffer_size 8k; + proxy_buffers 32 8k; client_max_body_size 50M; - proxy_http_version 1.1; } } @@ -44,16 +67,31 @@ server { access_log /var/log/nginx/matrix-access.log; error_log /var/log/nginx/matrix-error.log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss; + gzip_min_length 1000; + set $upstream 10.0.0.48; location ~ ^(/_matrix|/_synapse/client) { - proxy_pass http://$upstream:8008; + proxy_pass http://matrix_backend; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + + # Better buffering for Matrix + proxy_buffering on; + proxy_buffer_size 8k; + proxy_buffers 32 8k; client_max_body_size 50M; - proxy_http_version 1.1; } } diff --git a/sites-available/matrix.conf.backup-20251113-212344 b/sites-available/matrix.conf.backup-20251113-212344 new file mode 100644 index 0000000..e00cca6 --- /dev/null +++ b/sites-available/matrix.conf.backup-20251113-212344 
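Review bot: `set $upstream 10.0.0.48;` is kept as context in both this hunk and the federation-listener hunk that follows although nothing references it after the `proxy_pass` change; drop it in both places. The gzip block and the location body are now duplicated verbatim between the 443 and 8448 server blocks (and near-identically across every site file in this commit), so a shared `include` snippet would keep the two listeners from drifting. `client_max_body_size 50M` only does its job if it matches the Synapse side — a comment such as `# keep in sync with Synapse max_upload_size` would make the coupling visible.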
@@ -0,0 +1,59 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+# Redirect HTTP to HTTPS
+server {
+ listen 10.0.0.29:80;
+ server_name matrix.egonetix.de;
+ return 301 https://$server_name$request_uri;
+}
+
+# HTTPS for client traffic (port 443)
+server {
+ listen 10.0.0.29:443 ssl http2;
+ server_name matrix.egonetix.de;
+
+ ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ access_log /var/log/nginx/matrix-access.log;
+ error_log /var/log/nginx/matrix-error.log;
+
+ set $upstream 10.0.0.48;
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ proxy_pass http://$upstream:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+}
+
+# HTTPS for federation traffic (port 8448)
+server {
+ listen 10.0.0.29:8448 ssl http2;
+ server_name matrix.egonetix.de;
+
+ ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ access_log /var/log/nginx/matrix-access.log;
+ error_log /var/log/nginx/matrix-error.log;
+
+ set $upstream 10.0.0.48;
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ proxy_pass http://$upstream:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+}
+
diff --git a/sites-available/nextcloud.conf b/sites-available/nextcloud.conf
index 1639031..c4a401a 100644
--- a/sites-available/nextcloud.conf
+++ b/sites-available/nextcloud.conf
@@ -1,8 +1,17 @@ add_header X-Robots-Tag "no-referrer, noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/nextcloud/ levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=10g +# Reduced cache size due to disk space constraints +proxy_cache_path /var/cache/nginx/nextcloud levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=2g inactive=60m use_temp_path=off; +# Upstream with keepalive +upstream nextcloud_backend { + server 10.0.0.48:8089; + keepalive 16; + keepalive_requests 1000; + keepalive_timeout 60s; +} + server{ listen 80; server_name nextcloud.egonetix.de; @@ -39,7 +48,7 @@ server { proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass http://$upstream:8089; + proxy_pass http://nextcloud_backend; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Server $host; diff --git a/sites-available/nextcloud.conf.backup-20251113-212344 b/sites-available/nextcloud.conf.backup-20251113-212344 new file mode 100644 index 0000000..1639031 --- /dev/null +++ b/sites-available/nextcloud.conf.backup-20251113-212344 
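Review bot: `location /` still caches proxied responses in the shared `my_cache_nextcloud` zone under the default `proxy_cache_key` (no per-user component) while also passing `Authorization` through, so isolation between users depends entirely on Nextcloud marking every per-user response `Cache-Control: no-store`/`private`; moving the cache to `/var/cache/nginx` and capping it at 2g does not change that. A cheap guard that costs nothing for anonymous asset requests is `proxy_no_cache $http_authorization $http_cookie; proxy_cache_bypass $http_authorization $http_cookie;` in that location, or alternatively restricting `proxy_cache` to an asset-only location. The location block in the second hunk starts and ends outside the hunk.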
@@ -0,0 +1,74 @@ +add_header X-Robots-Tag "no-referrer, noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/nextcloud/ levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=10g + inactive=60m use_temp_path=off; + +server{ + listen 80; + server_name nextcloud.egonetix.de; + return 301 https://$server_name/$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Referrer-Policy "no-referrer" always; + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/nextcloud.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/nextcloud.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name nextcloud.egonetix.de; + + access_log /var/log/nginx/nextcloud-access_log; + error_log /var/log/nginx/nextcloud-error_log; + + proxy_set_header X-Forwarded-Proto $scheme; + + set $upstream 10.0.0.48; + +#rewrite ^/$ /nextcloud; + + location / { + + proxy_cache my_cache_nextcloud; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8089; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# add_header Referrer-Policy no-referrer; +# proxy_set_header X-Forwarded-Proto https; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 20G; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + 
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + } + +location = /.well-known/carddav { +return 301 $scheme://$host/remote.php/dav; +} +location = /.well-known/caldav { +return 301 $scheme://$host/remote.php/dav; +} +} + diff --git a/sites-available/office.conf b/sites-available/office.conf index eb91597..e718f49 100644 --- a/sites-available/office.conf +++ b/sites-available/office.conf @@ -1,8 +1,22 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/office/ levels=1:2 keys_zone=my_cache_office:10m max_size=10g +proxy_cache_path /var/cache/nginx/office levels=1:2 keys_zone=my_cache_office:10m max_size=2g inactive=60m use_temp_path=off; +# Upstream with keepalive for Office +upstream office_backend { + server 10.0.0.48:9980; + keepalive 32; + keepalive_requests 1000; + keepalive_timeout 60s; +} + +# WebSocket upgrade map +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + server{ listen 80; server_name office.egonetix.de; 
@@ -30,12 +44,36 @@ server { access_log /var/log/nginx/office-access_log; error_log /var/log/nginx/office-error_log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss; + gzip_min_length 1000; + proxy_set_header X-Forwarded-Proto $scheme; set $upstream 10.0.0.48; # location / +# WebSocket support for collaborative editing +location /lool/ws { + proxy_pass https://office_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_read_timeout 7200s; + proxy_ssl_session_reuse off; +} + location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache) { proxy_cache my_cache_office; @@ -44,7 +82,7 @@ location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache) { proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass https://$upstream:9980; + proxy_pass https://office_backend; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Server $host; diff --git a/sites-available/office.conf.backup-20251113-212344 b/sites-available/office.conf.backup-20251113-212344 new file mode 100644 index 0000000..eb91597 --- /dev/null +++ b/sites-available/office.conf.backup-20251113-212344 
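Review bot: The new `location /lool/ws` is unreachable as written: the existing `location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache)` regex matches every URI (each contains `/`) and nginx prefers a matching regex location over a plain prefix location, so WebSocket requests still land in the regex block, which sends `Connection ""` and no `Upgrade` header. Give the WebSocket location precedence, either with `location ^~ /lool/ws {` (skips regex matching for that prefix) or with a regex placed before the catch-all such as `location ~ ^/lool/(.*)/ws$ {` — the latter is, as I recall, the form in Collabora's reference nginx config because document WebSocket URIs look like `/lool/<wopi-src>/ws`; confirm against the backend version in use. `proxy_pass https://office_backend` also runs with the default `proxy_ssl_verify off`, so the backend certificate is never checked; acceptable on a private segment, but a one-line comment recording that decision would help the next reader.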
@@ -0,0 +1,62 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/office/ levels=1:2 keys_zone=my_cache_office:10m max_size=10g + inactive=60m use_temp_path=off; + +server{ + listen 80; + server_name office.egonetix.de; + return 301 https://$server_name/$request_uri; + + access_log /var/log/nginx/office-access_log; + error_log /var/log/nginx/office-error_log; + + +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + +# SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/office.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/office.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name office.egonetix.de; + + access_log /var/log/nginx/office-access_log; + error_log /var/log/nginx/office-error_log; + + proxy_set_header X-Forwarded-Proto $scheme; + + set $upstream 10.0.0.48; + +# location / + +location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache) { + + proxy_cache my_cache_office; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream:9980; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Connection ""; + proxy_http_version 1.1; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } +} + diff --git a/sites-available/owa.conf b/sites-available/owa.conf index c716044..a20d0cf 100644 --- a/sites-available/owa.conf +++ b/sites-available/owa.conf 
@@ -1,167 +1,161 @@ -add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/owa/ levels=1:2 keys_zone=my_cache_owa:10m max_size=10g - inactive=60m use_temp_path=off; +# Optimized cache paths +proxy_cache_path /var/cache/nginx/kopano levels=1:2 keys_zone=kopano_static:10m + max_size=2g inactive=24h use_temp_path=off; +# Upstream with connection pooling +upstream kopano_backend { + server 10.0.0.21:443; + keepalive 32; + keepalive_requests 1000; + keepalive_timeout 60s; +} -server{ - listen 80; - server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de; - return 301 https://$server_name/webapp$request_uri; - +# WebSocket support map +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; } server { - listen 10.0.0.29:443 ssl http2; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - # SSL config - ssl on; - ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - - # Make site accessible from http://localhost/ - server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de; - - access_log /var/log/nginx/owa-access_log; - error_log /var/log/nginx/owa-error_log; - - - set $upstream 10.0.0.21; - -rewrite ^/$ /webapp; - - location /webapp { - - proxy_cache my_cache_owa; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; - proxy_pass_header Authorization; - proxy_pass https://$upstream; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_buffering off; - client_max_body_size 0; - proxy_read_timeout 36000s; - 
proxy_redirect off; - proxy_ssl_session_reuse off; -} - location /Microsoft-Server-ActiveSync { - proxy_cache my_cache_owa; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; - proxy_pass_header Authorization; - proxy_pass https://$upstream; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_buffering off; - client_max_body_size 0; - proxy_read_timeout 36000s; - proxy_redirect off; - proxy_ssl_session_reuse off; - - } - - location /webmeetings { - - proxy_cache my_cache_owa; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; - proxy_pass_header Authorization; - proxy_pass https://$upstream; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_buffering off; - client_max_body_size 0; - proxy_read_timeout 36000s; - proxy_redirect off; - proxy_ssl_session_reuse off; + listen 80; + server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de; + return 301 https://$server_name$request_uri; } - location ~* /Autodiscover/Autodiscover.xml { - access_log /var/log/nginx/z-push-autodiscover-access.log; - error_log /var/log/nginx/z-push-autodiscover-error.log; - fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php; - fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities - fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe - fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; - include fastcgi_params; - proxy_cache my_cache_owa; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - 
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; - proxy_pass_header Authorization; - proxy_pass https://$upstream; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_buffering off; - client_max_body_size 0; - proxy_read_timeout 36000s; - proxy_redirect off; - proxy_ssl_session_reuse off; +server { + listen 10.0.0.29:443 ssl http2; + + # SSL config + ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de; + + access_log /var/log/nginx/owa-access_log; + error_log /var/log/nginx/owa-error_log; + + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss + application/x-javascript image/svg+xml; + gzip_min_length 1000; + + # Default proxy settings + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header Connection ""; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + + rewrite ^/$ /webapp redirect; + + # Static files - aggressive caching + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass https://kopano_backend; + proxy_cache kopano_static; + proxy_cache_valid 200 24h; + proxy_cache_valid 404 1m; + expires 24h; + add_header Cache-Control "public, immutable"; + + # Buffering for 
static files + proxy_buffering on; + proxy_buffer_size 8k; + proxy_buffers 32 8k; + } + + # WebApp - DISABLE buffering for AJAX responsiveness + location /webapp { + proxy_pass https://kopano_backend; + + # NO caching + proxy_no_cache 1; + proxy_cache_bypass 1; + + # DISABLE buffering for instant AJAX responses + proxy_buffering off; + + proxy_read_timeout 300s; + client_max_body_size 100M; + proxy_redirect off; + } + + # ActiveSync - disable buffering for real-time sync + location /Microsoft-Server-ActiveSync { + proxy_pass https://kopano_backend; + + proxy_no_cache 1; + proxy_cache_bypass 1; + proxy_buffering off; + + proxy_read_timeout 3660s; + client_max_body_size 100M; + proxy_redirect off; + } + + # WebMeetings - WebSocket support + location /webmeetings { + proxy_pass https://kopano_backend; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_buffering off; + proxy_read_timeout 7200s; + client_max_body_size 500M; + proxy_redirect off; + } + + # Autodiscover + location ~* /Autodiscover/Autodiscover.xml { + access_log /var/log/nginx/z-push-autodiscover-access.log; + error_log /var/log/nginx/z-push-autodiscover-error.log; + + proxy_pass https://kopano_backend; + proxy_no_cache 1; + proxy_cache_bypass 1; + proxy_buffering off; + proxy_read_timeout 60s; + client_max_body_size 10M; + proxy_redirect off; + } + + # OWA compatibility + location /owa { + proxy_pass https://kopano_backend; + + proxy_no_cache 1; + proxy_cache_bypass 1; + proxy_buffering off; + + proxy_read_timeout 300s; + client_max_body_size 100M; + proxy_redirect off; + } + + # CalDAV + location /caldav { + proxy_pass http://10.0.0.21:8080; + + proxy_no_cache 1; + proxy_cache_bypass 1; + proxy_buffering off; + + proxy_read_timeout 300s; + client_max_body_size 50M; + proxy_redirect off; + } } - - location /owa { - proxy_cache my_cache_owa; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - proxy_cache_use_stale error timeout updating http_500 
http_502 http_503 http_504; - proxy_cache_lock on; - proxy_pass_header Authorization; - proxy_pass https://$upstream; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_buffering off; - client_max_body_size 0; - proxy_read_timeout 36000s; - proxy_redirect off; - proxy_ssl_session_reuse off; - - } - - location /caldav { - proxy_cache my_cache_owa; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; - proxy_pass_header Authorization; - proxy_pass http://$upstream:8080; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_buffering off; - client_max_body_size 0; - proxy_read_timeout 36000s; - proxy_redirect off; - proxy_ssl_session_reuse off; - - } - -} - diff --git a/sites-available/owa_backup.conf b/sites-available/owa_backup.conf new file mode 100644 index 0000000..c716044 --- /dev/null +++ b/sites-available/owa_backup.conf 
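Review bot: `location /webmeetings` loses every server-level `proxy_set_header` (`Host`, `X-Real-IP`, `X-Forwarded-For`, `X-Forwarded-Proto`, `X-Forwarded-Host`) because it declares its own `proxy_set_header Upgrade`/`Connection` and nginx inherits that directive only into locations that set none; the backend then sees `Host: kopano_backend` and no client address, so the headers must be repeated there (rewritten block below). The static-file location's `add_header Cache-Control` likewise suppresses the server-level `Strict-Transport-Security` header for those responses. The Autodiscover location dropped the `fastcgi_param HTTP_PROXY ""` httpoxy guard when it moved from FastCGI to proxying; if the backend still runs z-push under PHP/CGI, `proxy_set_header Proxy "";` keeps that mitigation at this layer. `proxy_ssl_session_reuse on; proxy_ssl_server_name on;` is fine, but `proxy_ssl_verify` stays at its default of off, so either document that the backend certificate is deliberately unverified or add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate`.
```nginx
    # WebMeetings - WebSocket support
    location /webmeetings {
        proxy_pass https://kopano_backend;

        # proxy_set_header is not inherited once any is set in this
        # location, so the server-level headers are repeated here
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # … unchanged: buffering, read timeout, body size, redirect …
    }
```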
@@ -0,0 +1,167 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/owa/ levels=1:2 keys_zone=my_cache_owa:10m max_size=10g + inactive=60m use_temp_path=off; + + +server{ + listen 80; + server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de; + return 301 https://$server_name/webapp$request_uri; + +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de; + + access_log /var/log/nginx/owa-access_log; + error_log /var/log/nginx/owa-error_log; + + + set $upstream 10.0.0.21; + +rewrite ^/$ /webapp; + + location /webapp { + + proxy_cache my_cache_owa; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; +} + location /Microsoft-Server-ActiveSync { + proxy_cache my_cache_owa; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + + location /webmeetings { + + proxy_cache my_cache_owa; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; +} + + location ~* /Autodiscover/Autodiscover.xml { + access_log /var/log/nginx/z-push-autodiscover-access.log; + error_log /var/log/nginx/z-push-autodiscover-error.log; + fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php; + fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe + fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; + include fastcgi_params; + proxy_cache my_cache_owa; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; +} + + location /owa { + proxy_cache my_cache_owa; + proxy_cache_revalidate on; + 
proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + + location /caldav { + proxy_cache my_cache_owa; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + +} + diff --git a/sites-available/plex.conf b/sites-available/plex.conf index e6ab145..51072cc 100644 --- a/sites-available/plex.conf +++ b/sites-available/plex.conf @@ -1,7 +1,13 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/plex/ levels=1:2 keys_zone=my_cache_plex:10m max_size=10g - inactive=60m use_temp_path=off; +# Upstream with keepalive for Plex +upstream plex_backend { + server 10.0.0.48:32400; + keepalive 32; + keepalive_requests 100; + keepalive_timeout 60s; +} + server{ listen 80; server_name plex.egonetix.de; 
@@ -24,25 +30,34 @@ server { access_log /var/log/nginx/plex-access_log; error_log /var/log/nginx/plex-error_log; + # Gzip for text content only (not media) + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss; + gzip_min_length 1000; + set $upstream 10.0.0.48; #set $upstream 172.20.20.6; + # Don't cache media streams location / { - proxy_cache my_cache_plex; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass https://$upstream:32400; + proxy_pass https://plex_backend; proxy_ssl_server_name on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_http_version 1.1; proxy_set_header Connection ""; + + # Optimized for media streaming proxy_buffering off; + proxy_cache off; + client_max_body_size 0; proxy_read_timeout 36000s; proxy_redirect off; diff --git a/sites-available/plex.conf.backup-20251113-212344 b/sites-available/plex.conf.backup-20251113-212344 new file mode 100644 index 0000000..e6ab145 --- /dev/null +++ b/sites-available/plex.conf.backup-20251113-212344 
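Review bot: Switching to `proxy_pass https://plex_backend;` changes what `proxy_ssl_server_name on` sends as SNI, because `proxy_ssl_name` defaults to `$proxy_host`, which is now the upstream group label `plex_backend` rather than the IP literal the old `$upstream` variable produced (nginx sends no SNI at all for an IP literal). Whether the Plex server accepts that name is not visible here — verify, or pin it with `proxy_ssl_name <hostname-on-plex-cert>;` (placeholder) so the TLS handshake does not depend on an internal label. As in the other files, `proxy_ssl_verify` remains off and `set $upstream 10.0.0.48;` is now dead; the `location /` block continues past the hunk.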
@@ -0,0 +1,52 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/plex/ levels=1:2 keys_zone=my_cache_plex:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name plex.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/plex.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/plex.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name plex.egonetix.de;
+
+ access_log /var/log/nginx/plex-access_log;
+ error_log /var/log/nginx/plex-error_log;
+
+ set $upstream 10.0.0.48;
+ #set $upstream 172.20.20.6;
+
+ location / {
+
+ proxy_cache my_cache_plex;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:32400;
+ proxy_ssl_server_name on;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}
diff --git a/sites-available/portal.conf b/sites-available/portal.conf
index c0fb796..0deb82f 100644
--- a/sites-available/portal.conf
+++ b/sites-available/portal.conf
@@ -1,90 +1,65 @@ -add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; - +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; server { - listen 80; - server_name portal.egonetix.de; + listen 80; + server_name portal.egonetix.de; + + # Redirect any HTTP request to HTTPS + return 301 https://$server_name$request_uri; - # Redirect all HTTP traffic to HTTPS - return 301 https://$server_name$request_uri; } + server { - listen 10.0.0.29:443 ssl http2; +# The IP that you forwarded in your router (nginx proxy) + listen 10.0.0.29:443 ssl http2; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - # Remove or update unsupported origin trial features. - # For example, comment out or remove these if not using them: - # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()"; + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; - # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources. 
+# Make site accessible from http://localhost/ + server_name portal.egonetix.de; - ssl on; - ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem; - ssl_dhparam /etc/ssl/certs/dhparam.pem; + access_log /var/log/nginx/portal-access_log; + error_log /var/log/nginx/portal-error_log; - server_name portal.egonetix.de; - access_log /var/log/nginx/portal-access_log; - error_log /var/log/nginx/portal-error_log; + # Gzip compression for static content + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss image/svg+xml; + gzip_min_length 1000; - root /var/www/html; - index index.html index.php; # Added index.php as potential index file +# return 301 https://$server_name$request_uri; +# The internal IP of the VM that hosts your Apache config +# set $upstream 10.0.0.10; - # PHP Processing Configuration - Updated for PHP 8.1 - location ~ \.php$ { - include snippets/fastcgi-php.conf; - - # Use PHP 8.1 socket (most common path on Ubuntu 22.04) - fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; - - # Alternative options if the above doesn't work: - #fastcgi_pass unix:/run/php/php8.1-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - - # Increase timeout and buffer size for troubleshooting - fastcgi_connect_timeout 300; - fastcgi_read_timeout 300; - fastcgi_send_timeout 300; - fastcgi_buffer_size 32k; - fastcgi_buffers 16 16k; - - # Set the correct document root - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_intercept_errors on; - } +root /var/www/html; + index index.html; - # Reverse proxy for API calls to KidsAI Explorer backend - # Proxy all /api/ requests to the Node.js server running on port 3002 - location /api/ { - proxy_pass http://127.0.0.1:3002; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - # Additional headers for better compatibility - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - - # Increase timeouts for AI processing - proxy_connect_timeout 300; - proxy_send_timeout 300; - proxy_read_timeout 300; - send_timeout 300; - } +# location /.well-known { +# alias /var/www/sub.domain.com/.well-known; +# } - # Serve KidsAI Explorer static files - location /kidsai/ { - alias /var/www/html/kidsai/; - try_files $uri $uri/ /kidsai/index.html; - - # Cache static assets - location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { - expires 1y; - add_header Cache-Control "public, immutable"; - } - } +# location / { + +# proxy_pass_header Authorization; +# proxy_pass http://$upstream; +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_http_version 1.1; +# proxy_set_header Connection ""; +# proxy_buffering off; +# client_max_body_size 0; +# proxy_read_timeout 36000s; +# proxy_redirect off; +#} } diff --git a/sites-available/portal.conf.backup b/sites-available/portal.conf.backup new file mode 100644 index 0000000..5420b58 --- /dev/null +++ b/sites-available/portal.conf.backup 
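Review bot: The rewritten server block drops the `Content-Security-Policy` header entirely while re-introducing `ssl on;`, a directive deprecated since nginx 1.15.0 and rejected from 1.25.1 on; `listen 10.0.0.29:443 ssl http2;` already enables TLS, so delete `ssl on;`, and if this vhost still serves HTML from `/var/www/html` restore a CSP appropriate to what is now served. Later in this commit sites-enabled/portal.conf stops being a symlink and becomes a regular file carrying the old PHP and `/api/` configuration, so what nginx actually loads for portal.egonetix.de no longer matches this file; either keep sites-enabled a symlink to this file or retire the PHP/API variant there as well. The hunk spans the whole file, so both server blocks are complete here.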
@@ -0,0 +1,87 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +server { + listen 80; + server_name portal.egonetix.de; + + # Redirect all HTTP traffic to HTTPS + return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always; + + # Remove or update unsupported origin trial features. + # For example, comment out or remove these if not using them: + # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()"; + + # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources. 
+ + ssl on; + ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + server_name portal.egonetix.de; + access_log /var/log/nginx/portal-access_log; + error_log /var/log/nginx/portal-error_log; + + root /var/www/html; + index index.html index.php; # Added index.php as potential index file + + # PHP Processing Configuration - Updated for PHP 8.1 + location ~ \.php$ { + include snippets/fastcgi-php.conf; + + # Use PHP 8.1 socket (most common path on Ubuntu 22.04) + fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; + + # Alternative options if the above doesn't work: + #fastcgi_pass unix:/run/php/php8.1-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + + # Increase timeout and buffer size for troubleshooting + fastcgi_connect_timeout 300; + fastcgi_read_timeout 300; + fastcgi_send_timeout 300; + fastcgi_buffer_size 32k; + fastcgi_buffers 16 16k; + + # Set the correct document root + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_intercept_errors on; + } + + # Reverse proxy for KidsAI Explorer API calls + location /api/ { + proxy_pass http://127.0.0.1:3002/api/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # Add CORS headers for API requests + add_header Access-Control-Allow-Origin $http_origin always; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always; + add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always; + add_header Access-Control-Allow-Credentials true always; + + # Handle preflight requests + if ($request_method = 'OPTIONS') 
{ + add_header Access-Control-Allow-Origin $http_origin; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE"; + add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With"; + add_header Access-Control-Allow-Credentials true; + add_header Access-Control-Max-Age 1728000; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + } +} + diff --git a/sites-available/portal.conf.backup-20251113-212344 b/sites-available/portal.conf.backup-20251113-212344 new file mode 100644 index 0000000..d9454d8 --- /dev/null +++ b/sites-available/portal.conf.backup-20251113-212344 
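Review bot: `add_header Access-Control-Allow-Origin $http_origin always;` together with `add_header Access-Control-Allow-Credentials true always;` (repeated without `always` in the `OPTIONS` branch) reflects whatever Origin the browser sends, so any third-party page a logged-in user visits can issue credentialed requests to `/api/` and read the responses; this is the classic CORS misconfiguration. The identical block appears in the new regular file sites-enabled/portal.conf, which is the copy nginx actually loads. If the portal page is the only caller, `/api/` is same-origin and the CORS headers can be removed outright; otherwise reflect only allow-listed origins through a `map`, as below (an empty value makes `add_header` omit the header).
```nginx
# http context: echo only trusted origins; empty value means the header is omitted
map $http_origin $cors_origin {
    default                      "";
    "https://portal.egonetix.de" $http_origin;
}
# … unchanged: server blocks, TLS settings, PHP location, proxy_pass / proxy_set_header lines …
        add_header Access-Control-Allow-Origin $cors_origin always;
        # … unchanged: Allow-Methods / Allow-Headers / Allow-Credentials …
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Origin $cors_origin;
            # … unchanged: remaining preflight headers and return 204 …
        }
```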
@@ -0,0 +1,56 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; +server { + listen 80; + server_name portal.egonetix.de; + + # Redirect any HTTP request to HTTPS + return 301 https://$server_name$request_uri; + +} + + +server { +# The IP that you forwarded in your router (nginx proxy) + listen 10.0.0.29:443 ssl http2; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + +# Make site accessible from http://localhost/ + server_name portal.egonetix.de; + + access_log /var/log/nginx/portal-access_log; + error_log /var/log/nginx/portal-error_log; + +# return 301 https://$server_name$request_uri; +# The internal IP of the VM that hosts your Apache config +# set $upstream 10.0.0.10; + +root /var/www/html; + index index.html; + +# location /.well-known { +# alias /var/www/sub.domain.com/.well-known; +# } + +# location / { + +# proxy_pass_header Authorization; +# proxy_pass http://$upstream; +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_http_version 1.1; +# proxy_set_header Connection ""; +# proxy_buffering off; +# client_max_body_size 0; +# proxy_read_timeout 36000s; +# proxy_redirect off; +#} +} + diff --git a/sites-available/stream.conf b/sites-available/stream.conf index 66ff2dc..152c5c5 100644 --- a/sites-available/stream.conf +++ b/sites-available/stream.conf 
@@ -1,7 +1,19 @@
 add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/stream/ levels=1:2 keys_zone=my_cache_stream:10m max_size=10g
- inactive=60m use_temp_path=off;
+# Upstream with keepalive
+upstream stream_backend {
+ server 10.0.0.48:8096;
+ keepalive 32;
+ keepalive_requests 100;
+ keepalive_timeout 60s;
+}
+
+# WebSocket upgrade map
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
 server{
 listen 80;
 server_name stream.egonetix.de;
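Review bot: The `map $http_upgrade $connection_upgrade` added here is declared a second time, identically, in the unifi.conf hunk; nginx appears to tolerate re-declaring a map variable (the last definition wins), but two copies of the same map in per-site files drift silently. Declare it once in the `http` block of nginx.conf and reference `$connection_upgrade` from both sites. `keepalive_requests 100;` also differs from the 1000 used for every other new upstream in this commit; if that is deliberate for long media transfers, say so in the comment above the block.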
@@ -24,46 +36,43 @@ server { access_log /var/log/nginx/stream-access.log; error_log /var/log/nginx/stream-error.log; + # Gzip for text content only + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss; + gzip_min_length 1000; + set $upstream 10.0.0.48; + # WebSocket for real-time updates + location /socket { + proxy_pass http://stream_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + proxy_read_timeout 7200s; + } location / { - proxy_cache my_cache_stream; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass http://$upstream:8096; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_buffering off; - client_max_body_size 0; - proxy_read_timeout 36000s; - proxy_redirect off; - proxy_ssl_session_reuse off; - - } - - location /socket { - - proxy_cache my_cache_stream; - proxy_cache_revalidate on; - proxy_cache_min_uses 3; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; - proxy_pass_header Authorization; - proxy_pass http://$upstream:8096; + proxy_pass http://stream_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_http_version 1.1; proxy_set_header Connection ""; + + # No caching for media streams proxy_buffering off; + client_max_body_size 0; 
 proxy_read_timeout 36000s;
 proxy_redirect off;
diff --git a/sites-available/stream.conf.backup-20251113-212344 b/sites-available/stream.conf.backup-20251113-212344
new file mode 100644
index 0000000..66ff2dc
--- /dev/null
+++ b/sites-available/stream.conf.backup-20251113-212344
@@ -0,0 +1,74 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/stream/ levels=1:2 keys_zone=my_cache_stream:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name stream.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/stream.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/stream.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name stream.egonetix.de; + + access_log /var/log/nginx/stream-access.log; + error_log /var/log/nginx/stream-error.log; + + set $upstream 10.0.0.48; + + + location / { + + proxy_cache my_cache_stream; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8096; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + + location /socket { + + proxy_cache my_cache_stream; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8096; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + 
client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + +} diff --git a/sites-available/sync.conf b/sites-available/sync.conf index ef10a4b..00e017a 100644 --- a/sites-available/sync.conf +++ b/sites-available/sync.conf @@ -1,7 +1,16 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/sync/ levels=1:2 keys_zone=my_cache_sync:10m max_size=10g +proxy_cache_path /var/cache/nginx/sync levels=1:2 keys_zone=my_cache_sync:10m max_size=2g inactive=60m use_temp_path=off; + +# Upstream with keepalive +upstream sync_backend { + server 10.0.0.48:18089; + keepalive 16; + keepalive_requests 1000; + keepalive_timeout 60s; +} + server{ listen 80; server_name sync.egonetix.de; @@ -24,6 +33,15 @@ server { access_log /var/log/nginx/sync-access_log; error_log /var/log/nginx/sync-error_log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss; + gzip_min_length 1000; + set $upstream 10.0.0.48; location / { @@ -34,7 +52,7 @@ server { proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass http://$upstream:18089; + proxy_pass http://sync_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/sites-available/sync.conf.backup-20251113-212344 b/sites-available/sync.conf.backup-20251113-212344 new file mode 100644 index 0000000..ef10a4b --- /dev/null +++ b/sites-available/sync.conf.backup-20251113-212344 
@@ -0,0 +1,50 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/sync/ levels=1:2 keys_zone=my_cache_sync:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name sync.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/sync.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/sync.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name sync.egonetix.de; + + access_log /var/log/nginx/sync-access_log; + error_log /var/log/nginx/sync-error_log; + + set $upstream 10.0.0.48; + + location / { + + proxy_cache my_cache_sync; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:18089; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } +} diff --git a/sites-available/unifi.conf b/sites-available/unifi.conf index 7f2076b..ca68f92 100644 --- a/sites-available/unifi.conf +++ b/sites-available/unifi.conf 
@@ -1,7 +1,22 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/unifi/ levels=1:2 keys_zone=my_cache_unifi:10m max_size=10g +proxy_cache_path /var/cache/nginx/unifi levels=1:2 keys_zone=my_cache_unifi:10m max_size=2g inactive=60m use_temp_path=off; + +# Upstream with keepalive +upstream unifi_backend { + server 10.0.0.48:8443; + keepalive 32; + keepalive_requests 1000; + keepalive_timeout 60s; +} + +# WebSocket upgrade map +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + server{ listen 80; server_name unifi.egonetix.de; @@ -25,8 +40,31 @@ server { access_log /var/log/nginx/unifi-access_log; error_log /var/log/nginx/unifi-error_log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss; + gzip_min_length 1000; + set $upstream 10.0.0.48; + # WebSocket support for UniFi real-time updates + location /wss/ { + proxy_pass https://unifi_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + proxy_read_timeout 7200s; + proxy_ssl_session_reuse off; + } + location / { proxy_cache my_cache_unifi; @@ -35,7 +73,7 @@ server { proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass https://$upstream:8443; + proxy_pass https://unifi_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/sites-available/unifi.conf.backup-20251113-212344 b/sites-available/unifi.conf.backup-20251113-212344 new file mode 100644 index 0000000..7f2076b 
--- /dev/null +++ b/sites-available/unifi.conf.backup-20251113-212344 @@ -0,0 +1,52 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/unifi/ levels=1:2 keys_zone=my_cache_unifi:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name unifi.egonetix.de; +return 301 https://$server_name$request_uri; +} + + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/unifi.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/unifi.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name unifi.egonetix.de; + + access_log /var/log/nginx/unifi-access_log; + error_log /var/log/nginx/unifi-error_log; + + set $upstream 10.0.0.48; + + location / { + + proxy_cache my_cache_unifi; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream:8443; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } +} + diff --git a/sites-available/vscode.conf b/sites-available/vscode.conf new file mode 100644 index 0000000..511e717 --- /dev/null +++ b/sites-available/vscode.conf 
@@ -0,0 +1,55 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +# Upstream with keepalive +upstream vscode_backend { + server 10.0.0.48:8099; + keepalive 16; + keepalive_requests 1000; + keepalive_timeout 60s; +} + +server{ + listen 80; + server_name vscode.egonetix.de; + return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/vscode.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/vscode.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + server_name vscode.egonetix.de; + + access_log /var/log/nginx/vscode-access_log; + error_log /var/log/nginx/vscode-error_log; + + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss image/svg+xml; + gzip_min_length 1000; + + location / { + proxy_pass http://vscode_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + } +} diff --git a/sites-available/wallabag.conf b/sites-available/wallabag.conf index 021f9f5..b5adff1 100644 --- a/sites-available/wallabag.conf +++ b/sites-available/wallabag.conf 
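Review bot: `proxy_set_header Connection "upgrade";` in `location /` is sent on every proxied request, not only on WebSocket handshakes, and because it is not `Connection ""` the `keepalive 16` pool declared in `vscode_backend` is never used. Use the same `map $http_upgrade $connection_upgrade` pattern as stream.conf (with `'' "";` instead of `'' close;` if pooled connections are wanted for ordinary requests) and set `proxy_set_header Connection $connection_upgrade;`, as below. `ssl on;` is deprecated since nginx 1.15.0 and rejected from 1.25.1 on; `listen 10.0.0.29:443 ssl http2;` already enables TLS, so drop the directive. A browser IDE on 10.0.0.48:8099 is reachable by anyone who can reach vscode.egonetix.de with only the application's own login in front of it; consider an `allow`/`deny` list or client-certificate authentication on this server block.
```nginx
# WebSocket upgrade map: '' -> empty value keeps pooled keepalive connections for plain requests
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}
# … unchanged: upstream vscode_backend, HTTP redirect server, TLS / log / gzip settings …
    location / {
        proxy_pass http://vscode_backend;
        # … unchanged: Host / X-Real-IP / X-Forwarded-* headers …
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # … unchanged: buffering, body size, timeouts, redirect …
    }
```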
@@ -1,7 +1,16 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/wallabag/ levels=1:2 keys_zone=my_cache_wallabag:10m max_size=10g +proxy_cache_path /var/cache/nginx/wallabag levels=1:2 keys_zone=my_cache_wallabag:10m max_size=2g inactive=60m use_temp_path=off; + +# Upstream with keepalive +upstream wallabag_backend { + server 10.0.0.48:8087; + keepalive 16; + keepalive_requests 1000; + keepalive_timeout 60s; +} + server{ listen 80; server_name wallabag.egonetix.de; @@ -24,8 +33,27 @@ server { access_log /var/log/nginx/wallabag-access_log; error_log /var/log/nginx/wallabag-error_log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss image/svg+xml; + gzip_min_length 1000; + set $upstream 10.0.0.48; + # Static files with caching + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass http://wallabag_backend; + proxy_cache my_cache_wallabag; + proxy_cache_valid 200 24h; + expires 24h; + add_header Cache-Control "public, immutable"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + } location / { @@ -35,7 +63,7 @@ server { proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass http://$upstream:8087; + proxy_pass http://wallabag_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/sites-available/wallabag.conf.backup-20251113-212344 b/sites-available/wallabag.conf.backup-20251113-212344 new file mode 100644 index 0000000..021f9f5 --- /dev/null +++ b/sites-available/wallabag.conf.backup-20251113-212344 
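Review bot: The new static-asset location (`location ~* \.(js|css|…)$`) declares its own `add_header Cache-Control`, and nginx inherits `add_header` from the enclosing level only when the current level has none, so every response matched here goes out without the server-level `Strict-Transport-Security` header (and the http-level `X-Robots-Tag`); repeat `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` inside the location. It also sets no `proxy_set_header Host $host;`, so the backend sees `Host: wallabag_backend`, which the application may use when building absolute URLs; add the Host and X-Forwarded-* headers the `location /` block already sends. `Cache-Control "public, immutable"` with `expires 24h` on unversioned paths such as favicon.ico leaves clients holding stale assets across upgrades; reserve `immutable` for fingerprinted filenames. The same three points apply to the new static location in the wiki.conf hunk.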
@@ -0,0 +1,52 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/wallabag/ levels=1:2 keys_zone=my_cache_wallabag:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name wallabag.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/wallabag.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/wallabag.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name wallabag.egonetix.de; + + access_log /var/log/nginx/wallabag-access_log; + error_log /var/log/nginx/wallabag-error_log; + + set $upstream 10.0.0.48; + + + location / { + + proxy_cache my_cache_wallabag; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8087; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + +} diff --git a/sites-available/wiki.conf b/sites-available/wiki.conf index 19b6781..fbb5a48 100644 --- a/sites-available/wiki.conf +++ b/sites-available/wiki.conf 
@@ -1,7 +1,16 @@ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; -proxy_cache_path /tmp/wiki/ levels=1:2 keys_zone=my_cache_wiki:10m max_size=10g +proxy_cache_path /var/cache/nginx/wiki levels=1:2 keys_zone=my_cache_wiki:10m max_size=2g inactive=60m use_temp_path=off; + +# Upstream with keepalive +upstream wiki_backend { + server 10.0.0.10:443; + keepalive 16; + keepalive_requests 1000; + keepalive_timeout 60s; +} + server{ listen 80; server_name wiki.egonetix.de; @@ -25,8 +34,29 @@ server { access_log /var/log/nginx/wiki-access_log; error_log /var/log/nginx/wiki-error_log; + # Gzip compression + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 5; + gzip_types text/plain text/css text/xml text/javascript + application/json application/javascript application/xml+rss image/svg+xml; + gzip_min_length 1000; + set $upstream 10.0.0.10; + # Static files with aggressive caching + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass https://wiki_backend; + proxy_cache my_cache_wiki; + proxy_cache_valid 200 24h; + expires 24h; + add_header Cache-Control "public, immutable"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_ssl_session_reuse off; + } + location /wiki { proxy_cache my_cache_wiki; @@ -35,7 +65,7 @@ server { proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_pass_header Authorization; - proxy_pass https://$upstream; + proxy_pass https://wiki_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/sites-available/wiki.conf.backup-20251113-212344 b/sites-available/wiki.conf.backup-20251113-212344 new file mode 100644 index 0000000..19b6781 --- /dev/null +++ b/sites-available/wiki.conf.backup-20251113-212344 
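Review bot: The new `location ~* \.(js|css|png|…)$` matches any path on wiki.egonetix.de, not only paths under `/wiki`, and regex locations take precedence over the `location /wiki` prefix; before this change nothing outside `/wiki` was proxied to 10.0.0.10, while now any URL ending in one of these extensions is forwarded to the backend and cached for 24h. Anchor the pattern to the wiki prefix, e.g. `location ~* ^/wiki/.*\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {`. The `location /wiki` block itself continues past the end of the third hunk.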
@@ -0,0 +1,51 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/wiki/ levels=1:2 keys_zone=my_cache_wiki:10m max_size=10g + inactive=60m use_temp_path=off; +server{ + listen 80; + server_name wiki.egonetix.de; + return 301 https://$server_name/wiki$request_uri; +} + + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/wiki.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/wiki.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name wiki.egonetix.de; + + access_log /var/log/nginx/wiki-access_log; + error_log /var/log/nginx/wiki-error_log; + + set $upstream 10.0.0.10; + + location /wiki { + + proxy_cache my_cache_wiki; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } +} diff --git a/sites-enabled/default b/sites-enabled/default deleted file mode 120000 index ad35b83..0000000 --- a/sites-enabled/default +++ /dev/null @@ -1 +0,0 @@ -/etc/nginx/sites-available/default \ No newline at end of file diff --git a/sites-enabled/feuer.conf b/sites-enabled/feuer.conf new file mode 120000 index 0000000..c6a5d3e --- /dev/null +++ b/sites-enabled/feuer.conf @@ -0,0 +1 @@ +/etc/nginx/sites-available/feuer.conf \ No newline at end of file 
diff --git a/sites-enabled/portal.conf b/sites-enabled/portal.conf
deleted file mode 120000
index 41c24df..0000000
--- a/sites-enabled/portal.conf
+++ /dev/null
@@ -1 +0,0 @@
-/etc/nginx/sites-available/portal.conf
\ No newline at end of file
diff --git a/sites-enabled/portal.conf b/sites-enabled/portal.conf
new file mode 100644
index 0000000..4b88d2c
--- /dev/null
+++ b/sites-enabled/portal.conf
@@ -0,0 +1,87 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+server {
+ listen 80;
+ server_name portal.egonetix.de;
+
+ # Redirect all HTTP traffic to HTTPS
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;
+
+ # Remove or update unsupported origin trial features.
+ # For example, comment out or remove these if not using them:
+ # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
+
+ # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ server_name portal.egonetix.de;
+ access_log /var/log/nginx/portal-access_log;
+ error_log /var/log/nginx/portal-error_log;
+
+ root /var/www/html;
+ index index.html index.php; # Added index.php as potential index file
+
+ # PHP Processing Configuration - Updated for PHP 8.1
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+
+ # Use PHP 8.1 socket (most common path on Ubuntu 22.04)
+ fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+
+ # Alternative options if the above doesn't work:
+ #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+ #fastcgi_pass 127.0.0.1:9000;
+
+ # Increase timeout and buffer size for troubleshooting
+ fastcgi_connect_timeout 300;
+ fastcgi_read_timeout 300;
+ fastcgi_send_timeout 300;
+ fastcgi_buffer_size 32k;
+ fastcgi_buffers 16 16k;
+
+ # Set the correct document root
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_intercept_errors on;
+ }
+
+ # Reverse proxy for KidsAI Explorer API calls
+ location /api/ {
+ proxy_pass http://127.0.0.1:3001/api/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ # Add CORS headers for API requests
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
+ add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always;
+ add_header Access-Control-Allow-Credentials true always;
+
+ # Handle preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header Access-Control-Allow-Origin $http_origin;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE";
+ add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With";
+ add_header Access-Control-Allow-Credentials true;
+ add_header Access-Control-Max-Age 1728000;
+ add_header Content-Type 'text/plain charset=UTF-8';
+ add_header Content-Length 0;
+ return 204;
+ }
+ }
+}
+
diff --git a/sites-enabled/portal.conf.backup.working.20250929 b/sites-enabled/portal.conf.backup.working.20250929
new file mode 100644
index 0000000..4b88d2c
--- /dev/null
+++ b/sites-enabled/portal.conf.backup.working.20250929
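Review bot: `location /api/` reflects the caller's origin in `add_header Access-Control-Allow-Origin $http_origin always;` while also sending `Access-Control-Allow-Credentials true`, so any third-party page can make credentialed cross-origin requests to the API behind 127.0.0.1:3001 and read the responses — the browser's same-origin protection for whatever cookies or Authorization header that backend honours is effectively switched off, and the preflight `if` block repeats the same pair. Allow-list the origin with a `map` at http level (this file is evidently included there, since its first line is a bare `add_header`), emit the header only when the map matches, and add `Vary: Origin` so intermediaries do not cache one origin's answer for another. Note also that `add_header` inside a `location` (and inside an `if`) replaces rather than extends the server-level set, so `Strict-Transport-Security` and the CSP are not sent on `/api/` responses unless repeated there. The CSP's `script-src` carrying both `'unsafe-inline'` and `'unsafe-eval'` leaves little XSS protection, and `ssl on;` is deprecated and redundant with `listen ... ssl`; both are separate cleanups.

```nginx
# http level (top of this file): only the portal's own origin may make credentialed calls
map $http_origin $cors_origin {
    default "";
    "https://portal.egonetix.de" $http_origin;
}

# … unchanged: listen 80 redirect block, TLS and PHP settings …
    location /api/ {
        # … unchanged: proxy_pass and proxy_set_header lines …
        add_header Access-Control-Allow-Origin $cors_origin always;   # not sent when empty
        add_header Access-Control-Allow-Credentials true always;
        add_header Vary Origin always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # … unchanged: Allow-Methods / Allow-Headers …
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Origin $cors_origin;
            add_header Vary Origin;
            # … unchanged: remaining preflight headers and return 204 …
        }
    }
```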
@@ -0,0 +1,87 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+server {
+ listen 80;
+ server_name portal.egonetix.de;
+
+ # Redirect all HTTP traffic to HTTPS
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;
+
+ # Remove or update unsupported origin trial features.
+ # For example, comment out or remove these if not using them:
+ # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
+
+ # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ server_name portal.egonetix.de;
+ access_log /var/log/nginx/portal-access_log;
+ error_log /var/log/nginx/portal-error_log;
+
+ root /var/www/html;
+ index index.html index.php; # Added index.php as potential index file
+
+ # PHP Processing Configuration - Updated for PHP 8.1
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+
+ # Use PHP 8.1 socket (most common path on Ubuntu 22.04)
+ fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+
+ # Alternative options if the above doesn't work:
+ #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+ #fastcgi_pass 127.0.0.1:9000;
+
+ # Increase timeout and buffer size for troubleshooting
+ fastcgi_connect_timeout 300;
+ fastcgi_read_timeout 300;
+ fastcgi_send_timeout 300;
+ fastcgi_buffer_size 32k;
+ fastcgi_buffers 16 16k;
+
+ # Set the correct document root
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_intercept_errors on;
+ }
+
+ # Reverse proxy for KidsAI Explorer API calls
+ location /api/ {
+ proxy_pass http://127.0.0.1:3001/api/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ # Add CORS headers for API requests
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
+ add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always;
+ add_header Access-Control-Allow-Credentials true always;
+
+ # Handle preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header Access-Control-Allow-Origin $http_origin;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE";
+ add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With";
+ add_header Access-Control-Allow-Credentials true;
+ add_header Access-Control-Max-Age 1728000;
+ add_header Content-Type 'text/plain charset=UTF-8';
+ add_header Content-Length 0;
+ return 204;
+ }
+ }
+}
+
diff --git a/sites-enabled/rezepte.conf b/sites-enabled/rezepte.conf
deleted file mode 120000
index 975b401..0000000
--- a/sites-enabled/rezepte.conf
+++ /dev/null
@@ -1 +0,0 @@
-/etc/nginx/sites-available/rezepte.conf
\ No newline at end of file
diff --git a/sites-enabled/rezepte.conf b/sites-enabled/rezepte.conf
new file mode 100644
index 0000000..db73492
--- /dev/null
+++ b/sites-enabled/rezepte.conf
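Review bot: This backup copy is placed in `sites-enabled/`, which the stock nginx.conf normally pulls in with `include /etc/nginx/sites-enabled/*;` (nginx.conf is outside this chunk, so confirm the glob), so it is not dormant: it declares a second `server` for `portal.egonetix.de` on the same `listen 80` and `listen 10.0.0.29:443 ssl http2` as portal.conf, and nginx only logs a "conflicting server name" warning and ignores whichever copy it reads second. Today alphabetical include order lets `portal.conf` win, but a later rename or `server_name` edit in the live file would silently put this stale copy — with its reflected-`$http_origin` credentialed CORS headers — into service. Keep backups out of the include glob (`sites-available/` or a directory such as `/etc/nginx/backups/`), or rely on git history, which this repository already provides.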
@@ -0,0 +1,62 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/rezepte/ levels=1:2 keys_zone=my_cache_rezepte:10m max_size=10g
+ inactive=60m use_temp_path=off;
+
+upstream swarm_nodes {
+server 10.0.0.48:8090;
+}
+
+
+resolver 10.0.0.21;
+
+server{
+listen 80;
+server_name rezepte.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/rezepte.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rezepte.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name rezepte.egonetix.de;
+
+ access_log /var/log/nginx/rezepte-access_log;
+ error_log /var/log/nginx/rezepte-error_log;
+
+ set $upstream 10.0.0.48;
+ #set $upstream swarm_nodes;
+ #set $upstream 10.0.0.46;
+
+
+ location / {
+
+ proxy_cache my_cache_rezepte;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8090;
+# proxy_pass http://swarm_nodes;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+ }
+
+}
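Review bot: The backend at 10.0.0.48:8090 is reached over plain HTTP but is never told that the client side was TLS — `location /` forwards `Host`, `X-Real-IP` and `X-Forwarded-For` but, unlike the portal.conf hunk in this same patch, no `X-Forwarded-Proto`; add `proxy_set_header X-Forwarded-Proto $scheme;` next to the others so the application can emit https redirects and Secure cookies (assuming it honours the header). `proxy_cache my_cache_rezepte` uses the default cache key, which ignores `Authorization` and cookies, so after `proxy_cache_min_uses 3` a logged-in user's response could be served to everyone; as far as I recall nginx does not populate the cache while `proxy_buffering off` is set, so this is probably inert today, but either remove the cache directives or add `proxy_no_cache $http_authorization $http_cookie;` and `proxy_cache_bypass $http_authorization $http_cookie;` before buffering is ever re-enabled. `proxy_pass_header Authorization;` is a no-op — it only un-hides upstream response headers nginx suppresses by default (Date, Server, X-Accel-*), and request headers are forwarded anyway — and `proxy_ssl_session_reuse off` is meaningless on an `http://` proxy_pass, so both read as misleading hints that auth or TLS is being handled. The unused `upstream swarm_nodes` block and the deprecated `ssl on;` are minor cleanups in the same spirit.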