


44 changed files with 2574 additions and 319 deletions


@@ -1,26 +1,32 @@
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
}
http {
worker_connections 2048;
multi_accept on;
use epoll;
}http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 15;
types_hash_max_size 2048;
# server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 100;
reset_timedout_connection on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# File cache for better performance
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors on; # server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
@@ -33,8 +39,9 @@ http {
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
#ssl_stapling on;
#ssl_stapling_verify on;
@@ -54,9 +61,18 @@ http {
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_comp_level 5;
gzip_buffers 16 8k;
gzip_http_version 1.1;
# Proxy buffer settings
proxy_buffers 16 16k;
proxy_buffer_size 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
@@ -88,3 +104,60 @@ http {
# proxy on;
# }
#}
# Stream block for SMTP proxy with Let's Encrypt TLS termination
stream {
# Logging
log_format smtp_proxy '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';
# Upstream mail server
upstream mail_submission {
server 10.0.0.21:10025;
}
upstream mail_smtps {
server 10.0.0.21:10025;
}
# SMTP Submission port (STARTTLS) - port 587
server {
listen 587 ssl;
proxy_pass mail_submission;
proxy_connect_timeout 10s;
# Let's Encrypt SSL certificate
ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
# SSL settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SMTP:10m;
ssl_session_timeout 10m;
access_log /var/log/nginx/mail-submission-access.log smtp_proxy;
error_log /var/log/nginx/mail-submission-error.log;
}
# SMTPS port (implicit TLS) - port 465
server {
listen 465 ssl;
proxy_pass mail_smtps;
proxy_connect_timeout 10s;
# Let's Encrypt SSL certificate
ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
# SSL settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SMTPS:10m;
ssl_session_timeout 10m;
access_log /var/log/nginx/mail-smtps-access.log smtp_proxy;
error_log /var/log/nginx/mail-smtps-error.log;
}
}
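Review bot: The `listen 587 ssl;` server at the end of the new `stream` block performs the TLS handshake as soon as the client connects (implicit TLS), while the comment above it labels port 587 as STARTTLS; a Submission client that expects a plaintext `220` banner before negotiating STARTTLS never gets past the handshake, and the stream module has no STARTTLS support at all (that is the `mail {}` context with `starttls on;`). Either relabel this server as implicit TLS on 587 or move Submission handling into a `mail` context; the 465 server is correct as written. Both upstreams also forward to the same `10.0.0.21:10025` without any client-address passthrough, so the mail server logs and rate-limits every session as coming from this proxy's own address; if it accepts the PROXY protocol, `proxy_protocol on;` in each server restores the real client address, which is worth confirming before backend reputation or rate limiting is relied on. `server_tokens off;` remains commented out at the top of the http block in this hunk and in the copy of the file in the next section.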


@@ -0,0 +1,90 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 15;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
#ssl_stapling on;
#ssl_stapling_verify on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}


@@ -13,6 +13,14 @@
# Default server configuration
#
# Upstream for Node.js backend
upstream nodejs_backend {
server 127.0.0.1:3001;
keepalive 8;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
@@ -44,6 +52,45 @@ server {
server_name _;
# Proxy API requests to Node.js backend
# Handle rechner application
location /rechner/ {
proxy_pass http://nodejs_backend/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
# Proxy API requests for rechner to Node.js backend
location /rechner/api/ {
proxy_pass http://nodejs_backend/api/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
location /api/ {
proxy_pass http://nodejs_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
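Review bot: The three new `location` blocks send `proxy_set_header Connection 'upgrade';` on every request, not only on WebSocket upgrades, so the Node backend receives a `Connection: upgrade` header on plain API calls, and nginx's own guidance for a `keepalive` upstream is to clear the Connection header, so the `keepalive 8;` pool declared in `upstream nodejs_backend` may never be reused — worth verifying against the backend's connection behaviour. The usual form is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` at http level, which the jitsi hunk of this same change already declares, and `proxy_set_header Connection $connection_upgrade;` in each of the three locations. The enclosing server block continues outside the hunk.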


@@ -0,0 +1,90 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
location /.well-known {
alias /var/www/sub.domain.com/.well-known;
}
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
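Review bot: The `location /.well-known` block aliases to `/var/www/sub.domain.com/.well-known`, which reads like a template placeholder rather than a vhost directory that exists on this host; if this is where ACME HTTP-01 challenges are meant to be served, they will return 404 until the path is corrected. Keep the prefix and the alias aligned with a trailing slash on both, `location /.well-known/ { alias /var/www/<vhost>/.well-known/; }` (`<vhost>` is a placeholder), or use `root /var/www/<vhost>;` since the URI prefix equals the directory name, so that a prefix match such as `/.well-knownfoo` is not mapped to a sibling path of the intended directory. The same block appears in the next file section.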


@@ -0,0 +1,129 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
location /.well-known {
alias /var/www/sub.domain.com/.well-known;
}
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
# Proxy API requests to Node.js backend
# Handle rechner application
location /rechner/ {
proxy_pass http://127.0.0.1:3001/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_Set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
# Proxy API requests for rechner to Node.js backend
location /rechner/api/ {
proxy_pass http://127.0.0.1:3001/api/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
location /api/ {
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
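Review bot: `proxy_Set_header X-Forwarded-Proto $scheme;` in the `/rechner/` location is a typo; nginx directive names are case-sensitive, so this file fails `nginx -t` with an unknown-directive error and the whole configuration refuses to load while the file is enabled. The line should read `proxy_set_header X-Forwarded-Proto $scheme;`, matching the two sibling locations. All three locations also send `Connection 'upgrade'` unconditionally; a `map $http_upgrade $connection_upgrade` and `proxy_set_header Connection $connection_upgrade;` is the usual form.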


@@ -0,0 +1,115 @@
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}


@@ -1,7 +1,16 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/element/ levels=1:2 keys_zone=my_cache_element:10m max_size=10g
proxy_cache_path /var/cache/nginx/element levels=1:2 keys_zone=my_cache_element:10m max_size=2g
inactive=60m use_temp_path=off;
# Upstream with keepalive
upstream element_backend {
server 10.0.0.48:8097;
keepalive 16;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server{
listen 80;
server_name element.egonetix.de;
@@ -25,8 +34,28 @@ server {
access_log /var/log/nginx/element-access_log;
error_log /var/log/nginx/element-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss image/svg+xml;
gzip_min_length 1000;
set $upstream 10.0.0.48;
# Static files with aggressive caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|json)$ {
proxy_pass http://element_backend;
proxy_cache my_cache_element;
proxy_cache_valid 200 24h;
expires 24h;
add_header Cache-Control "public, immutable";
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location / {
proxy_cache my_cache_element;
@@ -35,7 +64,7 @@ server {
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8097;
proxy_pass http://element_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
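Review bot: The `add_header Cache-Control "public, immutable";` inside the new static-files location replaces, rather than extends, every `add_header` inherited from the server and http levels — nginx inherits `add_header` only when the current level defines none — so responses for `.js`, `.css`, `.json` and the other matched extensions go out without the `Strict-Transport-Security` header the server block carries (visible in the companion copy of this file) and without the `X-Robots-Tag` set at the top of the file. Repeat them in the location, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` and `add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";`, or set the lifetime with `expires` alone and leave `add_header` to the server level. The same pattern appears in the feuer, gitea, hoarder and jitsi hunks of this change. Note too that `.json` is in the regex, so any JSON the backend serves that is expected to change (for Element, presumably its runtime config file) would be treated by browsers as immutable for 24h; confirm that is intended.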


@@ -0,0 +1,51 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/element/ levels=1:2 keys_zone=my_cache_element:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name element.egonetix.de;
return 301 https://$server_name/element$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/element.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/element.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name element.egonetix.de;
access_log /var/log/nginx/element-access_log;
error_log /var/log/nginx/element-error_log;
set $upstream 10.0.0.48;
location / {
proxy_cache my_cache_element;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8097;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -0,0 +1,65 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/feuer/ levels=1:2 keys_zone=my_cache_feuer:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name feuer.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/feuer.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/feuer.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name feuer.egonetix.de;
access_log /var/log/nginx/feuer-access_log;
error_log /var/log/nginx/feuer-error_log;
# Firefly III on srvdocker02 (10.0.0.48)
set $upstream 10.0.0.48;
location / {
proxy_cache my_cache_feuer;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8094;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 100M;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
# Firefly III specific headers for proper functionality
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1y;
add_header Cache-Control "public, immutable";
proxy_pass http://$upstream:8094;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
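Review bot: `location /` stores backend responses in `my_cache_feuer` while forwarding `Authorization` and the session cookie to a login-protected application, and the default cache key (`$scheme$proxy_host$request_uri`) includes neither, so any response the backend returns without `Set-Cookie` or a `Cache-Control: private`/`no-store` header can be served from the shared cache to a different user. Either drop `proxy_cache` for this vhost or add `proxy_no_cache $http_authorization $http_cookie;` and `proxy_cache_bypass $http_authorization $http_cookie;` beside it so authenticated requests neither populate nor read the cache. `ssl on;` is also superseded by the `ssl` parameter already on the `listen` line and may be rejected by newer nginx releases, so it is safe to delete here.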


@@ -1,7 +1,16 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/gitea/ levels=1:2 keys_zone=my_cache_gitea:10m max_size=10g
proxy_cache_path /var/cache/nginx/gitea levels=1:2 keys_zone=my_cache_gitea:10m max_size=2g
inactive=60m use_temp_path=off;
# Upstream with keepalive
upstream gitea_backend {
server 10.0.0.48:4000;
keepalive 16;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server{
listen 80;
server_name gitea.egonetix.de;
@@ -25,8 +34,28 @@ server {
access_log /var/log/nginx/gitea-access_log;
error_log /var/log/nginx/gitea-error_log;
# Gzip compression for Gitea
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss image/svg+xml;
gzip_min_length 1000;
set $upstream 10.0.0.48;
# Static files with aggressive caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
proxy_pass http://gitea_backend;
proxy_cache my_cache_gitea;
proxy_cache_valid 200 24h;
expires 24h;
add_header Cache-Control "public, immutable";
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location / {
proxy_cache my_cache_gitea;
@@ -35,7 +64,7 @@ server {
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:4000;
proxy_pass http://gitea_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


@@ -0,0 +1,51 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/gitea/ levels=1:2 keys_zone=my_cache_gitea:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name gitea.egonetix.de;
return 301 https://$server_name/gitea$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/gitea.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gitea.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name gitea.egonetix.de;
access_log /var/log/nginx/gitea-access_log;
error_log /var/log/nginx/gitea-error_log;
set $upstream 10.0.0.48;
location / {
proxy_cache my_cache_gitea;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:4000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -1,7 +1,16 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/hoarder/ levels=1:2 keys_zone=my_cache_hoarder:10m max_size=10g
proxy_cache_path /var/cache/nginx/hoarder levels=1:2 keys_zone=my_cache_hoarder:10m max_size=2g
inactive=60m use_temp_path=off;
# Upstream with keepalive
upstream hoarder_backend {
server 10.0.0.48:8084;
keepalive 16;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server{
listen 80;
server_name hoarder.egonetix.de;
@@ -24,8 +33,27 @@ server {
access_log /var/log/nginx/hoarder-access_log;
error_log /var/log/nginx/hoarder-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss image/svg+xml;
gzip_min_length 1000;
set $upstream 10.0.0.48;
# Static files with caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
proxy_pass http://hoarder_backend;
proxy_cache my_cache_hoarder;
proxy_cache_valid 200 24h;
expires 24h;
add_header Cache-Control "public, immutable";
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location / {
@@ -35,7 +63,7 @@ server {
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8084;
proxy_pass http://hoarder_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


@@ -0,0 +1,52 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/hoarder/ levels=1:2 keys_zone=my_cache_hoarder:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name hoarder.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/hoarder.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hoarder.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name hoarder.egonetix.de;
access_log /var/log/nginx/hoarder-access_log;
error_log /var/log/nginx/hoarder-error_log;
set $upstream 10.0.0.48;
location / {
proxy_cache my_cache_hoarder;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8084;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -1,7 +1,19 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/jitsi/ levels=1:2 keys_zone=my_cache_jitsi:10m max_size=10g
inactive=60m use_temp_path=off;
# Upstream with keepalive for Jitsi
upstream jitsi_backend {
server 10.0.0.48:8000;
keepalive 32;
keepalive_requests 1000;
keepalive_timeout 60s;
}
# WebSocket upgrade map
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server{
listen 80;
server_name jitsi.egonetix.de;
@@ -24,17 +36,43 @@ server {
access_log /var/log/nginx/jitsi-access_log;
error_log /var/log/nginx/jitsi-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss;
gzip_min_length 1000;
set $upstream 10.0.0.48;
# WebSocket support for Jitsi real-time communication
location /xmpp-websocket {
proxy_pass http://jitsi_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering off;
proxy_read_timeout 7200s;
}
# Static files with caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
proxy_pass http://jitsi_backend;
expires 24h;
add_header Cache-Control "public, immutable";
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location / {
proxy_cache my_cache_jitsi;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8000;
proxy_pass http://jitsi_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


@@ -0,0 +1,51 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/jitsi/ levels=1:2 keys_zone=my_cache_jitsi:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name jitsi.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/jitsi.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jitsi.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name jitsi.egonetix.de;
access_log /var/log/nginx/jitsi-access_log;
error_log /var/log/nginx/jitsi-error_log;
set $upstream 10.0.0.48;
location / {
proxy_cache my_cache_jitsi;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -1,5 +1,13 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
# Upstream with keepalive for Matrix
upstream matrix_backend {
server 10.0.0.48:8008;
keepalive 32;
keepalive_requests 1000;
keepalive_timeout 60s;
}
# Redirect HTTP to HTTPS
server {
listen 10.0.0.29:80;
@@ -19,16 +27,31 @@ server {
access_log /var/log/nginx/matrix-access.log;
error_log /var/log/nginx/matrix-error.log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss;
gzip_min_length 1000;
set $upstream 10.0.0.48;
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://$upstream:8008;
proxy_pass http://matrix_backend;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Better buffering for Matrix
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 32 8k;
client_max_body_size 50M;
proxy_http_version 1.1;
}
}
@@ -44,16 +67,31 @@ server {
access_log /var/log/nginx/matrix-access.log;
error_log /var/log/nginx/matrix-error.log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss;
gzip_min_length 1000;
set $upstream 10.0.0.48;
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://$upstream:8008;
proxy_pass http://matrix_backend;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Better buffering for Matrix
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 32 8k;
client_max_body_size 50M;
proxy_http_version 1.1;
}
}
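Review bot: Both `location ~ ^(/_matrix|/_synapse/client)` blocks now contain `proxy_http_version 1.1;` twice — the one added after `Host` and the pre-existing one just before the closing brace, in the 443 server and the 8448 server alike — and nginx rejects a repeated `proxy_http_version` in the same context with a "directive is duplicate" error, so `nginx -t` fails on this file. Delete one of the two in each location. The new gzip settings also compress `application/json` over TLS for an authenticated API, which is the setting BREACH-style attacks rely on; keep it only after confirming that response bodies never reflect request-controlled input alongside tokens.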


@@ -0,0 +1,59 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
# Redirect HTTP to HTTPS
server {
listen 10.0.0.29:80;
server_name matrix.egonetix.de;
return 301 https://$server_name$request_uri;
}
# HTTPS for client traffic (port 443)
server {
listen 10.0.0.29:443 ssl http2;
server_name matrix.egonetix.de;
ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
access_log /var/log/nginx/matrix-access.log;
error_log /var/log/nginx/matrix-error.log;
set $upstream 10.0.0.48;
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://$upstream:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
}
# HTTPS for federation traffic (port 8448)
server {
listen 10.0.0.29:8448 ssl http2;
server_name matrix.egonetix.de;
ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
access_log /var/log/nginx/matrix-access.log;
error_log /var/log/nginx/matrix-error.log;
set $upstream 10.0.0.48;
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://$upstream:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
}


@@ -1,8 +1,17 @@
add_header X-Robots-Tag "no-referrer, noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/nextcloud/ levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=10g
# Reduced cache size due to disk space constraints
proxy_cache_path /var/cache/nginx/nextcloud levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=2g
inactive=60m use_temp_path=off;
# Upstream with keepalive
upstream nextcloud_backend {
server 10.0.0.48:8089;
keepalive 16;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server{
listen 80;
server_name nextcloud.egonetix.de;
@@ -39,7 +48,7 @@ server {
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8089;
proxy_pass http://nextcloud_backend;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
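Review bot: The keepalive pool in the new `upstream nextcloud_backend` only takes effect if the `location /` that now does `proxy_pass http://nextcloud_backend;` also carries `proxy_http_version 1.1;` and `proxy_set_header Connection "";`; the location runs past the end of the hunk, and the pre-change copy of this file in this compare has both lines, so they are presumably still present — worth confirming. On the unchanged first line, `X-Robots-Tag "no-referrer, noindex, ..."` mixes a Referrer-Policy value into X-Robots-Tag, where `no-referrer` has no meaning; the pre-change copy shows a `Referrer-Policy "no-referrer" always` header in the server block, which is where it belongs, so the token can be dropped here. The shared cache in front of an authenticated application is still keyed on the URL while `proxy_pass_header Authorization` is set; nginx does honour the backend's `Cache-Control: private`/`no-store`, so whether per-user responses can be served to another user depends on Nextcloud always sending those, and `proxy_no_cache $http_authorization $http_cookie;` would make that independent of the backend.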


@@ -0,0 +1,74 @@
add_header X-Robots-Tag "no-referrer, noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/nextcloud/ levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name nextcloud.egonetix.de;
return 301 https://$server_name/$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/nextcloud.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nextcloud.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name nextcloud.egonetix.de;
access_log /var/log/nginx/nextcloud-access_log;
error_log /var/log/nginx/nextcloud-error_log;
proxy_set_header X-Forwarded-Proto $scheme;
set $upstream 10.0.0.48;
#rewrite ^/$ /nextcloud;
location / {
proxy_cache my_cache_nextcloud;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8089;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# add_header Referrer-Policy no-referrer;
# proxy_set_header X-Forwarded-Proto https;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 20G;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
}


@@ -1,8 +1,22 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/office/ levels=1:2 keys_zone=my_cache_office:10m max_size=10g
proxy_cache_path /var/cache/nginx/office levels=1:2 keys_zone=my_cache_office:10m max_size=2g
inactive=60m use_temp_path=off;
# Upstream with keepalive for Office
upstream office_backend {
server 10.0.0.48:9980;
keepalive 32;
keepalive_requests 1000;
keepalive_timeout 60s;
}
# WebSocket upgrade map
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server{
listen 80;
server_name office.egonetix.de;
@@ -30,12 +44,36 @@ server {
access_log /var/log/nginx/office-access_log;
error_log /var/log/nginx/office-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss;
gzip_min_length 1000;
proxy_set_header X-Forwarded-Proto $scheme;
set $upstream 10.0.0.48;
# location /
# WebSocket support for collaborative editing
location /lool/ws {
proxy_pass https://office_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_read_timeout 7200s;
proxy_ssl_session_reuse off;
}
location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache) {
proxy_cache my_cache_office;
@@ -44,7 +82,7 @@ location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache) {
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream:9980;
proxy_pass https://office_backend;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
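Review bot: The new `location /lool/ws` block is unreachable as written: nginx picks the longest matching prefix location, then tries the regular-expression locations and uses the first that matches, and the existing `location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache)` is unanchored and matches every URI, so WebSocket requests still land in the cached, non-upgrade location. Declaring it as `location ^~ /lool/ws {` stops the regex search once this prefix matches; the same applies to any other prefix location meant to win over that regex. `proxy_pass https://office_backend;` keeps nginx's default of not verifying the backend certificate (`proxy_ssl_verify off`), the same posture as the old `https://$upstream:9980` form; if the office host presents a certificate nginx can verify, `proxy_ssl_verify on` with `proxy_ssl_trusted_certificate` would close that gap. The server block and the regex location continue outside the hunks.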


@@ -0,0 +1,62 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/office/ levels=1:2 keys_zone=my_cache_office:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name office.egonetix.de;
return 301 https://$server_name/$request_uri;
access_log /var/log/nginx/office-access_log;
error_log /var/log/nginx/office-error_log;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/office.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/office.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name office.egonetix.de;
access_log /var/log/nginx/office-access_log;
error_log /var/log/nginx/office-error_log;
proxy_set_header X-Forwarded-Proto $scheme;
set $upstream 10.0.0.48;
# location /
location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache) {
proxy_cache my_cache_office;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream:9980;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -1,167 +1,161 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/owa/ levels=1:2 keys_zone=my_cache_owa:10m max_size=10g
inactive=60m use_temp_path=off;
# Optimized cache paths
proxy_cache_path /var/cache/nginx/kopano levels=1:2 keys_zone=kopano_static:10m
max_size=2g inactive=24h use_temp_path=off;
# Upstream with connection pooling
upstream kopano_backend {
server 10.0.0.21:443;
keepalive 32;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server{
listen 80;
server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
return 301 https://$server_name/webapp$request_uri;
# WebSocket support map
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
access_log /var/log/nginx/owa-access_log;
error_log /var/log/nginx/owa-error_log;
set $upstream 10.0.0.21;
rewrite ^/$ /webapp;
location /webapp {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location /Microsoft-Server-ActiveSync {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location /webmeetings {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
listen 80;
server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
return 301 https://$server_name$request_uri;
}
location ~* /Autodiscover/Autodiscover.xml {
access_log /var/log/nginx/z-push-autodiscover-access.log;
error_log /var/log/nginx/z-push-autodiscover-error.log;
fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php;
fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
include fastcgi_params;
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
server {
listen 10.0.0.29:443 ssl http2;
# SSL config
ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
access_log /var/log/nginx/owa-access_log;
error_log /var/log/nginx/owa-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss
application/x-javascript image/svg+xml;
gzip_min_length 1000;
# Default proxy settings
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Connection "";
proxy_ssl_session_reuse on;
proxy_ssl_server_name on;
rewrite ^/$ /webapp redirect;
# Static files - aggressive caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
proxy_pass https://kopano_backend;
proxy_cache kopano_static;
proxy_cache_valid 200 24h;
proxy_cache_valid 404 1m;
expires 24h;
add_header Cache-Control "public, immutable";
# Buffering for static files
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 32 8k;
}
# WebApp - DISABLE buffering for AJAX responsiveness
location /webapp {
proxy_pass https://kopano_backend;
# NO caching
proxy_no_cache 1;
proxy_cache_bypass 1;
# DISABLE buffering for instant AJAX responses
proxy_buffering off;
proxy_read_timeout 300s;
client_max_body_size 100M;
proxy_redirect off;
}
# ActiveSync - disable buffering for real-time sync
location /Microsoft-Server-ActiveSync {
proxy_pass https://kopano_backend;
proxy_no_cache 1;
proxy_cache_bypass 1;
proxy_buffering off;
proxy_read_timeout 3660s;
client_max_body_size 100M;
proxy_redirect off;
}
# WebMeetings - WebSocket support
location /webmeetings {
proxy_pass https://kopano_backend;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_read_timeout 7200s;
client_max_body_size 500M;
proxy_redirect off;
}
# Autodiscover
location ~* /Autodiscover/Autodiscover.xml {
access_log /var/log/nginx/z-push-autodiscover-access.log;
error_log /var/log/nginx/z-push-autodiscover-error.log;
proxy_pass https://kopano_backend;
proxy_no_cache 1;
proxy_cache_bypass 1;
proxy_buffering off;
proxy_read_timeout 60s;
client_max_body_size 10M;
proxy_redirect off;
}
# OWA compatibility
location /owa {
proxy_pass https://kopano_backend;
proxy_no_cache 1;
proxy_cache_bypass 1;
proxy_buffering off;
proxy_read_timeout 300s;
client_max_body_size 100M;
proxy_redirect off;
}
# CalDAV
location /caldav {
proxy_pass http://10.0.0.21:8080;
proxy_no_cache 1;
proxy_cache_bypass 1;
proxy_buffering off;
proxy_read_timeout 300s;
client_max_body_size 50M;
proxy_redirect off;
}
}
location /owa {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location /caldav {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}
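Review bot: The `/webmeetings` location defines its own `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection $connection_upgrade;`, and nginx inherits `proxy_set_header` from the server level only when a location has none of its own, so this location sends none of the server-level `Host`, `X-Real-IP`, `X-Forwarded-*` headers — `Host` falls back to `$proxy_host`, i.e. the literal `kopano_backend`. The headers need repeating inside that location (below). The static-asset location `~* \.(js|css|png|...)$` has the same inheritance problem with `add_header Cache-Control "public, immutable";`: it stops `Strict-Transport-Security` and `X-Robots-Tag` from being emitted for those responses, so `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` should be repeated there. `proxy_ssl_server_name on` now sends `kopano_backend` as SNI; harmless while `proxy_ssl_verify` stays at its default, but the backend certificate is still not checked.
```nginx
    # WebMeetings - WebSocket support
    location /webmeetings {
        proxy_pass https://kopano_backend;
        # proxy_set_header is not inherited once a location sets any of its own,
        # so the server-level headers have to be repeated here
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # … unchanged: proxy_buffering, proxy_read_timeout, client_max_body_size, proxy_redirect …
    }
```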


@@ -0,0 +1,167 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/owa/ levels=1:2 keys_zone=my_cache_owa:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
return 301 https://$server_name/webapp$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
access_log /var/log/nginx/owa-access_log;
error_log /var/log/nginx/owa-error_log;
set $upstream 10.0.0.21;
rewrite ^/$ /webapp;
location /webapp {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location /Microsoft-Server-ActiveSync {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location /webmeetings {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location ~* /Autodiscover/Autodiscover.xml {
access_log /var/log/nginx/z-push-autodiscover-access.log;
error_log /var/log/nginx/z-push-autodiscover-error.log;
fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php;
fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
include fastcgi_params;
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location /owa {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location /caldav {
proxy_cache my_cache_owa;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -1,7 +1,13 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/plex/ levels=1:2 keys_zone=my_cache_plex:10m max_size=10g
inactive=60m use_temp_path=off;
# Upstream with keepalive for Plex
upstream plex_backend {
server 10.0.0.48:32400;
keepalive 32;
keepalive_requests 100;
keepalive_timeout 60s;
}
server{
listen 80;
server_name plex.egonetix.de;
@@ -24,25 +30,34 @@ server {
access_log /var/log/nginx/plex-access_log;
error_log /var/log/nginx/plex-error_log;
# Gzip for text content only (not media)
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss;
gzip_min_length 1000;
set $upstream 10.0.0.48;
#set $upstream 172.20.20.6;
# Don't cache media streams
location / {
proxy_cache my_cache_plex;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream:32400;
proxy_pass https://plex_backend;
proxy_ssl_server_name on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Optimized for media streaming
proxy_buffering off;
proxy_cache off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
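Review bot: The new `proxy_cache off;` sits in the same `location /` as `proxy_cache my_cache_plex;`; if that earlier line survives the change (the rendering does not show which lines were removed), nginx rejects the configuration with a duplicate `proxy_cache` directive, and with caching off the `proxy_cache_revalidate`, `proxy_cache_min_uses`, `proxy_cache_use_stale`, `proxy_cache_lock` and `proxy_cache_path` lines are dead weight. Replacing the whole cache group with the single `proxy_cache off;` — or deleting all of them, since no cache is the default — is cleaner and avoids the duplicate. `proxy_ssl_server_name on` now sends the upstream group name `plex_backend` as SNI instead of the address the old `$upstream` form produced; with `proxy_ssl_verify` at its default this changes nothing, but it matters if the backend ever starts checking SNI. The location continues past the end of the hunk.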


@@ -0,0 +1,52 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/plex/ levels=1:2 keys_zone=my_cache_plex:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name plex.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/plex.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/plex.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name plex.egonetix.de;
access_log /var/log/nginx/plex-access_log;
error_log /var/log/nginx/plex-error_log;
set $upstream 10.0.0.48;
#set $upstream 172.20.20.6;
location / {
proxy_cache my_cache_plex;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream:32400;
proxy_ssl_server_name on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -1,90 +1,65 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
server {
listen 80;
server_name portal.egonetix.de;
listen 80;
server_name portal.egonetix.de;
# Redirect any HTTP request to HTTPS
return 301 https://$server_name$request_uri;
# Redirect all HTTP traffic to HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
# The IP that you forwarded in your router (nginx proxy)
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Remove or update unsupported origin trial features.
# For example, comment out or remove these if not using them:
# add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
# Make site accessible from http://localhost/
server_name portal.egonetix.de;
ssl on;
ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
access_log /var/log/nginx/portal-access_log;
error_log /var/log/nginx/portal-error_log;
server_name portal.egonetix.de;
access_log /var/log/nginx/portal-access_log;
error_log /var/log/nginx/portal-error_log;
# Gzip compression for static content
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss image/svg+xml;
gzip_min_length 1000;
root /var/www/html;
index index.html index.php; # Added index.php as potential index file
# return 301 https://$server_name$request_uri;
# The internal IP of the VM that hosts your Apache config
# set $upstream 10.0.0.10;
# PHP Processing Configuration - Updated for PHP 8.1
location ~ \.php$ {
include snippets/fastcgi-php.conf;
root /var/www/html;
index index.html;
# Use PHP 8.1 socket (most common path on Ubuntu 22.04)
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
# location /.well-known {
# alias /var/www/sub.domain.com/.well-known;
# }
# Alternative options if the above doesn't work:
#fastcgi_pass unix:/run/php/php8.1-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
# location / {
# Increase timeout and buffer size for troubleshooting
fastcgi_connect_timeout 300;
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
fastcgi_buffer_size 32k;
fastcgi_buffers 16 16k;
# Set the correct document root
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
# Reverse proxy for API calls to KidsAI Explorer backend
# Proxy all /api/ requests to the Node.js server running on port 3002
location /api/ {
proxy_pass http://127.0.0.1:3002;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Additional headers for better compatibility
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# Increase timeouts for AI processing
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
# Serve KidsAI Explorer static files
location /kidsai/ {
alias /var/www/html/kidsai/;
try_files $uri $uri/ /kidsai/index.html;
# Cache static assets
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
}
# proxy_pass_header Authorization;
# proxy_pass http://$upstream;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_http_version 1.1;
# proxy_set_header Connection "";
# proxy_buffering off;
# client_max_body_size 0;
# proxy_read_timeout 36000s;
# proxy_redirect off;
#}
}
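Review bot: The nested `location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$` inside `/kidsai/` sets its own `add_header Cache-Control "public, immutable";`, and because `add_header` is inherited from the enclosing level only when a location defines none, those asset responses go out without the `Strict-Transport-Security`, `Content-Security-Policy` and `X-Robots-Tag` headers set above; repeating `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in that nested location restores the one that matters most. `alias /var/www/html/kidsai/;` resolves to exactly what `root /var/www/html;` already yields for this prefix, and `try_files` inside an `alias` location is a known problem area, so dropping the `alias` line gives the same paths with plain `root` semantics. The new CSP permits `'unsafe-inline' 'unsafe-eval'` for scripts, which largely neutralises it against injected script; the comment about trusted sources suggests this is known, and moving to nonces or hashes is worth a follow-up.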


@@ -0,0 +1,87 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
server {
listen 80;
server_name portal.egonetix.de;
# Redirect all HTTP traffic to HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;
# Remove or update unsupported origin trial features.
# For example, comment out or remove these if not using them:
# add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
# Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
ssl on;
ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
server_name portal.egonetix.de;
access_log /var/log/nginx/portal-access_log;
error_log /var/log/nginx/portal-error_log;
root /var/www/html;
index index.html index.php; # Added index.php as potential index file
# PHP Processing Configuration - Updated for PHP 8.1
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# Use PHP 8.1 socket (most common path on Ubuntu 22.04)
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
# Alternative options if the above doesn't work:
#fastcgi_pass unix:/run/php/php8.1-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
# Increase timeout and buffer size for troubleshooting
fastcgi_connect_timeout 300;
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
fastcgi_buffer_size 32k;
fastcgi_buffers 16 16k;
# Set the correct document root
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
# Reverse proxy for KidsAI Explorer API calls
location /api/ {
proxy_pass http://127.0.0.1:3002/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Add CORS headers for API requests
add_header Access-Control-Allow-Origin $http_origin always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always;
add_header Access-Control-Allow-Credentials true always;
# Handle preflight requests
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE";
add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With";
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
}
}
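Review bot: `add_header Access-Control-Allow-Origin $http_origin always;` combined with `add_header Access-Control-Allow-Credentials true always;` reflects any caller's origin and allows credentials, so any website a user visits can read `/api/` responses with that user's cookies; the same pair is repeated in the `OPTIONS` branch. If the API is only consumed by pages served from this host, the CORS headers can be removed entirely; otherwise pin the origin, e.g. `add_header Access-Control-Allow-Origin "https://portal.egonetix.de" always;`, or derive it from a `map $http_origin` that yields an empty value for anything not on an allow-list. These location-level `add_header` lines also stop the server-level HSTS, CSP and X-Robots-Tag headers from being inherited for `/api/` responses, so at least the `Strict-Transport-Security` header should be repeated in this location. This file declares the same `listen 10.0.0.29:443` / `server_name portal.egonetix.de` pair as the other portal file in this compare; if both are included, nginx keeps the first and warns about a conflicting server name.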


@@ -0,0 +1,56 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
server {
listen 80;
server_name portal.egonetix.de;
# Redirect any HTTP request to HTTPS
return 301 https://$server_name$request_uri;
}
server {
# The IP that you forwarded in your router (nginx proxy)
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name portal.egonetix.de;
access_log /var/log/nginx/portal-access_log;
error_log /var/log/nginx/portal-error_log;
# return 301 https://$server_name$request_uri;
# The internal IP of the VM that hosts your Apache config
# set $upstream 10.0.0.10;
root /var/www/html;
index index.html;
# location /.well-known {
# alias /var/www/sub.domain.com/.well-known;
# }
# location / {
# proxy_pass_header Authorization;
# proxy_pass http://$upstream;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_http_version 1.1;
# proxy_set_header Connection "";
# proxy_buffering off;
# client_max_body_size 0;
# proxy_read_timeout 36000s;
# proxy_redirect off;
#}
}
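Review bot: `ssl on;` under `# SSL config` is the legacy form that nginx deprecated in 1.15.0 in favour of the `ssl` parameter on `listen` and dropped in the 1.25.x line, so this new file stops loading on a current nginx; `listen 10.0.0.29:443 ssl http2;` already enables TLS, so simply delete `ssl on;`. The same line appears in every other new server file in this change (the stream, sync, unifi, vscode, wallabag, wiki, portal and rezepte copies), so it should go from all of them. The `http2` listen parameter is likewise deprecated in recent releases in favour of a separate `http2 on;` directive, which is worth a comment on the listen line.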


@@ -1,7 +1,19 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/stream/ levels=1:2 keys_zone=my_cache_stream:10m max_size=10g
inactive=60m use_temp_path=off;
# Upstream with keepalive for streaming
upstream stream_backend {
server 10.0.0.48:8096;
keepalive 32;
keepalive_requests 100;
keepalive_timeout 60s;
}
# WebSocket upgrade map
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server{
listen 80;
server_name stream.egonetix.de;
@@ -24,46 +36,43 @@ server {
access_log /var/log/nginx/stream-access.log;
error_log /var/log/nginx/stream-error.log;
# Gzip for text content only
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss;
gzip_min_length 1000;
set $upstream 10.0.0.48;
# WebSocket for real-time updates
location /socket {
proxy_pass http://stream_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering off;
proxy_read_timeout 7200s;
}
location / {
proxy_cache my_cache_stream;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8096;
proxy_pass http://stream_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
# No caching for media streams
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location /socket {
proxy_cache my_cache_stream;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
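Review bot: `location /` still carries `proxy_cache my_cache_stream` plus the revalidate/min_uses/use_stale/lock directives while the comment a few lines down says `# No caching for media streams` and `proxy_buffering off` is set; nginx only writes buffered responses to the cache, so those five directives are inert and contradict the comment — delete them, or turn buffering on if caching is actually wanted. `proxy_cache_path /tmp/stream/ ... max_size=10g` is also the one cache left under /tmp; the sync, unifi, wallabag and wiki hunks in this change moved theirs to `/var/cache/nginx/<name>` with `max_size=2g`, and /tmp is world-writable and often tmpfs-backed, so this file should follow. `proxy_ssl_session_reuse off;` has no effect on a plain `http://` upstream and `set $upstream 10.0.0.48;` is no longer referenced now that `proxy_pass` targets `stream_backend`; both can go.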


@@ -0,0 +1,74 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/stream/ levels=1:2 keys_zone=my_cache_stream:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name stream.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/stream.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/stream.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name stream.egonetix.de;
access_log /var/log/nginx/stream-access.log;
error_log /var/log/nginx/stream-error.log;
set $upstream 10.0.0.48;
location / {
proxy_cache my_cache_stream;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
location /socket {
proxy_cache my_cache_stream;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}
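Review bot: This new file re-declares `proxy_cache_path ... keys_zone=my_cache_stream:10m`, `server_name stream.egonetix.de` and the same `10.0.0.29:443` listener that the modified stream.conf in this change also declares; if nginx's include path picks up both files, the repeated `keys_zone` name is rejected as a duplicate shared-memory zone and the repeated server_name/listen pair produces a conflicting-server-name warning with one definition silently winning. The same applies to the new sync, unifi, wallabag, wiki and rezepte copies further down, each of which repeats the zone its modified sibling defines. If these are archived copies they belong outside the include path (or under a suffix the include glob does not match); if they are meant to be live, they must be the only definition. Separately, this copy's `location /socket` sends `proxy_set_header Connection "";` with no `Upgrade` header, which cannot complete a WebSocket handshake — the modified stream.conf's `map $http_upgrade $connection_upgrade` plus `Upgrade`/`Connection $connection_upgrade` pair is the right shape.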


@@ -1,7 +1,16 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/sync/ levels=1:2 keys_zone=my_cache_sync:10m max_size=10g
proxy_cache_path /var/cache/nginx/sync levels=1:2 keys_zone=my_cache_sync:10m max_size=2g
inactive=60m use_temp_path=off;
# Upstream with keepalive
upstream sync_backend {
server 10.0.0.48:18089;
keepalive 16;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server{
listen 80;
server_name sync.egonetix.de;
@@ -24,6 +33,15 @@ server {
access_log /var/log/nginx/sync-access_log;
error_log /var/log/nginx/sync-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss;
gzip_min_length 1000;
set $upstream 10.0.0.48;
location / {
@@ -34,7 +52,7 @@ server {
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:18089;
proxy_pass http://sync_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
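Review bot: `set $upstream 10.0.0.48;` survives in the server block although `proxy_pass` now targets `sync_backend`, so the variable is dead and suggests the proxy still dials the IP directly; delete it (the stream, unifi, wallabag and wiki hunks keep the same stale line). The `location /` body starts inside the hunk but continues past it, so I cannot see whether `proxy_buffering off` is still set there; if it is, the `proxy_cache_use_stale`/`proxy_cache_lock` lines kept here are inert, because nginx only stores buffered responses. Turning `gzip on` for an authenticated, proxied application is a deliberate trade-off (compressing responses that mix secrets with user-controlled input is the BREACH pattern); a one-line comment recording that the response bodies here are safe to compress would help the next maintainer.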


@@ -0,0 +1,50 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/sync/ levels=1:2 keys_zone=my_cache_sync:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name sync.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/sync.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sync.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name sync.egonetix.de;
access_log /var/log/nginx/sync-access_log;
error_log /var/log/nginx/sync-error_log;
set $upstream 10.0.0.48;
location / {
proxy_cache my_cache_sync;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:18089;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -1,7 +1,22 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/unifi/ levels=1:2 keys_zone=my_cache_unifi:10m max_size=10g
proxy_cache_path /var/cache/nginx/unifi levels=1:2 keys_zone=my_cache_unifi:10m max_size=2g
inactive=60m use_temp_path=off;
# Upstream with keepalive
upstream unifi_backend {
server 10.0.0.48:8443;
keepalive 32;
keepalive_requests 1000;
keepalive_timeout 60s;
}
# WebSocket upgrade map
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server{
listen 80;
server_name unifi.egonetix.de;
@@ -25,8 +40,31 @@ server {
access_log /var/log/nginx/unifi-access_log;
error_log /var/log/nginx/unifi-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss;
gzip_min_length 1000;
set $upstream 10.0.0.48;
# WebSocket support for UniFi real-time updates
location /wss/ {
proxy_pass https://unifi_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering off;
proxy_read_timeout 7200s;
proxy_ssl_session_reuse off;
}
location / {
proxy_cache my_cache_unifi;
@@ -35,7 +73,7 @@ server {
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream:8443;
proxy_pass https://unifi_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
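Review bot: Both `proxy_pass https://unifi_backend;` lines (in `/wss/` and in `/`) speak TLS to the controller with nginx's default of `proxy_ssl_verify off`, so the controller's certificate is never checked and the hop is only as trustworthy as the LAN it crosses; if the controller presents a CA-issued or pinnable self-signed certificate, add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /path/to/controller-ca.pem;` (placeholder path), and if it cannot be verified, record that as a comment next to the `upstream unifi_backend` block. `proxy_ssl_server_name on;` is also worth setting so the SNI sent matches the name the controller expects. The wiki hunk below has the same unverified `proxy_pass https://wiki_backend` hop. `set $upstream 10.0.0.48;` is now unused; the `location /` body continues outside the hunk.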


@@ -0,0 +1,52 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/unifi/ levels=1:2 keys_zone=my_cache_unifi:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name unifi.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/unifi.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/unifi.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name unifi.egonetix.de;
access_log /var/log/nginx/unifi-access_log;
error_log /var/log/nginx/unifi-error_log;
set $upstream 10.0.0.48;
location / {
proxy_cache my_cache_unifi;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream:8443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -0,0 +1,55 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
# Upstream with keepalive
upstream vscode_backend {
server 10.0.0.48:8099;
keepalive 16;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server{
listen 80;
server_name vscode.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/vscode.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vscode.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
server_name vscode.egonetix.de;
access_log /var/log/nginx/vscode-access_log;
error_log /var/log/nginx/vscode-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss image/svg+xml;
gzip_min_length 1000;
location / {
proxy_pass http://vscode_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
}
}
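Review bot: `proxy_set_header Connection "upgrade";` in `location /` is applied to every request, not only WebSocket ones, so ordinary HTTP requests reach the backend with a dangling `Connection: upgrade` (nginx omits the `Upgrade` header when `$http_upgrade` is empty), which backends may treat as a malformed upgrade and which likely prevents the `Connection ""` that the new `keepalive 16` pool on `vscode_backend` relies on. Use the conditional pattern the stream and unifi hunks in this change already use: `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` at file scope and `proxy_set_header Connection $connection_upgrade;` here. `ssl on;` has the removal problem flagged on the first new file.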


@@ -1,7 +1,16 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/wallabag/ levels=1:2 keys_zone=my_cache_wallabag:10m max_size=10g
proxy_cache_path /var/cache/nginx/wallabag levels=1:2 keys_zone=my_cache_wallabag:10m max_size=2g
inactive=60m use_temp_path=off;
# Upstream with keepalive
upstream wallabag_backend {
server 10.0.0.48:8087;
keepalive 16;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server{
listen 80;
server_name wallabag.egonetix.de;
@@ -24,8 +33,27 @@ server {
access_log /var/log/nginx/wallabag-access_log;
error_log /var/log/nginx/wallabag-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss image/svg+xml;
gzip_min_length 1000;
set $upstream 10.0.0.48;
# Static files with caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
proxy_pass http://wallabag_backend;
proxy_cache my_cache_wallabag;
proxy_cache_valid 200 24h;
expires 24h;
add_header Cache-Control "public, immutable";
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location / {
@@ -35,7 +63,7 @@ server {
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8087;
proxy_pass http://wallabag_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
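Review bot: The new static-assets location (`location ~* \.(js|css|png|...)$`) declares its own `add_header Cache-Control "public, immutable";`, and nginx inherits `add_header` from the enclosing level only when the current level has none, so responses from this location silently lose the server-level `Strict-Transport-Security` and the file-level `X-Robots-Tag` headers; repeat `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` inside the location, or move the shared headers into an included snippet. The wiki hunk below adds the same block with the same gap. `immutable` is only correct when asset URLs are content-hashed; if wallabag's are not, a 24h `public` cache marked immutable can pin stale CSS/JS after an upgrade, so either drop `immutable` or note why it is safe. The location also sets no `Host` header, so the backend sees `Host: wallabag_backend`; add `proxy_set_header Host $host;` as `location /` does.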


@@ -0,0 +1,52 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/wallabag/ levels=1:2 keys_zone=my_cache_wallabag:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name wallabag.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/wallabag.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wallabag.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name wallabag.egonetix.de;
access_log /var/log/nginx/wallabag-access_log;
error_log /var/log/nginx/wallabag-error_log;
set $upstream 10.0.0.48;
location / {
proxy_cache my_cache_wallabag;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8087;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -1,7 +1,16 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/wiki/ levels=1:2 keys_zone=my_cache_wiki:10m max_size=10g
proxy_cache_path /var/cache/nginx/wiki levels=1:2 keys_zone=my_cache_wiki:10m max_size=2g
inactive=60m use_temp_path=off;
# Upstream with keepalive
upstream wiki_backend {
server 10.0.0.10:443;
keepalive 16;
keepalive_requests 1000;
keepalive_timeout 60s;
}
server{
listen 80;
server_name wiki.egonetix.de;
@@ -25,8 +34,29 @@ server {
access_log /var/log/nginx/wiki-access_log;
error_log /var/log/nginx/wiki-error_log;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss image/svg+xml;
gzip_min_length 1000;
set $upstream 10.0.0.10;
# Static files with aggressive caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
proxy_pass https://wiki_backend;
proxy_cache my_cache_wiki;
proxy_cache_valid 200 24h;
expires 24h;
add_header Cache-Control "public, immutable";
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_ssl_session_reuse off;
}
location /wiki {
proxy_cache my_cache_wiki;
@@ -35,7 +65,7 @@ server {
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_pass https://wiki_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
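Review bot: The static-assets location proxies to `https://wiki_backend` (10.0.0.10:443) without `proxy_set_header Host $host;`, so the backend receives `Host: wiki_backend` — and since 10.0.0.10 is, per the comment in the portal copy above, a VM running Apache, name-based vhosting will answer from its default site rather than the wiki; `location /wiki` sets the header, so the new location should too. The TLS hop to 10.0.0.10 also runs without `proxy_ssl_verify`, the same gap raised on the unifi hunk, and with `proxy_ssl_server_name` off the SNI sent is the upstream name rather than the wiki's hostname, which matters if Apache selects its certificate by SNI. `set $upstream 10.0.0.10;` is now unused; the `location /wiki` body continues outside the hunk.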


@@ -0,0 +1,51 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/wiki/ levels=1:2 keys_zone=my_cache_wiki:10m max_size=10g
inactive=60m use_temp_path=off;
server{
listen 80;
server_name wiki.egonetix.de;
return 301 https://$server_name/wiki$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/wiki.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wiki.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name wiki.egonetix.de;
access_log /var/log/nginx/wiki-access_log;
error_log /var/log/nginx/wiki-error_log;
set $upstream 10.0.0.10;
location /wiki {
proxy_cache my_cache_wiki;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass https://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}


@@ -1 +0,0 @@
/etc/nginx/sites-available/default

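--- a/sites-enabled/feuer.conf
+++ b/sites-enabled/feuer.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/feuer.conf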


@@ -1 +0,0 @@
/etc/nginx/sites-available/portal.conf

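--- a/sites-enabled/portal.conf
+++ b/sites-enabled/portal.conf
@@ -0,0 +1,87 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+server {
+listen 80;
+server_name portal.egonetix.de;
+# Redirect all HTTP traffic to HTTPS
+return 301 https://$server_name$request_uri;
+}
+server {
+listen 10.0.0.29:443 ssl http2;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;
+# Remove or update unsupported origin trial features.
+# For example, comment out or remove these if not using them:
+# add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
+# Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
+ssl on;
+ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+server_name portal.egonetix.de;
+access_log /var/log/nginx/portal-access_log;
+error_log /var/log/nginx/portal-error_log;
+root /var/www/html;
+index index.html index.php; # Added index.php as potential index file
+# PHP Processing Configuration - Updated for PHP 8.1
+location ~ \.php$ {
+include snippets/fastcgi-php.conf;
+# Use PHP 8.1 socket (most common path on Ubuntu 22.04)
+fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+# Alternative options if the above doesn't work:
+#fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+#fastcgi_pass 127.0.0.1:9000;
+# Increase timeout and buffer size for troubleshooting
+fastcgi_connect_timeout 300;
+fastcgi_read_timeout 300;
+fastcgi_send_timeout 300;
+fastcgi_buffer_size 32k;
+fastcgi_buffers 16 16k;
+# Set the correct document root
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_intercept_errors on;
+}
+# Reverse proxy for KidsAI Explorer API calls
+location /api/ {
+proxy_pass http://127.0.0.1:3001/api/;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+# Add CORS headers for API requests
+add_header Access-Control-Allow-Origin $http_origin always;
+add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
+add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always;
+add_header Access-Control-Allow-Credentials true always;
+# Handle preflight requests
+if ($request_method = 'OPTIONS') {
+add_header Access-Control-Allow-Origin $http_origin;
+add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE";
+add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With";
+add_header Access-Control-Allow-Credentials true;
+add_header Access-Control-Max-Age 1728000;
+add_header Content-Type 'text/plain charset=UTF-8';
+add_header Content-Length 0;
+return 204;
+}
+}
+}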
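Review bot: In `location /api/`, `add_header Access-Control-Allow-Origin $http_origin always;` combined with `Access-Control-Allow-Credentials true` echoes whatever Origin the browser sends, which effectively switches CORS off for this API: if the API uses cookie sessions, any site a logged-in user visits can read `/api/` responses as that user. The front end is served from this same vhost (`root /var/www/html` on portal.egonetix.de), so the CORS headers are most likely unnecessary and can be removed; if another origin genuinely needs access, name it — `add_header Access-Control-Allow-Origin "https://portal.egonetix.de" always;` — or validate `$http_origin` against an allow-list `map` before echoing it, and apply the same change inside the `if ($request_method = 'OPTIONS')` branch. This file also replaces the symlink into sites-available with a regular file, and the identical copy below plus the portal copy at the top of this page (which proxies `/api/` to port 3002 rather than 3001) already diverge, so decide which copy is canonical and symlink or delete the others. `ssl on;` is the obsolete directive flagged on the first new file.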


@@ -0,0 +1,87 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
server {
listen 80;
server_name portal.egonetix.de;
# Redirect all HTTP traffic to HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;
# Remove or update unsupported origin trial features.
# For example, comment out or remove these if not using them:
# add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
# Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
ssl on;
ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
server_name portal.egonetix.de;
access_log /var/log/nginx/portal-access_log;
error_log /var/log/nginx/portal-error_log;
root /var/www/html;
index index.html index.php; # Added index.php as potential index file
# PHP Processing Configuration - Updated for PHP 8.1
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# Use PHP 8.1 socket (most common path on Ubuntu 22.04)
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
# Alternative options if the above doesn't work:
#fastcgi_pass unix:/run/php/php8.1-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
# Increase timeout and buffer size for troubleshooting
fastcgi_connect_timeout 300;
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
fastcgi_buffer_size 32k;
fastcgi_buffers 16 16k;
# Set the correct document root
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
# Reverse proxy for KidsAI Explorer API calls
location /api/ {
proxy_pass http://127.0.0.1:3001/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Add CORS headers for API requests
add_header Access-Control-Allow-Origin $http_origin always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always;
add_header Access-Control-Allow-Credentials true always;
# Handle preflight requests
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE";
add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With";
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
}
}


@@ -1 +0,0 @@
/etc/nginx/sites-available/rezepte.conf


@@ -0,0 +1,62 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
proxy_cache_path /tmp/rezepte/ levels=1:2 keys_zone=my_cache_rezepte:10m max_size=10g
inactive=60m use_temp_path=off;
upstream swarm_nodes {
server 10.0.0.48:8090;
}
resolver 10.0.0.21;
server{
listen 80;
server_name rezepte.egonetix.de;
return 301 https://$server_name$request_uri;
}
server {
listen 10.0.0.29:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# SSL config
ssl on;
ssl_certificate /etc/letsencrypt/live/rezepte.egonetix.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rezepte.egonetix.de/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Make site accessible from http://localhost/
server_name rezepte.egonetix.de;
access_log /var/log/nginx/rezepte-access_log;
error_log /var/log/nginx/rezepte-error_log;
set $upstream 10.0.0.48;
#set $upstream swarm_nodes;
#set $upstream 10.0.0.46;
location / {
proxy_cache my_cache_rezepte;
proxy_cache_revalidate on;
proxy_cache_min_uses 3;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_pass_header Authorization;
proxy_pass http://$upstream:8090;
# proxy_pass http://swarm_nodes;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
proxy_ssl_session_reuse off;
}
}