Forward SMTP to port 10025 for authenticated submissions

.htpasswd

@@ -0,0 +1 @@
+monitor:$apr1$1x9tjm1m$N43cIk6gjONIUOPnwOSyZ/

conf.d/default.conf

@@ -0,0 +1,45 @@
+server {
+    listen       80;
+    server_name  localhost;
+
+    #charset koi8-r;
+    #access_log  /var/log/nginx/host.access.log  main;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    #error_page  404              /404.html;
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+    #
+    #location ~ \.php$ {
+    #    proxy_pass   http://127.0.0.1;
+    #}
+
+    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+    #
+    #location ~ \.php$ {
+    #    root           html;
+    #    fastcgi_pass   127.0.0.1:9000;
+    #    fastcgi_index  index.php;
+    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
+    #    include        fastcgi_params;
+    #}
+
+    # deny access to .htaccess files, if Apache's document root
+    # concurs with nginx's one
+    #
+    #location ~ /\.ht {
+    #    deny  all;
+    #}
+}
+

fastcgi.conf

@@ -0,0 +1,27 @@
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  REMOTE_USER        $remote_user;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

fastcgi_params

@@ -0,0 +1,26 @@
+
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  REMOTE_USER        $remote_user;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

koi-utf

@@ -0,0 +1,109 @@
+
+# This map is not a full koi8-r <> utf8 map: it does not contain
+# box-drawing and some other characters.  Besides this map contains
+# several koi8-u and Byelorussian letters which are not in koi8-r.
+# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
+# map instead.
+
+charset_map  koi8-r  utf-8 {
+
+    80  E282AC ; # euro
+
+    95  E280A2 ; # bullet
+
+    9A  C2A0 ;   # &nbsp;
+
+    9E  C2B7 ;   # &middot;
+
+    A3  D191 ;   # small yo
+    A4  D194 ;   # small Ukrainian ye
+
+    A6  D196 ;   # small Ukrainian i
+    A7  D197 ;   # small Ukrainian yi
+
+    AD  D291 ;   # small Ukrainian soft g
+    AE  D19E ;   # small Byelorussian short u
+
+    B0  C2B0 ;   # &deg;
+
+    B3  D081 ;   # capital YO
+    B4  D084 ;   # capital Ukrainian YE
+
+    B6  D086 ;   # capital Ukrainian I
+    B7  D087 ;   # capital Ukrainian YI
+
+    B9  E28496 ; # numero sign
+
+    BD  D290 ;   # capital Ukrainian soft G
+    BE  D18E ;   # capital Byelorussian short U
+
+    BF  C2A9 ;   # (C)
+
+    C0  D18E ;   # small yu
+    C1  D0B0 ;   # small a
+    C2  D0B1 ;   # small b
+    C3  D186 ;   # small ts
+    C4  D0B4 ;   # small d
+    C5  D0B5 ;   # small ye
+    C6  D184 ;   # small f
+    C7  D0B3 ;   # small g
+    C8  D185 ;   # small kh
+    C9  D0B8 ;   # small i
+    CA  D0B9 ;   # small j
+    CB  D0BA ;   # small k
+    CC  D0BB ;   # small l
+    CD  D0BC ;   # small m
+    CE  D0BD ;   # small n
+    CF  D0BE ;   # small o
+
+    D0  D0BF ;   # small p
+    D1  D18F ;   # small ya
+    D2  D180 ;   # small r
+    D3  D181 ;   # small s
+    D4  D182 ;   # small t
+    D5  D183 ;   # small u
+    D6  D0B6 ;   # small zh
+    D7  D0B2 ;   # small v
+    D8  D18C ;   # small soft sign
+    D9  D18B ;   # small y
+    DA  D0B7 ;   # small z
+    DB  D188 ;   # small sh
+    DC  D18D ;   # small e
+    DD  D189 ;   # small shch
+    DE  D187 ;   # small ch
+    DF  D18A ;   # small hard sign
+
+    E0  D0AE ;   # capital YU
+    E1  D090 ;   # capital A
+    E2  D091 ;   # capital B
+    E3  D0A6 ;   # capital TS
+    E4  D094 ;   # capital D
+    E5  D095 ;   # capital YE
+    E6  D0A4 ;   # capital F
+    E7  D093 ;   # capital G
+    E8  D0A5 ;   # capital KH
+    E9  D098 ;   # capital I
+    EA  D099 ;   # capital J
+    EB  D09A ;   # capital K
+    EC  D09B ;   # capital L
+    ED  D09C ;   # capital M
+    EE  D09D ;   # capital N
+    EF  D09E ;   # capital O
+
+    F0  D09F ;   # capital P
+    F1  D0AF ;   # capital YA
+    F2  D0A0 ;   # capital R
+    F3  D0A1 ;   # capital S
+    F4  D0A2 ;   # capital T
+    F5  D0A3 ;   # capital U
+    F6  D096 ;   # capital ZH
+    F7  D092 ;   # capital V
+    F8  D0AC ;   # capital soft sign
+    F9  D0AB ;   # capital Y
+    FA  D097 ;   # capital Z
+    FB  D0A8 ;   # capital SH
+    FC  D0AD ;   # capital E
+    FD  D0A9 ;   # capital SHCH
+    FE  D0A7 ;   # capital CH
+    FF  D0AA ;   # capital hard sign
+}

koi-win

@@ -0,0 +1,103 @@
+
+charset_map  koi8-r  windows-1251 {
+
+    80  88 ; # euro
+
+    95  95 ; # bullet
+
+    9A  A0 ; #  
+
+    9E  B7 ; # ·
+
+    A3  B8 ; # small yo
+    A4  BA ; # small Ukrainian ye
+
+    A6  B3 ; # small Ukrainian i
+    A7  BF ; # small Ukrainian yi
+
+    AD  B4 ; # small Ukrainian soft g
+    AE  A2 ; # small Byelorussian short u
+
+    B0  B0 ; # °
+
+    B3  A8 ; # capital YO
+    B4  AA ; # capital Ukrainian YE
+
+    B6  B2 ; # capital Ukrainian I
+    B7  AF ; # capital Ukrainian YI
+
+    B9  B9 ; # numero sign
+
+    BD  A5 ; # capital Ukrainian soft G
+    BE  A1 ; # capital Byelorussian short U
+
+    BF  A9 ; # (C)
+
+    C0  FE ; # small yu
+    C1  E0 ; # small a
+    C2  E1 ; # small b
+    C3  F6 ; # small ts
+    C4  E4 ; # small d
+    C5  E5 ; # small ye
+    C6  F4 ; # small f
+    C7  E3 ; # small g
+    C8  F5 ; # small kh
+    C9  E8 ; # small i
+    CA  E9 ; # small j
+    CB  EA ; # small k
+    CC  EB ; # small l
+    CD  EC ; # small m
+    CE  ED ; # small n
+    CF  EE ; # small o
+
+    D0  EF ; # small p
+    D1  FF ; # small ya
+    D2  F0 ; # small r
+    D3  F1 ; # small s
+    D4  F2 ; # small t
+    D5  F3 ; # small u
+    D6  E6 ; # small zh
+    D7  E2 ; # small v
+    D8  FC ; # small soft sign
+    D9  FB ; # small y
+    DA  E7 ; # small z
+    DB  F8 ; # small sh
+    DC  FD ; # small e
+    DD  F9 ; # small shch
+    DE  F7 ; # small ch
+    DF  FA ; # small hard sign
+
+    E0  DE ; # capital YU
+    E1  C0 ; # capital A
+    E2  C1 ; # capital B
+    E3  D6 ; # capital TS
+    E4  C4 ; # capital D
+    E5  C5 ; # capital YE
+    E6  D4 ; # capital F
+    E7  C3 ; # capital G
+    E8  D5 ; # capital KH
+    E9  C8 ; # capital I
+    EA  C9 ; # capital J
+    EB  CA ; # capital K
+    EC  CB ; # capital L
+    ED  CC ; # capital M
+    EE  CD ; # capital N
+    EF  CE ; # capital O
+
+    F0  CF ; # capital P
+    F1  DF ; # capital YA
+    F2  D0 ; # capital R
+    F3  D1 ; # capital S
+    F4  D2 ; # capital T
+    F5  D3 ; # capital U
+    F6  C6 ; # capital ZH
+    F7  C2 ; # capital V
+    F8  DC ; # capital soft sign
+    F9  DB ; # capital Y
+    FA  C7 ; # capital Z
+    FB  D8 ; # capital SH
+    FC  DD ; # capital E
+    FD  D9 ; # capital SHCH
+    FE  D7 ; # capital CH
+    FF  DA ; # capital hard sign
+}

mime.types

@@ -0,0 +1,89 @@
+
+types {
+    text/html                             html htm shtml;
+    text/css                              css;
+    text/xml                              xml;
+    image/gif                             gif;
+    image/jpeg                            jpeg jpg;
+    application/javascript                js;
+    application/atom+xml                  atom;
+    application/rss+xml                   rss;
+
+    text/mathml                           mml;
+    text/plain                            txt;
+    text/vnd.sun.j2me.app-descriptor      jad;
+    text/vnd.wap.wml                      wml;
+    text/x-component                      htc;
+
+    image/png                             png;
+    image/tiff                            tif tiff;
+    image/vnd.wap.wbmp                    wbmp;
+    image/x-icon                          ico;
+    image/x-jng                           jng;
+    image/x-ms-bmp                        bmp;
+    image/svg+xml                         svg svgz;
+    image/webp                            webp;
+
+    application/font-woff                 woff;
+    application/java-archive              jar war ear;
+    application/json                      json;
+    application/mac-binhex40              hqx;
+    application/msword                    doc;
+    application/pdf                       pdf;
+    application/postscript                ps eps ai;
+    application/rtf                       rtf;
+    application/vnd.apple.mpegurl         m3u8;
+    application/vnd.ms-excel              xls;
+    application/vnd.ms-fontobject         eot;
+    application/vnd.ms-powerpoint         ppt;
+    application/vnd.wap.wmlc              wmlc;
+    application/vnd.google-earth.kml+xml  kml;
+    application/vnd.google-earth.kmz      kmz;
+    application/x-7z-compressed           7z;
+    application/x-cocoa                   cco;
+    application/x-java-archive-diff       jardiff;
+    application/x-java-jnlp-file          jnlp;
+    application/x-makeself                run;
+    application/x-perl                    pl pm;
+    application/x-pilot                   prc pdb;
+    application/x-rar-compressed          rar;
+    application/x-redhat-package-manager  rpm;
+    application/x-sea                     sea;
+    application/x-shockwave-flash         swf;
+    application/x-stuffit                 sit;
+    application/x-tcl                     tcl tk;
+    application/x-x509-ca-cert            der pem crt;
+    application/x-xpinstall               xpi;
+    application/xhtml+xml                 xhtml;
+    application/xspf+xml                  xspf;
+    application/zip                       zip;
+
+    application/octet-stream              bin exe dll;
+    application/octet-stream              deb;
+    application/octet-stream              dmg;
+    application/octet-stream              iso img;
+    application/octet-stream              msi msp msm;
+
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;
+
+    audio/midi                            mid midi kar;
+    audio/mpeg                            mp3;
+    audio/ogg                             ogg;
+    audio/x-m4a                           m4a;
+    audio/x-realaudio                     ra;
+
+    video/3gpp                            3gpp 3gp;
+    video/mp2t                            ts;
+    video/mp4                             mp4;
+    video/mpeg                            mpeg mpg;
+    video/quicktime                       mov;
+    video/webm                            webm;
+    video/x-flv                           flv;
+    video/x-m4v                           m4v;
+    video/x-mng                           mng;
+    video/x-ms-asf                        asx asf;
+    video/x-ms-wmv                        wmv;
+    video/x-msvideo                       avi;
+}

modules-enabled/50-mod-http-auth-pam.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-http-auth-pam.conf

modules-enabled/50-mod-http-dav-ext.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-http-dav-ext.conf

modules-enabled/50-mod-http-echo.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-http-echo.conf

modules-enabled/50-mod-http-geoip.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-http-geoip.conf

modules-enabled/50-mod-http-geoip2.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-http-geoip2.conf

modules-enabled/50-mod-http-image-filter.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-http-image-filter.conf

modules-enabled/50-mod-http-subs-filter.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-http-subs-filter.conf

modules-enabled/50-mod-http-upstream-fair.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-http-upstream-fair.conf

modules-enabled/50-mod-http-xslt-filter.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-http-xslt-filter.conf

modules-enabled/50-mod-mail.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-mail.conf

modules-enabled/50-mod-stream.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-stream.conf

modules-enabled/70-mod-stream-geoip2.conf

@@ -0,0 +1 @@
+/usr/share/nginx/modules-available/mod-stream-geoip2.conf

nginx.conf

@@ -1,13 +1,13 @@
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
 
 events {
-	worker_connections 1024;
+        worker_connections 2048;
         multi_accept on;
-}
-
-http {
+        use epoll;
+}http {
 
 	##
 	# Basic Settings
@@ -16,11 +16,17 @@ http {
         sendfile on;
         tcp_nopush on;
         tcp_nodelay on;
-	keepalive_timeout 15;
+        keepalive_timeout 65;
+        keepalive_requests 100;
+        reset_timedout_connection on;
         types_hash_max_size 2048;
         # server_tokens off;
         
-	# server_names_hash_bucket_size 64;
+        # File cache for better performance
+        open_file_cache max=10000 inactive=30s;
+        open_file_cache_valid 60s;
+        open_file_cache_min_uses 2;
+        open_file_cache_errors on;	# server_names_hash_bucket_size 64;
 	# server_name_in_redirect off;
 
 	include /etc/nginx/mime.types;
@@ -33,8 +39,9 @@ http {
 	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
 	ssl_prefer_server_ciphers on;
 	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-	ssl_session_cache shared:SSL:10m;
-	ssl_session_timeout 10m;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_timeout 1d;
+    ssl_session_tickets off;
 	ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
 	#ssl_stapling on;
 	#ssl_stapling_verify on;
@@ -54,9 +61,18 @@ http {
 
 	 gzip_vary on;
 	 gzip_proxied any;
-	 gzip_comp_level 6;
+	 gzip_comp_level 5;
 	 gzip_buffers 16 8k;
 	 gzip_http_version 1.1;
+
+    # Proxy buffer settings
+    proxy_buffers 16 16k;
+    proxy_buffer_size 32k;
+    proxy_busy_buffers_size 64k;
+    proxy_temp_file_write_size 64k;
+    proxy_connect_timeout 90;
+    proxy_send_timeout 90;
+    proxy_read_timeout 90;
 	 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
 	##
@@ -88,3 +104,60 @@ http {
 #               proxy      on;
 #       }
 #}
+
+# Stream block for SMTP proxy with Let's Encrypt TLS termination
+stream {
+    # Logging
+    log_format smtp_proxy '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';
+    
+    # Upstream mail server
+    upstream mail_submission {
+        server 10.0.0.21:10025;
+    }
+    
+    upstream mail_smtps {
+        server 10.0.0.21:10025;
+    }
+    
+    # SMTP Submission port (STARTTLS) - port 587
+    server {
+        listen 587 ssl;
+        proxy_pass mail_submission;
+        proxy_connect_timeout 10s;
+        
+        # Let's Encrypt SSL certificate
+        ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
+        
+        # SSL settings
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SMTP:10m;
+        ssl_session_timeout 10m;
+        
+        access_log /var/log/nginx/mail-submission-access.log smtp_proxy;
+        error_log /var/log/nginx/mail-submission-error.log;
+    }
+    
+    # SMTPS port (implicit TLS) - port 465
+    server {
+        listen 465 ssl;
+        proxy_pass mail_smtps;
+        proxy_connect_timeout 10s;
+        
+        # Let's Encrypt SSL certificate
+        ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
+        
+        # SSL settings
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SMTPS:10m;
+        ssl_session_timeout 10m;
+        
+        access_log /var/log/nginx/mail-smtps-access.log smtp_proxy;
+        error_log /var/log/nginx/mail-smtps-error.log;
+    }
+}

nginx.conf.backup-20251113-212350

@@ -0,0 +1,90 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 1024;
+	 multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 15;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_timeout 10m;
+	ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
+	#ssl_stapling on;
+	#ssl_stapling_verify on;
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	 gzip_vary on;
+	 gzip_proxied any;
+	 gzip_comp_level 6;
+	 gzip_buffers 16 8k;
+	 gzip_http_version 1.1;
+	 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#       # See sample authentication script at:
+#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#       # auth_http localhost/auth.php;
+#       # pop3_capabilities "TOP" "USER";
+#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#       server {
+#               listen     localhost:110;
+#               protocol   pop3;
+#               proxy      on;
+#       }
+#
+#       server {
+#               listen     localhost:143;
+#               protocol   imap;
+#               proxy      on;
+#       }
+#}

nginx.conf.dpkg-dist

@@ -0,0 +1,83 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+#
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}

proxy_params

@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;

scgi_params

@@ -0,0 +1,17 @@
+
+scgi_param  REQUEST_METHOD     $request_method;
+scgi_param  REQUEST_URI        $request_uri;
+scgi_param  QUERY_STRING       $query_string;
+scgi_param  CONTENT_TYPE       $content_type;
+
+scgi_param  DOCUMENT_URI       $document_uri;
+scgi_param  DOCUMENT_ROOT      $document_root;
+scgi_param  SCGI               1;
+scgi_param  SERVER_PROTOCOL    $server_protocol;
+scgi_param  REQUEST_SCHEME     $scheme;
+scgi_param  HTTPS              $https if_not_empty;
+
+scgi_param  REMOTE_ADDR        $remote_addr;
+scgi_param  REMOTE_PORT        $remote_port;
+scgi_param  SERVER_PORT        $server_port;
+scgi_param  SERVER_NAME        $server_name;

sites-available/default

@@ -13,6 +13,14 @@
 
 # Default server configuration
 #
+# Upstream for Node.js backend
+upstream nodejs_backend {
+    server 127.0.0.1:3001;
+    keepalive 8;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
 server {
 	listen 80 default_server;
 	listen [::]:80 default_server;
@@ -44,6 +52,45 @@ server {
 
 	server_name _;
 
+     # Proxy API requests to Node.js backend
+     # Handle rechner application
+     location /rechner/ {
+             proxy_pass http://nodejs_backend/;
+             proxy_http_version 1.1;
+             proxy_set_header Upgrade $http_upgrade;
+             proxy_set_header Connection 'upgrade';
+             proxy_set_header Host $host;
+             proxy_set_header X-Real-IP $remote_addr;
+             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+             proxy_set_header X-Forwarded-Proto $scheme;
+             proxy_cache_bypass $http_upgrade;
+     }
+
+     # Proxy API requests for rechner to Node.js backend
+     location /rechner/api/ {
+             proxy_pass http://nodejs_backend/api/;
+             proxy_http_version 1.1;
+             proxy_set_header Upgrade $http_upgrade;
+             proxy_set_header Connection 'upgrade';
+             proxy_set_header Host $host;
+             proxy_set_header X-Real-IP $remote_addr;
+             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+             proxy_set_header X-Forwarded-Proto $scheme;
+             proxy_cache_bypass $http_upgrade;
+     }
+
+     location /api/ {
+             proxy_pass http://nodejs_backend;
+             proxy_http_version 1.1;
+             proxy_set_header Upgrade $http_upgrade;
+             proxy_set_header Connection 'upgrade';
+             proxy_set_header Host $host;
+             proxy_set_header X-Real-IP $remote_addr;
+             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+             proxy_set_header X-Forwarded-Proto $scheme;
+             proxy_cache_bypass $http_upgrade;
+     }
+
 	location / {
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.

sites-available/default.backup

@@ -0,0 +1,90 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+    location /.well-known {
+            alias /var/www/sub.domain.com/.well-known;
+    }
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name _;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+	}
+
+	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php7.0-cgi alone:
+	#	fastcgi_pass 127.0.0.1:9000;
+	#	# With php7.0-fpm:
+	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}

sites-available/default.backup-20251113-212344

@@ -0,0 +1,129 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+    location /.well-known {
+            alias /var/www/sub.domain.com/.well-known;
+    }
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name _;
+
+     # Proxy API requests to Node.js backend
+     # Handle rechner application
+     location /rechner/ {
+             proxy_pass http://127.0.0.1:3001/;
+             proxy_http_version 1.1;
+             proxy_set_header Upgrade $http_upgrade;
+             proxy_set_header Connection 'upgrade';
+             proxy_set_header Host $host;
+             proxy_set_header X-Real-IP $remote_addr;
+             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+             proxy_Set_header X-Forwarded-Proto $scheme;
+             proxy_cache_bypass $http_upgrade;
+     }
+
+     # Proxy API requests for rechner to Node.js backend
+     location /rechner/api/ {
+             proxy_pass http://127.0.0.1:3001/api/;
+             proxy_http_version 1.1;
+             proxy_set_header Upgrade $http_upgrade;
+             proxy_set_header Connection 'upgrade';
+             proxy_set_header Host $host;
+             proxy_set_header X-Real-IP $remote_addr;
+             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+             proxy_set_header X-Forwarded-Proto $scheme;
+             proxy_cache_bypass $http_upgrade;
+     }
+
+     location /api/ {
+             proxy_pass http://127.0.0.1:3001;
+             proxy_http_version 1.1;
+             proxy_set_header Upgrade $http_upgrade;
+             proxy_set_header Connection 'upgrade';
+             proxy_set_header Host $host;
+             proxy_set_header X-Real-IP $remote_addr;
+             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+             proxy_set_header X-Forwarded-Proto $scheme;
+             proxy_cache_bypass $http_upgrade;
+     }
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+	}
+
+	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php7.0-cgi alone:
+	#	fastcgi_pass 127.0.0.1:9000;
+	#	# With php7.0-fpm:
+	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}

sites-available/default.clean

@@ -0,0 +1,115 @@
+
+#user  nobody;
+worker_processes  1;
+
+#error_log  logs/error.log;
+#error_log  logs/error.log  notice;
+#error_log  logs/error.log  info;
+
+#pid        logs/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    #                  '$status $body_bytes_sent "$http_referer" '
+    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  logs/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    #keepalive_timeout  0;
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    server {
+        listen       80;
+        server_name  localhost;
+
+        #access_log  logs/host.access.log  main;
+
+        location / {
+            root   html;
+            index  index.html index.htm;
+        }
+
+        #error_page  404              /404.html;
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   html;
+        }
+
+        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+        #
+        #location ~ \.php$ {
+        #    proxy_pass   http://127.0.0.1;
+        #}
+
+        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+        #
+        #location ~ \.php$ {
+        #    root           html;
+        #    fastcgi_pass   127.0.0.1:9000;
+        #    fastcgi_index  index.php;
+        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
+        #    include        fastcgi_params;
+        #}
+
+        # deny access to .htaccess files, if Apache's document root
+        # concurs with nginx's one
+        #
+        #location ~ /\.ht {
+        #    deny  all;
+        #}
+    }
+
+
+    # another virtual host using mix of IP-, name-, and port-based configuration
+    #
+    #server {
+    #    listen       8000;
+    #    listen       somename:8080;
+    #    server_name  somename  alias  another.alias;
+
+    #    location / {
+    #        root   html;
+    #        index  index.html index.htm;
+    #    }
+    #}
+
+
+    # HTTPS server
+    #
+    #server {
+    #    listen       443 ssl;
+    #    server_name  localhost;
+
+    #    ssl_certificate      cert.pem;
+    #    ssl_certificate_key  cert.key;
+
+    #    ssl_session_cache    shared:SSL:1m;
+    #    ssl_session_timeout  5m;
+
+    #    ssl_ciphers  HIGH:!aNULL:!MD5;
+    #    ssl_prefer_server_ciphers  on;
+
+    #    location / {
+    #        root   html;
+    #        index  index.html index.htm;
+    #    }
+    #}
+
+}

sites-available/element.conf

@@ -0,0 +1,80 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /var/cache/nginx/element levels=1:2 keys_zone=my_cache_element:10m max_size=2g         
+                 inactive=60m use_temp_path=off;
+
+# Upstream with keepalive
+upstream element_backend {
+    server 10.0.0.48:8097;
+    keepalive 16;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
+server{
+	listen 80;
+	server_name element.egonetix.de;
+	return 301 https://$server_name/element$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/element.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/element.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name element.egonetix.de;
+
+ access_log /var/log/nginx/element-access_log;
+ error_log /var/log/nginx/element-error_log;
+
+ # Gzip compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss image/svg+xml;
+ gzip_min_length 1000;
+
+ set $upstream 10.0.0.48;
+
+ # Static files with aggressive caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|json)$ {
+     proxy_pass http://element_backend;
+     proxy_cache my_cache_element;
+     proxy_cache_valid 200 24h;
+     expires 24h;
+     add_header Cache-Control "public, immutable";
+     proxy_http_version 1.1;
+     proxy_set_header Connection "";
+ }
+
+ location / {
+
+ proxy_cache my_cache_element;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://element_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}

sites-available/element.conf.backup-20251113-212344

@@ -0,0 +1,51 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/element/ levels=1:2 keys_zone=my_cache_element:10m max_size=10g         
+                 inactive=60m use_temp_path=off;
+server{
+	listen 80;
+	server_name element.egonetix.de;
+	return 301 https://$server_name/element$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/element.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/element.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name element.egonetix.de;
+
+ access_log /var/log/nginx/element-access_log;
+ error_log /var/log/nginx/element-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_element;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8097;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}

sites-available/feuer.conf

@@ -0,0 +1,65 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/feuer/ levels=1:2 keys_zone=my_cache_feuer:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+
+server{
+listen 80;
+server_name feuer.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/feuer.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/feuer.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name feuer.egonetix.de;
+
+ access_log /var/log/nginx/feuer-access_log;
+ error_log /var/log/nginx/feuer-error_log;
+
+ # Firefly III on srvdocker02 (10.0.0.48)
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_feuer;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8094;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 100M;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ # Firefly III specific headers for proper functionality
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+     expires 1y;
+     add_header Cache-Control "public, immutable";
+     proxy_pass http://$upstream:8094;
+     proxy_set_header Host $host;
+     proxy_set_header X-Real-IP $remote_addr;
+     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+     proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}

sites-available/flow.conf

@@ -0,0 +1,52 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/flow/ levels=1:2 keys_zone=my_cache_flow:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name flow.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; base-uri 'self';";
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/flow.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/flow.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name flow.egonetix.de;
+
+ access_log /var/log/nginx/flow-access_log;
+ error_log /var/log/nginx/flow-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_flow;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8098;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}

sites-available/gitea.conf

@@ -1,7 +1,16 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/gitea/ levels=1:2 keys_zone=my_cache_gitea:10m max_size=10g         
+proxy_cache_path /var/cache/nginx/gitea levels=1:2 keys_zone=my_cache_gitea:10m max_size=2g         
                  inactive=60m use_temp_path=off;
+
+# Upstream with keepalive
+upstream gitea_backend {
+    server 10.0.0.48:4000;
+    keepalive 16;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
 server{
 	listen 80;
 	server_name gitea.egonetix.de;
@@ -25,8 +34,28 @@ server {
  access_log /var/log/nginx/gitea-access_log;
  error_log /var/log/nginx/gitea-error_log;
 
+ # Gzip compression for Gitea
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss image/svg+xml;
+ gzip_min_length 1000;
+
  set $upstream 10.0.0.48;
 
+ # Static files with aggressive caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+     proxy_pass http://gitea_backend;
+     proxy_cache my_cache_gitea;
+     proxy_cache_valid 200 24h;
+     expires 24h;
+     add_header Cache-Control "public, immutable";
+     proxy_http_version 1.1;
+     proxy_set_header Connection "";
+ }
+
  location / {
 
  proxy_cache my_cache_gitea;
@@ -35,7 +64,7 @@ server {
  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass http://$upstream:4000;
+ proxy_pass http://gitea_backend;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

sites-available/gitea.conf.backup-20251113-212344

@@ -0,0 +1,51 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/gitea/ levels=1:2 keys_zone=my_cache_gitea:10m max_size=10g         
+                 inactive=60m use_temp_path=off;
+server{
+	listen 80;
+	server_name gitea.egonetix.de;
+	return 301 https://$server_name/gitea$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/gitea.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/gitea.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name gitea.egonetix.de;
+
+ access_log /var/log/nginx/gitea-access_log;
+ error_log /var/log/nginx/gitea-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_gitea;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:4000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}

sites-available/hoarder.conf

@@ -1,7 +1,16 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/hoarder/ levels=1:2 keys_zone=my_cache_hoarder:10m max_size=10g 
+proxy_cache_path /var/cache/nginx/hoarder levels=1:2 keys_zone=my_cache_hoarder:10m max_size=2g 
                  inactive=60m use_temp_path=off;
+
+# Upstream with keepalive
+upstream hoarder_backend {
+    server 10.0.0.48:8084;
+    keepalive 16;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
 server{
 listen 80;
 server_name hoarder.egonetix.de;
@@ -24,8 +33,27 @@ server {
  access_log /var/log/nginx/hoarder-access_log;
  error_log /var/log/nginx/hoarder-error_log;
 
+ # Gzip compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss image/svg+xml;
+ gzip_min_length 1000;
+
  set $upstream 10.0.0.48;
 
+ # Static files with caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+     proxy_pass http://hoarder_backend;
+     proxy_cache my_cache_hoarder;
+     proxy_cache_valid 200 24h;
+     expires 24h;
+     add_header Cache-Control "public, immutable";
+     proxy_http_version 1.1;
+     proxy_set_header Connection "";
+ }
 
  location / {
 
@@ -35,7 +63,7 @@ server {
  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass http://$upstream:8084;
+ proxy_pass http://hoarder_backend;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

sites-available/hoarder.conf.backup-20251113-212344

@@ -0,0 +1,52 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/hoarder/ levels=1:2 keys_zone=my_cache_hoarder:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name hoarder.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/hoarder.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/hoarder.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name hoarder.egonetix.de;
+
+ access_log /var/log/nginx/hoarder-access_log;
+ error_log /var/log/nginx/hoarder-error_log;
+
+ set $upstream 10.0.0.48;
+
+
+ location / {
+
+ proxy_cache my_cache_hoarder;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8084;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+}

sites-available/jitsi.conf

@@ -1,7 +1,19 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/jitsi/ levels=1:2 keys_zone=my_cache_jitsi:10m max_size=10g 
-                 inactive=60m use_temp_path=off;
+# Upstream with keepalive for Jitsi
+upstream jitsi_backend {
+    server 10.0.0.48:8000;
+    keepalive 32;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
+# WebSocket upgrade map
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
 server{
 listen 80;
 server_name jitsi.egonetix.de;
@@ -24,17 +36,43 @@ server {
  access_log /var/log/nginx/jitsi-access_log;
  error_log /var/log/nginx/jitsi-error_log;
 
+ # Gzip compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss;
+ gzip_min_length 1000;
+
  set $upstream 10.0.0.48;
 
+ # WebSocket support for Jitsi real-time communication
+ location /xmpp-websocket {
+     proxy_pass http://jitsi_backend;
+     proxy_http_version 1.1;
+     proxy_set_header Upgrade $http_upgrade;
+     proxy_set_header Connection $connection_upgrade;
+     proxy_set_header Host $host;
+     proxy_set_header X-Real-IP $remote_addr;
+     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+     proxy_buffering off;
+     proxy_read_timeout 7200s;
+ }
+
+ # Static files with caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+     proxy_pass http://jitsi_backend;
+     expires 24h;
+     add_header Cache-Control "public, immutable";
+     proxy_http_version 1.1;
+     proxy_set_header Connection "";
+ }
+
  location / {
 
- proxy_cache my_cache_jitsi;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass http://$upstream:8000;
+ proxy_pass http://jitsi_backend;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

sites-available/jitsi.conf.backup-20251113-212344

@@ -0,0 +1,51 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/jitsi/ levels=1:2 keys_zone=my_cache_jitsi:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name jitsi.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/jitsi.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/jitsi.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name jitsi.egonetix.de;
+
+ access_log /var/log/nginx/jitsi-access_log;
+ error_log /var/log/nginx/jitsi-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_jitsi;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+}

sites-available/ki.conf

@@ -0,0 +1,51 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/ki/ levels=1:2 keys_zone=my_cache_ki:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+
+server{
+	listen 80;
+	server_name ki.egonetix.de;
+	return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/ki.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ki.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name ki.egonetix.de;
+
+ access_log /var/log/nginx/ki-access_log;
+ error_log /var/log/nginx/ki-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_ki;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}

sites-available/matrix.conf

@@ -1,52 +1,97 @@
 add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
+# Upstream with keepalive for Matrix
+upstream matrix_backend {
+    server 10.0.0.48:8008;
+    keepalive 32;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
 
+# Redirect HTTP to HTTPS
 server {
     listen 10.0.0.29:80;
     server_name matrix.egonetix.de;
     return 301 https://$server_name$request_uri;
 }
 
+# HTTPS for client traffic (port 443)
 server {
- listen 10.0.0.29:443 http2 ssl;
- # SSL config
- ssl on;
+    listen 10.0.0.29:443 ssl http2;
+    server_name matrix.egonetix.de;
+
     ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
     ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
- # Make site accessible from http://localhost/
- server_name matrix.egonetix.de;
     access_log /var/log/nginx/matrix-access.log;
     error_log /var/log/nginx/matrix-error.log;
 
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 5;
+    gzip_types text/plain text/css text/xml text/javascript 
+               application/json application/javascript application/xml+rss;
+    gzip_min_length 1000;
+
     set $upstream 10.0.0.48;
 
- location /_matrix {
-
-        proxy_pass http://$upstream:8008;
+    location ~ ^(/_matrix|/_synapse/client) {
+        proxy_pass http://matrix_backend;
         proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+
+        # Better buffering for Matrix
+        proxy_buffering on;
+        proxy_buffer_size 8k;
+        proxy_buffers 32 8k;
+
+        client_max_body_size 50M;
     }
 }
 
+# HTTPS for federation traffic (port 8448)
 server {
- listen 10.0.0.29:8448 http2 ssl;
- # SSL config
- ssl on;
+    listen 10.0.0.29:8448 ssl http2;
+    server_name matrix.egonetix.de;
+
     ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
     ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
- # Make site accessible from http://localhost/
- server_name matrix.egonetix.de;
     access_log /var/log/nginx/matrix-access.log;
     error_log /var/log/nginx/matrix-error.log;
 
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 5;
+    gzip_types text/plain text/css text/xml text/javascript 
+               application/json application/javascript application/xml+rss;
+    gzip_min_length 1000;
+
     set $upstream 10.0.0.48;
 
- location /_matrix {
-
-        proxy_pass http://$upstream:8008;
+    location ~ ^(/_matrix|/_synapse/client) {
+        proxy_pass http://matrix_backend;
         proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+
+        # Better buffering for Matrix
+        proxy_buffering on;
+        proxy_buffer_size 8k;
+        proxy_buffers 32 8k;
+
+        client_max_body_size 50M;
     }
 }
+

sites-available/matrix.conf.backup-20251113-212344

@@ -0,0 +1,59 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+# Redirect HTTP to HTTPS
+server {
+    listen 10.0.0.29:80;
+    server_name matrix.egonetix.de;
+    return 301 https://$server_name$request_uri;
+}
+
+# HTTPS for client traffic (port 443)
+server {
+    listen 10.0.0.29:443 ssl http2;
+    server_name matrix.egonetix.de;
+
+    ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+    access_log /var/log/nginx/matrix-access.log;
+    error_log /var/log/nginx/matrix-error.log;
+
+    set $upstream 10.0.0.48;
+
+    location ~ ^(/_matrix|/_synapse/client) {
+        proxy_pass http://$upstream:8008;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        client_max_body_size 50M;
+        proxy_http_version 1.1;
+    }
+}
+
+# HTTPS for federation traffic (port 8448)
+server {
+    listen 10.0.0.29:8448 ssl http2;
+    server_name matrix.egonetix.de;
+
+    ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+    access_log /var/log/nginx/matrix-access.log;
+    error_log /var/log/nginx/matrix-error.log;
+
+    set $upstream 10.0.0.48;
+
+    location ~ ^(/_matrix|/_synapse/client) {
+        proxy_pass http://$upstream:8008;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        client_max_body_size 50M;
+        proxy_http_version 1.1;
+    }
+}
+

sites-available/nextcloud.conf

@@ -1,8 +1,17 @@
 add_header  X-Robots-Tag "no-referrer, noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/nextcloud/ levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=10g         
+# Reduced cache size due to disk space constraints
+proxy_cache_path /var/cache/nginx/nextcloud levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=2g         
                  inactive=60m use_temp_path=off;
 
+# Upstream with keepalive
+upstream nextcloud_backend {
+    server 10.0.0.48:8089;
+    keepalive 16;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
 server{
         listen 80;
         server_name nextcloud.egonetix.de;
@@ -39,7 +48,7 @@ server {
  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass http://$upstream:8089;
+ proxy_pass http://nextcloud_backend;
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Server $host;

sites-available/nextcloud.conf.backup-20251113-212344

@@ -0,0 +1,74 @@
+add_header  X-Robots-Tag "no-referrer, noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/nextcloud/ levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=10g         
+                 inactive=60m use_temp_path=off;
+
+server{
+        listen 80;
+        server_name nextcloud.egonetix.de;
+        return 301 https://$server_name/$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Referrer-Policy "no-referrer" always;
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/nextcloud.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nextcloud.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name nextcloud.egonetix.de;
+
+ access_log /var/log/nginx/nextcloud-access_log;
+ error_log /var/log/nginx/nextcloud-error_log;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ set $upstream 10.0.0.48;
+
+#rewrite ^/$ /nextcloud;
+
+ location / {
+
+ proxy_cache my_cache_nextcloud;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8089;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# add_header Referrer-Policy no-referrer;
+# proxy_set_header X-Forwarded-Proto https;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 20G;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ }
+
+location = /.well-known/carddav {
+return 301 $scheme://$host/remote.php/dav;
+}
+location = /.well-known/caldav {
+return 301 $scheme://$host/remote.php/dav;
+}
+}
+

sites-available/office.conf

@@ -1,8 +1,22 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/office/ levels=1:2 keys_zone=my_cache_office:10m max_size=10g         
+proxy_cache_path /var/cache/nginx/office levels=1:2 keys_zone=my_cache_office:10m max_size=2g         
                  inactive=60m use_temp_path=off;
 
+# Upstream with keepalive for Office
+upstream office_backend {
+    server 10.0.0.48:9980;
+    keepalive 32;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
+# WebSocket upgrade map
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
 server{
         listen 80;
         server_name office.egonetix.de;
@@ -30,12 +44,36 @@ server {
  access_log /var/log/nginx/office-access_log;
  error_log /var/log/nginx/office-error_log;
 
+ # Gzip compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss;
+ gzip_min_length 1000;
+
  proxy_set_header X-Forwarded-Proto $scheme;
 
  set $upstream 10.0.0.48;
 
 # location /
 
+# WebSocket support for collaborative editing
+location /lool/ws {
+    proxy_pass https://office_backend;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_buffering off;
+    proxy_read_timeout 7200s;
+    proxy_ssl_session_reuse off;
+}
+
 location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache)	 {
 
  proxy_cache my_cache_office;
@@ -44,7 +82,7 @@ location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache)	 {
  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass https://$upstream:9980;
+ proxy_pass https://office_backend;
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Server $host;

sites-available/office.conf.backup-20251113-212344

@@ -0,0 +1,62 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/office/ levels=1:2 keys_zone=my_cache_office:10m max_size=10g         
+                 inactive=60m use_temp_path=off;
+
+server{
+        listen 80;
+        server_name office.egonetix.de;
+        return 301 https://$server_name/$request_uri; 
+
+	 access_log /var/log/nginx/office-access_log;
+	 error_log /var/log/nginx/office-error_log;
+
+
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+# SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/office.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/office.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name office.egonetix.de;
+
+ access_log /var/log/nginx/office-access_log;
+ error_log /var/log/nginx/office-error_log;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ set $upstream 10.0.0.48;
+
+# location /
+
+location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache)	 {
+
+ proxy_cache my_cache_office;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:9980;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Connection "";
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}
+

sites-available/owa.conf

@@ -1,167 +1,161 @@
 add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/owa/ levels=1:2 keys_zone=my_cache_owa:10m max_size=10g         
-                 inactive=60m use_temp_path=off;
+# Optimized cache paths
+proxy_cache_path /var/cache/nginx/kopano levels=1:2 keys_zone=kopano_static:10m 
+                 max_size=2g inactive=24h use_temp_path=off;
 
+# Upstream with connection pooling
+upstream kopano_backend {
+    server 10.0.0.21:443;
+    keepalive 32;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
+# WebSocket support map
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
 
 server {
     listen 80;
     server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
-       return 301 https://$server_name/webapp$request_uri;
-
+    return 301 https://$server_name$request_uri;
 }
 
 server {
     listen 10.0.0.29:443 ssl http2;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     
     # SSL config
- ssl on;
     ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
     ssl_dhparam /etc/ssl/certs/dhparam.pem;
     
- # Make site accessible from http://localhost/
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    
     server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
     
     access_log /var/log/nginx/owa-access_log;
     error_log /var/log/nginx/owa-error_log;
     
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 5;
+    gzip_types text/plain text/css text/xml text/javascript 
+               application/json application/javascript application/xml+rss 
+               application/x-javascript image/svg+xml;
+    gzip_min_length 1000;
     
- set $upstream 10.0.0.21;
+    # Default proxy settings
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header Connection "";
+    proxy_ssl_session_reuse on;
+    proxy_ssl_server_name on;
     
-rewrite ^/$ /webapp;
+    rewrite ^/$ /webapp redirect;
     
+    # Static files - aggressive caching
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        proxy_pass https://kopano_backend;
+        proxy_cache kopano_static;
+        proxy_cache_valid 200 24h;
+        proxy_cache_valid 404 1m;
+        expires 24h;
+        add_header Cache-Control "public, immutable";
+        
+        # Buffering for static files
+        proxy_buffering on;
+        proxy_buffer_size 8k;
+        proxy_buffers 32 8k;
+    }
+    
+    # WebApp - DISABLE buffering for AJAX responsiveness
     location /webapp {
+        proxy_pass https://kopano_backend;
         
- proxy_cache my_cache_owa;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
- proxy_pass_header Authorization;
- proxy_pass https://$upstream;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
+        # NO caching
+        proxy_no_cache 1;
+        proxy_cache_bypass 1;
+        
+        # DISABLE buffering for instant AJAX responses
         proxy_buffering off;
- client_max_body_size 0;
- proxy_read_timeout 36000s;
+        
+        proxy_read_timeout 300s;
+        client_max_body_size 100M;
         proxy_redirect off;
- proxy_ssl_session_reuse off;
     }
+    
+    # ActiveSync - disable buffering for real-time sync
     location /Microsoft-Server-ActiveSync {
- proxy_cache my_cache_owa;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
- proxy_pass_header Authorization;
- proxy_pass https://$upstream;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
- proxy_buffering off;
- client_max_body_size 0;
- proxy_read_timeout 36000s;
- proxy_redirect off;
- proxy_ssl_session_reuse off;
+        proxy_pass https://kopano_backend;
         
+        proxy_no_cache 1;
+        proxy_cache_bypass 1;
+        proxy_buffering off;
+        
+        proxy_read_timeout 3660s;
+        client_max_body_size 100M;
+        proxy_redirect off;
     }
     
+    # WebMeetings - WebSocket support
     location /webmeetings {
+        proxy_pass https://kopano_backend;
+        
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
         
- proxy_cache my_cache_owa;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
- proxy_pass_header Authorization;
- proxy_pass https://$upstream;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
         proxy_buffering off;
- client_max_body_size 0;
- proxy_read_timeout 36000s;
+        proxy_read_timeout 7200s;
+        client_max_body_size 500M;
         proxy_redirect off;
- proxy_ssl_session_reuse off;
     }
     
+    # Autodiscover
     location ~* /Autodiscover/Autodiscover.xml {
         access_log /var/log/nginx/z-push-autodiscover-access.log;
         error_log /var/log/nginx/z-push-autodiscover-error.log;
- fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php;
- fastcgi_param   HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
- fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
- fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
- include fastcgi_params;
- proxy_cache my_cache_owa;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
- proxy_pass_header Authorization;
- proxy_pass https://$upstream;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
+        
+        proxy_pass https://kopano_backend;
+        proxy_no_cache 1;
+        proxy_cache_bypass 1;
         proxy_buffering off;
- client_max_body_size 0;
- proxy_read_timeout 36000s;
+        proxy_read_timeout 60s;
+        client_max_body_size 10M;
         proxy_redirect off;
- proxy_ssl_session_reuse off; 
     }
     
+    # OWA compatibility
     location /owa {
- proxy_cache my_cache_owa;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
- proxy_pass_header Authorization;
- proxy_pass https://$upstream;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
- proxy_buffering off;
- client_max_body_size 0;
- proxy_read_timeout 36000s;
- proxy_redirect off;
- proxy_ssl_session_reuse off;
+        proxy_pass https://kopano_backend;
         
+        proxy_no_cache 1;
+        proxy_cache_bypass 1;
+        proxy_buffering off;
+        
+        proxy_read_timeout 300s;
+        client_max_body_size 100M;
+        proxy_redirect off;
     }
     
+    # CalDAV
     location /caldav {
- proxy_cache my_cache_owa;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
- proxy_pass_header Authorization;
- proxy_pass http://$upstream:8080;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
+        proxy_pass http://10.0.0.21:8080;
+        
+        proxy_no_cache 1;
+        proxy_cache_bypass 1;
         proxy_buffering off;
- client_max_body_size 0;
- proxy_read_timeout 36000s;
+        
+        proxy_read_timeout 300s;
+        client_max_body_size 50M;
         proxy_redirect off;
- proxy_ssl_session_reuse off;
-
     }
-
 }
-

sites-available/owa_backup.conf

@@ -0,0 +1,167 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/owa/ levels=1:2 keys_zone=my_cache_owa:10m max_size=10g         
+                 inactive=60m use_temp_path=off;
+
+
+server{
+       listen 80;
+       server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
+       return 301 https://$server_name/webapp$request_uri;
+
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ 
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
+
+ access_log /var/log/nginx/owa-access_log;
+ error_log /var/log/nginx/owa-error_log;
+
+
+ set $upstream 10.0.0.21;
+
+rewrite ^/$ /webapp;
+
+ location /webapp {
+ 
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+}
+ location /Microsoft-Server-ActiveSync {
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /webmeetings {
+
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+}
+
+ location ~* /Autodiscover/Autodiscover.xml {
+ access_log  /var/log/nginx/z-push-autodiscover-access.log;
+ error_log   /var/log/nginx/z-push-autodiscover-error.log;		
+ fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php;
+ fastcgi_param   HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
+ fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+ include fastcgi_params;
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off; 
+}
+ 
+ location /owa {
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /caldav {
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+}
+

sites-available/plex.conf

@@ -1,7 +1,13 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/plex/ levels=1:2 keys_zone=my_cache_plex:10m max_size=10g 
-                 inactive=60m use_temp_path=off;
+# Upstream with keepalive for Plex
+upstream plex_backend {
+    server 10.0.0.48:32400;
+    keepalive 32;
+    keepalive_requests 100;
+    keepalive_timeout 60s;
+}
+
 server{
 listen 80;
 server_name plex.egonetix.de;
@@ -24,25 +30,34 @@ server {
  access_log /var/log/nginx/plex-access_log;
  error_log /var/log/nginx/plex-error_log;
 
+ # Gzip for text content only (not media)
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss;
+ gzip_min_length 1000;
+
  set $upstream 10.0.0.48;
  #set $upstream 172.20.20.6;
 
+ # Don't cache media streams
  location / {
 
- proxy_cache my_cache_plex;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass https://$upstream:32400;
+ proxy_pass https://plex_backend;
  proxy_ssl_server_name on;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_http_version 1.1;
  proxy_set_header Connection "";
+ 
+ # Optimized for media streaming
  proxy_buffering off;
+ proxy_cache off;
+ 
  client_max_body_size 0;
  proxy_read_timeout 36000s;
  proxy_redirect off;

sites-available/plex.conf.backup-20251113-212344

@@ -0,0 +1,52 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/plex/ levels=1:2 keys_zone=my_cache_plex:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name plex.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/plex.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/plex.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name plex.egonetix.de;
+
+ access_log /var/log/nginx/plex-access_log;
+ error_log /var/log/nginx/plex-error_log;
+
+ set $upstream 10.0.0.48;
+ #set $upstream 172.20.20.6;
+
+ location / {
+
+ proxy_cache my_cache_plex;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:32400;
+ proxy_ssl_server_name on;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}

sites-available/portal.conf

@@ -1,70 +1,65 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
-
 server {
         listen       80;
         server_name portal.egonetix.de;
 
-    # Redirect all HTTP traffic to HTTPS
+        # Redirect any HTTP request to HTTPS
         return 301 https://$server_name$request_uri;
+
 }
 
+
 server {
+# The IP that you forwarded in your router (nginx proxy)
   listen 10.0.0.29:443 ssl http2;
 
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;" always;
-
-    # Remove or update unsupported origin trial features.
-    # For example, comment out or remove these if not using them:
-    # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
-
-    # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
 
+ # SSL config
  ssl on;
  ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
+# Make site accessible from http://localhost/
  server_name portal.egonetix.de;
+
  access_log /var/log/nginx/portal-access_log;
  error_log /var/log/nginx/portal-error_log;
 
+ # Gzip compression for static content
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss image/svg+xml;
+ gzip_min_length 1000;
+
+# return         301 https://$server_name$request_uri;
+# The internal IP of the VM that hosts your Apache config
+# set $upstream 10.0.0.10;
+
 root /var/www/html;
-    index index.html index.php;  # Added index.php as potential index file
+    index index.html;
 
-    # PHP Processing Configuration - Updated for PHP 8.1
-    location ~ \.php$ {
-        include snippets/fastcgi-php.conf;
+#    location /.well-known {
+#            alias /var/www/sub.domain.com/.well-known;
+#    }
 
-        # Use PHP 8.1 socket (most common path on Ubuntu 22.04)
-        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+# location / {
  
-        # Alternative options if the above doesn't work:
-        #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
-        #fastcgi_pass 127.0.0.1:9000;
-        
-        # Increase timeout and buffer size for troubleshooting
-        fastcgi_connect_timeout 300;
-        fastcgi_read_timeout 300;
-        fastcgi_send_timeout 300;
-        fastcgi_buffer_size 32k;
-        fastcgi_buffers 16 16k;
-        
-        # Set the correct document root
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_intercept_errors on;
-    }
-
-    # Reverse proxy for API calls.
-    # If your backend expects the API without the "/api" prefix, use the proxy_pass below.
-    location /api/ {
-        proxy_pass http://127.0.0.1:3000;
-        # If your backend requires the /api prefix, change to:
-        # proxy_pass http://127.0.0.1:3000/api/;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
+# proxy_pass_header Authorization;
+# proxy_pass http://$upstream;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_http_version 1.1;
+# proxy_set_header Connection "";
+# proxy_buffering off;
+# client_max_body_size 0;
+# proxy_read_timeout 36000s;
+# proxy_redirect off; 
+#}
 }
 

sites-available/portal.conf.backup

@@ -0,0 +1,87 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+server {
+    listen 80;
+    server_name portal.egonetix.de;
+
+    # Redirect all HTTP traffic to HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 10.0.0.29:443 ssl http2;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;
+
+    # Remove or update unsupported origin trial features.
+    # For example, comment out or remove these if not using them:
+    # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
+
+    # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
+
+    ssl on;
+    ssl_certificate     /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
+    ssl_dhparam         /etc/ssl/certs/dhparam.pem;
+
+    server_name portal.egonetix.de;
+    access_log /var/log/nginx/portal-access_log;
+    error_log  /var/log/nginx/portal-error_log;
+
+    root /var/www/html;
+    index index.html index.php;  # Added index.php as potential index file
+
+    # PHP Processing Configuration - Updated for PHP 8.1
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        
+        # Use PHP 8.1 socket (most common path on Ubuntu 22.04)
+        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+        
+        # Alternative options if the above doesn't work:
+        #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+        #fastcgi_pass 127.0.0.1:9000;
+        
+        # Increase timeout and buffer size for troubleshooting
+        fastcgi_connect_timeout 300;
+        fastcgi_read_timeout 300;
+        fastcgi_send_timeout 300;
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 16 16k;
+        
+        # Set the correct document root
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_intercept_errors on;
+    }
+
+    # Reverse proxy for KidsAI Explorer API calls
+    location /api/ {
+        proxy_pass http://127.0.0.1:3002/api/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        
+        # Add CORS headers for API requests
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
+        add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always;
+        add_header Access-Control-Allow-Credentials true always;
+        
+        # Handle preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header Access-Control-Allow-Origin $http_origin;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE";
+            add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With";
+            add_header Access-Control-Allow-Credentials true;
+            add_header Access-Control-Max-Age 1728000;
+            add_header Content-Type 'text/plain charset=UTF-8';
+            add_header Content-Length 0;
+            return 204;
+        }
+    }
+}
+

sites-available/portal.conf.backup-20251113-212344

@@ -0,0 +1,56 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+server {
+        listen       80;
+        server_name portal.egonetix.de;
+
+        # Redirect any HTTP request to HTTPS
+        return 301 https://$server_name$request_uri;
+
+}
+
+
+server {
+# The IP that you forwarded in your router (nginx proxy)
+  listen 10.0.0.29:443 ssl http2;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# Make site accessible from http://localhost/
+ server_name portal.egonetix.de;
+
+ access_log /var/log/nginx/portal-access_log;
+ error_log /var/log/nginx/portal-error_log;
+
+# return         301 https://$server_name$request_uri;
+# The internal IP of the VM that hosts your Apache config
+# set $upstream 10.0.0.10;
+
+root /var/www/html;
+    index index.html;
+
+#    location /.well-known {
+#            alias /var/www/sub.domain.com/.well-known;
+#    }
+
+# location / {
+ 
+# proxy_pass_header Authorization;
+# proxy_pass http://$upstream;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_http_version 1.1;
+# proxy_set_header Connection "";
+# proxy_buffering off;
+# client_max_body_size 0;
+# proxy_read_timeout 36000s;
+# proxy_redirect off; 
+#}
+}
+

sites-available/stream.conf

@@ -1,7 +1,19 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/stream/ levels=1:2 keys_zone=my_cache_stream:10m max_size=10g 
-                 inactive=60m use_temp_path=off;
+# Upstream with keepalive for streaming
+upstream stream_backend {
+    server 10.0.0.48:8096;
+    keepalive 32;
+    keepalive_requests 100;
+    keepalive_timeout 60s;
+}
+
+# WebSocket upgrade map
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
 server{
 listen 80;
 server_name stream.egonetix.de;
@@ -24,46 +36,43 @@ server {
  access_log /var/log/nginx/stream-access.log;
  error_log /var/log/nginx/stream-error.log;
 
+ # Gzip for text content only
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss;
+ gzip_min_length 1000;
+
  set $upstream 10.0.0.48;
 
+ # WebSocket for real-time updates
+ location /socket {
+     proxy_pass http://stream_backend;
+     proxy_http_version 1.1;
+     proxy_set_header Upgrade $http_upgrade;
+     proxy_set_header Connection $connection_upgrade;
+     proxy_set_header Host $host;
+     proxy_set_header X-Real-IP $remote_addr;
+     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+     proxy_buffering off;
+     proxy_read_timeout 7200s;
+ }
 
  location / {
 
- proxy_cache my_cache_stream;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass http://$upstream:8096;
+ proxy_pass http://stream_backend;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_http_version 1.1;
  proxy_set_header Connection "";
+ 
+ # No caching for media streams
  proxy_buffering off;
- client_max_body_size 0;
- proxy_read_timeout 36000s;
- proxy_redirect off;
- proxy_ssl_session_reuse off;
  
- }
-
- location /socket {
-
- proxy_cache my_cache_stream;
- proxy_cache_revalidate on;
- proxy_cache_min_uses 3;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- proxy_cache_lock on;
- proxy_pass_header Authorization;
- proxy_pass http://$upstream:8096;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
- proxy_buffering off;
  client_max_body_size 0;
  proxy_read_timeout 36000s;
  proxy_redirect off;

sites-available/stream.conf.backup-20251113-212344

@@ -0,0 +1,74 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/stream/ levels=1:2 keys_zone=my_cache_stream:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name stream.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/stream.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/stream.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name stream.egonetix.de;
+
+ access_log /var/log/nginx/stream-access.log;
+ error_log /var/log/nginx/stream-error.log;
+
+ set $upstream 10.0.0.48;
+
+
+ location / {
+
+ proxy_cache my_cache_stream;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8096;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /socket {
+
+ proxy_cache my_cache_stream;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8096;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+}

sites-available/sync.conf

@@ -1,7 +1,16 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/sync/ levels=1:2 keys_zone=my_cache_sync:10m max_size=10g 
+proxy_cache_path /var/cache/nginx/sync levels=1:2 keys_zone=my_cache_sync:10m max_size=2g 
                  inactive=60m use_temp_path=off;
+
+# Upstream with keepalive
+upstream sync_backend {
+    server 10.0.0.48:18089;
+    keepalive 16;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
 server{
 listen 80;
 server_name sync.egonetix.de;
@@ -24,6 +33,15 @@ server {
  access_log /var/log/nginx/sync-access_log;
  error_log /var/log/nginx/sync-error_log;
 
+ # Gzip compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss;
+ gzip_min_length 1000;
+
  set $upstream 10.0.0.48;
 
  location / {
@@ -34,7 +52,7 @@ server {
  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass http://$upstream:18089;
+ proxy_pass http://sync_backend;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

sites-available/sync.conf.backup-20251113-212344

@@ -0,0 +1,50 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/sync/ levels=1:2 keys_zone=my_cache_sync:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name sync.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/sync.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/sync.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name sync.egonetix.de;
+
+ access_log /var/log/nginx/sync-access_log;
+ error_log /var/log/nginx/sync-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_sync;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:18089;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}

sites-available/unifi.conf

@@ -1,7 +1,22 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/unifi/ levels=1:2 keys_zone=my_cache_unifi:10m max_size=10g 
+proxy_cache_path /var/cache/nginx/unifi levels=1:2 keys_zone=my_cache_unifi:10m max_size=2g 
                  inactive=60m use_temp_path=off;
+
+# Upstream with keepalive
+upstream unifi_backend {
+    server 10.0.0.48:8443;
+    keepalive 32;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
+# WebSocket upgrade map
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
 server{
 listen 80;
 server_name unifi.egonetix.de;
@@ -25,8 +40,31 @@ server {
  access_log /var/log/nginx/unifi-access_log;
  error_log /var/log/nginx/unifi-error_log;
 
+ # Gzip compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss;
+ gzip_min_length 1000;
+
  set $upstream 10.0.0.48;
 
+ # WebSocket support for UniFi real-time updates
+ location /wss/ {
+     proxy_pass https://unifi_backend;
+     proxy_http_version 1.1;
+     proxy_set_header Upgrade $http_upgrade;
+     proxy_set_header Connection $connection_upgrade;
+     proxy_set_header Host $host;
+     proxy_set_header X-Real-IP $remote_addr;
+     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+     proxy_buffering off;
+     proxy_read_timeout 7200s;
+     proxy_ssl_session_reuse off;
+ }
+
  location / {
 
  proxy_cache my_cache_unifi;
@@ -35,7 +73,7 @@ server {
  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass https://$upstream:8443;
+ proxy_pass https://unifi_backend;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

sites-available/unifi.conf.backup-20251113-212344

@@ -0,0 +1,52 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/unifi/ levels=1:2 keys_zone=my_cache_unifi:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name unifi.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/unifi.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/unifi.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name unifi.egonetix.de;
+
+ access_log /var/log/nginx/unifi-access_log;
+ error_log /var/log/nginx/unifi-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_unifi;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:8443;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}
+

sites-available/vscode.conf

@@ -0,0 +1,55 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+# Upstream with keepalive
+upstream vscode_backend {
+    server 10.0.0.48:8099;
+    keepalive 16;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
+server{
+    listen 80;
+    server_name vscode.egonetix.de;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 10.0.0.29:443 ssl http2;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # SSL config
+    ssl on;
+    ssl_certificate /etc/letsencrypt/live/vscode.egonetix.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vscode.egonetix.de/privkey.pem;
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+    server_name vscode.egonetix.de;
+
+    access_log /var/log/nginx/vscode-access_log;
+    error_log /var/log/nginx/vscode-error_log;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 5;
+    gzip_types text/plain text/css text/xml text/javascript 
+               application/json application/javascript application/xml+rss image/svg+xml;
+    gzip_min_length 1000;
+
+    location / {
+        proxy_pass http://vscode_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_buffering off;
+        client_max_body_size 0;
+        proxy_read_timeout 36000s;
+        proxy_redirect off;
+    }
+}

sites-available/wallabag.conf

@@ -1,7 +1,16 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/wallabag/ levels=1:2 keys_zone=my_cache_wallabag:10m max_size=10g 
+proxy_cache_path /var/cache/nginx/wallabag levels=1:2 keys_zone=my_cache_wallabag:10m max_size=2g 
                  inactive=60m use_temp_path=off;
+
+# Upstream with keepalive
+upstream wallabag_backend {
+    server 10.0.0.48:8087;
+    keepalive 16;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
 server{
 listen 80;
 server_name wallabag.egonetix.de;
@@ -24,8 +33,27 @@ server {
  access_log /var/log/nginx/wallabag-access_log;
  error_log /var/log/nginx/wallabag-error_log;
 
+ # Gzip compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss image/svg+xml;
+ gzip_min_length 1000;
+
  set $upstream 10.0.0.48;
 
+ # Static files with caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+     proxy_pass http://wallabag_backend;
+     proxy_cache my_cache_wallabag;
+     proxy_cache_valid 200 24h;
+     expires 24h;
+     add_header Cache-Control "public, immutable";
+     proxy_http_version 1.1;
+     proxy_set_header Connection "";
+ }
 
  location / {
 
@@ -35,7 +63,7 @@ server {
  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass http://$upstream:8087;
+ proxy_pass http://wallabag_backend;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

sites-available/wallabag.conf.backup-20251113-212344

@@ -0,0 +1,52 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/wallabag/ levels=1:2 keys_zone=my_cache_wallabag:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name wallabag.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/wallabag.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wallabag.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name wallabag.egonetix.de;
+
+ access_log /var/log/nginx/wallabag-access_log;
+ error_log /var/log/nginx/wallabag-error_log;
+
+ set $upstream 10.0.0.48;
+
+
+ location / {
+
+ proxy_cache my_cache_wallabag;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8087;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+}

sites-available/wiki.conf

@@ -1,7 +1,16 @@
 add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 
-proxy_cache_path /tmp/wiki/ levels=1:2 keys_zone=my_cache_wiki:10m max_size=10g         
+proxy_cache_path /var/cache/nginx/wiki levels=1:2 keys_zone=my_cache_wiki:10m max_size=2g         
                  inactive=60m use_temp_path=off;
+
+# Upstream with keepalive
+upstream wiki_backend {
+    server 10.0.0.10:443;
+    keepalive 16;
+    keepalive_requests 1000;
+    keepalive_timeout 60s;
+}
+
 server{
 	listen 80;
 	server_name wiki.egonetix.de;
@@ -25,8 +34,29 @@ server {
  access_log /var/log/nginx/wiki-access_log;
  error_log /var/log/nginx/wiki-error_log;
 
+ # Gzip compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css text/xml text/javascript 
+            application/json application/javascript application/xml+rss image/svg+xml;
+ gzip_min_length 1000;
+
  set $upstream 10.0.0.10;
 
+ # Static files with aggressive caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+     proxy_pass https://wiki_backend;
+     proxy_cache my_cache_wiki;
+     proxy_cache_valid 200 24h;
+     expires 24h;
+     add_header Cache-Control "public, immutable";
+     proxy_http_version 1.1;
+     proxy_set_header Connection "";
+     proxy_ssl_session_reuse off;
+ }
+
  location /wiki {
 
  proxy_cache my_cache_wiki;
@@ -35,7 +65,7 @@ server {
  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  proxy_cache_lock on;
  proxy_pass_header Authorization;
- proxy_pass https://$upstream;
+ proxy_pass https://wiki_backend;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

sites-available/wiki.conf.backup-20251113-212344

@@ -0,0 +1,51 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/wiki/ levels=1:2 keys_zone=my_cache_wiki:10m max_size=10g         
+                 inactive=60m use_temp_path=off;
+server{
+	listen 80;
+	server_name wiki.egonetix.de;
+	return 301 https://$server_name/wiki$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/wiki.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wiki.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name wiki.egonetix.de;
+
+ access_log /var/log/nginx/wiki-access_log;
+ error_log /var/log/nginx/wiki-error_log;
+
+ set $upstream 10.0.0.10;
+
+ location /wiki {
+
+ proxy_cache my_cache_wiki;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}

sites-enabled/blog.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/blog.conf

sites-enabled/dudle.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/dudle.conf

sites-enabled/element.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/element.conf

sites-enabled/email.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/email.conf

sites-enabled/feuer.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/feuer.conf

sites-enabled/flow.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/flow.conf

sites-enabled/gitea.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/gitea.conf

sites-enabled/helferlein.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/helferlein.conf

sites-enabled/hoarder.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/hoarder.conf

sites-enabled/jitsi.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/jitsi.conf

sites-enabled/ki.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/ki.conf

sites-enabled/kontakt_luftglanz.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/kontakt_luftglanz.conf

sites-enabled/mailgw.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/mailgw.conf

sites-enabled/mailgw03.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/mailgw03.conf

sites-enabled/matrix.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/matrix.conf

sites-enabled/nextcloud.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/nextcloud.conf

sites-enabled/office.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/office.conf

sites-enabled/owa.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/owa.conf

sites-enabled/plex.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/plex.conf

sites-enabled/portal.conf

@@ -0,0 +1,87 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+server {
+    listen 80;
+    server_name portal.egonetix.de;
+
+    # Redirect all HTTP traffic to HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 10.0.0.29:443 ssl http2;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;
+
+    # Remove or update unsupported origin trial features.
+    # For example, comment out or remove these if not using them:
+    # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
+
+    # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
+
+    ssl on;
+    ssl_certificate     /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
+    ssl_dhparam         /etc/ssl/certs/dhparam.pem;
+
+    server_name portal.egonetix.de;
+    access_log /var/log/nginx/portal-access_log;
+    error_log  /var/log/nginx/portal-error_log;
+
+    root /var/www/html;
+    index index.html index.php;  # Added index.php as potential index file
+
+    # PHP Processing Configuration - Updated for PHP 8.1
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        
+        # Use PHP 8.1 socket (most common path on Ubuntu 22.04)
+        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+        
+        # Alternative options if the above doesn't work:
+        #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+        #fastcgi_pass 127.0.0.1:9000;
+        
+        # Increase timeout and buffer size for troubleshooting
+        fastcgi_connect_timeout 300;
+        fastcgi_read_timeout 300;
+        fastcgi_send_timeout 300;
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 16 16k;
+        
+        # Set the correct document root
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_intercept_errors on;
+    }
+
+    # Reverse proxy for KidsAI Explorer API calls
+    location /api/ {
+        proxy_pass http://127.0.0.1:3001/api/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        
+        # Add CORS headers for API requests
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
+        add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always;
+        add_header Access-Control-Allow-Credentials true always;
+        
+        # Handle preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header Access-Control-Allow-Origin $http_origin;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE";
+            add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With";
+            add_header Access-Control-Allow-Credentials true;
+            add_header Access-Control-Max-Age 1728000;
+            add_header Content-Type 'text/plain charset=UTF-8';
+            add_header Content-Length 0;
+            return 204;
+        }
+    }
+}
+

sites-enabled/portal.conf.backup.working.20250929

@@ -0,0 +1,87 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+server {
+    listen 80;
+    server_name portal.egonetix.de;
+
+    # Redirect all HTTP traffic to HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 10.0.0.29:443 ssl http2;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;
+
+    # Remove or update unsupported origin trial features.
+    # For example, comment out or remove these if not using them:
+    # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
+
+    # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
+
+    ssl on;
+    ssl_certificate     /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
+    ssl_dhparam         /etc/ssl/certs/dhparam.pem;
+
+    server_name portal.egonetix.de;
+    access_log /var/log/nginx/portal-access_log;
+    error_log  /var/log/nginx/portal-error_log;
+
+    root /var/www/html;
+    index index.html index.php;  # Added index.php as potential index file
+
+    # PHP Processing Configuration - Updated for PHP 8.1
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        
+        # Use PHP 8.1 socket (most common path on Ubuntu 22.04)
+        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+        
+        # Alternative options if the above doesn't work:
+        #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+        #fastcgi_pass 127.0.0.1:9000;
+        
+        # Increase timeout and buffer size for troubleshooting
+        fastcgi_connect_timeout 300;
+        fastcgi_read_timeout 300;
+        fastcgi_send_timeout 300;
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 16 16k;
+        
+        # Set the correct document root
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_intercept_errors on;
+    }
+
+    # Reverse proxy for KidsAI Explorer API calls
+    location /api/ {
+        proxy_pass http://127.0.0.1:3001/api/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        
+        # Add CORS headers for API requests
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
+        add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always;
+        add_header Access-Control-Allow-Credentials true always;
+        
+        # Handle preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header Access-Control-Allow-Origin $http_origin;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE";
+            add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With";
+            add_header Access-Control-Allow-Credentials true;
+            add_header Access-Control-Max-Age 1728000;
+            add_header Content-Type 'text/plain charset=UTF-8';
+            add_header Content-Length 0;
+            return 204;
+        }
+    }
+}
+

sites-enabled/pwm.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/pwm.conf

sites-enabled/remote.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/remote.conf

sites-enabled/rezepte.conf

@@ -0,0 +1,62 @@
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/rezepte/ levels=1:2 keys_zone=my_cache_rezepte:10m max_size=10g 
+                 inactive=60m use_temp_path=off;
+
+upstream swarm_nodes {
+server 10.0.0.48:8090;
+}
+
+
+resolver 10.0.0.21;
+
+server{
+listen 80;
+server_name rezepte.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/rezepte.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rezepte.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name rezepte.egonetix.de;
+
+ access_log /var/log/nginx/rezepte-access_log;
+ error_log /var/log/nginx/rezepte-error_log;
+
+ set $upstream 10.0.0.48;
+ #set $upstream swarm_nodes;
+ #set $upstream 10.0.0.46;
+
+
+ location / {
+
+ proxy_cache my_cache_rezepte;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8090;
+# proxy_pass http://swarm_nodes;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+ }
+
+}

sites-enabled/srvhost03.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/srvhost03.conf

sites-enabled/stream.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/stream.conf

sites-enabled/subsonic.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/subsonic.conf

sites-enabled/sync.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/sync.conf

sites-enabled/unifi.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/unifi.conf

sites-enabled/wallabag.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/wallabag.conf

sites-enabled/wiki.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/wiki.conf

sites-enabled/zabbix.conf

@@ -0,0 +1 @@
+/etc/nginx/sites-available/zabbix.conf

snippets/fastcgi-php.conf

@@ -0,0 +1,13 @@
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+# Check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_index index.php;
+include fastcgi.conf;

snippets/snakeoil.conf

@@ -0,0 +1,5 @@
+# Self signed certificates generated by the ssl-cert package
+# Don't use them in a production server!
+
+ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

ssl/owa/fullchain11.pem

@@ -0,0 +1,63 @@
+-----BEGIN CERTIFICATE-----
+MIIGOTCCBSGgAwIBAgISBKClKnI+dZnfqsbuq4ZjRms+MA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA1MTIxNzIxNDFaFw0x
+ODA4MTAxNzIxNDFaMB8xHTAbBgNVBAMTFG93bmNsb3VkLmVnb25ldGl4LmRlMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7SgLzNyVN27WR0ETCBSotbgm
+k4ns/Z+GtaHYB1T21A+mRBzBwpEqWmekr1gLHLnwhqYtxKwm9DZo1zDsZcVdm7ZB
+9Y+Lna6Y5VWwXQ9AFqhfRxk0t8DfBWyZpRovJFEZeZYBPdVlGoRE2Qh6jkr9fdgx
+0FyFzCmQiXrRRPcDN26X9pFdHpBfc0xculbuBUEU8zI71sr9oCrxQo6VPy+YCyIN
+u0JB1tOMtYPMfGqUZZqj3LCR3D1NKeDXT8WJQWbpualaNq0V6olC5fwnwDtITQbE
+/gvQJVovxICB+YVbkq3Kdz9PrY4FSn2nrxLGChDwgNmcRfcw3RHuwAyEFthVvwID
+AQABo4IDQjCCAz4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSg38iz4G+wBaGcAEYE
+fUy4GLholDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
+BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
+cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
+cnlwdC5vcmcvMEQGA1UdEQQ9MDuCEmphYmJlci5lZ29uZXRpeC5kZYIPb3dhLmVn
+b25ldGl4LmRlghRvd25jbG91ZC5lZ29uZXRpeC5kZTCB/gYDVR0gBIH2MIHzMAgG
+BmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j
+cHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlm
+aWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVz
+IGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9s
+aWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkv
+MIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAVYHUwhaQNgFK6gubVzxT8MDkOHhw
+JQgXL6OqHQcT0wwAAAFjVZZGdAAABAMASDBGAiEAqHGwFg/DstseSNc+xeJEikp9
+F5l6l8p6Js9fZmXAJw0CIQC6J5KFA9/iqGFDaWOIk36wdH27rV24FVKRwnpCsl0o
+lQB2ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABY1WWRmAAAAQD
+AEcwRQIgThqD3DwSogvl9eL9s909W+SVCRsshezZVg2y+km8zJICIQDHCGsQCPDx
+yE/GQR4+ka474AUBQEL69ISJdE+ni6II2zANBgkqhkiG9w0BAQsFAAOCAQEAcdr2
+gJKinngvIXIrJxf/k75FgI5UgM/oxfsFgPiOR+ajJynUehXxNo0nn3ydKPzh2tEm
+9YMzyOIqw2jkrmQrYb+PLpV3oam2v11aPlVHP1kxte/ZHxeG3nprjjYT1zBG6GS9
+nPnexyOGMsWTRHhWQpRMzfrull80rxAHE5PV6JVbH5QaJN6CsSQGFRLNrKIuAf09
+tcpZuPu/ZUEDXXXicPRoAqBc7XM6sABKbG0THr3LjxmfsDvyXOCXqSapbVtG0Rlu
+kGWXaoVYS0cxGYKSIPsFMioWbxGr7iWzidTLihtC6qIU5gEGAZO0EsV/4uACiR0v
+8Q9eqYOQox4WZ19j0g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----

ssl/owa/privkey11.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDtKAvM3JU3btZH
+QRMIFKi1uCaTiez9n4a1odgHVPbUD6ZEHMHCkSpaZ6SvWAscufCGpi3ErCb0NmjX
+MOxlxV2btkH1j4udrpjlVbBdD0AWqF9HGTS3wN8FbJmlGi8kURl5lgE91WUahETZ
+CHqOSv192DHQXIXMKZCJetFE9wM3bpf2kV0ekF9zTFy6Vu4FQRTzMjvWyv2gKvFC
+jpU/L5gLIg27QkHW04y1g8x8apRlmqPcsJHcPU0p4NdPxYlBZum5qVo2rRXqiULl
+/CfAO0hNBsT+C9AlWi/EgIH5hVuSrcp3P0+tjgVKfaevEsYKEPCA2ZxF9zDdEe7A
+DIQW2FW/AgMBAAECggEBAI+541zmmjAcJhTM5WHSU2S+E/L6dfxHP/a3/RqEbYqb
+aWKCIxNtssNTaMUzkJh6P8D62WYGBx2eE+/GoJ4U/OQvks3ljvGjLNpgEiBz651P
+sV5/cimi5AZ/iKY8tjFGTTAYruvwdfOaEbeOoee2nuYzrgze5d+TmRsYqdcn9HUU
+kJOsCj/2EYxcc+lNJd/z1BVBDn/PPRQbmBuORGq9+MNsKtG6Y7uU7yQdJhFC318r
+h+QMPMLyACt6pL/eo5mZhO4smX7MuTzdf9DpvKnEe1saGI1jvbC9YQnhvDU7pVtK
+k45yOiXUWRgzZBqx++AqhRQxmLe98nCGqsllGUW3l0ECgYEA/SlkRoHTPpdijC+7
+aCf7zDUUyf7llAxC4+P+TmuPvSdsWWC9QtPzv0wblIcTD1PWSo+NUTs4uRyWztCC
+7T7Pd3wCCoKM1nDs2OhMALqNlMCyqlf1dSedG8ou2vfQHenmHJnETbCFS7Agsyiq
+7Ecw7V2Le8aREnQFVVyRzdSqqZECgYEA79C3lqT8pRdGnUNaUDFITOY/99NY6/+/
+SjT5pZtXILx2xQj6FmU9gGUWN/FdjHSiXJQMs3qmU27rYwoSuSRYeIvkLyhzrW/Z
+DF/usFbLH7529pinNAtylUPlJjUoCxHG0ql65puaAx27Hv/6n11Uvnn6pxHfqm2U
+ZWmDVOa84k8CgYBcQNsjvmeGZZAp2bMHT5q4XZeHzHVIr/coKIshdJzapyUapOAT
+HD20tj1OsLJHYZuzbABpW5VeD4b9MoqjfcIIno332n8MHfaRTIV1toWlcVsqLAds
+e9UKrXDJpoiWfge24GnijbLlU/d2khlHJOI1fWM45bEz8keHRcZ0JU1ToQKBgQCY
+Fct4E+XNZPd5YG90D+0EJ7lFl5j7AdP0Yag46EzXC+5egpTngwj/1hvDGqTzIDyf
+bZyobg3xN5S72HWLSIt612y8o3DI+vexK12aI1DqLsYPGTxgeyoNk2NNWcStUHbA
+vo6clO2VMFOtEzWDv5KwwXa+YU1xLdFAhyusui/rbQKBgQDiicQLNhZDniZTVA3/
+CfX4kG2A6tO4K3J+f6ZPICkdev+W6GAj8R/Bm5+deg+dUiFdwmu/qWbnehAEiqwq
+8AfK5Ij7pyGhN+Np+CZ2BC1ChmkWswyyk/y3EzxUF5iJMOidbu2PYW+9CUXbRWoF
+kt64PL2yDzUEPZRwCx5VWVc0Xw==
+-----END PRIVATE KEY-----

uwsgi_params

@@ -0,0 +1,17 @@
+
+uwsgi_param  QUERY_STRING       $query_string;
+uwsgi_param  REQUEST_METHOD     $request_method;
+uwsgi_param  CONTENT_TYPE       $content_type;
+uwsgi_param  CONTENT_LENGTH     $content_length;
+
+uwsgi_param  REQUEST_URI        $request_uri;
+uwsgi_param  PATH_INFO          $document_uri;
+uwsgi_param  DOCUMENT_ROOT      $document_root;
+uwsgi_param  SERVER_PROTOCOL    $server_protocol;
+uwsgi_param  REQUEST_SCHEME     $scheme;
+uwsgi_param  HTTPS              $https if_not_empty;
+
+uwsgi_param  REMOTE_ADDR        $remote_addr;
+uwsgi_param  REMOTE_PORT        $remote_port;
+uwsgi_param  SERVER_PORT        $server_port;
+uwsgi_param  SERVER_NAME        $server_name;