From 5dfbe886a4e9331ba34275a95f0b2d8a3a67f975 Mon Sep 17 00:00:00 2001 From: chahinebrini Date: Wed, 6 May 2026 14:12:31 +0200 Subject: [PATCH] fix(ops/nginx): sync configs aus /etc/nginx/sites-available/ vom rebreak-server MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mein vorheriger Push hatte ältere ops/nginx/-Versionen aus dem rebreak-monorepo. Server hatte ACME-Challenge, security-Headers (HSTS, X-Frame-Options, X-XSS), separate /webhook Location, X-Robots-Tag — alles war im Repo nicht drin. Geänderte/neue files: - staging.rebreak.org.conf — full version mit ACME + security - db-staging.rebreak.org.conf — minimal diff - default.conf — NEU - rebreak-staging-new.conf — NEU Live nginx selbst war nicht betroffen (nginx -t ok), Repo-Sources jetzt auf Live-Stand synchronisiert. --- ops/nginx/db-staging.rebreak.org.conf | 15 +++-- ops/nginx/default.conf | 91 +++++++++++++++++++++++++++ ops/nginx/rebreak-staging-new.conf | 58 +++++++++++++++++ ops/nginx/staging.rebreak.org.conf | 61 +++++++++++++----- 4 files changed, 204 insertions(+), 21 deletions(-) create mode 100644 ops/nginx/default.conf create mode 100644 ops/nginx/rebreak-staging-new.conf diff --git a/ops/nginx/db-staging.rebreak.org.conf b/ops/nginx/db-staging.rebreak.org.conf index 4fb4ae3..b7cb32e 100644 --- a/ops/nginx/db-staging.rebreak.org.conf +++ b/ops/nginx/db-staging.rebreak.org.conf @@ -1,23 +1,30 @@ server { listen 80; server_name db-staging.rebreak.org; - return 301 https://db-staging.rebreak.org$request_uri; + + location /.well-known/acme-challenge/ { + root /var/www/html; + } + + location / { + return 301 https://$host$request_uri; + } } server { listen 443 ssl; server_name db-staging.rebreak.org; - ssl_certificate /etc/letsencrypt/live/db-staging.rebreak.org/fullchain.pem; + ssl_certificate /etc/letsencrypt/live/db-staging.rebreak.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/db-staging.rebreak.org/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location = / { default_type application/json; return 200 '{"status":"ok","env":"staging"}'; } - # Direct WebSocket proxy to Supabase Realtime Rebreak-Staging (bypasses Kong) - # Port 54353 is mapped from the realtime-rebreak-staging container in docker-compose.rebreak-staging.yml location /realtime/v1/ { rewrite ^/realtime/v1/(.*)$ /socket/$1 break; proxy_pass http://127.0.0.1:54353; diff --git a/ops/nginx/default.conf b/ops/nginx/default.conf new file mode 100644 index 0000000..c5af914 --- /dev/null +++ b/ops/nginx/default.conf @@ -0,0 +1,91 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# https://www.nginx.com/resources/wiki/start/ +# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ +# https://wiki.debian.org/Nginx/DirectoryStructure +# +# In most cases, administrators will remove this file from sites-enabled/ and +# leave it as reference inside of sites-available where it will continue to be +# updated by the nginx packaging team. +# +# This file will automatically load configuration files provided by other +# applications, such as Drupal or Wordpress. These applications will be made +# available underneath a path with that package name, such as /drupal8. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name _; + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. + try_files $uri $uri/ =404; + } + + # pass PHP scripts to FastCGI server + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php-fpm (or other unix sockets): + # fastcgi_pass unix:/run/php/php7.4-fpm.sock; + # # With php-cgi (or other tcp sockets): + # fastcgi_pass 127.0.0.1:9000; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/ops/nginx/rebreak-staging-new.conf b/ops/nginx/rebreak-staging-new.conf new file mode 100644 index 0000000..ce436d3 --- /dev/null +++ b/ops/nginx/rebreak-staging-new.conf @@ -0,0 +1,58 @@ +server { + server_name staging-new.rebreak.org 49.13.55.22 _; + + location /.well-known/acme-challenge/ { + root /var/www/html; + } + + location /webhook { + proxy_pass http://127.0.0.1:9000/webhook; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + client_max_body_size 10M; + } + + location ~* ^/api/sse { + proxy_pass http://127.0.0.1:3016; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header Connection ""; + proxy_buffering off; + proxy_cache off; + proxy_read_timeout 3600s; + } + + location / { + proxy_pass http://127.0.0.1:3016; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300s; + client_max_body_size 50M; + } + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/staging-new.rebreak.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/staging-new.rebreak.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = staging-new.rebreak.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80 default_server; + server_name staging-new.rebreak.org 49.13.55.22 _; + return 404; # managed by Certbot + + +} \ No newline at end of file diff --git a/ops/nginx/staging.rebreak.org.conf b/ops/nginx/staging.rebreak.org.conf index 3d7507a..0a5a3a5 100644 --- a/ops/nginx/staging.rebreak.org.conf +++ b/ops/nginx/staging.rebreak.org.conf @@ -1,41 +1,68 @@ server { listen 80; server_name staging.rebreak.org; - return 301 https://staging.rebreak.org$request_uri; + + location /.well-known/acme-challenge/ { + root /var/www/html; + } + + location / { + return 301 https://$host$request_uri; + } } server { listen 443 ssl; server_name staging.rebreak.org; - ssl_certificate /etc/letsencrypt/live/staging.rebreak.org/fullchain.pem; + ssl_certificate /etc/letsencrypt/live/staging.rebreak.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/staging.rebreak.org/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY; + add_header X-XSS-Protection "1; mode=block"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - # Mailpit – Mail-Catcher Web UI + REST API (nur für Staging/Cypress) - location /mailpit/ { - proxy_pass http://127.0.0.1:54360/; + location /webhook { + proxy_pass http://127.0.0.1:9000/webhook; proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + client_max_body_size 10M; + proxy_read_timeout 60s; + } + + location ~* ^/api/sse { + proxy_pass http://127.0.0.1:3016; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Connection ''; + proxy_buffering off; + proxy_cache off; + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; + chunked_transfer_encoding on; } location / { - client_max_body_size 10m; proxy_pass http://127.0.0.1:3016; proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_cache_bypass $http_upgrade; + proxy_read_timeout 300s; + proxy_connect_timeout 60s; + client_max_body_size 50M; } }