fix(ops/nginx): sync configs aus /etc/nginx/sites-available/ vom rebreak-server

Mein vorheriger Push hatte ältere ops/nginx/-Versionen aus dem rebreak-monorepo.
Server hatte ACME-Challenge, security-Headers (HSTS, X-Frame-Options, X-XSS),
separate /webhook Location, X-Robots-Tag — alles war im Repo nicht drin.

Geänderte/neue files:
- staging.rebreak.org.conf — full version mit ACME + security
- db-staging.rebreak.org.conf — minimal diff
- default.conf — NEU
- rebreak-staging-new.conf — NEU

Live nginx selbst war nicht betroffen (nginx -t ok), Repo-Sources jetzt
auf Live-Stand synchronisiert.

ops/nginx/db-staging.rebreak.org.conf

@@ -1,7 +1,14 @@
 server {
     listen 80;
     server_name db-staging.rebreak.org;
-    return 301 https://db-staging.rebreak.org$request_uri;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 server {
@@ -10,14 +17,14 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/db-staging.rebreak.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/db-staging.rebreak.org/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location = / {
         default_type application/json;
         return 200 '{"status":"ok","env":"staging"}';
     }
 
-    # Direct WebSocket proxy to Supabase Realtime Rebreak-Staging (bypasses Kong)
-    # Port 54353 is mapped from the realtime-rebreak-staging container in docker-compose.rebreak-staging.yml
     location /realtime/v1/ {
         rewrite ^/realtime/v1/(.*)$ /socket/$1 break;
         proxy_pass http://127.0.0.1:54353;

ops/nginx/default.conf

@@ -0,0 +1,91 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name _;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php-fpm (or other unix sockets):
+	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}

ops/nginx/rebreak-staging-new.conf

@@ -0,0 +1,58 @@
+server {
+    server_name staging-new.rebreak.org 49.13.55.22 _;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    location /webhook {
+        proxy_pass http://127.0.0.1:9000/webhook;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        client_max_body_size 10M;
+    }
+
+    location ~* ^/api/sse {
+        proxy_pass http://127.0.0.1:3016;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header Connection "";
+        proxy_buffering off;
+        proxy_cache off;
+        proxy_read_timeout 3600s;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:3016;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 300s;
+        client_max_body_size 50M;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/staging-new.rebreak.org/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/staging-new.rebreak.org/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = staging-new.rebreak.org) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80 default_server;
+    server_name staging-new.rebreak.org 49.13.55.22 _;
+    return 404; # managed by Certbot
+
+
+}

ops/nginx/staging.rebreak.org.conf

@@ -1,7 +1,14 @@
 server {
     listen 80;
     server_name staging.rebreak.org;
-    return 301 https://staging.rebreak.org$request_uri;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 server {
@@ -13,29 +20,49 @@ server {
     include /etc/letsencrypt/options-ssl-nginx.conf;
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
-    add_header X-Robots-Tag "noindex, nofollow" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 
-    # Mailpit – Mail-Catcher Web UI + REST API (nur für Staging/Cypress)
+    location /webhook {
-    location /mailpit/ {
+        proxy_pass http://127.0.0.1:9000/webhook;
-        proxy_pass http://127.0.0.1:54360/;
         proxy_http_version 1.1;
-        proxy_set_header Upgrade       $http_upgrade;
-        proxy_set_header Connection    "upgrade";
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        client_max_body_size 10M;
+        proxy_read_timeout 60s;
+    }
+
+    location ~* ^/api/sse {
+        proxy_pass http://127.0.0.1:3016;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Connection '';
+        proxy_buffering off;
+        proxy_cache off;
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+        chunked_transfer_encoding on;
     }
 
     location / {
-        client_max_body_size 10m;
         proxy_pass http://127.0.0.1:3016;
         proxy_http_version 1.1;
-        proxy_set_header Upgrade       $http_upgrade;
-        proxy_set_header Connection    "upgrade";
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_cache_bypass $http_upgrade;
+        proxy_read_timeout 300s;
+        proxy_connect_timeout 60s;
+        client_max_body_size 50M;
     }
 }