# =================================================================== # Nginx Host-Level Konfiguration für Proxmox-Server # Meldestelle Project - Reverse Proxy Setup # =================================================================== # Installation auf Proxmox: # sudo cp meldestelle.conf /etc/nginx/sites-available/ # sudo ln -s /etc/nginx/sites-available/meldestelle.conf /etc/nginx/sites-enabled/ # sudo nginx -t && sudo systemctl reload nginx # =================================================================== # Upstream-Definitionen für Container-Services upstream meldestelle-web-app { server localhost:4000; } upstream meldestelle-desktop-vnc { server localhost:6080; } upstream meldestelle-api-gateway { server localhost:8081; } # =================================================================== # Web-App (Hauptanwendung) # =================================================================== server { listen 80; server_name meldestelle.yourdomain.com; # Security Headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Logging access_log /var/log/nginx/meldestelle-web.access.log; error_log /var/log/nginx/meldestelle-web.error.log; # Reverse Proxy zur Web-App location / { proxy_pass http://meldestelle-web-app; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $server_name; # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; # Buffering proxy_buffering on; proxy_buffer_size 4k; proxy_buffers 8 4k; } # Health-Check Endpoint location /health { proxy_pass http://meldestelle-web-app/health; access_log off; } } # =================================================================== # Desktop-VNC (noVNC Web-Interface) # =================================================================== server { listen 80; server_name vnc.meldestelle.yourdomain.com; # Logging access_log /var/log/nginx/meldestelle-vnc.access.log; error_log /var/log/nginx/meldestelle-vnc.error.log; # Reverse Proxy zum VNC-Container location / { proxy_pass http://meldestelle-desktop-vnc; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket Support für noVNC proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Origin ""; # VNC-spezifische Timeouts proxy_connect_timeout 60s; proxy_send_timeout 3600s; proxy_read_timeout 3600s; # Buffering deaktivieren für Real-time proxy_buffering off; } } # =================================================================== # API-Gateway (Direkter Zugriff) # =================================================================== server { listen 80; server_name api.meldestelle.yourdomain.com; # Logging access_log /var/log/nginx/meldestelle-api.access.log; error_log /var/log/nginx/meldestelle-api.error.log; # CORS Headers für API-Zugriff add_header Access-Control-Allow-Origin "*" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" always; # Reverse Proxy zum API-Gateway location / { # Handle preflight requests if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"; add_header Access-Control-Max-Age 86400; add_header Content-Length 0; add_header Content-Type text/plain; return 204; } proxy_pass http://meldestelle-api-gateway; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # API-spezifische Timeouts proxy_connect_timeout 30s; proxy_send_timeout 60s; proxy_read_timeout 60s; } # Health-Check Endpoint location /actuator/health { proxy_pass http://meldestelle-api-gateway/actuator/health; access_log off; } } # =================================================================== # SSL/HTTPS Konfiguration (Optional - für Cloudflare) # =================================================================== # Uncomment für HTTPS mit Let's Encrypt oder Cloudflare: # # server { # listen 443 ssl http2; # server_name meldestelle.yourdomain.com; # # ssl_certificate /etc/ssl/certs/meldestelle.crt; # ssl_certificate_key /etc/ssl/private/meldestelle.key; # # # SSL Configuration # ssl_protocols TLSv1.2 TLSv1.3; # ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512; # ssl_prefer_server_ciphers off; # ssl_session_cache shared:SSL:10m; # # # Rest der Web-App Konfiguration hier... # } # =================================================================== # HTTP -> HTTPS Redirect (Optional) # =================================================================== # Uncomment für automatische HTTPS-Weiterleitung: # # server { # listen 80; # server_name meldestelle.yourdomain.com vnc.meldestelle.yourdomain.com api.meldestelle.yourdomain.com; # return 301 https://$server_name$request_uri; # }