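# Breakpilot HTTPS Reverse Proxy (Hybrid Mode)
# HTTPS for Studio-v2 and all services it depends on.
# The Admin Website is served over HTTPS on port 3000 (see its server block);
# plain HTTP on port 80 does nothing but redirect to HTTPS.
#
# Every server block below terminates TLS with the same certificate/key pair
# and the same protocol/cipher settings. Keep those lines in sync when editing.
# Note that ssl_ciphers only governs TLS 1.2 suites; TLS 1.3 suites are not
# selected by that directive.
#
# Request routing convention used throughout:
#   - the upstream is first stored in a variable ("set $upstream_x host:port")
#     and then used in proxy_pass, so nginx resolves the container name at
#     request time via the Docker resolver instead of once at startup;
#   - X-Forwarded-For is built with $proxy_add_x_forwarded_for, which appends
#     $remote_addr to whatever the client already sent. Upstreams must trust
#     only the last (nginx-added) entry of that header, never the first.

# Docker internal DNS resolver (ipv6=off to avoid unreachable IPv6 addresses)
resolver 127.0.0.11 valid=10s ipv6=off;

# Send "Connection: upgrade" to an upstream only when the client actually asks
# for a protocol upgrade (WebSocket). For ordinary requests fall back to
# "close", which is what nginx sends on proxied HTTP/1.1 connections anyway.
# Previously every WebSocket-capable location hard-coded "Connection: upgrade"
# for all requests, including plain GET/POST. A map must live in the http
# context; this file is included there, as its server blocks require.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP -> HTTPS redirect (only for the listed host names).
# $host echoes the client's Host header, so the redirect stays on the host the
# client addressed rather than hard-coding one name.
server {
    listen 80;
    server_name macmini localhost;
    return 301 https://$host$request_uri;
}

# HTTPS - Admin Website on port 3000
server {
    listen 3000 ssl;
    http2 on;
    server_name macmini localhost;

    ssl_certificate     /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # Whole site goes to the website container; Upgrade headers are passed so
    # WebSocket connections (e.g. dev-server hot reload) work through the proxy.
    location / {
        set $upstream_website website:3000;
        proxy_pass http://$upstream_website;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTPS - Studio v2 (teacher frontend) on port 443
# Access: https://macmini/
server {
    listen 443 ssl;
    http2 on;
    server_name macmini localhost;

    ssl_certificate     /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # Jitsi Meet - video conferencing under /jitsi/
    # Jitsi loads its assets with absolute paths, so those paths have to be
    # routed to the Jitsi container as well. The regex locations below take
    # precedence over the "/" prefix location, so Studio v2 cannot serve
    # anything under those paths itself - a deliberate trade-off.

    # WebSocket for XMPP (Jitsi uses /xmpp-websocket); long timeouts keep idle
    # signalling connections alive for up to a day.
    location /xmpp-websocket {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }

    # Colibri WebSocket for the JVB (media bridge)
    location /colibri-ws {
        set $upstream_jvb jitsi-jvb:9090;
        proxy_pass http://$upstream_jvb;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }

    # BOSH HTTP binding (plain HTTP long-polling, no Upgrade needed)
    location /http-bind {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Jitsi static assets (CSS, JS, images, fonts, etc.)
    location ~ ^/(css|images|fonts|sounds|static|libs|lang|connection_optimization)/ {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Jitsi config and other root-level files.
    # The pattern is anchored with "$" so that only these exact paths match;
    # without it "config\.js" would also capture e.g. /config.json and send a
    # Studio v2 request to the Jitsi container.
    location ~ ^/(config\.js|interface_config\.js|logging_config\.js|external_api\.js|external_api\.min\.js|favicon\.ico|robots\.txt|manifest\.json|pwa-worker\.js)$ {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Jitsi Meet rooms (meeting URLs); the /jitsi prefix is stripped before
    # the request is handed to the Jitsi container.
    location /jitsi/ {
        set $upstream_jitsi jitsi-web:80;
        rewrite ^/jitsi(/.*)$ $1 break;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Klausur Service API proxy (same origin = no CORS/certificate issues).
    # Larger body limit and longer read timeout for exam uploads/processing.
    location /klausur-api/ {
        set $upstream_klausur klausur-service:8086;
        rewrite ^/klausur-api(/.*)$ $1 break;
        proxy_pass http://$upstream_klausur;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        client_max_body_size 50M;
        proxy_read_timeout 300s;
    }

    # Studio v2 (all remaining paths)
    location / {
        set $upstream_studio studio-v2:3001;
        proxy_pass http://$upstream_studio;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTPS - Voice Service on port 8091 (WebSocket support)
# No "http2 on" here: this listener is HTTP/1.1 only.
server {
    listen 8091 ssl;
    server_name macmini localhost;

    ssl_certificate     /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # WebSocket endpoint
    location /ws/ {
        set $upstream_voice voice-service:8091;
        proxy_pass http://$upstream_voice;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }

    # REST API
    location / {
        set $upstream_voice voice-service:8091;
        proxy_pass http://$upstream_voice;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTPS - Backend API on port 8000
server {
    listen 8000 ssl;
    http2 on;
    server_name macmini localhost;

    ssl_certificate     /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    location / {
        set $upstream_backend backend:8000;
        proxy_pass http://$upstream_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTPS - Klausur Service on port 8086
server {
    listen 8086 ssl;
    http2 on;
    server_name macmini localhost;

    ssl_certificate     /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # Exam uploads may exceed nginx's 1M default body limit.
    client_max_body_size 50M;

    location / {
        set $upstream_klausur klausur-service:8086;
        proxy_pass http://$upstream_klausur;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTPS - Admin v2 on port 3002
server {
    listen 3002 ssl;
    http2 on;
    server_name macmini localhost;

    ssl_certificate     /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # Proxy Klausur Service API requests (same origin = no CORS issues);
    # the /klausur-api prefix is stripped before forwarding.
    location /klausur-api/ {
        set $upstream_klausur klausur-service:8086;
        rewrite ^/klausur-api(/.*)$ $1 break;
        proxy_pass http://$upstream_klausur;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        client_max_body_size 50M;
        proxy_read_timeout 300s;
    }

    # Proxy SDK API requests to the AI Compliance SDK (same origin = no CORS issues).
    # Only /sdk/v1/ is forwarded to the SDK backend; /sdk/einwilligungen/* etc.
    # are frontend pages served by admin-v2 via the "/" location. The path is
    # passed through unchanged (no rewrite).
    location /sdk/v1/ {
        set $upstream_sdk ai-compliance-sdk:8090;
        proxy_pass http://$upstream_sdk;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Longer timeouts for LLM requests
        proxy_read_timeout 300s;
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
    }

    # Proxy documentation (MkDocs) - same origin = no mixed-content issues.
    # The /docs prefix is stripped before forwarding.
    location /docs/ {
        set $upstream_docs docs:80;
        rewrite ^/docs(/.*)$ $1 break;
        proxy_pass http://$upstream_docs;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Admin v2 frontend (all remaining paths)
    location / {
        set $upstream_admin_v2 admin-v2:3000;
        proxy_pass http://$upstream_admin_v2;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTPS - AI Compliance SDK on port 8093
# Multi-tenant RBAC, LLM gateway, audit trail
server {
    listen 8093 ssl;
    http2 on;
    server_name macmini localhost;

    ssl_certificate     /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # SDK endpoints - allow larger payloads for LLM requests
    client_max_body_size 10M;

    location / {
        set $upstream_sdk ai-compliance-sdk:8090;
        proxy_pass http://$upstream_sdk;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Longer timeouts for LLM requests
        proxy_read_timeout 300s;
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
    }
}

# HTTPS - Edu-Search Service on port 8089
# Proxies to the edu-search container listening on port 8088
server {
    listen 8089 ssl;
    http2 on;
    server_name macmini localhost;

    ssl_certificate     /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    location / {
        # Use Docker DNS to resolve the container name at request time
        set $upstream_edu_search breakpilot-edu-search:8088;
        proxy_pass http://$upstream_edu_search;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTPS - Jitsi Meet on port 8443
# Video conferencing for BreakPilot Meet (direct access, no /jitsi/ prefix)
server {
    listen 8443 ssl;
    http2 on;
    server_name macmini localhost;

    ssl_certificate     /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # WebSocket support for Jitsi XMPP
    location /xmpp-websocket {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }

    # Colibri WebSocket for the JVB
    location /colibri-ws {
        set $upstream_jvb jitsi-jvb:9090;
        proxy_pass http://$upstream_jvb;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }

    # All other Jitsi traffic
    location / {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}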