breakpilot-pwa/nginx/conf.d/default.conf
Benjamin Admin 70f2b0ae64 refactor: Consolidate standalone services into admin-v2, add new SDK modules
Remove standalone services (ai-compliance-sdk root, developer-portal,
dsms-gateway, dsms-node, night-scheduler) and legacy compliance/dsgvo pages.
Add new SDK pipeline modules (academy, document-crawler, dsb-portal,
incidents, whistleblower, reporting, sso, multi-tenant, industry-templates).
Add drafting engine, legal corpus files (AT/CH/DE), pitch-deck,
blog and Förderantrag pages.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-15 09:05:18 +01:00


# Breakpilot HTTPS Reverse Proxy (Hybrid Mode)
# HTTPS for Studio-v2 and all services it depends on
# Admin Website (port 3000) accessible via HTTP directly
# NOTE(review): the port-3000 server block in this file listens with "ssl", so through
# this proxy the admin website is HTTPS-only; the "via HTTP directly" line presumably
# refers to a port published by the website container itself - confirm.
# Docker internal DNS resolver (ipv6=off to avoid unreachable IPv6 addresses)
# Required because every proxy_pass in this file takes its target from a variable, which
# makes nginx resolve the container name at request time instead of at startup.
# valid=10s overrides the DNS TTL, so each answer is cached for 10 seconds.
resolver 127.0.0.11 valid=10s ipv6=off;
# Plain-HTTP listener on port 80: every request is answered with a permanent (301)
# redirect to the same host and URI over HTTPS on the default port. The other TLS
# ports defined in this file have no HTTP counterpart.
# NOTE(review): $host falls back to the client's Host header. This is the only port-80
# server in this file, so unless another config file defines one it is also the default
# server and the redirect target reflects whatever Host the client sent - confirm that
# is acceptable, or pin the target to a fixed name.
server {
    server_name macmini localhost;
    listen 80;

    return 301 https://$host$request_uri;
}
# Admin website: TLS is terminated on port 3000 and traffic is forwarded to the
# "website" container. The hop to the container is plain HTTP, so confidentiality
# on that leg depends on the Docker network.
# NOTE(review): no allow/deny or auth directive in this block; access control is
# left entirely to the application - confirm.
server {
    server_name macmini localhost;
    listen 3000 ssl;
    http2 on;

    # TLS 1.2 and 1.3 only. ssl_ciphers governs the TLS 1.2 suites (ECDHE with
    # AES-128-GCM); with server preference off the client's ordering decides.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_certificate /etc/nginx/certs/macmini.crt;

    location / {
        # Target held in a variable so the name is looked up through "resolver"
        # at request time.
        set $upstream_website website:3000;
        proxy_pass http://$upstream_website;
        proxy_http_version 1.1;

        # Original host, client address and scheme for the application.
        # X-Forwarded-For is the client's own header with $remote_addr appended, so
        # only the last entry (or X-Real-IP) is trustworthy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # WebSocket upgrade pass-through.
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;
    }
}
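# HTTPS - Studio v2 (teacher frontend) on port 443
# Access: https://macmini/
# This server also carries Jitsi Meet and the Klausur API so the browser sees a single
# origin. All upstream hops are plain HTTP on the Docker network.
server {
    listen 443 ssl;
    http2 on;
    server_name macmini localhost;

    # TLS 1.2 and 1.3 only; ssl_ciphers governs the TLS 1.2 suites.
    ssl_certificate /etc/nginx/certs/macmini.crt;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # Jitsi Meet - video conferencing under /jitsi/
    # Jitsi loads its assets with absolute paths, so those paths are routed here too.
    # In every location below, X-Forwarded-For is the client's own header with
    # $remote_addr appended; backends should trust only the last entry or X-Real-IP.

    # WebSocket for XMPP (Jitsi uses /xmpp-websocket)
    location /xmpp-websocket {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # 86400 s = 24 h, so an idle signalling socket is not cut by the proxy.
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }

    # Colibri WebSocket for the JVB (video bridge)
    location /colibri-ws {
        set $upstream_jvb jitsi-jvb:9090;
        proxy_pass http://$upstream_jvb;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }

    # BOSH HTTP binding
    location /http-bind {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Jitsi static assets (CSS, JS, images, fonts, etc.)
    # Regex locations win over the prefix locations below, so these top-level
    # directories always go to Jitsi and never to Studio v2.
    location ~ ^/(css|images|fonts|sounds|static|libs|lang|connection_optimization)/ {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Jitsi config and other root-level files
    # The pattern is anchored with "$" so that only these exact file names are sent to
    # Jitsi. Without the anchor any path that merely starts with one of them (for example
    # /config.json or /robots.txt/x) was also taken away from Studio v2.
    location ~ ^/(config\.js|interface_config\.js|logging_config\.js|external_api\.js|external_api\.min\.js|favicon\.ico|robots\.txt|manifest\.json|pwa-worker\.js)$ {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Jitsi Meet rooms (meeting URLs)
    location /jitsi/ {
        set $upstream_jitsi jitsi-web:80;
        # Strip the /jitsi prefix. "set" must stay above this line: "break" stops all
        # further rewrite-module directives in the location.
        rewrite ^/jitsi(/.*)$ $1 break;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Klausur Service API proxy (same origin = no CORS/certificate issues)
    location /klausur-api/ {
        set $upstream_klausur klausur-service:8086;
        # Strip the /klausur-api prefix before forwarding; "set" must precede "break".
        rewrite ^/klausur-api(/.*)$ $1 break;
        proxy_pass http://$upstream_klausur;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Request bodies up to 50 MB and a 5-minute read timeout for this API only.
        client_max_body_size 50M;
        proxy_read_timeout 300s;
    }

    # Studio v2 (all other paths)
    location / {
        set $upstream_studio studio-v2:3001;
        proxy_pass http://$upstream_studio;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}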
# Voice service: TLS is terminated on port 8091 and traffic is forwarded over plain
# HTTP to the voice-service container. /ws/ carries WebSockets, everything else is
# the REST API. Unlike the other TLS servers in this file, this one does not enable
# HTTP/2.
server {
    server_name macmini localhost;
    listen 8091 ssl;

    # TLS 1.2 and 1.3 only; ssl_ciphers governs the TLS 1.2 suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_certificate /etc/nginx/certs/macmini.crt;

    # WebSocket endpoint
    location /ws/ {
        set $upstream_voice voice-service:8091;
        proxy_pass http://$upstream_voice;
        proxy_http_version 1.1;

        # X-Forwarded-For is the client's own header with $remote_addr appended; only
        # the last entry (or X-Real-IP) is trustworthy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Upgrade handshake is passed through to the service.
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;

        # 86400 s = 24 h in both directions, so idle sockets are not cut by the proxy.
        proxy_send_timeout 86400;
        proxy_read_timeout 86400;
    }

    # REST API (no Upgrade headers forwarded)
    location / {
        set $upstream_voice voice-service:8091;
        proxy_pass http://$upstream_voice;
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
# Backend API: TLS is terminated on port 8000 and traffic is forwarded over plain
# HTTP to the backend container.
# NOTE(review): the whole API is reachable through this port with no allow/deny or
# auth directive at the proxy; authentication is left to the backend - confirm.
server {
    server_name macmini localhost;
    listen 8000 ssl;
    http2 on;

    # TLS 1.2 and 1.3 only; ssl_ciphers governs the TLS 1.2 suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_certificate /etc/nginx/certs/macmini.crt;

    location / {
        # Variable target, so the name is resolved at request time via "resolver".
        set $upstream_backend backend:8000;
        proxy_pass http://$upstream_backend;
        proxy_http_version 1.1;

        # X-Forwarded-For is the client's own header with $remote_addr appended; the
        # backend should trust only the last entry or X-Real-IP.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}
# Klausur service: TLS is terminated on port 8086 and traffic is forwarded over
# plain HTTP to the klausur-service container.
server {
    server_name macmini localhost;
    listen 8086 ssl;
    http2 on;

    # TLS 1.2 and 1.3 only; ssl_ciphers governs the TLS 1.2 suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_certificate /etc/nginx/certs/macmini.crt;

    # Request bodies up to 50 MB are accepted anywhere on this server.
    client_max_body_size 50M;

    location / {
        set $upstream_klausur klausur-service:8086;
        proxy_pass http://$upstream_klausur;
        proxy_http_version 1.1;

        # X-Forwarded-For is the client's own header with $remote_addr appended; only
        # the last entry (or X-Real-IP) is trustworthy.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}
# Admin v2: TLS is terminated on port 3002. Besides the admin-v2 application, this
# origin also exposes the Klausur API and the MkDocs documentation, so the browser
# sees one origin. All upstream hops are plain HTTP.
# NOTE(review): no allow/deny or auth directive in this block; access control for the
# admin UI, the API and the docs is left to the backends - confirm.
server {
    server_name macmini localhost;
    listen 3002 ssl;
    http2 on;

    # TLS 1.2 and 1.3 only; ssl_ciphers governs the TLS 1.2 suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_certificate /etc/nginx/certs/macmini.crt;

    # Klausur Service API, served from the same origin to avoid CORS problems.
    location /klausur-api/ {
        # "set" has to come first: "break" on the rewrite stops every later
        # rewrite-module directive in this location.
        set $upstream_klausur klausur-service:8086;
        rewrite ^/klausur-api(/.*)$ $1 break;
        proxy_pass http://$upstream_klausur;
        proxy_http_version 1.1;

        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;

        # 5-minute read timeout and 50 MB bodies for this API only.
        proxy_read_timeout 300s;
        client_max_body_size 50M;
    }

    # Documentation (MkDocs), served from the same origin to avoid mixed content.
    location /docs/ {
        # The /docs prefix is removed before the request reaches the docs container.
        set $upstream_docs docs:80;
        rewrite ^/docs(/.*)$ $1 break;
        proxy_pass http://$upstream_docs;
        proxy_http_version 1.1;

        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }

    # Everything else goes to the admin-v2 application.
    location / {
        set $upstream_admin_v2 admin-v2:3000;
        proxy_pass http://$upstream_admin_v2;
        proxy_http_version 1.1;

        # X-Forwarded-For is the client's own header with $remote_addr appended; only
        # the last entry (or X-Real-IP) is trustworthy.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;

        # WebSocket upgrade pass-through.
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;
    }
}
# Edu-Search service: TLS is terminated on port 8089. The container itself listens
# on 8088, so the public and internal port numbers differ. The upstream hop is
# plain HTTP.
server {
    server_name macmini localhost;
    listen 8089 ssl;
    http2 on;

    # TLS 1.2 and 1.3 only; ssl_ciphers governs the TLS 1.2 suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_certificate /etc/nginx/certs/macmini.crt;

    location / {
        # The container name is resolved through Docker DNS at request time.
        set $upstream_edu_search breakpilot-edu-search:8088;
        proxy_pass http://$upstream_edu_search;
        proxy_http_version 1.1;

        # X-Forwarded-For is the client's own header with $remote_addr appended; only
        # the last entry (or X-Real-IP) is trustworthy.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}
# Jitsi Meet (video conferencing for BreakPilot Meet): TLS is terminated on port 8443.
# Signalling WebSockets go to jitsi-web, the Colibri WebSocket goes to the video
# bridge (jitsi-jvb), and all remaining paths go to jitsi-web. Upstream hops are
# plain HTTP.
server {
    server_name macmini localhost;
    listen 8443 ssl;
    http2 on;

    # TLS 1.2 and 1.3 only; ssl_ciphers governs the TLS 1.2 suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_certificate_key /etc/nginx/certs/macmini.key;
    ssl_certificate /etc/nginx/certs/macmini.crt;

    # XMPP over WebSocket
    location /xmpp-websocket {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;

        # X-Forwarded-For is the client's own header with $remote_addr appended; only
        # the last entry (or X-Real-IP) is trustworthy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;

        # 86400 s = 24 h, so an idle signalling socket is not cut by the proxy.
        proxy_send_timeout 86400;
        proxy_read_timeout 86400;
    }

    # Colibri WebSocket for the JVB
    location /colibri-ws {
        set $upstream_jvb jitsi-jvb:9090;
        proxy_pass http://$upstream_jvb;
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;

        proxy_send_timeout 86400;
        proxy_read_timeout 86400;
    }

    # All remaining Jitsi traffic (default read/send timeouts apply here)
    location / {
        set $upstream_jitsi jitsi-web:80;
        proxy_pass http://$upstream_jitsi;
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;
    }
}