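# -----------------------------
# Proxmox (VPN only)
# -----------------------------
# Reverse proxy for the Proxmox web UI listening on loopback port 8006.
# NOTE(review): besides 10.10.0.0/24 (presumably the VPN subnet; confirm) the
# ACL also admits 172.17.0.0/16, 172.18.0.0/16 and 172.19.0.0/16. Those look
# like container bridge ranges; if so, every workload on them passes the ACL,
# which is wider than "VPN only". Remove the ranges that are not required.
# NOTE(review): no "default_server" is visible in this file. If none is set
# elsewhere, the first 443 block loaded also answers unknown host names and
# presents its certificate for them; confirm which block that is.
server {
    listen 443 ssl http2;
    server_name proxmox.cutemeli.com;

    ssl_certificate     /etc/ssl/certs/proxmox.pem;
    ssl_certificate_key /etc/ssl/private/proxmox.key;

    # Source-address ACL: rules are checked in order, first match decides.
    allow 127.0.0.1;
    allow 10.10.0.0/24;
    allow 172.17.0.0/16;
    allow 172.18.0.0/16;
    allow 172.19.0.0/16;
    deny all;

    location / {
        proxy_pass https://127.0.0.1:8006;
        # The upstream certificate is not verified. That is tolerable only
        # because the hop stays on loopback; do not copy this to a remote
        # upstream without proxy_ssl_trusted_certificate + verification.
        proxy_ssl_verify off;

        # The Upgrade handshake (WebSocket) requires HTTP/1.1 towards the
        # upstream; without this the Upgrade/Connection headers below have
        # no effect.
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# -----------------------------
# Git
# -----------------------------
# Reverse proxy for the Git service on loopback port 3001.
# The address restrictions below are commented out, so this vhost is
# reachable from any source address; authentication is left entirely to the
# backend.
server {
    listen 443 ssl http2;
    server_name git.cutemeli.com;

    ssl_certificate     /etc/ssl/certs/git.pem;
    ssl_certificate_key /etc/ssl/private/git.key;

    #allow 10.10.0.0/24;
    #allow 127.0.0.1;
    #deny all;

    # Large request bodies are accepted (pushes / uploads up to 5 GiB).
    client_max_body_size 5g;

    location / {
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host $host;
        # X-Real-IP carries the address nginx actually saw.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so only the last entry is
        # trustworthy; the backend must be configured accordingly.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 3600;
        proxy_redirect off;
    }
}

# -----------------------------
# Nextcloud
# -----------------------------
# Reverse proxy for Nextcloud on loopback port 8080; no address ACL.
server {
    listen 443 ssl http2;
    server_name share.cutemeli.com;

    ssl_certificate     /etc/ssl/certs/share.pem;
    ssl_certificate_key /etc/ssl/private/share.key;

    client_max_body_size 2G;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 3600;
        proxy_redirect off;
    }

    # Required for DAV / calendar / contacts discovery
    location = /.well-known/carddav { return 301 /remote.php/dav; }
    location = /.well-known/caldav  { return 301 /remote.php/dav; }

    # Optional, for federation, Talk, etc.
    location ^~ /.well-known {
        proxy_pass http://127.0.0.1:8080;
        # proxy_set_header is not inherited from the sibling "location /".
        # Without these lines the backend receives Host "127.0.0.1:8080"
        # and no client address / scheme information for these requests.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# -----------------------------
# Monitoring (VPN only)
# -----------------------------
# Reverse proxy for the monitoring UI on loopback port 8082, limited to
# 10.10.0.0/24 and localhost.
server {
    listen 443 ssl http2;
    server_name monitor.cutemeli.com;

    ssl_certificate     /etc/ssl/certs/monitor.pem;
    ssl_certificate_key /etc/ssl/private/monitor.key;

    allow 10.10.0.0/24;
    allow 127.0.0.1;
    deny all;

    location / {
        proxy_pass http://127.0.0.1:8082;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# -----------------------------
# Vaultwarden
# -----------------------------
# Reverse proxy for the password vault on loopback port 8081.
# There is no address ACL here, so the vault is reachable from any source
# address and relies on its own authentication and rate limiting.
server {
    listen 443 ssl http2;
    server_name vault.cutemeli.com;

    ssl_certificate     /etc/ssl/certs/vault.pem;
    ssl_certificate_key /etc/ssl/private/vault.key;

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        # Vaultwarden takes the client address from X-Real-IP by default
        # (IP_HEADER). Without it every request appears to come from
        # 127.0.0.1, which defeats per-client login throttling and makes
        # the auth log useless for fail2ban-style blocking.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # For WebSocket sync with browser extensions
    location /notifications/hub {
        proxy_pass http://127.0.0.1:8081;
        # WebSocket upgrade requires HTTP/1.1 towards the upstream.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Headers from "location /" are not inherited; repeat them.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# -----------------------------
# Redirect HTTP -> HTTPS
# -----------------------------
# Plain-HTTP listener that only issues a permanent redirect to HTTPS.
# NOTE(review): $host is taken from the request. If this block ends up being
# the default server for port 80, host names outside the list below are
# echoed into the Location header as well; a separate catch-all server that
# closes the connection (return 444) would avoid that. Confirm against the
# rest of the configuration.
# NOTE(review): port 80 listens on IPv6 too, but no [::]:443 listener is
# visible in this file; confirm IPv6 clients are not redirected to a port
# nothing answers on.
server {
    listen 80;
    listen [::]:80;
    server_name git.cutemeli.com proxmox.cutemeli.com share.cutemeli.com monitor.cutemeli.com vault.cutemeli.com;

    return 301 https://$host$request_uri;
}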