m

.gitignore

@@ -5,6 +5,11 @@ volumes/html/*
 !volumes/html/dl.zinomedia.de
 !volumes/html/pkrstarsbot.zinomedia.de
 !volumes/logs/
+!volumes/html/registry.zinomedia.de
+!volumes/html/registryui.zinomedia.de
+!volumes/html/mtail.zinomedia.de
+!volumes/html/metrics.registry.zinomedia.de
+!volumes/html/etherpad.zinomedia.de
 
 # Ignore contents of these directories
 volumes/html/dl.zinomedia.de/*
@@ -12,4 +17,4 @@ volumes/html/pkrstarsbot.zinomedia.de/*
 volumes/logs/*
 
 # Do not ignore a special file name
-!.gitkeep
+!.gitkeep

docker-compose.yml

@@ -1,4 +1,3 @@
-version: "3.8"
 services:
   nginx:
     image: nginx:latest

volumes/conf.d/code.zinomedia.de.conf

@@ -1,11 +1,8 @@
-#log_format custom2 '[$time_iso8601] CODE | request_uri: $request_uri | status: $status | http_host: $http_host | auth_resp_x_vouch_user: $auth_resp_x_vouch_user | upstream_http_x_vouch_user: $upstream_http_x_vouch_user | auth_resp_jwt: $auth_resp_jwt | upstream_http_x_vouch_jwt: $upstream_http_x_vouch_jwt | auth_resp_err: $auth_resp_err | upstream_http_x_vouch_err: $upstream_http_x_vouch_err | auth_resp_failcount: $auth_resp_failcount | upstream_http_x_vouch_failcount: $upstream_http_x_vouch_failcount';
-
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
     server_name code.zinomedia.de;
 
-    #access_log /var/log/nginx/access.log custom2;
     access_log off;
     error_log /var/log/nginx/error.log debug;
 
@@ -15,8 +12,6 @@ server {
     include "snippets/ssl-optimizations.conf";
     include "snippets/enable-vouch.conf";
 
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always;
-
     location / {
         resolver 127.0.0.11;
         set $upstream "http://code-server:8443";

volumes/conf.d/etherpad.zinomedia.de.conf

@@ -0,0 +1,66 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name etherpad.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/etherpad.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/etherpad.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    auth_basic "Protected";
+    auth_basic_user_file /usr/share/nginx/html/etherpad.zinomedia.de/.htpasswd;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://etherpad:9001";
+
+        rewrite ^/$ / break;
+        rewrite ^/locales/(.*) /locales/$1 break;
+        rewrite ^/locales.json /locales.json break;
+        rewrite ^/admin(.*) /admin$1 break;
+        rewrite ^/p/(.*) /p/$1 break;
+        rewrite ^/static/(.*) /static/$1 break;
+        rewrite ^/pluginfw/(.*) /pluginfw/$1 break;
+        rewrite ^/javascripts/(.*) /javascripts/$1 break;
+        rewrite ^/socket.io/(.*) /socket.io/$1 break;
+        rewrite ^/ep/(.*) /ep/$1 break;
+        rewrite ^/minified/(.*) /minified/$1 break;
+        rewrite ^/api/(.*) /api/$1 break;
+        rewrite ^/ro/(.*) /ro/$1 break;
+        rewrite ^/error/(.*) /error/$1 break;
+        rewrite ^/jserror(.*) /jserror$1 break;
+        rewrite ^/redirect(.*) /redirect$1 break;
+        rewrite ^/(.*\.js) /$1 break;
+        rewrite /favicon.ico /favicon.ico break;
+        rewrite /robots.txt /robots.txt break;
+        rewrite /(.*) /p/$1;
+
+        proxy_pass $upstream;
+
+        proxy_buffering off;
+        proxy_set_header Host $host;
+        proxy_pass_header Server;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name etherpad.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/ha.zinomedia.de.conf

@@ -17,6 +17,8 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Frame-Options SAMEORIGIN;
         proxy_set_header X-Content-Type-Options nosniff;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
         proxy_connect_timeout 15s;
         proxy_read_timeout 30s;
         proxy_send_timeout 30s;

volumes/conf.d/metrics.registry.zinomedia.de.conf

@@ -0,0 +1,37 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name metrics.registry.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/metrics.registry.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/metrics.registry.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    # Password protect
+    auth_basic "Protected Area";
+    auth_basic_user_file /usr/share/nginx/html/metrics.registry.zinomedia.de/.htpasswd;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://registry:5001";
+        proxy_pass $upstream;
+
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name metrics.registry.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/mtail.zinomedia.de.conf

@@ -0,0 +1,38 @@
+server {
+    listen *:443 ssl;
+    listen [::]:443 ssl;
+    server_name mtail.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/mtail.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mtail.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "mtail:3903";
+
+        # Password protect
+        auth_basic "Protected";
+        auth_basic_user_file /usr/share/nginx/html/mtail.zinomedia.de/.htpasswd;
+
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_read_timeout 300s;
+
+        proxy_pass http://$upstream;
+    }
+
+}
+
+server {
+    server_name mtail.zinomedia.de;
+    listen 80;
+    listen [::]:80;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/registry.zinomedia.de.conf

@@ -0,0 +1,95 @@
+## Set a variable to help us decide if we need to add the
+## 'Docker-Distribution-Api-Version' header.
+## The registry always sets this header.
+## In the case of nginx performing auth, the header is unset
+## since nginx is auth-ing before proxying.
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+    '' 'registry/2.0';
+}
+
+## Record actual registry push/pull traffic
+include "snippets/registry-transfer-logging.conf";
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name registry.zinomedia.de;
+
+    access_log /var/log/nginx/registry.zinomedia.de.access.log;
+    error_log /var/log/nginx/error.log;
+
+    # Record actual registry push/pull traffic
+    access_log /var/log/nginx/registry.zinomedia.de.access.json.log registry_json if=$is_transfer_loggable;
+
+    ssl_certificate /etc/letsencrypt/live/registry.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/registry.zinomedia.de/privkey.pem;
+
+    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    ssl_prefer_server_ciphers on;
+
+    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+    chunked_transfer_encoding on;
+
+    location / {
+        return 403;
+    }
+
+    location /v2/ {
+        # disable any limits to avoid HTTP 413 for large image uploads
+        client_max_body_size 0;
+
+        # Password protect
+        auth_basic "Protected Registry";
+        auth_basic_user_file /usr/share/nginx/html/registry.zinomedia.de/.htpasswd;
+
+        if ($request_method = OPTIONS) {
+            add_header 'Access-Control-Allow-Origin' 'https://registryui.zinomedia.de';
+            add_header 'Access-Control-Allow-Credentials' 'true';
+            add_header 'Access-Control-Allow-Headers' 'Authorization, Accept, Cache-Control';
+            add_header 'Access-Control-Allow-Methods' 'HEAD, GET, OPTIONS, DELETE';
+            add_header 'Content-Length' '0';
+            add_header 'Content-Type' 'text/plain charset=UTF-8';
+            return 204;
+        }
+
+        if ($request_method = DELETE) {
+            add_header 'Access-Control-Allow-Origin' 'https://registryui.zinomedia.de' always;
+            add_header 'Access-Control-Allow-Credentials' 'true' always;
+            add_header 'Access-Control-Allow-Headers' 'Authorization, Accept, Cache-Control' always;
+            add_header 'Access-Control-Allow-Methods' 'HEAD, GET, OPTIONS, DELETE' always;
+        }
+
+        add_header Access-Control-Allow-Origin "https://registryui.zinomedia.de";
+        add_header Access-Control-Allow-Credentials "true";
+        add_header Access-Control-Allow-Headers "Authorization, Accept, Cache-Control";
+        add_header Access-Control-Allow-Methods "HEAD, GET, OPTIONS, DELETE";
+
+        # Do not allow connections from docker 1.5 and earlier
+        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+            return 404;
+        }
+
+        ## If $docker_distribution_api_version is empty, the header is not added.
+        ## See the map directive above where this variable is defined.
+        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+        resolver 127.0.0.11;
+        set $upstream "http://registry:5000";
+        proxy_pass $upstream;
+
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name registry.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/registryui.zinomedia.de.conf

@@ -0,0 +1,42 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name registryui.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    root /usr/share/nginx/html/registryui.zinomedia.de/www/htdocs;
+    index index.php index.html;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/registryui.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/registryui.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    # Password protect
+    auth_basic "Protected Area";
+    auth_basic_user_file /usr/share/nginx/html/registryui.zinomedia.de/.htpasswd;
+
+    location / {
+        add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src * 'unsafe-inline'; font-src * data:;" always;
+
+        resolver 127.0.0.11;
+        set $upstream "http://registryui:80";
+        proxy_pass $upstream;
+
+        client_max_body_size 0;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Host $server_name;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name registryui.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/simhub.zinomedia.de.conf

@@ -0,0 +1,33 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name simhub.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/simhub.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/simhub.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://simracing-telemetry-hub-workspace:8000";
+        proxy_pass $upstream;
+
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name simhub.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/html/etherpad.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/metrics.registry.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/mtail.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/registry.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/registryui.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/snippets/registry-transfer-logging.conf

@@ -0,0 +1,78 @@
+log_format registry_json escape=json
+'{'
+'"timestamp":"$time_iso8601",'
+'"msec":"$msec",'
+'"remote_address":"$remote_addr",'
+'"remote_user":"$remote_user",'
+'"request_id":"$request_id",'
+'"method":"$request_method",'
+'"path":"$uri",'
+'"query_string":"$args",'
+'"http_version":"$server_protocol",'
+'"status":$status,'
+'"bytes_sent":$bytes_sent,'
+'"body_bytes_sent":$body_bytes_sent,'
+'"request_length":$request_length,'
+'"request_time":$request_time,'
+'"upstream_status":"$upstream_status",'
+'"upstream_time":"$upstream_response_time",'
+'"upstream_addr":"$upstream_addr",'
+'"referer":"$http_referer",'
+'"user_agent":"$http_user_agent",'
+'"x_forwarded_for":"$http_x_forwarded_for",'
+'"range":"$http_range",'
+'"content_range":"$sent_http_content_range",'
+'"content_length":"$sent_http_content_length",'
+'"etag":"$sent_http_etag",'
+'"docker_content_digest":"$sent_http_docker_content_digest",'
+'"arg_digest":"$arg_digest",'
+'"upstream_range":"$upstream_http_range",'
+'"docker_upload_uuid":"$upstream_http_docker_upload_uuid",'
+'"docker_distribution_api_version":"$docker_distribution_api_version",'
+'"transfer_direction":"$transfer_direction"'
+'}';
+
+map $body_bytes_sent $has_body_bytes_sent {
+    default 0;
+    ~^[1-9][0-9]*$ 1;
+}
+
+map "$request_method$uri" $is_blob_get {
+    default 0;
+    ~^GET/v2/.+/blobs/sha256:[a-f0-9]+$ 1;
+}
+
+map "$is_blob_get$has_body_bytes_sent" $is_pull_transfer {
+    default 0;
+    ~^11$ 1;
+}
+
+map $upstream_http_range $has_upstream_range {
+    default 0;
+    ~^[0-9]+-[0-9]+$ 1;
+}
+
+map "$request_method$uri" $is_upload_patch {
+    default 0;
+    ~^PATCH/v2/.+/blobs/uploads/[a-f0-9-]+$ 1;
+}
+
+map "$is_upload_patch$has_upstream_range" $is_push_transfer {
+    default 0;
+    ~^11$ 1;
+}
+
+map "$is_pull_transfer$is_push_transfer" $is_transfer_loggable {
+    default 0;
+    ~1 1;
+}
+
+map "$is_pull_transfer$is_push_transfer" $transfer_direction {
+    default "-";
+    "10" "pull";
+    "01" "push";
+}
+
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+    '' 'registry/2.0';
+}