m

modified:   volumes/conf.d/zinomedia.de.conf

.gitignore

@@ -5,6 +5,11 @@ volumes/html/*
 !volumes/html/dl.zinomedia.de
 !volumes/html/pkrstarsbot.zinomedia.de
 !volumes/logs/
+!volumes/html/registry.zinomedia.de
+!volumes/html/registryui.zinomedia.de
+!volumes/html/mtail.zinomedia.de
+!volumes/html/metrics.registry.zinomedia.de
+!volumes/html/etherpad.zinomedia.de
 
 # Ignore contents of these directories
 volumes/html/dl.zinomedia.de/*

docker-compose.yml

@@ -1,4 +1,3 @@
-version: '3.8'
 services:
   nginx:
     image: nginx:latest
@@ -20,6 +19,13 @@ services:
       - /etc/letsencrypt:/etc/letsencrypt
       - ../docker-wordpress-4netplayers/volumes/wordpress:/usr/share/nginx/html/4netplayers.zinomedia.de
       - ../docker-wordpress-zinomedia/volumes/wordpress:/usr/share/nginx/html/zinomedia.de
+      - ../docker-wordpress-autocutbot/volumes/wordpress:/usr/share/nginx/html/autocutbot.zinomedia.de
+      - ../docker-wordpress-pokerstarsbot/volumes/wordpress:/usr/share/nginx/html/pokerstarsbot.zinomedia.de
+      - ../docker-wordpress-pokerstarsbotx/volumes/wordpress:/usr/share/nginx/html/pokerstarsbotx.zinomedia.de
+      - ../docker-wordpress-seatmapv2/volumes/wordpress:/usr/share/nginx/html/seatmapv2.zinomedia.de
+      - ../docker-wordpress-terminsnipe/volumes/wordpress:/usr/share/nginx/html/terminsnipe.zinomedia.de
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
 
 networks:
   web:

volumes/conf.d/autocutbot.zinomedia.de.conf

@@ -0,0 +1,46 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name autocutbot.zinomedia.de;
+
+    #access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/autocutbot.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/autocutbot.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/autocutbot.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "autocutbot-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name autocutbot.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/code.zinomedia.de.conf

@@ -1,11 +1,8 @@
-#log_format custom2 '[$time_iso8601] CODE | request_uri: $request_uri | status: $status | http_host: $http_host | auth_resp_x_vouch_user: $auth_resp_x_vouch_user | upstream_http_x_vouch_user: $upstream_http_x_vouch_user | auth_resp_jwt: $auth_resp_jwt | upstream_http_x_vouch_jwt: $upstream_http_x_vouch_jwt | auth_resp_err: $auth_resp_err | upstream_http_x_vouch_err: $upstream_http_x_vouch_err | auth_resp_failcount: $auth_resp_failcount | upstream_http_x_vouch_failcount: $upstream_http_x_vouch_failcount';
-
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
     server_name code.zinomedia.de;
 
-    #access_log /var/log/nginx/access.log custom2;
     access_log off;
     error_log /var/log/nginx/error.log debug;
 
@@ -15,8 +12,6 @@ server {
     include "snippets/ssl-optimizations.conf";
     include "snippets/enable-vouch.conf";
 
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always;
-
     location / {
         resolver 127.0.0.11;
         set $upstream "http://code-server:8443";

volumes/conf.d/drawio.zinomedia.de.conf

@@ -0,0 +1,42 @@
+server {
+    listen *:443 ssl;
+    listen [::]:443 ssl;
+    server_name drawio.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/drawio.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/drawio.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/enable-vouch.conf";
+
+    add_header Content-Security-Policy "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: http://drawio.zinomedia.de; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src *;" always;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "drawio:8080";
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+        proxy_redirect off;
+        proxy_buffering on;
+        proxy_buffers 16 32k;
+        proxy_buffer_size 64k;
+    }
+
+}
+
+server {
+    server_name drawio.zinomedia.de;
+    listen 80;
+    listen [::]:80;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/etherpad.zinomedia.de.conf

@@ -0,0 +1,66 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name etherpad.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/etherpad.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/etherpad.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    auth_basic "Protected";
+    auth_basic_user_file /usr/share/nginx/html/etherpad.zinomedia.de/.htpasswd;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://etherpad:9001";
+
+        rewrite ^/$ / break;
+        rewrite ^/locales/(.*) /locales/$1 break;
+        rewrite ^/locales.json /locales.json break;
+        rewrite ^/admin(.*) /admin$1 break;
+        rewrite ^/p/(.*) /p/$1 break;
+        rewrite ^/static/(.*) /static/$1 break;
+        rewrite ^/pluginfw/(.*) /pluginfw/$1 break;
+        rewrite ^/javascripts/(.*) /javascripts/$1 break;
+        rewrite ^/socket.io/(.*) /socket.io/$1 break;
+        rewrite ^/ep/(.*) /ep/$1 break;
+        rewrite ^/minified/(.*) /minified/$1 break;
+        rewrite ^/api/(.*) /api/$1 break;
+        rewrite ^/ro/(.*) /ro/$1 break;
+        rewrite ^/error/(.*) /error/$1 break;
+        rewrite ^/jserror(.*) /jserror$1 break;
+        rewrite ^/redirect(.*) /redirect$1 break;
+        rewrite ^/(.*\.js) /$1 break;
+        rewrite /favicon.ico /favicon.ico break;
+        rewrite /robots.txt /robots.txt break;
+        rewrite /(.*) /p/$1;
+
+        proxy_pass $upstream;
+
+        proxy_buffering off;
+        proxy_set_header Host $host;
+        proxy_pass_header Server;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name etherpad.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/ha.zinomedia.de.conf

@@ -0,0 +1,34 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name ha.zinomedia.de;
+
+    ssl_certificate /etc/letsencrypt/live/ha.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ha.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location / {
+        proxy_pass http://host.docker.internal:8123;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Frame-Options SAMEORIGIN;
+        proxy_set_header X-Content-Type-Options nosniff;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_connect_timeout 15s;
+        proxy_read_timeout 30s;
+        proxy_send_timeout 30s;
+        send_timeout 30s;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ha.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/mail.zinomedia.de.conf

@@ -0,0 +1,54 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name mail.zinomedia.de autodiscover.* autoconfig.*;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/mail.zinomedia.de/cert.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mail.zinomedia.de/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.2;
+    ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
+    ssl_prefer_server_ciphers off;
+
+    # resolver 127.0.0.11;
+
+    location /Microsoft-Server-ActiveSync {
+        proxy_pass http://host.docker.internal:8080/Microsoft-Server-ActiveSync;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_connect_timeout 75;
+        proxy_send_timeout 3650;
+        proxy_read_timeout 3650;
+        proxy_buffers 64 512k;
+        client_body_buffer_size 512k;
+        client_max_body_size 0;
+    }
+
+    location / {
+        proxy_pass http://host.docker.internal:8080/;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        client_max_body_size 0;
+        proxy_buffer_size 128k;
+        proxy_buffers 64 512k;
+        proxy_busy_buffers_size 512k;
+    }
+}
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name mail.zinomedia.de autodiscover.* autoconfig.*;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/metrics.registry.zinomedia.de.conf

@@ -0,0 +1,37 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name metrics.registry.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/metrics.registry.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/metrics.registry.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    # Password protect
+    auth_basic "Protected Area";
+    auth_basic_user_file /usr/share/nginx/html/metrics.registry.zinomedia.de/.htpasswd;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://registry:5001";
+        proxy_pass $upstream;
+
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name metrics.registry.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/mtail.zinomedia.de.conf

@@ -0,0 +1,38 @@
+server {
+    listen *:443 ssl;
+    listen [::]:443 ssl;
+    server_name mtail.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/mtail.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mtail.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "mtail:3903";
+
+        # Password protect
+        auth_basic "Protected";
+        auth_basic_user_file /usr/share/nginx/html/mtail.zinomedia.de/.htpasswd;
+
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_read_timeout 300s;
+
+        proxy_pass http://$upstream;
+    }
+
+}
+
+server {
+    server_name mtail.zinomedia.de;
+    listen 80;
+    listen [::]:80;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/pkrstarsbot.zinomedia.de.conf

@@ -14,6 +14,7 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/pkrstarsbot.zinomedia.de/privkey.pem;
 
     include "snippets/ssl-optimizations.conf";
+    include "snippets/enable-php-fpm.conf";
     
     add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self'; font-src 'self' data:;" always;
 
@@ -22,19 +23,8 @@ server {
     }
 
     # Password protect
-    #auth_basic "Protected Area";
+    auth_basic "Protected Area";
-    #auth_basic_user_file /usr/share/nginx/html/pkrstarsbot.zinomedia.de/www/htdocs/.htpasswd;
+    auth_basic_user_file /usr/share/nginx/html/pkrstarsbot.zinomedia.de/www/htdocs/.htpasswd;
-
-    # PHP Processing
-    location ~ \.php$ {
-        resolver 127.0.0.11;
-        set $upstream "php-fpm:9000";
-
-        include fastcgi_params;
-        fastcgi_pass $upstream;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_index index.php;
-    }
 
     # Static File Caching (Optional)
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {

volumes/conf.d/pokerstarsbot.zinomedia.de.conf

@@ -0,0 +1,45 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name pokerstarsbot.zinomedia.de;
+
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/pokerstarsbot.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/pokerstarsbot.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/pokerstarsbot.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "pokerstarsbot-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name pokerstarsbot.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/pokerstarsbotx.zinomedia.de.conf

@@ -0,0 +1,45 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name pokerstarsbotx.zinomedia.de;
+
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/pokerstarsbotx.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/pokerstarsbotx.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/pokerstarsbotx.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "pokerstarsbotx-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name pokerstarsbotx.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/portainer.armos.zinomedia.de.conf

@@ -20,6 +20,10 @@ server {
         proxy_set_header X-Forwarded-Host $host:$server_port;
         proxy_set_header X-Forwarded-Server $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 300s;
         proxy_pass http://$upstream;
     }
 

volumes/conf.d/registry.zinomedia.de.conf

@@ -0,0 +1,95 @@
+## Set a variable to help us decide if we need to add the
+## 'Docker-Distribution-Api-Version' header.
+## The registry always sets this header.
+## In the case of nginx performing auth, the header is unset
+## since nginx is auth-ing before proxying.
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+    '' 'registry/2.0';
+}
+
+## Record actual registry push/pull traffic
+include "snippets/registry-transfer-logging.conf";
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name registry.zinomedia.de;
+
+    access_log /var/log/nginx/registry.zinomedia.de.access.log;
+    error_log /var/log/nginx/error.log;
+
+    # Record actual registry push/pull traffic
+    access_log /var/log/nginx/registry.zinomedia.de.access.json.log registry_json if=$is_transfer_loggable;
+
+    ssl_certificate /etc/letsencrypt/live/registry.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/registry.zinomedia.de/privkey.pem;
+
+    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    ssl_prefer_server_ciphers on;
+
+    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+    chunked_transfer_encoding on;
+
+    location / {
+        return 403;
+    }
+
+    location /v2/ {
+        # disable any limits to avoid HTTP 413 for large image uploads
+        client_max_body_size 0;
+
+        # Password protect
+        auth_basic "Protected Registry";
+        auth_basic_user_file /usr/share/nginx/html/registry.zinomedia.de/.htpasswd;
+
+        if ($request_method = OPTIONS) {
+            add_header 'Access-Control-Allow-Origin' 'https://registryui.zinomedia.de';
+            add_header 'Access-Control-Allow-Credentials' 'true';
+            add_header 'Access-Control-Allow-Headers' 'Authorization, Accept, Cache-Control';
+            add_header 'Access-Control-Allow-Methods' 'HEAD, GET, OPTIONS, DELETE';
+            add_header 'Content-Length' '0';
+            add_header 'Content-Type' 'text/plain charset=UTF-8';
+            return 204;
+        }
+
+        if ($request_method = DELETE) {
+            add_header 'Access-Control-Allow-Origin' 'https://registryui.zinomedia.de' always;
+            add_header 'Access-Control-Allow-Credentials' 'true' always;
+            add_header 'Access-Control-Allow-Headers' 'Authorization, Accept, Cache-Control' always;
+            add_header 'Access-Control-Allow-Methods' 'HEAD, GET, OPTIONS, DELETE' always;
+        }
+
+        add_header Access-Control-Allow-Origin "https://registryui.zinomedia.de";
+        add_header Access-Control-Allow-Credentials "true";
+        add_header Access-Control-Allow-Headers "Authorization, Accept, Cache-Control";
+        add_header Access-Control-Allow-Methods "HEAD, GET, OPTIONS, DELETE";
+
+        # Do not allow connections from docker 1.5 and earlier
+        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+            return 404;
+        }
+
+        ## If $docker_distribution_api_version is empty, the header is not added.
+        ## See the map directive above where this variable is defined.
+        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+        resolver 127.0.0.11;
+        set $upstream "http://registry:5000";
+        proxy_pass $upstream;
+
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name registry.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/registryui.zinomedia.de.conf

@@ -0,0 +1,42 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name registryui.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    root /usr/share/nginx/html/registryui.zinomedia.de/www/htdocs;
+    index index.php index.html;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/registryui.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/registryui.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    # Password protect
+    auth_basic "Protected Area";
+    auth_basic_user_file /usr/share/nginx/html/registryui.zinomedia.de/.htpasswd;
+
+    location / {
+        add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src * 'unsafe-inline'; font-src * data:;" always;
+
+        resolver 127.0.0.11;
+        set $upstream "http://registryui:80";
+        proxy_pass $upstream;
+
+        client_max_body_size 0;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Host $server_name;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name registryui.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/seatmapv2.zinomedia.de.conf

@@ -0,0 +1,45 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name seatmapv2.zinomedia.de;
+
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/seatmapv2.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/seatmapv2.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/seatmapv2.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "seatmapv2-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name seatmapv2.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/simhub.zinomedia.de.conf

@@ -0,0 +1,33 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name simhub.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/simhub.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/simhub.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://simracing-telemetry-hub-workspace:8000";
+        proxy_pass $upstream;
+
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name simhub.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/terminsnipe.zinomedia.de.conf

@@ -0,0 +1,45 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name terminsnipe.zinomedia.de;
+
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/terminsnipe.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/terminsnipe.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/terminsnipe.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "terminsnipe-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name terminsnipe.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/zinomedia.de.conf

@@ -1,12 +1,21 @@
+# Dynamically set CORS headers based on the request origin.
+# Needed for legacy wordoress migrations
+map $http_origin $allow_origin {
+    ~^https://(.*\.)?zinomedia\.de$ $http_origin;
+    default "";
+}
+
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
     server_name zinomedia.de;
 
-    access_log off;
+    #access_log /var/log/nginx/access.log;
     error_log /var/log/nginx/error.log error;
+    access_log off;
 
     root /usr/share/nginx/html/zinomedia.de;
+
     index index.php;
 
     ssl_certificate /etc/letsencrypt/live/zinomedia.de/fullchain.pem;
@@ -15,21 +24,26 @@ server {
     include "snippets/ssl-optimizations.conf";
     include "snippets/wordpress-optimizations.conf";
 
-    add_header Content-Security-Policy "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; img-src 'self' data: *; style-src 'self' 'unsafe-inline'; font-src 'self' data: *;" always;
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
 
     client_max_body_size 0;
 
+    # Dynamically set CORS headers based on the request origin.
+    add_header 'Access-Control-Allow-Origin' $allow_origin;
+
     location / {
         resolver 127.0.0.11;
         set $upstream "zinomedia-wordpress:80";
 
         try_files $uri $uri/ /index.php?$args;
 
-        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Host $host:$server_port;
         proxy_set_header X-Forwarded-Server $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
         proxy_pass http://$upstream;
     }
 }

volumes/html/etherpad.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/metrics.registry.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/mtail.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/registry.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/registryui.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/snippets/enable-php-fpm.conf

@@ -0,0 +1,9 @@
+location ~ \.php$ {
+    resolver 127.0.0.11;
+    set $upstream "php-fpm:9000";
+
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_index index.php;
+    fastcgi_pass $upstream;
+}

volumes/snippets/registry-transfer-logging.conf

@@ -0,0 +1,78 @@
+log_format registry_json escape=json
+'{'
+'"timestamp":"$time_iso8601",'
+'"msec":"$msec",'
+'"remote_address":"$remote_addr",'
+'"remote_user":"$remote_user",'
+'"request_id":"$request_id",'
+'"method":"$request_method",'
+'"path":"$uri",'
+'"query_string":"$args",'
+'"http_version":"$server_protocol",'
+'"status":$status,'
+'"bytes_sent":$bytes_sent,'
+'"body_bytes_sent":$body_bytes_sent,'
+'"request_length":$request_length,'
+'"request_time":$request_time,'
+'"upstream_status":"$upstream_status",'
+'"upstream_time":"$upstream_response_time",'
+'"upstream_addr":"$upstream_addr",'
+'"referer":"$http_referer",'
+'"user_agent":"$http_user_agent",'
+'"x_forwarded_for":"$http_x_forwarded_for",'
+'"range":"$http_range",'
+'"content_range":"$sent_http_content_range",'
+'"content_length":"$sent_http_content_length",'
+'"etag":"$sent_http_etag",'
+'"docker_content_digest":"$sent_http_docker_content_digest",'
+'"arg_digest":"$arg_digest",'
+'"upstream_range":"$upstream_http_range",'
+'"docker_upload_uuid":"$upstream_http_docker_upload_uuid",'
+'"docker_distribution_api_version":"$docker_distribution_api_version",'
+'"transfer_direction":"$transfer_direction"'
+'}';
+
+map $body_bytes_sent $has_body_bytes_sent {
+    default 0;
+    ~^[1-9][0-9]*$ 1;
+}
+
+map "$request_method$uri" $is_blob_get {
+    default 0;
+    ~^GET/v2/.+/blobs/sha256:[a-f0-9]+$ 1;
+}
+
+map "$is_blob_get$has_body_bytes_sent" $is_pull_transfer {
+    default 0;
+    ~^11$ 1;
+}
+
+map $upstream_http_range $has_upstream_range {
+    default 0;
+    ~^[0-9]+-[0-9]+$ 1;
+}
+
+map "$request_method$uri" $is_upload_patch {
+    default 0;
+    ~^PATCH/v2/.+/blobs/uploads/[a-f0-9-]+$ 1;
+}
+
+map "$is_upload_patch$has_upstream_range" $is_push_transfer {
+    default 0;
+    ~^11$ 1;
+}
+
+map "$is_pull_transfer$is_push_transfer" $is_transfer_loggable {
+    default 0;
+    ~1 1;
+}
+
+map "$is_pull_transfer$is_push_transfer" $transfer_direction {
+    default "-";
+    "10" "pull";
+    "01" "push";
+}
+
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+    '' 'registry/2.0';
+}

volumes/snippets/ssl-optimizations.conf

@@ -1,5 +1,5 @@
 
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_session_cache shared:SSL:10m;
+ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 10m;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;