upstream main { server validate.vouch.armos.zinomedia.de; } server { listen 443 ssl; listen [::]:443 ssl; server_name code.zinomedia.de; access_log off; error_log /var/log/nginx/error.log debug; ssl_certificate /etc/letsencrypt/live/code.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/code.zinomedia.de/privkey.pem; # SSL Optimizations ssl_protocols TLSv1.2 TLSv1.3; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always; include "snippets/enable-vouch.conf"; # # send all requests to the `/validate` endpoint for authorization # auth_request /validate; # location = /validate { # proxy_pass https://validate.vouch.armos.zinomedia.de; # } # # if validate returns `401 not authorized` then forward the request to the error401block # error_page 401 = @error401; # location @error401 { # # redirect to Vouch Proxy for login # return 302 https://vouch.armos.zinomedia.de/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err; # } location / { resolver 127.0.0.11; set $upstream "code-server:8443"; proxy_pass http://$upstream; proxy_http_version 1.1; #proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Accept-Encoding gzip; proxy_set_header Connection upgrade; proxy_headers_hash_max_size 512; proxy_headers_hash_bucket_size 128; proxy_read_timeout 3600; proxy_set_header Host $http_host; # vouch: be sure to pass the original host header } } server { listen 80; listen [::]:80; server_name code.zinomedia.de; return 301 https://$host$request_uri; }