ansible-infra/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf

# This config is based on the standard `nginx.conf` shipping with the stable
# nginx package from the NGINX mirrors as of 2023-01.

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}

# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
# upstreams.
stream {
    resolver 212.12.50.158 192.76.134.90;

    map $ssl_preread_server_name $address {
        ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
        www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
        cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
        pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
        pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
        id.hamburg.ccc.de 172.31.17.144:8443;
        invite.hamburg.ccc.de 172.31.17.144:8443;
        keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
        grafana.hamburg.ccc.de 172.31.17.145:8443;
        wiki.ccchh.net 172.31.17.146:8443;
        wiki.hamburg.ccc.de 172.31.17.146:8443;
        onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
        hackertours.hamburg.ccc.de 172.31.17.151:8443;
        staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
        netbox.hamburg.ccc.de 172.31.17.149:8443;
        matrix.hamburg.ccc.de 172.31.17.150:8443;
        element.hamburg.ccc.de 172.31.17.151:8443;
        branding-resources.hamburg.ccc.de 172.31.17.151:8443;
        www.hamburg.ccc.de 172.31.17.151:8443;
        hamburg.ccc.de 172.31.17.151:8443;
        staging.hamburg.ccc.de 172.31.17.151:8443;
        spaceapi.hamburg.ccc.de 172.31.17.151:8443;
        tickets.hamburg.ccc.de 172.31.17.148:8443;
        zammad.hamburg.ccc.de 172.31.17.152:8443;
        c3cat.de 172.31.17.151:8443;
        www.c3cat.de 172.31.17.151:8443;
        staging.c3cat.de 172.31.17.151:8443;
        git.hamburg.ccc.de 172.31.17.154:8443;
        eh03.easterhegg.eu 172.31.17.151:8443;
        eh05.easterhegg.eu 172.31.17.151:8443;
        eh07.easterhegg.eu 172.31.17.151:8443;
        eh09.easterhegg.eu 172.31.17.151:8443;
        eh11.easterhegg.eu 172.31.17.151:8443;
        eh20.easterhegg.eu 172.31.17.151:8443;
        www.eh20.easterhegg.eu 172.31.17.151:8443;
        eh22.easterhegg.eu 172.31.17.159:8443;
        easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
        eh2003.hamburg.ccc.de 172.31.17.151:8443;
        www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
        easterhegg2003.hamburg.ccc.de 172.31.17.151:8443;
        www.easterhegg2003.hamburg.ccc.de 172.31.17.151:8443;
        eh2005.hamburg.ccc.de 172.31.17.151:8443;
        www.eh2005.hamburg.ccc.de 172.31.17.151:8443;
        easterhegg2005.hamburg.ccc.de 172.31.17.151:8443;
        www.easterhegg2005.hamburg.ccc.de 172.31.17.151:8443;
        eh2007.hamburg.ccc.de 172.31.17.151:8443;
        www.eh2007.hamburg.ccc.de 172.31.17.151:8443;
        eh07.hamburg.ccc.de 172.31.17.151:8443;
        www.eh07.hamburg.ccc.de 172.31.17.151:8443;
        easterhegg2007.hamburg.ccc.de 172.31.17.151:8443;
        www.easterhegg2007.hamburg.ccc.de 172.31.17.151:8443;
        eh2009.hamburg.ccc.de 172.31.17.151:8443;
        www.eh2009.hamburg.ccc.de 172.31.17.151:8443;
        eh09.hamburg.ccc.de 172.31.17.151:8443;
        www.eh09.hamburg.ccc.de 172.31.17.151:8443;
        easterhegg2009.hamburg.ccc.de 172.31.17.151:8443;
        www.easterhegg2009.hamburg.ccc.de 172.31.17.151:8443;
        eh2011.hamburg.ccc.de 172.31.17.151:8443;
        www.eh2011.hamburg.ccc.de 172.31.17.151:8443;
        eh11.hamburg.ccc.de 172.31.17.151:8443;
        www.eh11.hamburg.ccc.de 172.31.17.151:8443;
        easterhegg2011.hamburg.ccc.de 172.31.17.151:8443;
        www.easterhegg2011.hamburg.ccc.de 172.31.17.151:8443;
        eh20.hamburg.ccc.de 172.31.17.151:8443;
        hacker.tours 172.31.17.151:8443;
        staging.hacker.tours 172.31.17.151:8443;
        woodpecker.hamburg.ccc.de 172.31.17.160:8443;
        design.hamburg.ccc.de 172.31.17.162:8443;
        hydra.hamburg.ccc.de 172.31.17.163:8443;
    }

    server {
        listen 0.0.0.0:443;
        listen [::]:443;
        proxy_pass $address;
        ssl_preread on;
        proxy_protocol on;
    }

    server {
        listen 0.0.0.0:8448;
        listen [::]:8448;
        proxy_pass 172.31.17.150:8448;
        ssl_preread on;
        proxy_protocol on;
    }
}

# Still have the default http block, so the `acme_challenge.conf` works.
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}