nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##
        limit_req_zone  $binary_remote_addr  zone=etherpad_req:10m  rate=10r/s;
        limit_conn_zone $binary_remote_addr  zone=etherpad_conn:10m;

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	server_tokens off; # Recommended practice is to turn this off

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3 (POODLE), TLS 1.0, 1.1
	ssl_prefer_server_ciphers off; # Don't force server cipher order.

	##
	# Logging Settings
	##
        log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
	access_log /var/log/nginx/vhost.access.log vhost;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/mime.types:
types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xslt+xml                             xsl xslt;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/ogg                                        ogv;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-matroska                                 mkv;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/connection-upgrade-map.conf:
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}


# configuration file /etc/nginx/sites-enabled/bin.labunix.xyz-9443.conf:
server {
    listen 443 ssl;
    http2 on;
    server_name bin.labunix.xyz;

    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;

    client_max_body_size 50m;

    location / {
        proxy_pass http://127.0.0.1:8081;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}


# configuration file /etc/nginx/sites-enabled/cloud-wg.conf:
server {
    listen 443 ssl;
    http2 on;
    server_name cloud.labunix.xyz;
    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;
    client_max_body_size 2G;

    location / {
        proxy_pass http://127.0.0.1:9091; # adjust if your upstream differs
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}


# configuration file /etc/nginx/sites-enabled/etherpad:
server {
    listen 443 ssl;
    http2 on;
    server_name ether.labunix.xyz;

    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;

    limit_req zone=etherpad_req burst=60 nodelay;
    limit_conn etherpad_conn 20;
    client_max_body_size 1m;
# Admin only (protect both /admin and /admin/)
    location = /admin {
        auth_basic "Etherpad Admin";
        auth_basic_user_file /etc/nginx/htpasswd-etherpad-admin;

        proxy_pass http://127.0.0.1:9001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
        proxy_buffering off;
    }

    location ^~ /admin/ {
        auth_basic "Etherpad Admin";
        auth_basic_user_file /etc/nginx/htpasswd-etherpad-admin;

        proxy_pass http://127.0.0.1:9001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
        proxy_buffering off;
    }
    location / {
        proxy_pass http://127.0.0.1:9001;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
        proxy_buffering off;
    }
}

# configuration file /etc/nginx/sites-enabled/labunix-i2p.conf:
server {
    listen 127.0.0.1:8089;
    listen [::1]:8089;
    server_name _;

    root /srv/www/labunix/public;
    index index.html;

    access_log /var/log/nginx/labunix-i2p.access.log;
    error_log  /var/log/nginx/labunix-i2p.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}

# configuration file /etc/nginx/sites-enabled/labunix-onion.conf:
server {
    listen 127.0.0.1:8088;
    server_name _;

    root /srv/www/labunix/public;
    index index.html;

    access_log /var/log/nginx/labunix-onion.access.log;
    error_log  /var/log/nginx/labunix-onion.error.log;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~* \.(css|js|png|jpg|jpeg|gif|svg|webp|ico|woff2?)$ {
        expires 30d;
        add_header Cache-Control "public, max-age=2592000, immutable";
        try_files $uri =404;
    }
}

# configuration file /etc/nginx/sites-enabled/labunix.conf:
# HTTP on :9080 (optional: redirect to HTTPS :9443)
server {
    listen 9080;
    server_name labunix.xyz www.labunix.xyz 10.50.0.1;

    # If you want redirect to HTTPS on :9443:
    return 301 https://$host:443$request_uri;

    # If you prefer serving plain HTTP instead, comment the return above
    # and uncomment this:
    # root /srv/www/labunix/public;
    # index index.html;
    # location / { try_files $uri $uri/ =404; }
}

# HTTPS on :9443
server {
    listen 443 ssl;
    http2 on;
    server_name labunix.xyz www.labunix.xyz 10.50.0.1;

    root /srv/www/labunix/public;
    index index.html;

    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;

    add_header Onion-Location "http://l6xtdi33ubszm2gswstchrb6o4d6aw3ewj2irexlsbzk6pvesky7p2ad.onion$request_uri" always;

    location / {
        try_files $uri $uri/ =404;
    }
    location /stats/ {
    alias /srv/stats/;
    index goaccess.html;
    allow 127.0.0.1;
    allow 10.50.0.0/24;
    allow 192.168.33.0/24;
    deny all;
    }

    location ~* \.(css|js|png|jpg|jpeg|gif|svg|webp|ico|woff2?)$ {
        expires 30d;
        add_header Cache-Control "public, max-age=2592000, immutable";
        try_files $uri =404;
    }
}

# configuration file /etc/nginx/sites-enabled/lufi.conf:
server {
    listen 443 ssl;
    http2 on;
    server_name lufi.labunix.xyz;

    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/lufi.htpasswd;

    access_log /var/log/nginx/vhost.access.log vhost;
    error_log  /var/log/nginx/lufi.error.log;

    location / {
        proxy_pass http://127.0.0.1:8090;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
	add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        client_max_body_size 2G;
        proxy_read_timeout 3600s;
    }
}


# configuration file /etc/nginx/sites-enabled/pad.labunix.xyz-9443.conf:
# pad.labunix.xyz (main) → HTTP:3101, WS:3103
server {
    listen 443 ssl;
    http2 on;
    server_name pad.labunix.xyz;
    access_log /var/log/nginx/vhost.access.log vhost;
    ssl_certificate     /etc/letsencrypt/live/pad.labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pad.labunix.xyz/privkey.pem;
    client_max_body_size 100m;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd-cryptpad;

    location /cryptpad_websocket {
        proxy_pass http://127.0.0.1:3103;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://127.0.0.1:3101;
        proxy_http_version 1.1;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# pad-sandbox.labunix.xyz (sandbox) → HTTP:3101, WS:3103
server {
    listen 443 ssl;
    http2 on;
    server_name pad-sandbox.labunix.xyz;
    access_log /var/log/nginx/vhost.access.log vhost;
    ssl_certificate     /etc/letsencrypt/live/pad.labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pad.labunix.xyz/privkey.pem;
    client_max_body_size 100m;

    location /cryptpad_websocket {
        proxy_pass http://127.0.0.1:3103;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://127.0.0.1:3101;
        proxy_http_version 1.1;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# configuration file /etc/nginx/sites-enabled/pdf.labunix.xyz.conf:
server {
    listen 443 ssl;
    server_name pdf.labunix.xyz;
    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 100m;
    auth_basic "Stirling PDF";
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / {
        proxy_pass http://127.0.0.1:9092;
    }
}

# configuration file /etc/nginx/sites-enabled/search.labunix.xyz.conf:
limit_req_zone $binary_remote_addr zone=searxng:10m rate=30r/m;

server {
    listen 443 ssl;
    http2 on;
    server_name search.labunix.xyz;
    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;

    location / {
        limit_req zone=searxng burst=50 nodelay;
        limit_req_status 429;

        proxy_pass http://10.50.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}

# configuration file /etc/nginx/sites-enabled/upload.labunix.xyz-9443.conf:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name upload.labunix.xyz;

    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;

    client_max_body_size 21m;

    location / {
        proxy_pass http://127.0.0.1:5280;

        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_request_buffering off;
        proxy_buffering off;
    }
}


# configuration file /etc/nginx/sites-enabled/vault.labunix.xyz-9443.conf:
server {
    listen 443 ssl;
    server_name vault.labunix.xyz;

    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    client_max_body_size 100m;

    location / {
        proxy_pass http://127.0.0.1:9081;
    }

    # keep only if you publish 127.0.0.1:3012:3012
    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:9081;
    }
}


# configuration file /etc/nginx/sites-enabled/wiki.labunix.xyz.conf:
server {
    listen 443 ssl;
    server_name wiki.labunix.xyz;
    ssl_certificate     /etc/letsencrypt/live/labunix.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labunix.xyz/privkey.pem;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 100m;
    location / {
        proxy_pass http://127.0.0.1:9093;
    }
}

