fix: Gitea Traefik routing and connection pool optimization

- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de

scripts/ssl/generate_ssl_certificates.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# Generiert selbstsignierte Zertifikate für die lokale Entwicklung
+
+mkdir -p ssl
+
+# Generiere Root-CA
+openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 \
+  -keyout ssl/rootCA.key -out ssl/rootCA.pem \
+  -subj "/C=DE/ST=Berlin/L=Berlin/O=Development/CN=Local Development CA"
+
+# Generiere localhost-Zertifikat
+openssl req -new -nodes -newkey rsa:2048 \
+  -keyout ssl/localhost+2-key.pem -out ssl/localhost.csr \
+  -subj "/C=DE/ST=Berlin/L=Berlin/O=Development/CN=localhost"
+
+# Konfigurationsdatei für Alternativen Namen
+cat > ssl/localhost.ext << EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = *.localhost
+IP.1 = 127.0.0.1
+EOF
+
+# Signiere das Zertifikat
+openssl x509 -req -in ssl/localhost.csr \
+  -CA ssl/rootCA.pem -CAkey ssl/rootCA.key -CAcreateserial \
+  -out ssl/localhost+2.pem -days 500 \
+  -sha256 -extfile ssl/localhost.ext
+
+echo "SSL certificates generated:"
+ls -la ssl/

scripts/ssl/ssl-init.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+#
+# SSL Certificate Initialization Script
+# Obtains initial Let's Encrypt certificates for production deployment
+#
+# Usage: ./scripts/ssl-init.sh [domain] [email]
+#
+
+set -euo pipefail
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+# Default values from environment or command line
+DOMAIN="${1:-${DOMAIN_NAME:-michaelschiemer.de}}"
+EMAIL="${2:-${SSL_EMAIL:-mail@michaelschiemer.de}}"
+STAGING="${LETSENCRYPT_STAGING:-0}"
+
+echo -e "${BLUE}=== Let's Encrypt SSL Certificate Initialization ===${NC}"
+echo -e "${BLUE}Domain:${NC} $DOMAIN"
+echo -e "${BLUE}Email:${NC} $EMAIL"
+echo -e "${BLUE}Mode:${NC} $([ "$STAGING" = "1" ] && echo "Staging (Testing)" || echo "Production")"
+echo ""
+
+# Check if running with docker-compose
+if ! command -v docker-compose &> /dev/null; then
+    echo -e "${RED}Error: docker-compose not found${NC}"
+    exit 1
+fi
+
+# Check if .env.production exists
+if [ ! -f ".env.production" ]; then
+    echo -e "${YELLOW}Warning: .env.production not found${NC}"
+    echo -e "${YELLOW}Creating from .env.production.example...${NC}"
+    cp .env.production.example .env.production
+    echo -e "${YELLOW}Please edit .env.production and run this script again${NC}"
+    exit 1
+fi
+
+# Create required directories
+echo -e "${BLUE}Creating required directories...${NC}"
+mkdir -p ./docker/nginx/certbot-www/.well-known/acme-challenge
+mkdir -p ./docker/nginx/certbot-conf/live/${DOMAIN}
+
+# Check if certificates already exist
+if [ -f "./docker/nginx/certbot-conf/live/${DOMAIN}/fullchain.pem" ]; then
+    echo -e "${YELLOW}Certificates already exist for ${DOMAIN}${NC}"
+    read -p "Do you want to renew them? (y/N) " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        echo -e "${BLUE}Skipping certificate generation${NC}"
+        exit 0
+    fi
+fi
+
+# Start only web and php services (not full stack)
+echo -e "${BLUE}Starting nginx and php services...${NC}"
+docker-compose -f docker-compose.yml up -d web php
+
+# Wait for nginx to be ready
+echo -e "${BLUE}Waiting for nginx to be ready...${NC}"
+sleep 5
+
+# Test if port 80 is accessible
+if ! curl -sf http://localhost/.well-known/acme-challenge/test > /dev/null 2>&1; then
+    echo -e "${YELLOW}Port 80 test endpoint not accessible, continuing anyway...${NC}"
+fi
+
+# Obtain certificate
+echo -e "${BLUE}Obtaining SSL certificate from Let's Encrypt...${NC}"
+
+CERTBOT_CMD="certbot certonly --webroot -w /var/www/certbot \
+    --email ${EMAIL} \
+    --agree-tos \
+    --no-eff-email"
+
+# Add staging flag if needed
+if [ "$STAGING" = "1" ]; then
+    CERTBOT_CMD="$CERTBOT_CMD --staging"
+fi
+
+# Add domain
+CERTBOT_CMD="$CERTBOT_CMD -d ${DOMAIN}"
+
+# Run certbot in docker
+docker run --rm \
+    -v "$(pwd)/docker/nginx/certbot-conf:/etc/letsencrypt" \
+    -v "$(pwd)/docker/nginx/certbot-www:/var/www/certbot" \
+    certbot/certbot:latest \
+    $CERTBOT_CMD
+
+# Check if certificates were created
+if [ -f "./docker/nginx/certbot-conf/live/${DOMAIN}/fullchain.pem" ]; then
+    echo -e "${GREEN}✓ SSL certificates obtained successfully!${NC}"
+    echo -e "${GREEN}✓ Location: ./docker/nginx/certbot-conf/live/${DOMAIN}/${NC}"
+
+    # Update nginx to use Let's Encrypt certificates
+    echo -e "${BLUE}Updating nginx configuration...${NC}"
+
+    # Reload nginx
+    echo -e "${BLUE}Reloading nginx...${NC}"
+    docker-compose -f docker-compose.yml -f docker-compose.production.yml restart web
+
+    echo -e "${GREEN}✓ Nginx reloaded with new certificates${NC}"
+    echo ""
+    echo -e "${GREEN}=== SSL Setup Complete ===${NC}"
+    echo -e "${GREEN}Your site should now be accessible at: https://${DOMAIN}${NC}"
+    echo ""
+    echo -e "${BLUE}Next steps:${NC}"
+    echo -e "  1. Test HTTPS: curl -I https://${DOMAIN}"
+    echo -e "  2. Start certbot renewal service: docker-compose -f docker-compose.yml -f docker-compose.production.yml up -d certbot"
+    echo -e "  3. Check SSL grade: https://www.ssllabs.com/ssltest/analyze.html?d=${DOMAIN}"
+
+else
+    echo -e "${RED}✗ Failed to obtain SSL certificates${NC}"
+    echo -e "${RED}Check the logs above for errors${NC}"
+    exit 1
+fi

scripts/ssl/ssl-test.sh

@@ -0,0 +1,132 @@
+#!/bin/bash
+#
+# SSL Certificate Testing & Validation Script
+# Tests SSL configuration and certificate validity
+#
+# Usage: ./scripts/ssl-test.sh [domain]
+#
+
+set -euo pipefail
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+DOMAIN="${1:-${DOMAIN_NAME:-michaelschiemer.de}}"
+
+echo -e "${BLUE}=== SSL Certificate Testing ===${NC}"
+echo -e "${BLUE}Domain:${NC} $DOMAIN"
+echo ""
+
+# Test 1: Check if port 443 is accessible
+echo -e "${BLUE}[1/7] Testing HTTPS port accessibility...${NC}"
+if curl -sf --connect-timeout 5 https://${DOMAIN} > /dev/null 2>&1; then
+    echo -e "${GREEN}✓ Port 443 accessible${NC}"
+else
+    echo -e "${RED}✗ Port 443 not accessible${NC}"
+    echo -e "${YELLOW}Make sure firewall allows port 443${NC}"
+fi
+
+# Test 2: Check certificate validity
+echo -e "${BLUE}[2/7] Checking certificate validity...${NC}"
+CERT_INFO=$(echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null | openssl x509 -noout -dates 2>/dev/null || true)
+
+if [ -n "$CERT_INFO" ]; then
+    echo -e "${GREEN}✓ Certificate found${NC}"
+    echo "$CERT_INFO" | sed 's/^/  /'
+
+    # Extract and check expiry date
+    EXPIRY=$(echo "$CERT_INFO" | grep "notAfter" | cut -d= -f2)
+    EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$EXPIRY" +%s 2>/dev/null)
+    NOW_EPOCH=$(date +%s)
+    DAYS_LEFT=$(( ($EXPIRY_EPOCH - $NOW_EPOCH) / 86400 ))
+
+    if [ $DAYS_LEFT -gt 30 ]; then
+        echo -e "${GREEN}✓ Certificate valid for $DAYS_LEFT days${NC}"
+    elif [ $DAYS_LEFT -gt 7 ]; then
+        echo -e "${YELLOW}⚠ Certificate expires in $DAYS_LEFT days${NC}"
+    else
+        echo -e "${RED}✗ Certificate expires in $DAYS_LEFT days - RENEW SOON!${NC}"
+    fi
+else
+    echo -e "${RED}✗ No certificate found${NC}"
+fi
+
+# Test 3: Check certificate issuer
+echo -e "${BLUE}[3/7] Checking certificate issuer...${NC}"
+ISSUER=$(echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null || true)
+
+if echo "$ISSUER" | grep -q "Let's Encrypt"; then
+    echo -e "${GREEN}✓ Issued by Let's Encrypt${NC}"
+    echo "  $ISSUER"
+elif [ -n "$ISSUER" ]; then
+    echo -e "${YELLOW}⚠ Issued by: $ISSUER${NC}"
+else
+    echo -e "${RED}✗ Could not determine issuer${NC}"
+fi
+
+# Test 4: Check TLS versions
+echo -e "${BLUE}[4/7] Checking TLS version support...${NC}"
+if echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 -tls1_3 2>/dev/null | grep -q "Protocol  : TLSv1.3"; then
+    echo -e "${GREEN}✓ TLS 1.3 supported${NC}"
+else
+    echo -e "${YELLOW}⚠ TLS 1.3 not supported${NC}"
+fi
+
+if echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 -tls1_2 2>/dev/null | grep -q "Protocol  : TLSv1.2"; then
+    echo -e "${GREEN}✓ TLS 1.2 supported${NC}"
+else
+    echo -e "${RED}✗ TLS 1.2 not supported${NC}"
+fi
+
+# Test 5: Check HTTP to HTTPS redirect
+echo -e "${BLUE}[5/7] Testing HTTP to HTTPS redirect...${NC}"
+HTTP_REDIRECT=$(curl -sI -w "%{http_code}" -o /dev/null http://${DOMAIN} || true)
+
+if [ "$HTTP_REDIRECT" = "301" ] || [ "$HTTP_REDIRECT" = "302" ]; then
+    echo -e "${GREEN}✓ HTTP redirects to HTTPS (${HTTP_REDIRECT})${NC}"
+else
+    echo -e "${YELLOW}⚠ HTTP response code: ${HTTP_REDIRECT}${NC}"
+fi
+
+# Test 6: Check HSTS header
+echo -e "${BLUE}[6/7] Checking HSTS header...${NC}"
+HSTS=$(curl -sI https://${DOMAIN} | grep -i "strict-transport-security" || true)
+
+if [ -n "$HSTS" ]; then
+    echo -e "${GREEN}✓ HSTS header present${NC}"
+    echo "  $HSTS"
+else
+    echo -e "${YELLOW}⚠ HSTS header not found${NC}"
+fi
+
+# Test 7: Check security headers
+echo -e "${BLUE}[7/7] Checking security headers...${NC}"
+HEADERS=$(curl -sI https://${DOMAIN})
+
+check_header() {
+    local header=$1
+    local name=$2
+    if echo "$HEADERS" | grep -qi "$header"; then
+        echo -e "${GREEN}✓ ${name}${NC}"
+    else
+        echo -e "${YELLOW}⚠ ${name} missing${NC}"
+    fi
+}
+
+check_header "X-Content-Type-Options" "X-Content-Type-Options"
+check_header "X-Frame-Options" "X-Frame-Options"
+check_header "X-XSS-Protection" "X-XSS-Protection"
+check_header "Content-Security-Policy" "Content-Security-Policy"
+
+echo ""
+echo -e "${BLUE}=== SSL Test Summary ===${NC}"
+echo -e "${GREEN}Testing complete!${NC}"
+echo ""
+echo -e "${BLUE}Additional checks:${NC}"
+echo -e "  • SSL Labs Test: ${YELLOW}https://www.ssllabs.com/ssltest/analyze.html?d=${DOMAIN}${NC}"
+echo -e "  • Mozilla Observatory: ${YELLOW}https://observatory.mozilla.org/analyze/${DOMAIN}${NC}"
+echo -e "  • Security Headers: ${YELLOW}https://securityheaders.com/?q=${DOMAIN}${NC}"