Improve workshop consistency and navigation

Align challenge numbering and cross-page links, and clarify Backend C/TLS guidance so participants always see valid routes and safer cert mounting defaults.

challenges/easyrsa-hints.md

@@ -39,15 +39,29 @@ cd certs/easyrsa
 ./easyrsa sign-req server localhost
 ```
 
-## 5) Dateien fuer Nginx bereitstellen
+## 5) Nur Runtime-Zertifikate bereitstellen (nicht komplette PKI mounten)
 
-Typische Dateien:
+Nutze fuer den Container nur die benoetigten Laufzeitdateien:
 
-- `pki/issued/localhost.crt`
-- `pki/private/localhost.key`
-- `pki/ca.crt`
+- `localhost.crt` (Server-Zertifikat)
+- `localhost.key` (Server-Private-Key)
 
-Danach in `proxy/nginx.conf` TLS aktivieren und in `docker-compose.yml` Port `443` mappen.
+Beispiel:
+
+```bash
+mkdir -p ../../live
+cp pki/issued/localhost.crt ../../live/
+cp pki/private/localhost.key ../../live/
+chmod 600 ../../live/localhost.key
+```
+
+Warum nicht die ganze PKI mounten?
+
+- In `pki/` liegen CA-relevante Dateien.
+- Runtime-Container sollen keine unnoetigen PKI/CA-Dateien sehen.
+- Prinzip: minimal noetige Secrets in Runtime.
+
+Danach in `proxy/nginx.conf` TLS aktivieren und in `docker-compose.yml` Port `443` + Cert-Volume mappen.
 
 ### Compose-Mindestbeispiel
 
@@ -60,24 +74,49 @@ services:
     volumes:
       - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro,z
       - ./proxy/html:/usr/share/nginx/html:ro,z
-      - ./certs/easyrsa/pki:/etc/nginx/pki:ro,z
+      - ./certs/live:/etc/nginx/certs:ro,z
 ```
 
-### Nginx-Mindestbeispiel
+### Nginx-Mindestbeispiel (HTTP + HTTPS)
 
 ```nginx
+server {
+  listen 80;
+  server_name _;
+
+  location = /healthz {
+    default_type text/plain;
+    return 200 "ok\n";
+  }
+
+  location / {
+    return 301 https://$host:8443$request_uri;
+  }
+}
+
 server {
   listen 443 ssl;
   server_name localhost;
 
-  ssl_certificate /etc/nginx/pki/issued/localhost.crt;
-  ssl_certificate_key /etc/nginx/pki/private/localhost.key;
+  ssl_certificate /etc/nginx/certs/localhost.crt;
+  ssl_certificate_key /etc/nginx/certs/localhost.key;
   ssl_protocols TLSv1.2 TLSv1.3;
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header X-Frame-Options "DENY" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+  add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+  add_header Cross-Origin-Opener-Policy "same-origin" always;
+  add_header Cross-Origin-Resource-Policy "same-origin" always;
+
   location /service/a {
     proxy_pass http://backend_a/;
   }
+
+  location /service/b {
+    proxy_pass http://backend_b/;
+  }
 }
 ```
 
@@ -86,14 +125,14 @@ server {
 Fedora:
 
 ```bash
-sudo cp pki/ca.crt /etc/pki/ca-trust/source/anchors/htl-workshop-root-ca.crt
+sudo cp certs/easyrsa/pki/ca.crt /etc/pki/ca-trust/source/anchors/htl-workshop-root-ca.crt
 sudo update-ca-trust
 ```
 
 Ubuntu/Debian:
 
 ```bash
-sudo cp pki/ca.crt /usr/local/share/ca-certificates/htl-workshop-root-ca.crt
+sudo cp certs/easyrsa/pki/ca.crt /usr/local/share/ca-certificates/htl-workshop-root-ca.crt
 sudo update-ca-certificates
 ```
 
@@ -114,7 +153,7 @@ curl https://localhost:8443/service/a
 Falls CA nicht global importiert ist:
 
 ```bash
-curl --cacert pki/ca.crt https://localhost:8443/service/a
+curl --cacert certs/easyrsa/pki/ca.crt https://localhost:8443/service/a
 ```
 
 ## 8) Typische Fehlerbilder