kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-09-01 08:08:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Optimized injection layer on lua base, as replace for nginx replace. Also optimized cloudflare cache deletion(no everytime for cleanup). Still CDN is required for logout mechanism via JS and Nextcloud deploy is buggy after changing from nginx to openresty. Propably some variable overwritte topic. Should be solved tomorrow.

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-07-24 19:13:13 +02:00
parent f62355e490
commit 27973c2773
36 changed files with 483 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
roles/srv-proxy-7-4-core/templates/location/README.md Normal file
View File

@@ -0,0 +1,58 @@
# Nginx Location Templates
This directory contains Jinja2 templates for different Nginx `location` blocks, each designed to proxy and optimize different types of web traffic. These templates are used by the `srv-proxy-7-4-core` role to modularize and standardize reverse proxy configuration across a wide variety of applications.
---
## Overview of Files
### `html.conf.j2`
- **Purpose:**
Handles "normal" web traffic such as HTML pages, API endpoints, and general HTTP(S) requests.
- **Features:**
- Proxies requests to the backend service.
- Optionally integrates with OAuth2 proxy for authentication.
- Sets all necessary proxy headers.
- Applies a Content Security Policy header.
- Activates buffering for advanced features such as Lua-based string replacements.
- Supports WebSocket upgrades for hybrid APIs.
---
### `ws.conf.j2`
- **Purpose:**
Handles WebSocket connections, enabling real-time features such as live updates or chats.
- **Features:**
- Sets all headers required for WebSocket upgrades.
- Disables proxy buffering (required for WebSockets).
- Uses `tcp_nodelay` for low latency.
- Proxies traffic to the backend WebSocket server.
---
### `media.conf.j2`
- **Purpose:**
Proxies and caches static media files (images, icons, etc.).
- **Features:**
- Matches image file extensions (jpg, png, gif, webp, ico, svg, etc.).
- Enables browser-side and proxy-side caching for efficient delivery.
- Adds cache control headers and exposes the upstream cache status.
---
## Usage
These templates are intended for inclusion in larger Nginx configuration files via Jinja2.
They modularize your configuration by separating HTML, WebSocket, and media proxying, allowing for clear, reusable, and maintainable reverse proxy logic.
- Use `html.conf.j2` for standard application HTTP/S endpoints.
- Use `ws.conf.j2` for dedicated WebSocket endpoints.
- Use `media.conf.j2` for efficient handling of static media content.
---
## Best Practices
- Only enable WebSocket proxying (`ws.conf.j2`) for routes that actually require it, to avoid breaking buffering for standard HTTP.
- Activate media proxying (`media.conf.j2`) if your application benefits from image caching at the proxy layer.
- Keep templates modular for maintainability and scalability as your application grows.

2
roles/srv-proxy-7-4-core/templates/location/Todo.md Normal file
View File

@@ -0,0 +1,2 @@
# TODOS
- ATM it seems like the media proxy isn't used. Propably it could make sense to activate it. -> Research it.

9
roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2 → roles/srv-proxy-7-4-core/templates/location/html.conf.j2
View File

@@ -21,13 +21,16 @@ location {{location | default("/")}}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# deactivate buffering
proxy_buffering off;
proxy_request_buffering off;
# Activate buffering
# Needs to be enabled, so that lua can do str replaces
proxy_buffering on;
proxy_request_buffering on;
# timeouts
proxy_connect_timeout 1s;
proxy_send_timeout 900s;
proxy_read_timeout 900s;
send_timeout 900s;
{% include 'roles/srv-web-7-7-inj-compose/templates/location.lua.j2'%}
}

0
roles/srv-proxy-7-4-core/templates/location/proxy_cache.conf.j2 → roles/srv-proxy-7-4-core/templates/location/media.conf.j2
View File

14
roles/srv-proxy-7-4-core/templates/location/ws.conf.j2 Normal file
View File

@@ -0,0 +1,14 @@
location {{ location_ws }} {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:{{ ws_port }};
# Proxy buffering needs to be disabled for websockets.
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}

78
roles/srv-proxy-7-4-core/templates/vhost/README.md Normal file
View File

@@ -0,0 +1,78 @@
# Nginx vHost Templates: Basic vs. WebSocket (ws_generic)
This directory provides two Nginx server templates for reverse proxying Dockerized applications behind Nginx:
- `basic.conf.j2`
- `ws_generic.conf.j2`
---
## When to Use Which Template?
### 1. `basic.conf.j2`
**Use this template for standard HTTP/S applications.**
It is optimized for typical web applications (e.g., static sites, PHP, Node.js, Django, etc.) that do **not** require persistent, bidirectional WebSocket connections.
- **Features:**
- HTTP/2 support, TLS/SSL integration
- Reverse proxy with buffering enabled (`proxy_buffering on`)
- Allows advanced content filtering (e.g., via Lua body/headers)
- Suitable for most REST APIs, web frontends, and admin panels
- **Pros:**
- Enables HTML/body manipulation (for injecting snippets, analytics, CSP, etc.)
- Optimized for efficient caching and GZIP compression
- Good default for "normal" web traffic
- **Cons:**
- **Not** suitable for WebSocket endpoints (buffering can break WS)
- Slightly more latency for streaming data due to buffering
---
### 2. `ws_generic.conf.j2`
**Use this template for applications requiring WebSocket support.**
Designed for services (e.g., chat servers, real-time dashboards) needing fast, persistent connections using the WebSocket protocol.
- **Features:**
- WebSocket-aware: `proxy_buffering off`, special upgrade headers
- Supports standard HTTP/S traffic alongside WebSockets
- Proper handling of connection upgrades and protocol switching
- **Pros:**
- Required for all WebSocket endpoints
- Allows instant, low-latency bidirectional traffic
- Prevents data loss or connection drops due to proxy buffering
- **Cons:**
- Disables body/content filtering and response manipulation
- No buffering means less effective for caching/optimization
- Not suitable for scenarios requiring Lua/JS content injection
---
## Summary Table
| Use Case | Template | Buffering | WebSocket? | Can Filter Content? |
|--------------------------|---------------------|-----------|------------|--------------------|
| Static/Classic Website | `basic.conf.j2` | On | No | Yes |
| REST API | `basic.conf.j2` | On | No | Yes |
| Real-Time Chat/App | `ws_generic.conf.j2`| Off | Yes | No |
| Dashboard w/Live Data | `ws_generic.conf.j2`| Off | Yes | No |
| Needs HTML Injection | `basic.conf.j2` | On | No | Yes |
---
## Good to Know
- **Never enable buffering for true WebSocket connections!**
Use `proxy_buffering off;` (as in `ws_generic.conf.j2`) or connections may fail.
- For most classic web applications, use the **basic template**.
- For apps where you want to inject or modify HTML (e.g., analytics scripts), **only the basic template** supports this.
---
## Author & Project
By [Kevin Veen-Birkenbach](https://www.veen.world)
Part of the [CyMaIS Project](https://s.veen.world/cymais)
Licensed under the [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl)

17
roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2
View File

@@ -6,7 +6,7 @@ server
{% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
{% endif %}
{% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.lua.j2'%}
{% include 'roles/srv-web-7-7-inj-compose/templates/server.conf.j2'%}
{% if proxy_extra_configuration is defined %}
{# Additional Domain Specific Configuration #}
@@ -15,9 +15,6 @@ server
{% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %}
{% if applications | get_app_conf(application_id, 'features.logout', False) or domain == primary_domain %}
{% include 'roles/web-svc-logout/templates/logout-proxy.conf.j2' %}
{% endif %}
{% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
{% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', False, {}) %}
@@ -25,38 +22,38 @@ server
{# 1. Expose everything by default, then protect blacklisted paths #}
{% set oauth2_proxy_enabled = false %}
{% set location = "/" %}
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% include 'roles/srv-proxy-7-4-core/templates/location/html.conf.j2' %}
{% for loc in acl.blacklist %}
{% set oauth2_proxy_enabled = true %}
{% set location = loc %}
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% include 'roles/srv-proxy-7-4-core/templates/location/html.conf.j2' %}
{% endfor %}
{% elif acl.whitelist is defined %}
{# 2. Protect everything by default, then expose whitelisted paths #}
{% set oauth2_proxy_enabled = true %}
{% set location = "/" %}
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% include 'roles/srv-proxy-7-4-core/templates/location/html.conf.j2' %}
{% for loc in acl.whitelist %}
{% set oauth2_proxy_enabled = false %}
{% set location = loc %}
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% include 'roles/srv-proxy-7-4-core/templates/location/html.conf.j2' %}
{% endfor %}
{% else %}
{# 3. OAuth2 enabled but no (or empty) ACL — protect all #}
{% set oauth2_proxy_enabled = true %}
{% set location = "/" %}
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% include 'roles/srv-proxy-7-4-core/templates/location/html.conf.j2' %}
{% endif %}
{% else %}
{# 4. OAuth2 completely disabled — expose all #}
{% set oauth2_proxy_enabled = false %}
{% set location = "/" %}
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% include 'roles/srv-proxy-7-4-core/templates/location/html.conf.j2' %}
{% endif %}
}

25
roles/srv-proxy-7-4-core/templates/vhost/ws_generic.conf.j2
View File

@@ -7,7 +7,8 @@ server {
server_name {{ domain }};
{% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.lua.j2' %}
{% include 'roles/srv-web-7-7-inj-compose/templates/server.conf.j2' %}
client_max_body_size {{ client_max_body_size | default('100m') }};
keepalive_timeout 70;
@@ -24,26 +25,10 @@ server {
add_header Strict-Transport-Security "max-age=31536000";
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% include 'roles/srv-proxy-7-4-core/templates/location/html.conf.j2' %}
{% if applications | get_app_conf(application_id, 'features.logout', False) or domain == primary_domain %}
{% include 'roles/web-svc-logout/templates/logout-proxy.conf.j2' %}
{% endif %}
{% if ws_path is defined %}
location {{ ws_path }} {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:{{ ws_port }};
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
{% if location_ws is defined %}
{% include 'roles/srv-proxy-7-4-core/templates/location/ws.conf.j2' %}
{% endif %}
error_page 500 501 502 503 504 /500.html;