Refactored ws implementation to use it in mastodon and in new espocrm role

2025-08-29 23:08:06 +02:00 · 2025-04-25 14:44:33 +02:00
parent 4e04f882e5
commit 87262f7373
26 changed files with 173 additions and 91 deletions
--- a/roles/nginx-docker-reverse-proxy/README.md
+++ b/roles/nginx-docker-reverse-proxy/README.md
@@ -1,19 +1,31 @@
-# role nginx-docker-reverse-proxy
+# Nginx Docker Reverse Proxy 🚀

-Uses nginx as an [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) for local docker applications.
+## Description

-## debug
-```bash
-curl -I {{address}}
-```
- https://serverfault.com/questions/434915/nginx-proxy-caching-how-to-check-if-it-is-working
+This Ansible role deploys **Nginx** as a high-performance [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) in front of Docker-hosted services.  
+It provides automatic TLS integration, WebSocket support, and a flexible templating system for per-application configuration.

-## performance
- https://stackoverflow.com/questions/33703230/caching-images-on-all-folder-levels-of-nginx-reverse-proxy
- https://www.tweaked.io/guide/nginx-proxying/
- https://serverfault.com/questions/796735/nginx-reverse-proxy-is-slow/796740
- https://serverfault.com/questions/741610/what-is-the-difference-between-proxy-request-buffering-and-proxy-buffering-on-ng
- https://askubuntu.com/questions/1103626/should-i-enable-client-max-body-size-proxy-request-buffering-and-proxy-bufferin
- https://serverfault.com/questions/692577/whats-the-difference-between-proxy-buffer-and-proxy-cache-module-in-nginx-confi
- https://github.com/sissbruecker/linkding/issues/88
- https://www.bogotobogo.com/DevOps/Docker/docker/compose/Nginx-Reverse-Proxy-Multiple-Containers.php
+## Overview
+
+Optimised for Arch Linux, the role installs Nginx, prepares opinionated configuration snippets and exposes a simple interface for other roles to drop in new virtual-hosts.  
+It plays well with **Let’s Encrypt**, **OAuth2 Proxy**, and your existing Docker stack.
+
+## Purpose
+
+The goal of this role is to deliver a **hassle-free, production-ready reverse proxy** for self-hosted containers, suitable for homelabs and small-scale production workloads.
+
+## Features
+
+- **Automatic TLS & HSTS** — integrates with the *nginx-https* role for certificate management.  
+- **Flexible vHost templates** — *basic* and *ws_generic* flavours cover standard HTTP and WebSocket applications.  
+- **Security headers** — sensible defaults plus optional X-Frame-Options / CSP based on application settings.  
+- **WebSocket & HTTP/2 aware** — upgrades, keep-alive tuning, and gzip already configured.  
+- **OAuth2 gating** — drop-in support when *docker-oauth2-proxy* is present.  
+- **Modular includes** — headers, locations, and global snippets are factored for easy extension.
+
+## Credits 📝
+
+Developed and maintained by **Kevin Veen-Birkenbach**.  
+More at <https://www.veen.world>
+
+Part of the **CyMaIS Project** — licensed under the [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl)
--- a/roles/nginx-docker-reverse-proxy/meta/main.yml
+++ b/roles/nginx-docker-reverse-proxy/meta/main.yml
@@ -1,3 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Nginx reverse proxy front-end for local Docker applications."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - docker
+    - reverse_proxy
+    - web
+    - automation
+    - archlinux
+  repository: https://s.veen.world/cymais
+  issue_tracker_url: https://s.veen.world/cymaisissues
+  documentation: https://s.veen.world/cymais
 dependencies:
- docker
- nginx-https
+  - role: docker
+  - role: nginx-https
--- a/roles/nginx-docker-reverse-proxy/templates/headers/iframe.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/headers/iframe.conf.j2
--- a/roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2
@@ -14,7 +14,7 @@ location {{location | default("/")}}
  proxy_set_header X-Forwarded-Port 443;
  proxy_set_header Accept-Encoding "";

-  {% include 'roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2' %}
+  {% include 'roles/nginx-docker-reverse-proxy/templates/headers/iframe.conf.j2' %}

  # WebSocket specific header
  proxy_http_version 1.1;
--- a/roles/nginx-docker-reverse-proxy/templates/vhost/basic.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/vhost/basic.conf.j2
@@ -18,18 +18,18 @@ server
  {% if applications | get_oauth2_enabled(application_id) %}
    {% if applications[application_id].oauth2_proxy.location is defined %}
      {# Exposed and Unprotected Location #}
-      {% include 'proxy_pass.conf.j2' %}
+      {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
      {% set oauth2_proxy_enabled = true %}
      {% set location = applications[application_id].oauth2_proxy.location %}
      {# Gated Location by OAuth2 Proxy #}
-      {% include 'proxy_pass.conf.j2' %}
+      {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
    {% else %}
      {% set oauth2_proxy_enabled = true %}
      {# Protected Domain by OAuth2 Proxy #}
-      {% include 'proxy_pass.conf.j2'%}
+      {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2'%}
    {% endif %}
  {% else %}
    {# Exposed Domain - Not protected by OAuth2 Proxy #}
-    {% include 'proxy_pass.conf.j2' %}
+    {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
  {% endif %}
 }
--- a/roles/nginx-docker-reverse-proxy/templates/vhost/ws_generic.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/vhost/ws_generic.conf.j2
@@ -0,0 +1,46 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+  server_name {{ domain }};
+
+  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2' %}
+
+  client_max_body_size {{ client_max_body_size | default('100m') }};
+  keepalive_timeout    70;
+  sendfile             on;
+
+  gzip on;
+  gzip_disable "msie6";
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_buffers 16 8k;
+  gzip_http_version 1.1;
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+  add_header Strict-Transport-Security "max-age=31536000";
+
+  {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
+
+  {% if ws_path is defined %}
+    location {{ ws_path }} {
+    proxy_set_header Host              $host;
+    proxy_set_header X-Real-IP         $remote_addr;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+
+    proxy_pass           http://127.0.0.1:{{ ws_port }};
+    proxy_buffering      off;
+    proxy_http_version   1.1;
+    proxy_set_header     Upgrade        $http_upgrade;
+    proxy_set_header     Connection     $connection_upgrade;
+    tcp_nodelay          on;
+  }
+  {% endif %}
+
+  error_page 500 501 502 503 504 /500.html;
+}