Renamed server roles by osi they work on

roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2

@@ -0,0 +1,2 @@
+add_header Content-Security-Policy "{{ applications | build_csp_header(application_id, domains) }}" always;
+proxy_hide_header Content-Security-Policy; # Todo: Make this optional

roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2

@@ -0,0 +1,33 @@
+location {{location | default("/")}}
+{
+  {% if oauth2_proxy_enabled | default(false) | bool %}
+    {% include 'roles/web-app-oauth2-proxy/templates/following_directives.conf.j2'%}
+  {% endif %}
+
+  proxy_pass http://127.0.0.1:{{http_port}}{{location | default("/")}};
+
+  # headers
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Forwarded-Port 443;
+  proxy_set_header Accept-Encoding "";
+
+  {% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}
+
+  # WebSocket specific header
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "upgrade";
+
+  # deactivate buffering
+  proxy_buffering off;
+  proxy_request_buffering off;
+
+  # timeouts
+  proxy_connect_timeout       1s;
+  proxy_send_timeout          900s;
+  proxy_read_timeout          900s;
+  send_timeout                900s;
+}

roles/srv-proxy-7-4-core/templates/location/proxy_cache.conf.j2

@@ -0,0 +1,12 @@
+location ~* \.(jpg|jpeg|png|gif|webp|ico|svg)$ {
+    # Cache in browser
+    expires 30d;
+    add_header Cache-Control "public, max-age=2592000, immutable";
+
+    # Cache on reverse proxy side
+    proxy_pass http://127.0.0.1:{{http_port}};
+    proxy_cache imgcache;
+    proxy_cache_valid 200 302 60m;
+    proxy_cache_valid 404 1m;
+    add_header X-Proxy-Cache $upstream_cache_status;
+}

roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2

@@ -0,0 +1,61 @@
+server
+{
+  server_name {{domain}};
+
+  {% if applications | is_feature_enabled('oauth2',application_id) %}
+    {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
+  {% endif %}
+
+  {% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2'%}
+  
+  {% if proxy_extra_configuration is defined %}
+    {# Additional Domain Specific Configuration #}
+    {{ proxy_extra_configuration }}
+  {% endif %}
+
+  {% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
+
+  {% if applications | is_feature_enabled('oauth2', application_id) %}
+    {% set acl = applications[application_id].oauth2_proxy.acl | default({}) %}
+
+    {% if acl.blacklist is defined %}
+      {# 1. Expose everything by default, then protect blacklisted paths #}
+      {% set oauth2_proxy_enabled = false %}
+      {% set location = "/" %}
+      {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+
+      {% for loc in acl.blacklist %}
+        {% set oauth2_proxy_enabled = true %}
+        {% set location = loc %}
+        {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+      {% endfor %}
+
+    {% elif acl.whitelist is defined %}
+      {# 2. Protect everything by default, then expose whitelisted paths #}
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = "/" %}
+      {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+
+      {% for loc in acl.whitelist %}
+        {% set oauth2_proxy_enabled = false %}
+        {% set location = loc %}
+        {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+      {% endfor %}
+
+    {% else %}
+      {# 3. OAuth2 enabled but no (or empty) ACL — protect all #}
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = "/" %}
+      {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+    {% endif %}
+
+  {% else %}
+    {# 4. OAuth2 completely disabled — expose all #}
+    {% set oauth2_proxy_enabled = false %}
+    {% set location = "/" %}
+    {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+  {% endif %}
+
+}
+
+

roles/srv-proxy-7-4-core/templates/vhost/ws_generic.conf.j2

@@ -0,0 +1,46 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+  server_name {{ domain }};
+
+  {% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2' %}
+
+  client_max_body_size {{ client_max_body_size | default('100m') }};
+  keepalive_timeout    70;
+  sendfile             on;
+
+  gzip on;
+  gzip_disable "msie6";
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_buffers 16 8k;
+  gzip_http_version 1.1;
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+  add_header Strict-Transport-Security "max-age=31536000";
+
+  {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+
+  {% if ws_path is defined %}
+    location {{ ws_path }} {
+    proxy_set_header Host              $host;
+    proxy_set_header X-Real-IP         $remote_addr;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+
+    proxy_pass           http://127.0.0.1:{{ ws_port }};
+    proxy_buffering      off;
+    proxy_http_version   1.1;
+    proxy_set_header     Upgrade        $http_upgrade;
+    proxy_set_header     Connection     $connection_upgrade;
+    tcp_nodelay          on;
+  }
+  {% endif %}
+
+  error_page 500 501 502 503 504 /500.html;
+}