Refactored server roles for better readability

roles/sys-svc-proxy/templates/location/README.md

@@ -0,0 +1,58 @@
+# Nginx Location Templates
+
+This directory contains Jinja2 templates for different Nginx `location` blocks, each designed to proxy and optimize different types of web traffic. These templates are used by the `sys-svc-proxy` role to modularize and standardize reverse proxy configuration across a wide variety of applications.
+
+---
+
+## Overview of Files
+
+### `html.conf.j2`
+- **Purpose:**  
+  Handles "normal" web traffic such as HTML pages, API endpoints, and general HTTP(S) requests.
+- **Features:**  
+  - Proxies requests to the backend service.
+  - Optionally integrates with OAuth2 proxy for authentication.
+  - Sets all necessary proxy headers.
+  - Applies a Content Security Policy header.
+  - Activates buffering for advanced features such as Lua-based string replacements.
+  - Supports WebSocket upgrades for hybrid APIs.
+
+---
+
+### `ws.conf.j2`
+- **Purpose:**  
+  Handles WebSocket connections, enabling real-time features such as live updates or chats.
+- **Features:**  
+  - Sets all headers required for WebSocket upgrades.
+  - Disables proxy buffering (required for WebSockets).
+  - Uses `tcp_nodelay` for low latency.
+  - Proxies traffic to the backend WebSocket server.
+
+---
+
+### `media.conf.j2`
+- **Purpose:**  
+  Proxies and caches static media files (images, icons, etc.).
+- **Features:**  
+  - Matches image file extensions (jpg, png, gif, webp, ico, svg, etc.).
+  - Enables browser-side and proxy-side caching for efficient delivery.
+  - Adds cache control headers and exposes the upstream cache status.
+
+---
+
+## Usage
+
+These templates are intended for inclusion in larger Nginx configuration files via Jinja2.  
+They modularize your configuration by separating HTML, WebSocket, and media proxying, allowing for clear, reusable, and maintainable reverse proxy logic.
+
+- Use `html.conf.j2` for standard application HTTP/S endpoints.
+- Use `ws.conf.j2` for dedicated WebSocket endpoints.
+- Use `media.conf.j2` for efficient handling of static media content.
+
+---
+
+## Best Practices
+
+- Only enable WebSocket proxying (`ws.conf.j2`) for routes that actually require it, to avoid breaking buffering for standard HTTP.
+- Activate media proxying (`media.conf.j2`) if your application benefits from image caching at the proxy layer.
+- Keep templates modular for maintainability and scalability as your application grows.

roles/sys-svc-proxy/templates/location/TODO.md

@@ -0,0 +1,2 @@
+# TODOS
+- ATM it seems like the media proxy isn't used. Propably it could make sense to activate it. -> Research it.

roles/sys-svc-proxy/templates/location/html.conf.j2

@@ -0,0 +1,40 @@
+{% set location = location | default("/")%}
+location {{location}}
+{
+  {% if oauth2_proxy_enabled | default(false) | bool %}
+    {% include 'roles/web-app-oauth2-proxy/templates/following_directives.conf.j2'%}
+  {% endif %}
+
+  {% set _loc = location|trim %}
+  proxy_pass http://127.0.0.1:{{ http_port }}{{ (_loc|regex_replace('^(?:=|\\^~)\\s*','')) if not (_loc is match('^(@|~)')) else '' }};
+
+  # headers
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Forwarded-Port {{ WEB_PORT }};
+
+  {% include 'roles/sys-svc-proxy/templates/headers/content_security_policy.conf.j2' %}
+
+  # WebSocket specific header
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "upgrade";
+
+  # timeouts
+  proxy_connect_timeout     5s;
+  proxy_send_timeout        900s;
+  proxy_read_timeout        900s;
+  send_timeout              900s;
+  
+  {% set proxy_lua_enabled = proxy_lua_enabled | default(true) | bool %}
+  # Buffering needs to be activ, so that lua can do str replaces
+  proxy_buffering           {{ 'on' if proxy_lua_enabled else 'off' }}; 
+  proxy_request_buffering   {{ 'on' if proxy_lua_enabled else 'off' }};
+
+  {% if proxy_lua_enabled %}
+  proxy_set_header Accept-Encoding "";
+  {% include 'roles/sys-front-inj-all/templates/location.lua.j2'%}
+  {% endif %}
+}

roles/sys-svc-proxy/templates/location/media.conf.j2

@@ -0,0 +1,12 @@
+location ~* \.(jpg|jpeg|png|gif|webp|ico|svg)$ {
+    # Cache in browser
+    expires 30d;
+    add_header Cache-Control "public, max-age=2592000, immutable";
+
+    # Cache on reverse proxy side
+    proxy_pass http://127.0.0.1:{{ http_port }};
+    proxy_cache imgcache;
+    proxy_cache_valid 200 302 60m;
+    proxy_cache_valid 404 1m;
+    add_header X-Proxy-Cache $upstream_cache_status;
+}

roles/sys-svc-proxy/templates/location/upload.conf.j2

@@ -0,0 +1,13 @@
+location {{ location_upload }} {
+    proxy_pass              http://127.0.0.1:{{ http_port }};
+    proxy_set_header        Host              $host;
+    proxy_set_header        X-Real-IP         $remote_addr;
+    proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    client_max_body_size    {{ client_max_body_size }};
+    proxy_buffering         off;
+    proxy_request_buffering off;
+    proxy_read_timeout      120s;
+    proxy_connect_timeout   120s;
+    proxy_send_timeout      120s;
+}

roles/sys-svc-proxy/templates/location/ws.conf.j2

@@ -0,0 +1,14 @@
+location {{ location_ws }} {
+  proxy_set_header Host              $host;
+  proxy_set_header X-Real-IP         $remote_addr;
+  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_pass                         http://127.0.0.1:{{ ws_port }};
+  
+  # Proxy buffering needs to be disabled for websockets. 
+  proxy_buffering      off;
+  proxy_http_version   1.1;
+  proxy_set_header     Upgrade        $http_upgrade;
+  proxy_set_header     Connection     $connection_upgrade;
+  tcp_nodelay          on;
+}