Refactored server roles for better readability

2025-10-31 10:19:09 +00:00 · 2025-09-01 18:08:35 +02:00
parent b7065837df
commit b02d88adc0
77 changed files with 103 additions and 116 deletions
--- a/roles/sys-svc-proxy/templates/vhost/README.md
+++ b/roles/sys-svc-proxy/templates/vhost/README.md
@@ -0,0 +1,78 @@
+# Nginx vHost Templates: Basic vs. WebSocket (ws_generic)
+
+This directory provides two Nginx server templates for reverse proxying Dockerized applications behind Nginx:  
+- `basic.conf.j2`
+- `ws_generic.conf.j2`
+
+---
+
+## When to Use Which Template?
+
+### 1. `basic.conf.j2`
+**Use this template for standard HTTP/S applications.**  
+It is optimized for typical web applications (e.g., static sites, PHP, Node.js, Django, etc.) that do **not** require persistent, bidirectional WebSocket connections.
+
+- **Features:**
+  - HTTP/2 support, TLS/SSL integration
+  - Reverse proxy with buffering enabled (`proxy_buffering on`)
+  - Allows advanced content filtering (e.g., via Lua body/headers)
+  - Suitable for most REST APIs, web frontends, and admin panels
+
+- **Pros:**
+  - Enables HTML/body manipulation (for injecting snippets, analytics, CSP, etc.)
+  - Optimized for efficient caching and GZIP compression
+  - Good default for "normal" web traffic
+
+- **Cons:**
+  - **Not** suitable for WebSocket endpoints (buffering can break WS)
+  - Slightly more latency for streaming data due to buffering
+
+---
+
+### 2. `ws_generic.conf.j2`
+**Use this template for applications requiring WebSocket support.**  
+Designed for services (e.g., chat servers, real-time dashboards) needing fast, persistent connections using the WebSocket protocol.
+
+- **Features:**
+  - WebSocket-aware: `proxy_buffering off`, special upgrade headers
+  - Supports standard HTTP/S traffic alongside WebSockets
+  - Proper handling of connection upgrades and protocol switching
+
+- **Pros:**
+  - Required for all WebSocket endpoints
+  - Allows instant, low-latency bidirectional traffic
+  - Prevents data loss or connection drops due to proxy buffering
+
+- **Cons:**
+  - Disables body/content filtering and response manipulation
+  - No buffering means less effective for caching/optimization
+  - Not suitable for scenarios requiring Lua/JS content injection
+
+---
+
+## Summary Table
+
+| Use Case                 | Template            | Buffering | WebSocket? | Can Filter Content? |
+|--------------------------|---------------------|-----------|------------|--------------------|
+| Static/Classic Website   | `basic.conf.j2`     | On        | No         | Yes                |
+| REST API                 | `basic.conf.j2`     | On        | No         | Yes                |
+| Real-Time Chat/App       | `ws_generic.conf.j2`| Off       | Yes        | No                 |
+| Dashboard w/Live Data    | `ws_generic.conf.j2`| Off       | Yes        | No                 |
+| Needs HTML Injection     | `basic.conf.j2`     | On        | No         | Yes                |
+
+---
+
+## Good to Know
+
+- **Never enable buffering for true WebSocket connections!**  
+  Use `proxy_buffering off;` (as in `ws_generic.conf.j2`) or connections may fail.
+- For most classic web applications, use the **basic template**.
+- For apps where you want to inject or modify HTML (e.g., analytics scripts), **only the basic template** supports this.
+
+---
+
+## Author & Project
+
+By [Kevin Veen-Birkenbach](https://www.veen.world)  
+Part of the [Infinito.Nexus Project](https://s.infinito.nexus/code)  
+Licensed under the [Infinito.Nexus NonCommercial License](https://s.infinito.nexus/license)
--- a/roles/sys-svc-proxy/templates/vhost/basic.conf.j2
+++ b/roles/sys-svc-proxy/templates/vhost/basic.conf.j2
@@ -0,0 +1,62 @@
+server
+{
+  server_name {{ domain }};
+  {% include 'roles/sys-svc-proxy/templates/headers/buffers.conf.j2' %}
+  
+  {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
+    {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
+  {% endif %}
+
+  {% include 'roles/sys-front-inj-all/templates/server.conf.j2'%}
+  
+  {% if proxy_extra_configuration is defined %}
+    {# Additional Domain Specific Configuration #}
+    {{ proxy_extra_configuration }}
+  {% endif %}
+
+  {% include 'roles/sys-svc-letsencrypt/templates/ssl_header.j2' %}
+
+  {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
+    {% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', False, {}) %}
+
+    {% if acl.blacklist is defined %}
+      {# 1. Expose everything by default, then protect blacklisted paths #}
+      {% set oauth2_proxy_enabled = false %}
+      {% set location = "/" %}
+      {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+
+      {% for loc in acl.blacklist %}
+        {% set oauth2_proxy_enabled = true %}
+        {% set location = loc %}
+        {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+      {% endfor %}
+
+    {% elif acl.whitelist is defined %}
+      {# 2. Protect everything by default, then expose whitelisted paths #}
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = "/" %}
+      {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+
+      {% for loc in acl.whitelist %}
+        {% set oauth2_proxy_enabled = false %}
+        {% set location = loc %}
+        {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+      {% endfor %}
+
+    {% else %}
+      {# 3. OAuth2 enabled but no (or empty) ACL — protect all #}
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = "/" %}
+      {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+    {% endif %}
+
+  {% else %}
+    {# 4. OAuth2 completely disabled — expose all #}
+    {% set oauth2_proxy_enabled = false %}
+    {% set location = "/" %}
+    {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+  {% endif %}
+
+}
+
+
--- a/roles/sys-svc-proxy/templates/vhost/ws_generic.conf.j2
+++ b/roles/sys-svc-proxy/templates/vhost/ws_generic.conf.j2
@@ -0,0 +1,35 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+  server_name {{ domain }};
+
+  {% include 'roles/sys-svc-letsencrypt/templates/ssl_header.j2' %}
+
+  {% include 'roles/sys-front-inj-all/templates/server.conf.j2' %}
+
+  client_max_body_size {{ client_max_body_size | default('100m') }};
+  keepalive_timeout    70;
+  sendfile             on;
+
+  gzip on;
+  gzip_disable "msie6";
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_buffers 16 8k;
+  gzip_http_version 1.1;
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+  add_header Strict-Transport-Security "max-age=31536000";
+
+  {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+
+  {% if location_ws is defined %}
+    {% include 'roles/sys-svc-proxy/templates/location/ws.conf.j2' %}
+  {% endif %}
+
+  error_page 500 501 502 503 504 /500.html;
+}