kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-11-06 05:08:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0c16f9c43c00b083dc9d68766f923cb3c9c87518
computer-playbook/roles/sys-svc-proxy
History
Kevin Veen-Birkenbach 57d5269b07 CSP (Safari-safe): merge -elem/-attr into base; respect explicit disables; no mirror-back; header only for documents/workers 
- Add CSP3 support for style/script: include -elem and -attr directives
- Base (style-src, script-src) now unions elem/attr (CSP2/Safari fallback)
- Respect explicit base disables (e.g. style-src.unsafe-inline: false)
- Hashes only when 'unsafe-inline' absent in the final base tokens
- Nginx: set CSP only for HTML/worker via header_filter_by_lua_block; drop for subresources
- Remove per-location header_filter; keep body_filter only
- Update app role flags to *-attr where appropriate; extend desktop CSS sources
- Add comprehensive unit tests for union/explicit-disable/no-mirror-back

Ref: https://chatgpt.com/share/68f87a0a-cebc-800f-bb3e-8c8ab4dee8ee
2025-10-22 13:53:06 +02:00
..
meta
templates
CSP (Safari-safe): merge -elem/-attr into base; respect explicit disables; no mirror-back; header only for documents/workers
2025-10-22 13:53:06 +02:00
README.md
refactor(webserver): rename roles and update references
2025-09-26 19:34:42 +02:00
TODO.md
refactor(webserver): rename roles and update references
2025-09-26 19:34:42 +02:00

README.md

Nginx Docker Reverse Proxy 🚀

Description

This Ansible role deploys Nginx as a high-performance reverse proxy in front of Docker-hosted services.
It provides automatic TLS integration, WebSocket support, and a flexible templating system for per-application configuration.

Overview

Optimised for Arch Linux, the role installs Nginx, prepares opinionated configuration snippets and exposes a simple interface for other roles to drop in new virtual-hosts.
It plays well with Lets Encrypt, OAuth2 Proxy, and your existing Docker stack.

Purpose

The goal of this role is to deliver a hassle-free, production-ready reverse proxy for self-hosted containers, suitable for homelabs and small-scale production workloads.

Features

  • Automatic TLS & HSTS — integrates with the sys-svc-webserver-https role for certificate management.
  • Flexible vHost templatesbasic and ws_generic flavours cover standard HTTP and WebSocket applications.
  • Security headers — sensible defaults plus optional X-Frame-Options / CSP based on application settings.
  • WebSocket & HTTP/2 aware — upgrades, keep-alive tuning, and gzip already configured.
  • OAuth2 gating — drop-in support when web-app-oauth2-proxy is present.
  • Modular includes — headers, locations, and global snippets are factored for easy extension.

Credits 📝

Developed and maintained by Kevin Veen-Birkenbach.
More at https://www.veen.world

Part of the Infinito.Nexus Project — licensed under the Infinito.Nexus NonCommercial License