kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-10-10 10:48:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
251f7b227d13137c9779c578a4528f114d316e7d
computer-playbook/roles/sys-svc-proxy
History
Kevin Veen-Birkenbach aa19a97ed6 CORS/CSP hardening & centralization 
- Add reusable Nginx include: roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
  (dynamic ACAO/credentials/methods/headers via role vars)
- Set global 'Vary: Origin' in nginx.conf.j2 to prevent cache poisoning
- CSP: allow Simple Icons via connect-src when feature is enabled
- Front proxy: rename vars to lowercase + flush handlers after config deploy
- Desktop: gate & load Simple Icons role; inject brand logos when enabled
- Bluesky + Logout: replace inline CORS with centralized include
- Simpleicons: public CORS (ACAO='*', no credentials), keep GET/OPTIONS, allow headers
- Taiga: adjust canonical domain to taiga.kanban.{{ PRIMARY_DOMAIN }}
- LibreTranslate: remove unused images/versions keys

Fixes: https://open.project.infinito.nexus/projects/cymais/work_packages/342/activity
Discussion: https://chatgpt.com/share/68da5e27-ffd4-800f-91a3-0ef103058d44
2025-09-29 12:23:58 +02:00
..
meta
Refactored server roles for better readability
2025-09-01 18:08:35 +02:00
templates
CORS/CSP hardening & centralization
2025-09-29 12:23:58 +02:00
README.md
refactor(webserver): rename roles and update references
2025-09-26 19:34:42 +02:00
TODO.md
refactor(webserver): rename roles and update references
2025-09-26 19:34:42 +02:00

README.md

Nginx Docker Reverse Proxy 🚀

Description

This Ansible role deploys Nginx as a high-performance reverse proxy in front of Docker-hosted services.
It provides automatic TLS integration, WebSocket support, and a flexible templating system for per-application configuration.

Overview

Optimised for Arch Linux, the role installs Nginx, prepares opinionated configuration snippets and exposes a simple interface for other roles to drop in new virtual-hosts.
It plays well with Lets Encrypt, OAuth2 Proxy, and your existing Docker stack.

Purpose

The goal of this role is to deliver a hassle-free, production-ready reverse proxy for self-hosted containers, suitable for homelabs and small-scale production workloads.

Features

  • Automatic TLS & HSTS — integrates with the sys-svc-webserver-https role for certificate management.
  • Flexible vHost templatesbasic and ws_generic flavours cover standard HTTP and WebSocket applications.
  • Security headers — sensible defaults plus optional X-Frame-Options / CSP based on application settings.
  • WebSocket & HTTP/2 aware — upgrades, keep-alive tuning, and gzip already configured.
  • OAuth2 gating — drop-in support when web-app-oauth2-proxy is present.
  • Modular includes — headers, locations, and global snippets are factored for easy extension.

Credits 📝

Developed and maintained by Kevin Veen-Birkenbach.
More at https://www.veen.world

Part of the Infinito.Nexus Project — licensed under the Infinito.Nexus NonCommercial License