replace portmap.js with static templates

create-a-container/server.js

@@ -141,6 +141,16 @@ app.get('/containers', requireAuth, async (req, res) => {
   return res.render('containers', { rows });
 });
 
+// Generate nginx configuration for a container
+app.get('/nginx.conf', async (req, res) => {
+  const services = await Service.findAll({
+    where: { type: 'http' },
+    include: [{ model: Container }]
+  });
+  res.contentType('text/plain');
+  return res.render('nginx-conf', { services });
+});
+
 // Create container
 app.post('/containers', async (req, res) => {
   const isInit = req.body.init === 'true' || req.body.init === true;

create-a-container/views/nginx-conf.ejs

@@ -0,0 +1,72 @@
+server_names_hash_bucket_size 128;
+
+<% services.forEach((service, index) => { %>
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  listen 443 quic;
+  listen [::]:443 quic;
+  http2 on;
+  http3 on;
+
+  server_name <%= service.externalHostname %>.opensource.mieweb.org;
+
+  # SSL certificates
+  ssl_certificate /root/.acme.sh/opensource.mieweb.org/fullchain.cer;
+  ssl_certificate_key /root/.acme.sh/opensource.mieweb.org/opensource.mieweb.org.key;
+
+  # Modern TLS configuration
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+  ssl_prefer_server_ciphers off;
+
+  # SSL session optimization
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 10m;
+  ssl_session_tickets off;
+
+  # OCSP stapling
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  ssl_trusted_certificate /root/.acme.sh/opensource.mieweb.org/fullchain.cer;
+  resolver 1.1.1.1 8.8.8.8 valid=300s;
+  resolver_timeout 5s;
+
+  # Security headers
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+  add_header X-Frame-Options "SAMEORIGIN" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+  # Proxy settings
+  location / {
+    proxy_pass http://<%= service.Container.ipv4Address %>:<%= service.internalPort %>;
+    proxy_http_version 1.1;
+
+    # Proxy headers
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Port $server_port;
+
+    # WebSocket support
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    # Timeouts
+    proxy_connect_timeout 60s;
+    proxy_send_timeout 60s;
+    proxy_read_timeout 60s;
+
+    # Buffering (disable for SSE/streaming)
+    proxy_buffering off;
+    proxy_request_buffering off;
+
+    # Allow large uploads
+    client_max_body_size 100M;
+  }
+}
+<% }) %>

nginx-reverse-proxy/pull-config.cron

@@ -0,0 +1,3 @@
+SHELL=/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+* * * * * root /opt/opensource-server/nginx-reverse-proxy/pull-config.sh

nginx-reverse-proxy/pull-config.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+CONF_FILE=/etc/nginx/conf.d/reverse-proxy.conf
+CONF_URL=https://create-a-container.opensource.mieweb.org/nginx.conf
+
+mv "${CONF_FILE}" "${CONF_FILE}.bak"
+curl -fsSL -o "${CONF_FILE}" "${CONF_URL}"
+
+if ! nginx -t; then
+  mv "${CONF_FILE}.bak" "${CONF_FILE}"
+  exit 1
+fi
+
+rm -f "${CONF_FILE}.bak"
+nginx -s reload