feat: implement Remote WinBox worker, API, frontend integration, OpenBao persistence, and supporting docs

2026-03-14 09:05:14 -05:00
parent 7af08276ea
commit 970501e453
86 changed files with 3440 additions and 3764 deletions
--- a/infrastructure/reverse-proxy-examples/haproxy/haproxy.cfg.example
+++ b/infrastructure/reverse-proxy-examples/haproxy/haproxy.cfg.example
@@ -0,0 +1,77 @@
+# The Other Dude — HAProxy reverse proxy example
+#
+# This config assumes:
+#   - TOD frontend runs on FRONTEND_HOST:3000
+#   - TOD API runs on API_HOST:8001
+#   - WinBox worker Xpra ports are on WORKER_HOST:10100-10119
+#   - TLS is terminated by HAProxy
+#
+# Replace tod.example.com and upstream addresses with your values.
+#
+# IMPORTANT: Do NOT enable compression on the xpra backend —
+# compressing WebSocket binary frames corrupts Xpra mouse/keyboard data.
+
+global
+    log stdout format raw local0
+    maxconn 4096
+
+defaults
+    log     global
+    mode    http
+    option  httplog
+    timeout connect 10s
+    timeout client  300s
+    timeout server  300s
+    timeout tunnel  3600s
+
+# ── Frontend ─────────────────────────────────────────────────────────
+
+frontend https
+    bind *:443 ssl crt /etc/ssl/certs/tod.example.com.pem
+    bind *:80
+    redirect scheme https code 301 if !{ ssl_fc }
+
+    # Security headers
+    http-response set-header X-Frame-Options "SAMEORIGIN"
+    http-response set-header X-Content-Type-Options "nosniff"
+    http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
+
+    # Routing rules (order matters — first match wins)
+    acl is_xpra path_beg /xpra/
+    acl is_api  path_beg /api/
+
+    use_backend xpra if is_xpra
+    use_backend api  if is_api
+    default_backend frontend
+
+# ── Backends ─────────────────────────────────────────────────────────
+
+backend api
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+    server api1 YOUR_TOD_HOST:8001 check
+
+backend frontend
+    option forwardfor
+    server fe1 YOUR_TOD_HOST:3000 check
+
+# Xpra backend — uses a Lua or map-based approach to extract the port
+# from the URL path. This example covers port 10100; add servers for
+# 10101-10119 as needed, or use HAProxy's Lua scripting for dynamic routing.
+#
+# WARNING: Do NOT add "compression" directives to this backend.
+backend xpra
+    option forwardfor
+
+    # Strip /xpra/{port} prefix
+    http-request set-path %[path,regsub(^/xpra/[0-9]+/,/)]
+
+    # Route to the correct port based on URL
+    # For dynamic port routing, use a map file or Lua script.
+    # Static example for port 10100:
+    acl xpra_10100 path_beg /xpra/10100/
+    use-server xpra10100 if xpra_10100
+
+    server xpra10100 YOUR_TOD_HOST:10100 check
+    # server xpra10101 YOUR_TOD_HOST:10101 check
+    # ... add through 10119 as needed