Initial release

proxy/Caddyfile

@@ -0,0 +1,56 @@
+# Caddyfile — Cathode + WeeChat relay reverse proxy
+#
+# This config does two things:
+#   1. Serves the Cathode static files at the root
+#   2. Proxies /api/* to WeeChat's relay (API protocol) with WebSocket support
+#
+# Caddy handles TLS automatically (Let's Encrypt) when you use a real domain.
+# Replace cathode.example.com with your actual domain.
+
+cathode.example.com {
+
+    # Serve Cathode static files
+    root * /var/www/cathode
+    file_server
+
+    # Proxy WeeChat relay API (REST + WebSocket)
+    # WeeChat listens on localhost:9000 — adjust if needed
+    handle /api* {
+        reverse_proxy localhost:9000 {
+            # Pass the real client IP to WeeChat
+            header_up X-Real-IP {remote_host}
+
+            # Required for WebSocket upgrade
+            transport http {
+                # If WeeChat relay uses a self-signed cert on localhost,
+                # disable verification for the backend connection
+                # tls_insecure_skip_verify
+            }
+        }
+    }
+
+    # Security headers
+    header {
+        X-Content-Type-Options    nosniff
+        X-Frame-Options           DENY
+        Referrer-Policy           strict-origin-when-cross-origin
+    }
+
+    # Optional: enable compression for static assets
+    encode gzip
+}
+
+
+# ── Local / LAN setup (no domain, plain HTTP) ────────────────────────────────
+# If you're running on a LAN and don't have a domain, use this instead.
+# Note: browsers will require ws:// (not wss://) and you must uncheck TLS
+# in Cathode's connect screen.
+#
+# :8080 {
+#     root * /var/www/cathode
+#     file_server
+#
+#     handle /api* {
+#         reverse_proxy localhost:9000
+#     }
+# }

proxy/apache.conf

@@ -0,0 +1,89 @@
+# Apache VirtualHost config for Cathode
+# Drop in /etc/apache2/sites-available/cathode.conf
+# Enable with: sudo a2ensite cathode
+#
+# Required modules:
+#   sudo a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers
+#
+# For TLS certs use certbot:
+#   sudo certbot --apache -d cathode.example.com
+
+# HTTP → HTTPS redirect
+<VirtualHost *:80>
+    ServerName cathode.example.com
+    Redirect permanent / https://cathode.example.com/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName cathode.example.com
+
+    # TLS (certbot will fill these in, or provide your own)
+    SSLEngine on
+    SSLCertificateFile    /etc/letsencrypt/live/cathode.example.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/cathode.example.com/privkey.pem
+
+    # Modern TLS
+    SSLProtocol           -all +TLSv1.2 +TLSv1.3
+    SSLHonorCipherOrder   off
+
+    # Serve Cathode static files
+    DocumentRoot /var/www/cathode
+    <Directory /var/www/cathode>
+        Options -Indexes +FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    # Proxy WeeChat relay API — REST and WebSocket
+    # WeeChat listens on localhost:9000 — adjust if needed
+
+    # Enable proxy for this vhost
+    ProxyRequests off
+
+    # WebSocket proxy: must come before the plain HTTP proxy rule
+    # Apache uses mod_proxy_wstunnel for WebSocket upgrades
+    RewriteEngine on
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule ^/api(.*)       ws://localhost:9000/api$1 [P,L]
+
+    # Plain HTTP proxy for REST requests to /api
+    ProxyPass        /api http://localhost:9000/api
+    ProxyPassReverse /api http://localhost:9000/api
+
+    # Pass real client IP
+    ProxyPreserveHost on
+    RequestHeader set X-Real-IP "%{REMOTE_ADDR}s"
+
+    # Timeouts for long-lived WebSocket connections
+    ProxyTimeout 3600
+
+    # Security headers
+    Header always set X-Content-Type-Options  "nosniff"
+    Header always set X-Frame-Options         "DENY"
+    Header always set Referrer-Policy         "strict-origin-when-cross-origin"
+
+    # Logging
+    ErrorLog  ${APACHE_LOG_DIR}/cathode_error.log
+    CustomLog ${APACHE_LOG_DIR}/cathode_access.log combined
+</VirtualHost>
+
+
+# ── Local / LAN setup (no domain, plain HTTP) ────────────────────────────────
+# If you're on a LAN without a domain, use this simpler block.
+# Cathode connect screen: uncheck TLS, use ws:// (port 8080 here).
+#
+# <VirtualHost *:8080>
+#     DocumentRoot /var/www/cathode
+#     <Directory /var/www/cathode>
+#         Options -Indexes
+#         Require all granted
+#     </Directory>
+#
+#     ProxyRequests off
+#     RewriteEngine on
+#     RewriteCond %{HTTP:Upgrade} =websocket [NC]
+#     RewriteRule ^/api(.*)  ws://localhost:9000/api$1 [P,L]
+#     ProxyPass        /api http://localhost:9000/api
+#     ProxyPassReverse /api http://localhost:9000/api
+#     ProxyTimeout 3600
+# </VirtualHost>

proxy/nginx.conf

@@ -0,0 +1,100 @@
+# nginx.conf (or drop in /etc/nginx/sites-available/cathode)
+#
+# This config:
+#   1. Serves the Cathode static files at the root
+#   2. Proxies /api/* to WeeChat's relay with WebSocket support
+#   3. Handles TLS termination (you must provide your own certs, or use
+#      certbot: sudo certbot --nginx -d cathode.example.com)
+#
+# Replace cathode.example.com and cert paths as needed.
+
+server {
+    listen 80;
+    server_name cathode.example.com;
+
+    # Redirect all HTTP → HTTPS
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name cathode.example.com;
+
+    # TLS certificates (use certbot or provide your own)
+    ssl_certificate     /etc/letsencrypt/live/cathode.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/cathode.example.com/privkey.pem;
+
+    # Modern TLS settings
+    ssl_protocols             TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache         shared:SSL:10m;
+    ssl_session_timeout       1d;
+
+    # Serve Cathode static files
+    root  /var/www/cathode;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Proxy WeeChat relay API — REST and WebSocket
+    # WeeChat listens on localhost:9000 — adjust if needed
+    location /api {
+
+        proxy_pass http://localhost:9000;
+
+        # Required for WebSocket upgrade
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade    $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Standard proxy headers
+        proxy_set_header Host            $host;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # WebSocket connections can be long-lived — raise the timeouts
+        proxy_read_timeout  3600s;
+        proxy_send_timeout  3600s;
+        proxy_connect_timeout 10s;
+
+        # Disable buffering for real-time streaming
+        proxy_buffering off;
+    }
+
+    # Security headers
+    add_header X-Content-Type-Options  nosniff          always;
+    add_header X-Frame-Options         DENY             always;
+    add_header Referrer-Policy         strict-origin-when-cross-origin always;
+
+    # Compression
+    gzip            on;
+    gzip_types      text/css application/javascript text/plain;
+    gzip_min_length 1024;
+}
+
+
+# ── Local / LAN setup (no domain, plain HTTP) ────────────────────────────────
+# If you're on a LAN without a domain, use this simpler block.
+# Cathode connect screen: uncheck TLS, use ws:// (port 8080 here).
+#
+# server {
+#     listen 8080;
+#
+#     root  /var/www/cathode;
+#     index index.html;
+#
+#     location / {
+#         try_files $uri $uri/ =404;
+#     }
+#
+#     location /api {
+#         proxy_pass http://localhost:9000;
+#         proxy_http_version 1.1;
+#         proxy_set_header Upgrade    $http_upgrade;
+#         proxy_set_header Connection "upgrade";
+#         proxy_read_timeout 3600s;
+#         proxy_buffering off;
+#     }
+# }