setup_nginx_proxy.sh

#!/usr/bin/env bash
set -Eeuo pipefail

# =============================================================================
# OPNsense NGINX Reverse Proxy Setup Script
# =============================================================================
# Dieses Script konfiguriert einen NGINX Reverse Proxy auf OPNsense
# für eine neue n8n-Instanz über die OPNsense API.
# =============================================================================

# Debug mode: 0 = nur JSON, 1 = Logs auf stderr
DEBUG="${DEBUG:-0}"
export DEBUG

# Logging functions
log_ts() { date "+[%F %T]"; }
info() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) INFO: $*" >&2; return 0; }
warn() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) WARN: $*" >&2; return 0; }
die() {
  if [[ "$DEBUG" == "1" ]]; then
    echo "$(log_ts) ERROR: $*" >&2
  else
    echo "{\"error\": \"$*\"}"
  fi
  exit 1
}

# =============================================================================
# Default Configuration
# =============================================================================
# OPNsense kann über Hostname ODER IP angesprochen werden
OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}"
OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}"
OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}"

# Wildcard-Zertifikat UUID (muss in OPNsense nachgeschlagen werden)
# Kann über --certificate-uuid oder Umgebungsvariable gesetzt werden
CERTIFICATE_UUID="${CERTIFICATE_UUID:-}"

# =============================================================================
# Usage
# =============================================================================
usage() {
  cat >&2 <<'EOF'
Usage:
  bash setup_nginx_proxy.sh [options]

Required options (for proxy setup):
  --ctid <id>              Container ID (used as description)
  --hostname <name>        Hostname (e.g., sb-1768736636)
  --fqdn <domain>          Full domain name (e.g., sb-1768736636.userman.de)
  --backend-ip <ip>        Backend IP address (e.g., 192.168.45.135)
  --backend-port <port>    Backend port (default: 5678)

Optional:
  --opnsense-host <ip>     OPNsense IP or hostname (default: 192.168.45.1)
  --certificate-uuid <uuid> UUID of the SSL certificate in OPNsense
  --list-certificates      List available certificates and exit
  --test-connection        Test API connection and exit
  --debug                  Enable debug mode
  --help                   Show this help

Examples:
  # List certificates:
  bash setup_nginx_proxy.sh --list-certificates --debug

  # Test API connection:
  bash setup_nginx_proxy.sh --test-connection --debug

  # Setup proxy:
  bash setup_nginx_proxy.sh --ctid 768736636 --hostname sb-1768736636 \
    --fqdn sb-1768736636.userman.de --backend-ip 192.168.45.135

  # With custom OPNsense IP:
  bash setup_nginx_proxy.sh --opnsense-host 192.168.45.1 --list-certificates
EOF
}

# =============================================================================
# Default values for arguments
# =============================================================================
CTID=""
HOSTNAME=""
FQDN=""
BACKEND_IP=""
BACKEND_PORT="5678"
LIST_CERTIFICATES="0"
TEST_CONNECTION="0"

# =============================================================================
# Argument parsing
# =============================================================================
while [[ $# -gt 0 ]]; do
  case "$1" in
    --ctid) CTID="${2:-}"; shift 2 ;;
    --hostname) HOSTNAME="${2:-}"; shift 2 ;;
    --fqdn) FQDN="${2:-}"; shift 2 ;;
    --backend-ip) BACKEND_IP="${2:-}"; shift 2 ;;
    --backend-port) BACKEND_PORT="${2:-}"; shift 2 ;;
    --opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;;
    --certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;;
    --list-certificates) LIST_CERTIFICATES="1"; shift 1 ;;
    --test-connection) TEST_CONNECTION="1"; shift 1 ;;
    --debug) DEBUG="1"; export DEBUG; shift 1 ;;
    --help|-h) usage; exit 0 ;;
    *) die "Unknown option: $1 (use --help)" ;;
  esac
done

# =============================================================================
# API Base URL (nach Argument-Parsing setzen!)
# =============================================================================
API_BASE="https://${OPNSENSE_HOST}/api"

# =============================================================================
# API Helper Functions (MÜSSEN VOR list_certificates definiert werden!)
# =============================================================================

# Make API request to OPNsense
api_request() {
  local method="$1"
  local endpoint="$2"
  local data="${3:-}"
  
  local url="${API_BASE}${endpoint}"
  local auth="${OPNSENSE_API_KEY}:${OPNSENSE_API_SECRET}"
  
  info "API ${method} ${url}"
  
  local response
  if [[ -n "$data" ]]; then
    response=$(curl -s -k -X "${method}" \
      -u "${auth}" \
      -H "Content-Type: application/json" \
      -d "${data}" \
      "${url}" 2>&1)
  else
    response=$(curl -s -k -X "${method}" \
      -u "${auth}" \
      "${url}" 2>&1)
  fi
  
  echo "$response"
}

# Search for existing item by description
search_by_description() {
  local endpoint="$1"
  local description="$2"
  
  local response
  response=$(api_request "GET" "${endpoint}/search")
  
  # Extract UUID where description matches
  echo "$response" | python3 -c "
import json, sys
try:
    data = json.load(sys.stdin)
    rows = data.get('rows', [])
    for row in rows:
        if row.get('description', '') == '${description}':
            print(row.get('uuid', ''))
            sys.exit(0)
except:
    pass
" 2>/dev/null || true
}

# Find certificate by Common Name (CN)
find_certificate_by_cn() {
  local cn_pattern="$1"
  
  local response
  response=$(api_request "GET" "/trust/cert/search")
  
  # Extract UUID where CN contains the pattern (for wildcard certs)
  echo "$response" | python3 -c "
import json, sys
pattern = '${cn_pattern}'
try:
    data = json.load(sys.stdin)
    rows = data.get('rows', [])
    for row in rows:
        cn = row.get('cn', '')
        descr = row.get('descr', '')
        # Match wildcard or exact domain
        if pattern in cn or pattern in descr:
            print(row.get('uuid', ''))
            sys.exit(0)
        # Also check for wildcard pattern
        if cn.startswith('*.') and pattern.endswith(cn[2:]):
            print(row.get('uuid', ''))
            sys.exit(0)
except:
    pass
" 2>/dev/null || true
}

# =============================================================================
# Utility Functions
# =============================================================================

# Test API connection
test_connection() {
  info "Testing API connection to OPNsense at ${OPNSENSE_HOST}..."
  
  local response
  response=$(api_request "GET" "/core/firmware/status")
  
  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'status' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
    echo "✓ API connection successful to ${OPNSENSE_HOST}"
    echo "Response: $(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d, indent=2)[:500])" 2>/dev/null || echo "$response")"
    return 0
  else
    echo "✗ API connection failed to ${OPNSENSE_HOST}"
    echo "Response: $response"
    return 1
  fi
}

# List available certificates
list_certificates() {
  info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}..."
  
  local response
  response=$(api_request "GET" "/trust/cert/search")
  
  echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}):"
  echo "============================================================"
  echo "$response" | python3 -c "
import json, sys
try:
    data = json.load(sys.stdin)
    rows = data.get('rows', [])
    if not rows:
        print('No certificates found.')
        print('Raw response:', data)
    for row in rows:
        uuid = row.get('uuid', 'N/A')
        descr = row.get('descr', 'N/A')
        cn = row.get('cn', 'N/A')
        print(f'UUID: {uuid}')
        print(f'  Description: {descr}')
        print(f'  Common Name: {cn}')
        print()
except Exception as e:
    print(f'Error parsing response: {e}', file=sys.stderr)
    print(f'Raw response: {sys.stdin.read()}', file=sys.stderr)
    sys.exit(1)
" 2>&1
}

# =============================================================================
# Handle special commands first (before validation)
# =============================================================================

if [[ "$TEST_CONNECTION" == "1" ]]; then
  test_connection
  exit $?
fi

if [[ "$LIST_CERTIFICATES" == "1" ]]; then
  list_certificates
  exit 0
fi

# =============================================================================
# Validation (nur für Proxy-Setup)
# =============================================================================
[[ -n "$CTID" ]] || die "--ctid is required"
[[ -n "$HOSTNAME" ]] || die "--hostname is required"
[[ -n "$FQDN" ]] || die "--fqdn is required"
[[ -n "$BACKEND_IP" ]] || die "--backend-ip is required"

info "Configuration:"
info "  CTID: ${CTID}"
info "  Hostname: ${HOSTNAME}"
info "  FQDN: ${FQDN}"
info "  Backend: ${BACKEND_IP}:${BACKEND_PORT}"
info "  OPNsense: ${OPNSENSE_HOST}"
info "  Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}"

# =============================================================================
# NGINX Configuration Steps
# =============================================================================

# Step 1: Create or update Upstream Server
create_upstream_server() {
  local description="$1"
  local server_ip="$2"
  local server_port="$3"
  
  info "Step 1: Creating Upstream Server..."
  
  # Check if upstream server already exists
  local existing_uuid
  existing_uuid=$(search_by_description "/nginx/settings/upstream_server" "${description}")
  
  local data
  data=$(cat <<EOF
{
  "upstream_server": {
    "description": "${description}",
    "server": "${server_ip}",
    "port": "${server_port}",
    "priority": "1",
    "max_conns": "",
    "max_fails": "",
    "fail_timeout": "",
    "no_use": "0"
  }
}
EOF
)
  
  local response
  if [[ -n "$existing_uuid" ]]; then
    info "Upstream Server exists (UUID: ${existing_uuid}), updating..."
    response=$(api_request "POST" "/nginx/settings/setUpstreamServer/${existing_uuid}" "$data")
  else
    info "Creating new Upstream Server..."
    response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data")
    existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
  fi
  
  info "Upstream Server UUID: ${existing_uuid}"
  echo "$existing_uuid"
}

# Step 2: Create or update Upstream
create_upstream() {
  local description="$1"
  local server_uuid="$2"
  
  info "Step 2: Creating Upstream..."
  
  # Check if upstream already exists
  local existing_uuid
  existing_uuid=$(search_by_description "/nginx/settings/upstream" "${description}")
  
  local data
  data=$(cat <<EOF
{
  "upstream": {
    "description": "${description}",
    "serverentries": "${server_uuid}",
    "load_balancing_algorithm": "",
    "tls_enable": "0",
    "tls_client_certificate": "",
    "tls_name_override": "",
    "tls_protocol_versions": "",
    "tls_session_reuse": "1",
    "tls_trusted_certificate": ""
  }
}
EOF
)
  
  local response
  if [[ -n "$existing_uuid" ]]; then
    info "Upstream exists (UUID: ${existing_uuid}), updating..."
    response=$(api_request "POST" "/nginx/settings/setUpstream/${existing_uuid}" "$data")
  else
    info "Creating new Upstream..."
    response=$(api_request "POST" "/nginx/settings/addUpstream" "$data")
    existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
  fi
  
  info "Upstream UUID: ${existing_uuid}"
  echo "$existing_uuid"
}

# Step 3: Create or update Location
create_location() {
  local description="$1"
  local upstream_uuid="$2"
  
  info "Step 3: Creating Location..."
  
  # Check if location already exists
  local existing_uuid
  existing_uuid=$(search_by_description "/nginx/settings/location" "${description}")
  
  local data
  data=$(cat <<EOF
{
  "location": {
    "description": "${description}",
    "urlpattern": "/",
    "matchtype": "",
    "enable_secrules": "0",
    "enable_learning_mode": "0",
    "xss_block_score": "",
    "sqli_block_score": "",
    "custom_policy": "",
    "rewrites": "",
    "upstream": "${upstream_uuid}",
    "path_prefix": "",
    "websocket": "1",
    "php_enable": "0",
    "php_override": "",
    "advanced_acl": "0",
    "force_https": "1",
    "honeypot": "0",
    "http_cache": "0",
    "http_cache_validity": "",
    "authbasic": "0",
    "authbasicuserfile": "",
    "satisfy": "",
    "naxsi_rules": "",
    "limit_request_connections": "",
    "limit_request_connections_burst": "",
    "limit_request_connections_nodelay": "0"
  }
}
EOF
)
  
  local response
  if [[ -n "$existing_uuid" ]]; then
    info "Location exists (UUID: ${existing_uuid}), updating..."
    response=$(api_request "POST" "/nginx/settings/setLocation/${existing_uuid}" "$data")
  else
    info "Creating new Location..."
    response=$(api_request "POST" "/nginx/settings/addLocation" "$data")
    existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
  fi
  
  info "Location UUID: ${existing_uuid}"
  echo "$existing_uuid"
}

# Step 4: Create or update HTTP Server
create_http_server() {
  local description="$1"
  local server_name="$2"
  local location_uuid="$3"
  local cert_uuid="$4"
  
  info "Step 4: Creating HTTP Server..."
  
  # Check if HTTP server already exists
  local existing_uuid
  existing_uuid=$(search_by_description "/nginx/settings/http_server" "${description}")
  
  # Determine certificate configuration
  local cert_config=""
  local acme_config="0"
  
  if [[ -n "$cert_uuid" ]]; then
    cert_config="\"certificate\": \"${cert_uuid}\","
    acme_config="0"
    info "Using existing certificate: ${cert_uuid}"
  else
    cert_config="\"certificate\": \"\","
    acme_config="1"
    info "Using ACME/Let's Encrypt for certificate"
  fi
  
  local data
  data=$(cat <<EOF
{
  "http_server": {
    "description": "${description}",
    "servername": "${server_name}",
    "listen_http_address": "",
    "listen_http_port": "",
    "listen_https_address": "",
    "listen_https_port": "443",
    "locations": "${location_uuid}",
    "rewrites": "",
    "root": "",
    ${cert_config}
    "ca": "",
    "verify_client": "",
    "access_log_format": "",
    "enable_acme_plugin": "${acme_config}",
    "charset": "",
    "https_only": "1",
    "block_nonpublic_data": "0",
    "naxsi_extensive_log": "0",
    "sendfile": "1",
    "security_header": "",
    "limit_request_connections": "",
    "limit_request_connections_burst": "",
    "limit_request_connections_nodelay": "0"
  }
}
EOF
)
  
  local response
  if [[ -n "$existing_uuid" ]]; then
    info "HTTP Server exists (UUID: ${existing_uuid}), updating..."
    response=$(api_request "POST" "/nginx/settings/setHttpServer/${existing_uuid}" "$data")
  else
    info "Creating new HTTP Server..."
    response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data")
    existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
  fi
  
  info "HTTP Server UUID: ${existing_uuid}"
  echo "$existing_uuid"
}

# Step 5: Apply configuration
apply_config() {
  info "Step 5: Applying NGINX configuration..."
  
  local response
  response=$(api_request "POST" "/nginx/service/reconfigure" "{}")
  
  info "Reconfigure response: ${response}"
  
  # Check if successful
  local status
  status=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status',''))" 2>/dev/null || echo "unknown")
  
  if [[ "$status" == "ok" ]]; then
    info "NGINX configuration applied successfully"
    return 0
  else
    warn "NGINX reconfigure status: ${status}"
    return 1
  fi
}

# =============================================================================
# Main
# =============================================================================
main() {
  info "Starting NGINX Reverse Proxy setup for CTID ${CTID}..."
  
  # Use CTID as description for all components
  local description="${CTID}"
  
  # Step 1: Create Upstream Server
  local upstream_server_uuid
  upstream_server_uuid=$(create_upstream_server "${description}" "${BACKEND_IP}" "${BACKEND_PORT}")
  [[ -n "$upstream_server_uuid" ]] || die "Failed to create Upstream Server"
  
  # Step 2: Create Upstream
  local upstream_uuid
  upstream_uuid=$(create_upstream "${description}" "${upstream_server_uuid}")
  [[ -n "$upstream_uuid" ]] || die "Failed to create Upstream"
  
  # Step 3: Create Location
  local location_uuid
  location_uuid=$(create_location "${description}" "${upstream_uuid}")
  [[ -n "$location_uuid" ]] || die "Failed to create Location"
  
  # Auto-detect certificate if not provided
  local cert_uuid="${CERTIFICATE_UUID}"
  if [[ -z "$cert_uuid" ]]; then
    info "Auto-detecting wildcard certificate for userman.de..."
    cert_uuid=$(find_certificate_by_cn "userman.de")
    if [[ -n "$cert_uuid" ]]; then
      info "Found certificate: ${cert_uuid}"
    else
      warn "No wildcard certificate found, will use ACME/Let's Encrypt"
    fi
  fi
  
  # Step 4: Create HTTP Server
  local http_server_uuid
  http_server_uuid=$(create_http_server "${description}" "${FQDN}" "${location_uuid}" "${cert_uuid}")
  [[ -n "$http_server_uuid" ]] || die "Failed to create HTTP Server"
  
  # Step 5: Apply configuration
  apply_config || warn "Configuration may need manual verification"
  
  # Output result as JSON
  local result
  result=$(cat <<EOF
{
  "success": true,
  "ctid": "${CTID}",
  "fqdn": "${FQDN}",
  "backend": "${BACKEND_IP}:${BACKEND_PORT}",
  "nginx": {
    "upstream_server_uuid": "${upstream_server_uuid}",
    "upstream_uuid": "${upstream_uuid}",
    "location_uuid": "${location_uuid}",
    "http_server_uuid": "${http_server_uuid}"
  }
}
EOF
)
  
  if [[ "$DEBUG" == "1" ]]; then
    echo "$result"
  else
    # Compact JSON
    echo "$result" | python3 -c "import json,sys; print(json.dumps(json.load(sys.stdin)))" 2>/dev/null || echo "$result"
  fi
}

main
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`#!/usr/bin/env bash`
			`set -Eeuo pipefail`

			`# =============================================================================`
			`# OPNsense NGINX Reverse Proxy Setup Script`
			`# =============================================================================`
			`# Dieses Script konfiguriert einen NGINX Reverse Proxy auf OPNsense`
			`# für eine neue n8n-Instanz über die OPNsense API.`
			`# =============================================================================`

			`# Debug mode: 0 = nur JSON, 1 = Logs auf stderr`
			`DEBUG="${DEBUG:-0}"`
			`export DEBUG`

			`# Logging functions`
			`log_ts() { date "+[%F %T]"; }`
			`info() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) INFO: $*" >&2; return 0; }`
			`warn() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) WARN: $*" >&2; return 0; }`
			`die() {`
			`if [[ "$DEBUG" == "1" ]]; then`
			`echo "$(log_ts) ERROR: $*" >&2`
			`else`
			`echo "{\"error\": \"$*\"}"`
			`fi`
			`exit 1`
			`}`

			`# =============================================================================`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`# Default Configuration`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`# =============================================================================`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`# OPNsense kann über Hostname ODER IP angesprochen werden`
			`OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}"`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}"`
			`OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}"`

			`# Wildcard-Zertifikat UUID (muss in OPNsense nachgeschlagen werden)`
			`# Kann über --certificate-uuid oder Umgebungsvariable gesetzt werden`
			`CERTIFICATE_UUID="${CERTIFICATE_UUID:-}"`

			`# =============================================================================`
			`# Usage`
			`# =============================================================================`
			`usage() {`
			`cat >&2 <<'EOF'`
			`Usage:`
			`bash setup_nginx_proxy.sh [options]`

Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`Required options (for proxy setup):`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`--ctid <id> Container ID (used as description)`
			`--hostname <name> Hostname (e.g., sb-1768736636)`
			`--fqdn <domain> Full domain name (e.g., sb-1768736636.userman.de)`
			`--backend-ip <ip> Backend IP address (e.g., 192.168.45.135)`
			`--backend-port <port> Backend port (default: 5678)`

			`Optional:`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`--opnsense-host <ip> OPNsense IP or hostname (default: 192.168.45.1)`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`--certificate-uuid <uuid> UUID of the SSL certificate in OPNsense`
			`--list-certificates List available certificates and exit`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`--test-connection Test API connection and exit`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`--debug Enable debug mode`
			`--help Show this help`

Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`Examples:`
			`# List certificates:`
			`bash setup_nginx_proxy.sh --list-certificates --debug`

			`# Test API connection:`
			`bash setup_nginx_proxy.sh --test-connection --debug`

			`# Setup proxy:`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`bash setup_nginx_proxy.sh --ctid 768736636 --hostname sb-1768736636 \`
			`--fqdn sb-1768736636.userman.de --backend-ip 192.168.45.135`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00
			`# With custom OPNsense IP:`
			`bash setup_nginx_proxy.sh --opnsense-host 192.168.45.1 --list-certificates`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`EOF`
			`}`

			`# =============================================================================`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`# Default values for arguments`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`# =============================================================================`
			`CTID=""`
			`HOSTNAME=""`
			`FQDN=""`
			`BACKEND_IP=""`
			`BACKEND_PORT="5678"`
			`LIST_CERTIFICATES="0"`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`TEST_CONNECTION="0"`
Proxy Setup Init 2026-01-18 17:05:15 +01:00
			`# =============================================================================`
			`# Argument parsing`
			`# =============================================================================`
			`while [[ $# -gt 0 ]]; do`
			`case "$1" in`
			`--ctid) CTID="${2:-}"; shift 2 ;;`
			`--hostname) HOSTNAME="${2:-}"; shift 2 ;;`
			`--fqdn) FQDN="${2:-}"; shift 2 ;;`
			`--backend-ip) BACKEND_IP="${2:-}"; shift 2 ;;`
			`--backend-port) BACKEND_PORT="${2:-}"; shift 2 ;;`
			`--opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;;`
			`--certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;;`
			`--list-certificates) LIST_CERTIFICATES="1"; shift 1 ;;`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`--test-connection) TEST_CONNECTION="1"; shift 1 ;;`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`--debug) DEBUG="1"; export DEBUG; shift 1 ;;`
			`--help\|-h) usage; exit 0 ;;`
			`*) die "Unknown option: $1 (use --help)" ;;`
			`esac`
			`done`

			`# =============================================================================`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`# API Base URL (nach Argument-Parsing setzen!)`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`# =============================================================================`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`API_BASE="https://${OPNSENSE_HOST}/api"`
Proxy Setup Init 2026-01-18 17:05:15 +01:00
			`# =============================================================================`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`# API Helper Functions (MÜSSEN VOR list_certificates definiert werden!)`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`# =============================================================================`

			`# Make API request to OPNsense`
			`api_request() {`
			`local method="$1"`
			`local endpoint="$2"`
			`local data="${3:-}"`

			`local url="${API_BASE}${endpoint}"`
			`local auth="${OPNSENSE_API_KEY}:${OPNSENSE_API_SECRET}"`

Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`info "API ${method} ${url}"`
Proxy Setup Init 2026-01-18 17:05:15 +01:00
			`local response`
			`if [[ -n "$data" ]]; then`
			`response=$(curl -s -k -X "${method}" \`
			`-u "${auth}" \`
			`-H "Content-Type: application/json" \`
			`-d "${data}" \`
			`"${url}" 2>&1)`
			`else`
			`response=$(curl -s -k -X "${method}" \`
			`-u "${auth}" \`
			`"${url}" 2>&1)`
			`fi`

			`echo "$response"`
			`}`

			`# Search for existing item by description`
			`search_by_description() {`
			`local endpoint="$1"`
			`local description="$2"`

			`local response`
			`response=$(api_request "GET" "${endpoint}/search")`

			`# Extract UUID where description matches`
			`echo "$response" \| python3 -c "`
			`import json, sys`
			`try:`
			`data = json.load(sys.stdin)`
			`rows = data.get('rows', [])`
			`for row in rows:`
			`if row.get('description', '') == '${description}':`
			`print(row.get('uuid', ''))`
			`sys.exit(0)`
			`except:`
			`pass`
			`" 2>/dev/null \|\| true`
			`}`

			`# Find certificate by Common Name (CN)`
			`find_certificate_by_cn() {`
			`local cn_pattern="$1"`

			`local response`
			`response=$(api_request "GET" "/trust/cert/search")`

			`# Extract UUID where CN contains the pattern (for wildcard certs)`
			`echo "$response" \| python3 -c "`
			`import json, sys`
			`pattern = '${cn_pattern}'`
			`try:`
			`data = json.load(sys.stdin)`
			`rows = data.get('rows', [])`
			`for row in rows:`
			`cn = row.get('cn', '')`
			`descr = row.get('descr', '')`
			`# Match wildcard or exact domain`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`if pattern in cn or pattern in descr:`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`print(row.get('uuid', ''))`
			`sys.exit(0)`
			`# Also check for wildcard pattern`
Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`if cn.startswith('*.') and pattern.endswith(cn[2:]):`
Proxy Setup Init 2026-01-18 17:05:15 +01:00			`print(row.get('uuid', ''))`
			`sys.exit(0)`
			`except:`
			`pass`
			`" 2>/dev/null \|\| true`
			`}`

Update with BLACKBOXAI 2026-01-18 17:23:40 +01:00			`# =============================================================================`
			`# Utility Functions`
			`# =============================================================================`

			`# Test API connection`
			`test_connection() {`
			`info "Testing API connection to OPNsense at ${OPNSENSE_HOST}..."`

			`local response`
			`response=$(api_request "GET" "/core/firmware/status")`

			`if echo "$response" \| python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'status' in d else 'FAIL')" 2>/dev/null \| grep -q "OK"; then`
			`echo "✓ API connection successful to ${OPNSENSE_HOST}"`
			`echo "Response: $(echo "$response" \| python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d, indent=2)[:500])" 2>/dev/null \|\| echo "$response")"`
			`return 0`
			`else`
			`echo "✗ API connection failed to ${OPNSENSE_HOST}"`
			`echo "Response: $response"`
			`return 1`
			`fi`
			`}`

			`# List available certificates`
			`list_certificates() {`
			`info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}..."`

			`local response`
			`response=$(api_request "GET" "/trust/cert/search")`

			`echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}):"`
			`echo "============================================================"`
			`echo "$response" \| python3 -c "`
			`import json, sys`
			`try:`
			`data = json.load(sys.stdin)`
			`rows = data.get('rows', [])`
			`if not rows:`
			`print('No certificates found.')`
			`print('Raw response:', data)`
			`for row in rows:`
			`uuid = row.get('uuid', 'N/A')`
			`descr = row.get('descr', 'N/A')`
			`cn = row.get('cn', 'N/A')`
			`print(f'UUID: {uuid}')`
			`print(f' Description: {descr}')`
			`print(f' Common Name: {cn}')`
			`print()`
			`except Exception as e:`
			`print(f'Error parsing response: {e}', file=sys.stderr)`
			`print(f'Raw response: {sys.stdin.read()}', file=sys.stderr)`
			`sys.exit(1)`
			`" 2>&1`
			`}`

			`# =============================================================================`
			`# Handle special commands first (before validation)`
			`# =============================================================================`

			`if [[ "$TEST_CONNECTION" == "1" ]]; then`
			`test_connection`
			`exit $?`
			`fi`

			`if [[ "$LIST_CERTIFICATES" == "1" ]]; then`
			`list_certificates`
			`exit 0`
			`fi`

			`# =============================================================================`
			`# Validation (nur für Proxy-Setup)`
			`# =============================================================================`
			`[[ -n "$CTID" ]] \|\| die "--ctid is required"`
			`[[ -n "$HOSTNAME" ]] \|\| die "--hostname is required"`
			`[[ -n "$FQDN" ]] \|\| die "--fqdn is required"`
			`[[ -n "$BACKEND_IP" ]] \|\| die "--backend-ip is required"`

			`info "Configuration:"`
			`info " CTID: ${CTID}"`
			`info " Hostname: ${HOSTNAME}"`
			`info " FQDN: ${FQDN}"`
			`info " Backend: ${BACKEND_IP}:${BACKEND_PORT}"`
			`info " OPNsense: ${OPNSENSE_HOST}"`
			`info " Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}"`

Proxy Setup Init 2026-01-18 17:05:15 +01:00			`# =============================================================================`
			`# NGINX Configuration Steps`
			`# =============================================================================`

			`# Step 1: Create or update Upstream Server`
			`create_upstream_server() {`
			`local description="$1"`
			`local server_ip="$2"`
			`local server_port="$3"`

			`info "Step 1: Creating Upstream Server..."`

			`# Check if upstream server already exists`
			`local existing_uuid`
			`existing_uuid=$(search_by_description "/nginx/settings/upstream_server" "${description}")`

			`local data`
			`data=$(cat <<EOF`
			`{`
			`"upstream_server": {`
			`"description": "${description}",`
			`"server": "${server_ip}",`
			`"port": "${server_port}",`
			`"priority": "1",`
			`"max_conns": "",`
			`"max_fails": "",`
			`"fail_timeout": "",`
			`"no_use": "0"`
			`}`
			`}`
			`EOF`
			`)`

			`local response`
			`if [[ -n "$existing_uuid" ]]; then`
			`info "Upstream Server exists (UUID: ${existing_uuid}), updating..."`
			`response=$(api_request "POST" "/nginx/settings/setUpstreamServer/${existing_uuid}" "$data")`
			`else`
			`info "Creating new Upstream Server..."`
			`response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data")`
			`existing_uuid=$(echo "$response" \| python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null \|\| true)`
			`fi`

			`info "Upstream Server UUID: ${existing_uuid}"`
			`echo "$existing_uuid"`
			`}`

			`# Step 2: Create or update Upstream`
			`create_upstream() {`
			`local description="$1"`
			`local server_uuid="$2"`

			`info "Step 2: Creating Upstream..."`

			`# Check if upstream already exists`
			`local existing_uuid`
			`existing_uuid=$(search_by_description "/nginx/settings/upstream" "${description}")`

			`local data`
			`data=$(cat <<EOF`
			`{`
			`"upstream": {`
			`"description": "${description}",`
			`"serverentries": "${server_uuid}",`
			`"load_balancing_algorithm": "",`
			`"tls_enable": "0",`
			`"tls_client_certificate": "",`
			`"tls_name_override": "",`
			`"tls_protocol_versions": "",`
			`"tls_session_reuse": "1",`
			`"tls_trusted_certificate": ""`
			`}`
			`}`
			`EOF`
			`)`

			`local response`
			`if [[ -n "$existing_uuid" ]]; then`
			`info "Upstream exists (UUID: ${existing_uuid}), updating..."`
			`response=$(api_request "POST" "/nginx/settings/setUpstream/${existing_uuid}" "$data")`
			`else`
			`info "Creating new Upstream..."`
			`response=$(api_request "POST" "/nginx/settings/addUpstream" "$data")`
			`existing_uuid=$(echo "$response" \| python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null \|\| true)`
			`fi`

			`info "Upstream UUID: ${existing_uuid}"`
			`echo "$existing_uuid"`
			`}`

			`# Step 3: Create or update Location`
			`create_location() {`
			`local description="$1"`
			`local upstream_uuid="$2"`

			`info "Step 3: Creating Location..."`

			`# Check if location already exists`
			`local existing_uuid`
			`existing_uuid=$(search_by_description "/nginx/settings/location" "${description}")`

			`local data`
			`data=$(cat <<EOF`
			`{`
			`"location": {`
			`"description": "${description}",`
			`"urlpattern": "/",`
			`"matchtype": "",`
			`"enable_secrules": "0",`
			`"enable_learning_mode": "0",`
			`"xss_block_score": "",`
			`"sqli_block_score": "",`
			`"custom_policy": "",`
			`"rewrites": "",`
			`"upstream": "${upstream_uuid}",`
			`"path_prefix": "",`
			`"websocket": "1",`
			`"php_enable": "0",`
			`"php_override": "",`
			`"advanced_acl": "0",`
			`"force_https": "1",`
			`"honeypot": "0",`
			`"http_cache": "0",`
			`"http_cache_validity": "",`
			`"authbasic": "0",`
			`"authbasicuserfile": "",`
			`"satisfy": "",`
			`"naxsi_rules": "",`
			`"limit_request_connections": "",`
			`"limit_request_connections_burst": "",`
			`"limit_request_connections_nodelay": "0"`
			`}`
			`}`
			`EOF`
			`)`

			`local response`
			`if [[ -n "$existing_uuid" ]]; then`
			`info "Location exists (UUID: ${existing_uuid}), updating..."`
			`response=$(api_request "POST" "/nginx/settings/setLocation/${existing_uuid}" "$data")`
			`else`
			`info "Creating new Location..."`
			`response=$(api_request "POST" "/nginx/settings/addLocation" "$data")`
			`existing_uuid=$(echo "$response" \| python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null \|\| true)`
			`fi`

			`info "Location UUID: ${existing_uuid}"`
			`echo "$existing_uuid"`
			`}`

			`# Step 4: Create or update HTTP Server`
			`create_http_server() {`
			`local description="$1"`
			`local server_name="$2"`
			`local location_uuid="$3"`
			`local cert_uuid="$4"`

			`info "Step 4: Creating HTTP Server..."`

			`# Check if HTTP server already exists`
			`local existing_uuid`
			`existing_uuid=$(search_by_description "/nginx/settings/http_server" "${description}")`

			`# Determine certificate configuration`
			`local cert_config=""`
			`local acme_config="0"`

			`if [[ -n "$cert_uuid" ]]; then`
			`cert_config="\"certificate\": \"${cert_uuid}\","`
			`acme_config="0"`
			`info "Using existing certificate: ${cert_uuid}"`
			`else`
			`cert_config="\"certificate\": \"\","`
			`acme_config="1"`
			`info "Using ACME/Let's Encrypt for certificate"`
			`fi`

			`local data`
			`data=$(cat <<EOF`
			`{`
			`"http_server": {`
			`"description": "${description}",`
			`"servername": "${server_name}",`
			`"listen_http_address": "",`
			`"listen_http_port": "",`
			`"listen_https_address": "",`
			`"listen_https_port": "443",`
			`"locations": "${location_uuid}",`
			`"rewrites": "",`
			`"root": "",`
			`${cert_config}`
			`"ca": "",`
			`"verify_client": "",`
			`"access_log_format": "",`
			`"enable_acme_plugin": "${acme_config}",`
			`"charset": "",`
			`"https_only": "1",`
			`"block_nonpublic_data": "0",`
			`"naxsi_extensive_log": "0",`
			`"sendfile": "1",`
			`"security_header": "",`
			`"limit_request_connections": "",`
			`"limit_request_connections_burst": "",`
			`"limit_request_connections_nodelay": "0"`
			`}`
			`}`
			`EOF`
			`)`

			`local response`
			`if [[ -n "$existing_uuid" ]]; then`
			`info "HTTP Server exists (UUID: ${existing_uuid}), updating..."`
			`response=$(api_request "POST" "/nginx/settings/setHttpServer/${existing_uuid}" "$data")`
			`else`
			`info "Creating new HTTP Server..."`
			`response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data")`
			`existing_uuid=$(echo "$response" \| python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null \|\| true)`
			`fi`

			`info "HTTP Server UUID: ${existing_uuid}"`
			`echo "$existing_uuid"`
			`}`

			`# Step 5: Apply configuration`
			`apply_config() {`
			`info "Step 5: Applying NGINX configuration..."`

			`local response`
			`response=$(api_request "POST" "/nginx/service/reconfigure" "{}")`

			`info "Reconfigure response: ${response}"`

			`# Check if successful`
			`local status`
			`status=$(echo "$response" \| python3 -c "import json,sys; print(json.load(sys.stdin).get('status',''))" 2>/dev/null \|\| echo "unknown")`

			`if [[ "$status" == "ok" ]]; then`
			`info "NGINX configuration applied successfully"`
			`return 0`
			`else`
			`warn "NGINX reconfigure status: ${status}"`
			`return 1`
			`fi`
			`}`

			`# =============================================================================`
			`# Main`
			`# =============================================================================`
			`main() {`
			`info "Starting NGINX Reverse Proxy setup for CTID ${CTID}..."`

			`# Use CTID as description for all components`
			`local description="${CTID}"`

			`# Step 1: Create Upstream Server`
			`local upstream_server_uuid`
			`upstream_server_uuid=$(create_upstream_server "${description}" "${BACKEND_IP}" "${BACKEND_PORT}")`
			`[[ -n "$upstream_server_uuid" ]] \|\| die "Failed to create Upstream Server"`

			`# Step 2: Create Upstream`
			`local upstream_uuid`
			`upstream_uuid=$(create_upstream "${description}" "${upstream_server_uuid}")`
			`[[ -n "$upstream_uuid" ]] \|\| die "Failed to create Upstream"`

			`# Step 3: Create Location`
			`local location_uuid`
			`location_uuid=$(create_location "${description}" "${upstream_uuid}")`
			`[[ -n "$location_uuid" ]] \|\| die "Failed to create Location"`

			`# Auto-detect certificate if not provided`
			`local cert_uuid="${CERTIFICATE_UUID}"`
			`if [[ -z "$cert_uuid" ]]; then`
			`info "Auto-detecting wildcard certificate for userman.de..."`
			`cert_uuid=$(find_certificate_by_cn "userman.de")`
			`if [[ -n "$cert_uuid" ]]; then`
			`info "Found certificate: ${cert_uuid}"`
			`else`
			`warn "No wildcard certificate found, will use ACME/Let's Encrypt"`
			`fi`
			`fi`

			`# Step 4: Create HTTP Server`
			`local http_server_uuid`
			`http_server_uuid=$(create_http_server "${description}" "${FQDN}" "${location_uuid}" "${cert_uuid}")`
			`[[ -n "$http_server_uuid" ]] \|\| die "Failed to create HTTP Server"`

			`# Step 5: Apply configuration`
			`apply_config \|\| warn "Configuration may need manual verification"`

			`# Output result as JSON`
			`local result`
			`result=$(cat <<EOF`
			`{`
			`"success": true,`
			`"ctid": "${CTID}",`
			`"fqdn": "${FQDN}",`
			`"backend": "${BACKEND_IP}:${BACKEND_PORT}",`
			`"nginx": {`
			`"upstream_server_uuid": "${upstream_server_uuid}",`
			`"upstream_uuid": "${upstream_uuid}",`
			`"location_uuid": "${location_uuid}",`
			`"http_server_uuid": "${http_server_uuid}"`
			`}`
			`}`
			`EOF`
			`)`

			`if [[ "$DEBUG" == "1" ]]; then`
			`echo "$result"`
			`else`
			`# Compact JSON`
			`echo "$result" \| python3 -c "import json,sys; print(json.dumps(json.load(sys.stdin)))" 2>/dev/null \|\| echo "$result"`
			`fi`
			`}`

			`main`