customer-installer/setup_nginx_proxy.sh

#!/usr/bin/env bash
set -Eeuo pipefail

# =============================================================================
# OPNsense NGINX Reverse Proxy Setup Script
# =============================================================================
# Dieses Script konfiguriert einen NGINX Reverse Proxy auf OPNsense
# für eine neue n8n-Instanz über die OPNsense API.
# =============================================================================

SCRIPT_VERSION="1.0.8"

# Debug mode: 0 = nur JSON, 1 = Logs auf stderr
DEBUG="${DEBUG:-0}"
export DEBUG

# Logging functions
log_ts() { date "+[%F %T]"; }
info() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) INFO: $*" >&2; return 0; }
warn() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) WARN: $*" >&2; return 0; }
die() {
  if [[ "$DEBUG" == "1" ]]; then
    echo "$(log_ts) ERROR: $*" >&2
  else
    echo "{\"error\": \"$*\"}"
  fi
  exit 1
}

# =============================================================================
# Default Configuration
# =============================================================================
# OPNsense kann über Hostname ODER IP angesprochen werden
# Port 4444 ist der Standard-Port für die OPNsense WebUI/API
OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}"
OPNSENSE_PORT="${OPNSENSE_PORT:-4444}"
OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}"
OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}"

# Wildcard-Zertifikat UUID (muss in OPNsense nachgeschlagen werden)
# Kann über --certificate-uuid oder Umgebungsvariable gesetzt werden
CERTIFICATE_UUID="${CERTIFICATE_UUID:-}"

# =============================================================================
# Usage
# =============================================================================
usage() {
  cat >&2 <<'EOF'
Usage:
  bash setup_nginx_proxy.sh [options]

Required options (for proxy setup):
  --ctid <id>              Container ID (used as description)
  --hostname <name>        Hostname (e.g., sb-1768736636)
  --fqdn <domain>          Full domain name (e.g., sb-1768736636.userman.de)
  --backend-ip <ip>        Backend IP address (e.g., 192.168.45.135)
  --backend-port <port>    Backend port (default: 5678)

Optional:
  --opnsense-host <ip>     OPNsense IP or hostname (default: 192.168.45.1)
  --opnsense-port <port>   OPNsense WebUI/API port (default: 4444)
  --certificate-uuid <uuid> UUID of the SSL certificate in OPNsense
  --list-certificates      List available certificates and exit
  --test-connection        Test API connection and exit
  --debug                  Enable debug mode
  --help                   Show this help

Examples:
  # List certificates:
  bash setup_nginx_proxy.sh --list-certificates --debug

  # Test API connection:
  bash setup_nginx_proxy.sh --test-connection --debug

  # Setup proxy:
  bash setup_nginx_proxy.sh --ctid 768736636 --hostname sb-1768736636 \
    --fqdn sb-1768736636.userman.de --backend-ip 192.168.45.135

  # With custom OPNsense IP:
  bash setup_nginx_proxy.sh --opnsense-host 192.168.45.1 --list-certificates
EOF
}

# =============================================================================
# Default values for arguments
# =============================================================================
CTID=""
HOSTNAME=""
FQDN=""
BACKEND_IP=""
BACKEND_PORT="5678"
LIST_CERTIFICATES="0"
TEST_CONNECTION="0"

# =============================================================================
# Argument parsing
# =============================================================================
while [[ $# -gt 0 ]]; do
  case "$1" in
    --ctid) CTID="${2:-}"; shift 2 ;;
    --hostname) HOSTNAME="${2:-}"; shift 2 ;;
    --fqdn) FQDN="${2:-}"; shift 2 ;;
    --backend-ip) BACKEND_IP="${2:-}"; shift 2 ;;
    --backend-port) BACKEND_PORT="${2:-}"; shift 2 ;;
    --opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;;
    --opnsense-port) OPNSENSE_PORT="${2:-}"; shift 2 ;;
    --certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;;
    --list-certificates) LIST_CERTIFICATES="1"; shift 1 ;;
    --test-connection) TEST_CONNECTION="1"; shift 1 ;;
    --debug) DEBUG="1"; export DEBUG; shift 1 ;;
    --help|-h) usage; exit 0 ;;
    *) die "Unknown option: $1 (use --help)" ;;
  esac
done

# =============================================================================
# API Base URL (nach Argument-Parsing setzen!)
# =============================================================================
API_BASE="https://${OPNSENSE_HOST}:${OPNSENSE_PORT}/api"

# =============================================================================
# API Helper Functions (MÜSSEN VOR list_certificates definiert werden!)
# =============================================================================

# Make API request to OPNsense
api_request() {
  local method="$1"
  local endpoint="$2"
  local data="${3:-}"
  
  local url="${API_BASE}${endpoint}"
  local auth="${OPNSENSE_API_KEY}:${OPNSENSE_API_SECRET}"
  
  info "API ${method} ${url}"
  
  local response
  local http_code
  
  if [[ -n "$data" ]]; then
    response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
      -u "${auth}" \
      -H "Content-Type: application/json" \
      -d "${data}" \
      "${url}" 2>&1)
  else
    response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
      -u "${auth}" \
      "${url}" 2>&1)
  fi
  
  # Extract HTTP code from last line
  http_code=$(echo "$response" | tail -n1)
  response=$(echo "$response" | sed '$d')
  
  # Check for permission errors
  if [[ "$http_code" == "401" ]]; then
    warn "API Error 401: Unauthorized - Check API key and secret"
  elif [[ "$http_code" == "403" ]]; then
    warn "API Error 403: Forbidden - API user lacks permission for ${endpoint}"
  elif [[ "$http_code" == "404" ]]; then
    warn "API Error 404: Not Found - Endpoint ${endpoint} does not exist"
  elif [[ "$http_code" -ge 400 ]]; then
    warn "API Error ${http_code} for ${endpoint}"
  fi
  
  echo "$response"
}

# Check API response for errors and return status
# Usage: if check_api_response "$response" "endpoint_name"; then ... fi
check_api_response() {
  local response="$1"
  local endpoint_name="$2"
  
  # Check for JSON error responses
  local status
  status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'ok'))" 2>/dev/null || echo "ok")
  
  if [[ "$status" == "403" ]]; then
    die "Permission denied for ${endpoint_name}. Please add the required API permission in OPNsense: System > Access > Users > [API User] > Effective Privileges"
  elif [[ "$status" == "401" ]]; then
    die "Authentication failed for ${endpoint_name}. Check your API key and secret."
  fi
  
  # Check for validation errors
  local validation_error
  validation_error=$(echo "$response" | python3 -c "
import json,sys
try:
    d=json.load(sys.stdin)
    if 'validations' in d and d['validations']:
        for field, errors in d['validations'].items():
            print(f'{field}: {errors}')
except:
    pass
" 2>/dev/null || true)
  
  if [[ -n "$validation_error" ]]; then
    warn "Validation errors: ${validation_error}"
    return 1
  fi
  
  # Check for result status
  local result
  result=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('result', 'unknown'))" 2>/dev/null || echo "unknown")
  
  if [[ "$result" == "failed" ]]; then
    local message
    message=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('message', 'Unknown error'))" 2>/dev/null || echo "Unknown error")
    warn "API operation failed: ${message}"
    return 1
  fi
  
  return 0
}

# Search for existing item by description
# OPNsense NGINX API uses "search<Type>" format, e.g., searchUpstreamServer
search_by_description() {
  local search_endpoint="$1"
  local description="$2"
  
  local response
  response=$(api_request "GET" "${search_endpoint}")
  
  # Extract UUID where description matches
  echo "$response" | python3 -c "
import json, sys
try:
    data = json.load(sys.stdin)
    rows = data.get('rows', [])
    for row in rows:
        if row.get('description', '') == '${description}':
            print(row.get('uuid', ''))
            sys.exit(0)
except:
    pass
" 2>/dev/null || true
}

# Search for existing HTTP Server by servername
# HTTP Servers don't have a description field, they use servername
search_http_server_by_servername() {
  local servername="$1"
  
  local response
  response=$(api_request "GET" "/nginx/settings/searchHttpServer")
  
  # Extract UUID where servername matches
  echo "$response" | python3 -c "
import json, sys
try:
    data = json.load(sys.stdin)
    rows = data.get('rows', [])
    for row in rows:
        if row.get('servername', '') == '${servername}':
            print(row.get('uuid', ''))
            sys.exit(0)
except:
    pass
" 2>/dev/null || true
}

# Find certificate by Common Name (CN) or Description
# Returns the certificate ID used by NGINX API (not the full UUID)
find_certificate_by_cn() {
  local cn_pattern="$1"
  
  # First, get the certificate list from the HTTP Server schema
  # This gives us the correct certificate IDs that NGINX expects
  local response
  response=$(api_request "GET" "/nginx/settings/getHttpServer")
  
  # Extract certificate ID where description contains the pattern
  echo "$response" | python3 -c "
import json, sys
pattern = '${cn_pattern}'.lower()
try:
    data = json.load(sys.stdin)
    certs = data.get('httpserver', {}).get('certificate', {})
    for cert_id, cert_info in certs.items():
        if cert_id:  # Skip empty key
            value = cert_info.get('value', '').lower()
            if pattern in value:
                print(cert_id)
                sys.exit(0)
except Exception as e:
    print(f'Error: {e}', file=sys.stderr)
" 2>/dev/null || true
}

# =============================================================================
# Utility Functions
# =============================================================================

# Test API connection
test_connection() {
  info "Testing API connection to OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..."
  
  echo "Testing various API endpoints..."
  echo ""
  
  # Test 1: Firmware status (general API access)
  echo "1. Testing /core/firmware/status..."
  local response
  response=$(api_request "GET" "/core/firmware/status")
  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'connection' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
    echo "   ✓ Firmware API: OK"
  else
    echo "   ✗ Firmware API: FAILED"
    echo "   Response: $response"
  fi
  
  # Test 2: NGINX settings (required for this script)
  echo ""
  echo "2. Testing /nginx/settings/searchHttpServer..."
  response=$(api_request "GET" "/nginx/settings/searchHttpServer")
  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
    echo "   ✓ NGINX HTTP Server API: OK"
    local count
    count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
    echo "   Found ${count} HTTP Server(s)"
  else
    echo "   ✗ NGINX HTTP Server API: FAILED"
    echo "   Response: $response"
  fi
  
  # Test 3: NGINX upstream servers
  echo ""
  echo "3. Testing /nginx/settings/searchUpstreamServer..."
  response=$(api_request "GET" "/nginx/settings/searchUpstreamServer")
  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
    echo "   ✓ NGINX Upstream Server API: OK"
    local count
    count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
    echo "   Found ${count} Upstream Server(s)"
  else
    echo "   ✗ NGINX Upstream Server API: FAILED"
    echo "   Response: $response"
  fi
  
  # Test 4: Trust/Certificates (optional)
  echo ""
  echo "4. Testing /trust/cert/search (optional)..."
  response=$(api_request "GET" "/trust/cert/search")
  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
    echo "   ✓ Trust/Cert API: OK"
  else
    local status
    status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'unknown'))" 2>/dev/null || echo "unknown")
    if [[ "$status" == "403" ]]; then
      echo "   ⚠ Trust/Cert API: 403 Forbidden (API user needs 'System: Trust: Certificates' permission)"
      echo "   Note: You can still use --certificate-uuid to specify the certificate manually"
    else
      echo "   ✗ Trust/Cert API: FAILED"
      echo "   Response: $response"
    fi
  fi
  
  echo ""
  echo "Connection test complete."
  return 0
}

# List available certificates
list_certificates() {
  info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..."
  
  local response
  response=$(api_request "GET" "/trust/cert/search")
  
  echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}:${OPNSENSE_PORT}):"
  echo "============================================================"
  echo "$response" | python3 -c "
import json, sys
try:
    data = json.load(sys.stdin)
    rows = data.get('rows', [])
    if not rows:
        print('No certificates found.')
        print('Raw response:', data)
    for row in rows:
        uuid = row.get('uuid', 'N/A')
        descr = row.get('descr', 'N/A')
        cn = row.get('cn', 'N/A')
        print(f'UUID: {uuid}')
        print(f'  Description: {descr}')
        print(f'  Common Name: {cn}')
        print()
except Exception as e:
    print(f'Error parsing response: {e}', file=sys.stderr)
    print(f'Raw response: {sys.stdin.read()}', file=sys.stderr)
    sys.exit(1)
" 2>&1
}

# =============================================================================
# Handle special commands first (before validation)
# =============================================================================

if [[ "$TEST_CONNECTION" == "1" ]]; then
  test_connection
  exit $?
fi

if [[ "$LIST_CERTIFICATES" == "1" ]]; then
  list_certificates
  exit 0
fi

# =============================================================================
# Validation (nur für Proxy-Setup)
# =============================================================================
[[ -n "$CTID" ]] || die "--ctid is required"
[[ -n "$HOSTNAME" ]] || die "--hostname is required"
[[ -n "$FQDN" ]] || die "--fqdn is required"
[[ -n "$BACKEND_IP" ]] || die "--backend-ip is required"

info "Script Version: ${SCRIPT_VERSION}"
info "Configuration:"
info "  CTID: ${CTID}"
info "  Hostname: ${HOSTNAME}"
info "  FQDN: ${FQDN}"
info "  Backend: ${BACKEND_IP}:${BACKEND_PORT}"
info "  OPNsense: ${OPNSENSE_HOST}:${OPNSENSE_PORT}"
info "  Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}"

# =============================================================================
# NGINX Configuration Steps
# =============================================================================

# Step 1: Create or update Upstream Server
create_upstream_server() {
  local description="$1"
  local server_ip="$2"
  local server_port="$3"
  
  info "Step 1: Creating Upstream Server..."
  
  # Check if upstream server already exists
  local existing_uuid
  existing_uuid=$(search_by_description "/nginx/settings/searchUpstreamServer" "${description}")
  
  # Note: OPNsense API expects specific values
  # no_use: empty string means "use this server" (not "0")
  local data
  data=$(cat <<EOF
{
  "upstream_server": {
    "description": "${description}",
    "server": "${server_ip}",
    "port": "${server_port}",
    "priority": "1",
    "max_conns": "",
    "max_fails": "",
    "fail_timeout": ""
  }
}
EOF
)
  
  local response
  if [[ -n "$existing_uuid" ]]; then
    info "Upstream Server exists (UUID: ${existing_uuid}), updating..."
    response=$(api_request "POST" "/nginx/settings/setUpstreamServer/${existing_uuid}" "$data")
  else
    info "Creating new Upstream Server..."
    response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data")
    info "API Response: ${response}"
    # OPNsense returns {"uuid":"xxx"} or {"result":"saved","uuid":"xxx"}
    existing_uuid=$(echo "$response" | python3 -c "
import json,sys
try:
    d = json.load(sys.stdin)
    # Try different response formats
    uuid = d.get('uuid', '')
    if not uuid and 'rows' in d:
        # Sometimes returns in rows format
        uuid = d['rows'][0].get('uuid', '') if d['rows'] else ''
    print(uuid)
except Exception as e:
    print('', file=sys.stderr)
" 2>/dev/null || true)
  fi
  
  info "Upstream Server UUID: ${existing_uuid}"
  echo "$existing_uuid"
}

# Step 2: Create or update Upstream
create_upstream() {
  local description="$1"
  local server_uuid="$2"
  
  info "Step 2: Creating Upstream..."
  
  # Check if upstream already exists
  local existing_uuid
  existing_uuid=$(search_by_description "/nginx/settings/searchUpstream" "${description}")
  
  local data
  data=$(cat <<EOF
{
  "upstream": {
    "description": "${description}",
    "serverentries": "${server_uuid}",
    "load_balancing_algorithm": "",
    "tls_enable": "0",
    "tls_client_certificate": "",
    "tls_name_override": "",
    "tls_protocol_versions": "",
    "tls_session_reuse": "1",
    "tls_trusted_certificate": ""
  }
}
EOF
)
  
  local response
  if [[ -n "$existing_uuid" ]]; then
    info "Upstream exists (UUID: ${existing_uuid}), updating..."
    response=$(api_request "POST" "/nginx/settings/setUpstream/${existing_uuid}" "$data")
  else
    info "Creating new Upstream..."
    response=$(api_request "POST" "/nginx/settings/addUpstream" "$data")
    existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
  fi
  
  info "Upstream UUID: ${existing_uuid}"
  echo "$existing_uuid"
}

# Step 3: Create or update Location
create_location() {
  local description="$1"
  local upstream_uuid="$2"
  
  info "Step 3: Creating Location..."
  
  # Check if location already exists
  local existing_uuid
  existing_uuid=$(search_by_description "/nginx/settings/searchLocation" "${description}")
  
  local data
  data=$(cat <<EOF
{
  "location": {
    "description": "${description}",
    "urlpattern": "/",
    "matchtype": "",
    "enable_secrules": "0",
    "enable_learning_mode": "0",
    "xss_block_score": "",
    "sqli_block_score": "",
    "custom_policy": "",
    "rewrites": "",
    "upstream": "${upstream_uuid}",
    "path_prefix": "",
    "websocket": "1",
    "php_enable": "0",
    "php_override": "",
    "advanced_acl": "0",
    "force_https": "1",
    "honeypot": "0",
    "http_cache": "0",
    "http_cache_validity": "",
    "authbasic": "0",
    "authbasicuserfile": "",
    "satisfy": "",
    "naxsi_rules": "",
    "limit_request_connections": "",
    "limit_request_connections_burst": "",
    "limit_request_connections_nodelay": "0"
  }
}
EOF
)
  
  local response
  if [[ -n "$existing_uuid" ]]; then
    info "Location exists (UUID: ${existing_uuid}), updating..."
    response=$(api_request "POST" "/nginx/settings/setLocation/${existing_uuid}" "$data")
  else
    info "Creating new Location..."
    response=$(api_request "POST" "/nginx/settings/addLocation" "$data")
    existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
  fi
  
  info "Location UUID: ${existing_uuid}"
  echo "$existing_uuid"
}

# Step 4: Create or update HTTP Server
create_http_server() {
  local description="$1"
  local server_name="$2"
  local location_uuid="$3"
  local cert_uuid="$4"
  
  info "Step 4: Creating HTTP Server..."
  
  # Check if HTTP server already exists (by servername, not description)
  local existing_uuid
  existing_uuid=$(search_http_server_by_servername "${server_name}")
  
  # Determine certificate configuration
  local cert_config=""
  local acme_config="0"
  
  if [[ -n "$cert_uuid" ]]; then
    cert_config="\"certificate\": \"${cert_uuid}\","
    acme_config="0"
    info "Using existing certificate: ${cert_uuid}"
  else
    cert_config="\"certificate\": \"\","
    acme_config="1"
    info "Using ACME/Let's Encrypt for certificate"
  fi
  
  # HTTP Server configuration
  # Note: API uses "httpserver" not "http_server"
  # Required fields based on API schema
  # listen_http_address: "80" and listen_https_address: "443" for standard ports
  local data
  if [[ -n "$cert_uuid" ]]; then
    data=$(cat <<EOF
{
  "httpserver": {
    "servername": "${server_name}",
    "listen_http_address": "80",
    "listen_https_address": "443",
    "locations": "${location_uuid}",
    "certificate": "${cert_uuid}",
    "verify_client": "off",
    "access_log_format": "main",
    "https_only": "1",
    "http2": "1",
    "sendfile": "1"
  }
}
EOF
)
  else
    # Without certificate, enable ACME support
    data=$(cat <<EOF
{
  "httpserver": {
    "servername": "${server_name}",
    "listen_http_address": "80",
    "listen_https_address": "443",
    "locations": "${location_uuid}",
    "enable_acme_support": "1",
    "verify_client": "off",
    "access_log_format": "main",
    "https_only": "1",
    "http2": "1",
    "sendfile": "1"
  }
}
EOF
)
  fi
  
  local response
  if [[ -n "$existing_uuid" ]]; then
    info "HTTP Server exists (UUID: ${existing_uuid}), updating..."
    response=$(api_request "POST" "/nginx/settings/setHttpServer/${existing_uuid}" "$data")
  else
    info "Creating new HTTP Server..."
    response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data")
    info "API Response: ${response}"
    existing_uuid=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('uuid',''))" 2>/dev/null || true)
  fi
  
  info "HTTP Server UUID: ${existing_uuid}"
  echo "$existing_uuid"
}

# Step 5: Apply configuration
apply_config() {
  info "Step 5: Applying NGINX configuration..."
  
  local response
  response=$(api_request "POST" "/nginx/service/reconfigure" "{}")
  
  info "Reconfigure response: ${response}"
  
  # Check if successful
  local status
  status=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status',''))" 2>/dev/null || echo "unknown")
  
  if [[ "$status" == "ok" ]]; then
    info "NGINX configuration applied successfully"
    return 0
  else
    warn "NGINX reconfigure status: ${status}"
    return 1
  fi
}

# =============================================================================
# Main
# =============================================================================
main() {
  info "Starting NGINX Reverse Proxy setup for CTID ${CTID}..."
  
  # Use CTID as description for all components
  local description="${CTID}"
  
  # Step 1: Create Upstream Server
  local upstream_server_uuid
  upstream_server_uuid=$(create_upstream_server "${description}" "${BACKEND_IP}" "${BACKEND_PORT}")
  [[ -n "$upstream_server_uuid" ]] || die "Failed to create Upstream Server"
  
  # Step 2: Create Upstream
  local upstream_uuid
  upstream_uuid=$(create_upstream "${description}" "${upstream_server_uuid}")
  [[ -n "$upstream_uuid" ]] || die "Failed to create Upstream"
  
  # Step 3: Create Location
  local location_uuid
  location_uuid=$(create_location "${description}" "${upstream_uuid}")
  [[ -n "$location_uuid" ]] || die "Failed to create Location"
  
  # Auto-detect certificate if not provided
  local cert_uuid="${CERTIFICATE_UUID}"
  if [[ -z "$cert_uuid" ]]; then
    info "Auto-detecting wildcard certificate for userman.de..."
    cert_uuid=$(find_certificate_by_cn "userman.de")
    if [[ -n "$cert_uuid" ]]; then
      info "Found certificate: ${cert_uuid}"
    else
      warn "No wildcard certificate found, will use ACME/Let's Encrypt"
    fi
  fi
  
  # Step 4: Create HTTP Server
  local http_server_uuid
  http_server_uuid=$(create_http_server "${description}" "${FQDN}" "${location_uuid}" "${cert_uuid}")
  [[ -n "$http_server_uuid" ]] || die "Failed to create HTTP Server"
  
  # Step 5: Apply configuration
  apply_config || warn "Configuration may need manual verification"
  
  # Output result as JSON
  local result
  result=$(cat <<EOF
{
  "success": true,
  "ctid": "${CTID}",
  "fqdn": "${FQDN}",
  "backend": "${BACKEND_IP}:${BACKEND_PORT}",
  "nginx": {
    "upstream_server_uuid": "${upstream_server_uuid}",
    "upstream_uuid": "${upstream_uuid}",
    "location_uuid": "${location_uuid}",
    "http_server_uuid": "${http_server_uuid}"
  }
}
EOF
)
  
  if [[ "$DEBUG" == "1" ]]; then
    echo "$result"
  else
    # Compact JSON
    echo "$result" | python3 -c "import json,sys; print(json.dumps(json.load(sys.stdin)))" 2>/dev/null || echo "$result"
  fi
}

main