design.md

Context

The trojan-go config template at roles/trojan/templates/trojan-config.json.j2 sets remote_port: {{ trojan_fallback_port }} (default 8080). This is the port to which trojan-go forwards connections that do not authenticate as trojan clients, so that such traffic is answered by an ordinary web server (the camouflage). Currently nothing listens on this port, so trojan-go cannot operate correctly.

Goals / Non-Goals

Goals:

  • Provide a working HTTP fallback on port 8080 for trojan-go camouflage
  • Keep the nginx setup minimal — a generic static page, no reverse proxy logic

Non-Goals:

  • Full nginx reverse proxy or multi-site configuration
  • Serving the actual Let's Encrypt TLS site on this port (trojan-go handles TLS on 443)

Decisions

Add nginx tasks inside the trojan role rather than a separate role

The nginx fallback is tightly coupled to the trojan deployment — it exists solely as camouflage for trojan-go. Adding tasks to the existing trojan role keeps the relationship clear and avoids an extra role.

Use a simple inline nginx config, not a full vhost template directory

The fallback only needs a minimal server block: listen on trojan_fallback_port and serve a generic static HTML page. A single nginx-fallback.conf.j2 template deployed to /etc/nginx/conf.d/ is sufficient.
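As an added illustration of the server block this decision calls for (example config written here, not the project's own template), the following is what nginx-fallback.conf.j2 could contain. The trojan_fallback_port variable is the one named on this page; the webroot /var/www/fallback (and the index.html placed in it by a task in the same role), the log path, and the server_tokens / dotfile rules are assumptions added for a tidier static site.

```nginx
# nginx-fallback.conf.j2 -- example template, not the project's own file.
# Assumed: /var/www/fallback and its index.html are created by a task in the
# trojan role before this file is deployed to /etc/nginx/conf.d/.
server {
    # Plain HTTP on the fallback port only; TLS on 443 stays with trojan-go.
    listen {{ trojan_fallback_port }} default_server;
    listen [::]:{{ trojan_fallback_port }} default_server;
    server_name _;

    # Generic static content, no reverse proxy logic.
    root /var/www/fallback;
    index index.html;

    # Do not advertise the nginx version in headers or error pages.
    server_tokens off;

    location / {
        try_files $uri $uri/ =404;
    }

    # Never serve dotfiles (e.g. a stray .git directory in the webroot).
    location ~ /\. {
        deny all;
    }

    access_log /var/log/nginx/fallback.access.log;
    error_log  /var/log/nginx/fallback.error.log;
}
```

After the template task renders this to /etc/nginx/conf.d/nginx-fallback.conf, a handler that runs `nginx -t` before reloading catches a syntax error or a port already in use (the port-conflict risk noted below) without leaving nginx stopped.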

Allow the fallback port through UFW

The base role handles firewall rules. The landing role already opens port 80 via allowed_ports. Add trojan_fallback_port to the landing allowed_ports list so that nginx on the fallback port is reachable through UFW.

Risks / Trade-offs

  • [nginx not installed] → Installing nginx adds a dependency; the role must install it (and create the webroot) before deploying the config, or the template task will fail on a missing /etc/nginx/conf.d/
  • [port conflict] → trojan_fallback_port is hardcoded as 8080 in defaults; if another service already binds this port, nginx will fail to start and trojan-go's fallback will again have nothing to forward to