ansible-proxy-chain/openspec/changes/archive/2026-04-22-add-nginx-fallback-for-trojan/proposal.md

Why

The trojan-go service is configured to forward non-Trojan traffic to remote_port: 8080 as a fallback camouflage web server, but no service is currently listening on port 8080. This causes trojan-go to fail on startup because the fallback port is unreachable.

What Changes

• Install nginx as the fallback web server listening on trojan_fallback_port (8080)
• Deploy a minimal nginx vhost that serves as HTTPS camouflage (a generic static page)
• Add a UFW firewall rule to allow traffic on the fallback port
• Extend the trojan role to manage the nginx fallback

Capabilities

New Capabilities

• nginx-fallback: Nginx fallback web server on the landing server for Trojan camouflage

Modified Capabilities

Impact

• roles/trojan/tasks/main.yml — add nginx installation and configuration tasks
• roles/trojan/templates/ — new nginx vhost template
• group_vars/landing.yml.example — document the fallback port variable