Add HTTPS reverse proxy with self-signed 100-year cert

- Nginx reverse proxy with WebUI and REST API for configuration
- Self-signed SSL certificate with own CA (100 years validity)
- Domain-based and IP/port-based routing
- Docker setup with host network mode
- All settings configurable via .env

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

nginx/entrypoint.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+set -e
+
+echo "=== Starting HTTPS Proxy ==="
+
+# Set default for WEBUI_PORT
+export WEBUI_PORT="${WEBUI_PORT:-8443}"
+
+# Generate certificates if needed
+/certs/generate-certs.sh
+
+# Replace env vars in nginx config template
+envsubst '${WEBUI_PORT}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
+
+# Ensure conf.d directory exists with empty config
+mkdir -p /etc/nginx/conf.d
+touch /etc/nginx/conf.d/proxy-targets.conf
+
+# Load existing config and generate nginx config
+if [ -f /data/proxy_config.json ]; then
+    echo "Loading existing proxy configuration..."
+    python3 -c "
+import sys
+sys.path.insert(0, '/app')
+from app import load_config, generate_nginx_config
+config = load_config()
+generate_nginx_config(config)
+print('Nginx config generated from saved configuration.')
+"
+fi
+
+# Start gunicorn in background
+echo "Starting WebUI..."
+cd /app
+gunicorn --bind 127.0.0.1:5000 --workers 2 --timeout 120 app:app &
+
+# Start nginx in foreground
+echo "Starting Nginx..."
+exec nginx -g "daemon off;"

nginx/nginx.conf

@@ -0,0 +1,41 @@
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+    sendfile on;
+    keepalive_timeout 65;
+
+    # WebUI / Admin interface
+    server {
+        listen ${WEBUI_PORT} ssl default_server;
+        server_name _;
+
+        ssl_certificate /certs/server.crt;
+        ssl_certificate_key /certs/server.key;
+        ssl_protocols TLSv1.2 TLSv1.3;
+
+        location / {
+            proxy_pass http://127.0.0.1:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
+
+    # Include dynamic proxy configurations
+    include /etc/nginx/conf.d/*.conf;
+}