From cdd760228389419538c5455e6df939024b793f7d Mon Sep 17 00:00:00 2001
From: Vivek Kumar Dutta
Date: Fri, 23 Jan 2026 15:37:16 +0530
Subject: [PATCH] sulu-builder: enable nginx-mod-ws-auth as backend
---
 sulu/sulu-base/Makefile | 4 +--
 sulu/sulu-builder/Config.in | 6 +++++
 sulu/sulu-builder/Config_builder.in | 6 +++++
 sulu/sulu-builder/Makefile | 26 +++++--------------
 .../files/etc/sulu/nginx.locations | 24 +++++++++++------
 .../files/etc/uci-defaults/40-add-sulu-config | 21 +--------------
 6 files changed, 37 insertions(+), 50 deletions(-)
 create mode 100644 sulu/sulu-builder/Config.in
 create mode 100644 sulu/sulu-builder/Config_builder.in
diff --git a/sulu/sulu-base/Makefile b/sulu/sulu-base/Makefile
index 611a0f6ad..787ebd771 100644
--- a/sulu/sulu-base/Makefile
+++ b/sulu/sulu-base/Makefile
@@ -5,11 +5,11 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=sulu-base
-PKG_VERSION:=5.3.14
+PKG_VERSION:=5.4.0
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/sulu.git
-PKG_SOURCE_VERSION:=0c393542cab0679016967558448f5ad5e8c03f81
+PKG_SOURCE_VERSION:=5261722b1f88be676b0bdcffcb08baadfdc269bd
 PKG_MIRROR_HASH:=skip
 SULU_MOD:=core
diff --git a/sulu/sulu-builder/Config.in b/sulu/sulu-builder/Config.in
new file mode 100644
index 000000000..2ad0e3726
--- /dev/null
+++ b/sulu/sulu-builder/Config.in
@@ -0,0 +1,6 @@
+if PACKAGE_sulu
+ config SULU_DEFAULT_UI
+ depends on PACKAGE_sulu
+ bool "Makes Sulu run on port 443 instead of 8443"
+ default n
+endif
diff --git a/sulu/sulu-builder/Config_builder.in b/sulu/sulu-builder/Config_builder.in
new file mode 100644
index 000000000..3a209a441
--- /dev/null
+++ b/sulu/sulu-builder/Config_builder.in
@@ -0,0 +1,6 @@
+if PACKAGE_sulu-builder
+ config SULU_BUILDER_DEFAULT_UI
+ depends on PACKAGE_sulu-builder
+ bool "Makes Sulu run on port 443 instead of 8443"
+ default n
+endif
diff --git a/sulu/sulu-builder/Makefile b/sulu/sulu-builder/Makefile
index ab251c994..bb5476156 100644
--- a/sulu/sulu-builder/Makefile
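Review bot: In sulu/sulu-builder/Config.in the `if PACKAGE_sulu` … `endif` wrapper and the `depends on PACKAGE_sulu` line state the same condition twice, so one of the two can go; Config_builder.in repeats the pattern with `PACKAGE_sulu-builder`. Neither option has `help` text even though it changes which port the UI listens on. A `help` entry reading `Serve the Sulu UI on port 443 instead of 8443; make sure no other service on the device already uses 443.` would document the effect for integrators.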
+++ b/sulu/sulu-builder/Makefile
@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=sulu-builder
-PKG_VERSION:=5.3.14
+PKG_VERSION:=5.4.0
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/sulu-builder.git
-PKG_SOURCE_VERSION:=17285a9a8262c664dd8da03a1257b9e6e495dd2c
+PKG_SOURCE_VERSION:=d66466774bdce454cb33e0e55f13da4ca4194dd4
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_SOURCE_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_BUILD_DIR:=$(BUILD_DIR)/sulu-$(PKG_VERSION)/sulu-builder-$(PKG_SOURCE_VERSION)
@@ -28,8 +28,9 @@ define Package/sulu/default
 CATEGORY:=Utilities
 SUBMENU:=SULU
 TITLE:=SULU-CE
- DEPENDS:=+mosquitto-auth-plugin +usermngr +userinterface +obuspa
+ DEPENDS:=+usermngr +userinterface +obuspa
 DEPENDS+=+@OBUSPA_LOCAL_MQTT_LISTENER
+ DEPENDS:=+nginx-mod-ws-auth
 EXTRA_DEPENDS:=nginx
 endef
@@ -58,26 +59,11 @@ define Package/sulu-builder/description
 endef
 define Package/sulu/config
- config SULU_DEFAULT_UI
- depends on PACKAGE_sulu
- bool "Makes Sulu run on port 443 instead of 8443"
- default n
-
+ source "$(SOURCE)/Config.in"
 endef
 define Package/sulu-builder/config
- config SULU_BUILDER_EXTRA_PACKAGES
- depends on PACKAGE_sulu-builder
- string "Space separated list of sulu packages"
- help
- You can specify the list of non core sulu package,
- so that sulu-builder include them before building the core.
-
- config SULU_BUILDER_DEFAULT_UI
- depends on PACKAGE_sulu-builder
- bool "Makes Sulu run on port 443 instead of 8443"
- default n
-
+ source "$(SOURCE)/Config_builder.in"
 endef
 ifeq ($(BUILD_VARIANT),builder)
diff --git a/sulu/sulu-builder/files/etc/sulu/nginx.locations b/sulu/sulu-builder/files/etc/sulu/nginx.locations
index 4b3549ba9..34781f99c 100644
--- a/sulu/sulu-builder/files/etc/sulu/nginx.locations
+++ b/sulu/sulu-builder/files/etc/sulu/nginx.locations
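Review bot: The added `DEPENDS:=+nginx-mod-ws-auth` in `Package/sulu/default` of sulu/sulu-builder/Makefile uses `:=`, which replaces the value set by the two lines above it instead of extending it. As written, `+usermngr +userinterface +obuspa` and `+@OBUSPA_LOCAL_MQTT_LISTENER` would no longer be dependencies of the package. Use the append form the preceding line already uses: `DEPENDS+=+nginx-mod-ws-auth`. The `define` line of this block sits above the hunk.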
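Review bot: The new `Package/sulu-builder/config` body in sulu/sulu-builder/Makefile no longer declares `SULU_BUILDER_EXTRA_PACKAGES`, and Config_builder.in as added by this patch does not carry it over, while the commit subject only mentions the ws-auth backend. If any recipe outside this hunk still reads `CONFIG_SULU_BUILDER_EXTRA_PACKAGES`, it will now always be empty and the extra Sulu packages would silently stop being included. Either move the option with its help text into Config_builder.in or remove its remaining users in the same commit and say so in the description.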
@@ -16,11 +16,16 @@ location /maintenance.html {
 }
 location /wss {
- proxy_pass_request_headers on;
- proxy_cache off;
+ # Authenticate using JWT token
+ ws_auth;
+
 proxy_http_version 1.1;
+
+ # WebSocket upgrade headers
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
+
+ # Forward real client information
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $remote_addr;
@@ -28,12 +33,15 @@ location /wss {
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-Port $server_port;
 proxy_set_header X-Forwarded-Proto $scheme;
- add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
- add_header Pragma 'no-cache';
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,Content-Type,Range' always;
- expires 0;
- proxy_pass http://websocket;
+ proxy_pass http://127.0.0.1:9009;
+
+ # Disable buffering for real-time communication
+ proxy_buffering off;
+
+ # Timeouts for WebSocket (1 hour)
+ proxy_connect_timeout 3600;
+ proxy_send_timeout 3600;
+ proxy_read_timeout 3600;
 }
 location / {
diff --git a/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config b/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config
index 6e94774ce..ce42a530b 100644
--- a/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config
+++ b/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config
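Review bot: `proxy_set_header Connection $connection_upgrade;` in the `/wss` location of nginx.locations still needs a `map $http_upgrade $connection_upgrade` block, and this commit deletes `update_nginx_uci_template`, the only place visible in the patch that inserted that map into the nginx template. Unless nginx-mod-ws-auth or the base template now provides it, nginx would likely refuse the configuration on a fresh install because the variable is unknown. Either keep the map insertion in 40-add-sulu-config or state in the commit message where the map now comes from. A one-line comment next to `ws_auth;` saying what a request without a valid token receives would also help, since the broker listener behind this location is switched to `allow_anonymous` in the same commit. The location block continues past the end of this hunk.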
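Review bot: `proxy_pass http://127.0.0.1:9009;` in the second nginx.locations hunk hard-codes the broker port, whereas the removed `upstream websocket` entry was generated from `uci -q get mosquitto.sulu.port` with 9009 only as the fallback. A device whose sulu listener is configured on another port would lose the WebSocket path. `proxy_connect_timeout 3600;` also does not match its comment: the one-hour value suits `proxy_send_timeout` and `proxy_read_timeout` on an idle WebSocket, but the connect timeout only covers opening the connection to a loopback backend, and nginx documents that it usually cannot exceed 75 seconds. A short value such as `proxy_connect_timeout 5;` states the intent more accurately.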
@@ -13,24 +13,6 @@ if [ ! -f "${UCI_TEMPLATE}" ]; then
 return 1
 fi
-update_nginx_uci_template()
-{
- local port
-
- port="$(uci -q get mosquitto.sulu.port)"
- port="${port:-9009}"
-
- # Add map for WebSocket connection upgrade if not present
- if ! grep -q "map \$http_upgrade \$connection_upgrade" ${UCI_TEMPLATE}; then
- sed -i '/#UCI_HTTP_CONFIG$/i\ map $http_upgrade $connection_upgrade { default upgrade; "" close; }' ${UCI_TEMPLATE}
- fi
-
- # Add upstream websocket if not present
- if ! grep -q "upstream websocket" ${UCI_TEMPLATE}; then
- sed -i "/#UCI_HTTP_CONFIG$/i\ upstream websocket { server 127.0.0.1:${port}; }" ${UCI_TEMPLATE}
- fi
-}
-
 add_sulu_config_to_mosquitto()
 {
 uci_add mosquitto listener sulu
@@ -38,7 +20,7 @@ add_sulu_config_to_mosquitto()
 uci_set mosquitto sulu port '9009'
 uci_set mosquitto sulu no_remote_access '1'
 uci_set mosquitto sulu protocol 'websockets'
- uci_set mosquitto sulu auth_plugin '/usr/lib/mosquitto_auth_plugin.so'
+ uci_set mosquitto sulu allow_anonymous '1'
 uci_set mosquitto sulu acl_file '/etc/sulu/mqtt.acl'
 }
@@ -67,6 +49,5 @@ add_sulu_userinterface_uci()
 add_sulu_config_to_mosquitto
 add_sulu_userinterface_uci
-update_nginx_uci_template
 /etc/sulu/sulu.sh
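Review bot: `uci_set mosquitto sulu allow_anonymous '1'` in add_sulu_config_to_mosquitto makes the 9009 listener accept MQTT sessions without credentials, so the JWT check done by `ws_auth` in nginx covers only clients that arrive through `/wss`; anything on the device that can reach the listener directly is not authenticated. The design then rests on `no_remote_access '1'` keeping the listener off external interfaces (presumably loopback-only), which deserves a comment above the line, e.g. `# auth is enforced by nginx ws_auth; this listener must stay loopback-only`. Please also check `/etc/sulu/mqtt.acl`, which is not part of this patch: rules keyed on user names may no longer match anonymous sessions. Devices upgraded from an earlier image may still carry the `auth_plugin` option pointing at a plugin that is no longer a dependency, so a migration step that deletes it looks necessary unless one exists outside this patch. The function starts above this hunk.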