3 Commits

Author SHA1 Message Date
gnezim 5273b3a7a6 setup-pve201: treat WAF 403 as warning, not fatal
The smoke test was getting 403 from the upstream WAF (rate-limit on
webzavod's egress IP). 403 doesn't indicate a tunnel/routing problem
— it confirms the egress IP IS the WAF-recognized one and is being
throttled. Don't abort the rest of setup over a transient throttle;
the only response that should hard-fail is HTTP 200 with HTML body
(WAF interstitial), which means the tunnel was bypassed.
2026-04-27 17:37:22 +03:00
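The status-code rule in this commit message, written out as a small shell classifier (an added example, not the repository's setup-pve201.sh). Status and body are passed in explicitly so it can be exercised offline against constructed responses; the curl wrapper at the end shows how the real values would be obtained. Treating a non-response (curl exit, status 000) as fatal and any other unexpected status as a warning are assumptions of this example, not rules stated in the commit:

```sh
#!/bin/sh
# Added example, not the project's own code. Implements the verdict rule from
# the commit message above:
#   fail: HTTP 200 whose body is an HTML document (WAF interstitial served
#         straight to us, i.e. the tunnel was bypassed)
#   warn: HTTP 403 (WAF rate limit on the egress IP; transient, keep going)
#   ok:   HTTP 200 with a non-HTML body (the API answered through the tunnel)
# Assumptions of this example: status 000 (curl got no response) is fatal,
# every other status is a warning.

# looks_like_html BODY: true when the body starts with an HTML or doctype tag
# (leading whitespace and newlines ignored, case-insensitive).
looks_like_html() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '\r\n' \
        | grep -q -E '^[[:space:]]*<(!doctype[[:space:]]+html|html)'
}

# classify_smoke STATUS BODY: prints ok | warn | fail
classify_smoke() {
    status=$1
    body=$2
    case "$status" in
        200)
            if looks_like_html "$body"; then echo fail; else echo ok; fi
            ;;
        403)
            echo warn            # throttled by the upstream WAF
            ;;
        000)
            echo fail            # assumption: no response at all = tunnel down
            ;;
        *)
            echo warn            # assumption: surface it, do not abort setup
            ;;
    esac
}

# smoke_check STATUS BODY: exit-code wrapper for use under `set -e`.
# Returns 0 for ok and warn (warning printed to stderr), 1 for fail.
smoke_check() {
    verdict=$(classify_smoke "$1" "$2")
    case "$verdict" in
        ok)   echo "smoke: HTTP $1 OK" ;;
        warn) echo "smoke: WARNING: HTTP $1 from upstream (WAF throttle?), continuing" >&2 ;;
        fail) echo "smoke: FATAL: HTTP $1 with HTML body or no response, tunnel bypassed/down" >&2
              return 1 ;;
    esac
    return 0
}

# fetch_and_classify URL: real-world wrapper (not run in the demo below).
# curl -o captures the body, -w '%{http_code}' prints only the status.
fetch_and_classify() {
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$1") || status=000
    body=$(cat "$tmp")
    rm -f "$tmp"
    classify_smoke "$status" "$body"
}

# Constructed sample responses for a stand-alone run.
JSON_BODY='{"status":"ok","version":"1.0"}'
HTML_BODY='<!DOCTYPE html><html><head><title>Access denied</title></head><body>Checking your browser</body></html>'

smoke_check 200 "$JSON_BODY"
smoke_check 403 "$HTML_BODY"
smoke_check 200 "$HTML_BODY" || echo "(setup would abort here)"
```

The HTML sniff is deliberately on the body rather than on `Content-Type`: a WAF interstitial is often served with the same `text/html` header the real app uses for its index page, but a JSON API endpoint answering with an HTML document is unambiguous.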
gnezim b0e9aafed2 WAF rate-limit mitigation: nginx /api cache + Playwright throttle
(A) Add proxy_cache zone for ui-dashboard.gnerim.ru. /api/ caches 200 for
1m, /map/api/ for 24h. proxy_cache_use_stale serves cached content during
upstream errors (incl. 403 from WAF rate limit). proxy_cache_lock collapses
concurrent fetches for the same URI. Cache zone declared in conf.d/ (must
be in http{} context).

(B) Playwright workers=2, retries=2 in CI. Cuts the parallel burst that
trips the WAF before nginx cache warms up; retries handle the residual
flake.

setup-pve201.sh now installs the conf.d cache file and pre-creates the
cache dir with nginx-user ownership.
2026-04-27 16:40:44 +03:00
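The cache layout from part (A) and the conf.d/cache-dir installation step, as an added shell example that is not the repository's setup-pve201.sh. Zone name, sizes, the conf file name, the cache directory and the upstream address (taken here to be a local tunnel endpoint) are assumptions of this example; the cache TTLs, the stale-on-403 behaviour and the lock follow the commit message:

```sh
#!/bin/sh
# Added example, not the project's own code. Two pieces:
#  1. install_api_cache writes the proxy_cache_path declaration into conf.d/
#     (it must be in http{} context, so it cannot live inside the vhost's
#     server{} block) and pre-creates the cache directory.
#  2. api_cache_locations prints the /api/ and /map/api/ location blocks
#     for the vhost's server{}.
# Assumed names: zone ui_dashboard, file ui-dashboard-cache.conf, 256m cache.

# install_api_cache CONF_DIR CACHE_DIR OWNER
# chown is only attempted as root so the function can be run in a scratch
# tree; on the real host OWNER is the nginx worker user.
install_api_cache() {
    conf_dir=$1
    cache_dir=$2
    owner=$3

    mkdir -p "$conf_dir" "$cache_dir"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$cache_dir"
    fi
    chmod 700 "$cache_dir"      # cached API bodies are behind basic auth; keep them private

    cat > "$conf_dir/ui-dashboard-cache.conf" <<EOF
# Installed by setup script. proxy_cache_path is only valid in http{} context.
proxy_cache_path $cache_dir levels=1:2 keys_zone=ui_dashboard:10m
                 max_size=256m inactive=24h use_temp_path=off;
EOF
    return 0
}

# api_cache_locations UPSTREAM: location blocks for the vhost's server{}.
# /api/ caches 200s for 1m, /map/api/ for 24h. proxy_cache_use_stale serves
# the cached copy while the upstream errors out or answers 403 (WAF throttle);
# proxy_cache_lock collapses concurrent misses for one key into one fetch.
api_cache_locations() {
    upstream=$1
    cat <<EOF
    location /api/ {
        proxy_pass $upstream;
        proxy_cache ui_dashboard;
        proxy_cache_valid 200 1m;
        proxy_cache_use_stale error timeout updating http_403 http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;
        add_header X-Cache-Status \$upstream_cache_status always;
    }

    location /map/api/ {
        proxy_pass $upstream;
        proxy_cache ui_dashboard;
        proxy_cache_valid 200 24h;
        proxy_cache_use_stale error timeout updating http_403 http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        add_header X-Cache-Status \$upstream_cache_status always;
    }
EOF
}

# Stand-alone demo in a scratch tree (no root needed). On the real host the
# arguments would be /etc/nginx/conf.d, the cache directory and the nginx
# user, followed by `nginx -t && systemctl reload nginx`.
demo_root=$(mktemp -d)
install_api_cache "$demo_root/conf.d" "$demo_root/cache" "$(id -un)"
api_cache_locations "http://127.0.0.1:8080" > "$demo_root/locations.conf"
cat "$demo_root/conf.d/ui-dashboard-cache.conf"
```

Two caveats worth keeping in mind with this layout. `proxy_cache_use_stale ... http_403` only helps once an entry exists for that key; on a cold cache the 403 is passed straight through, which is why the Playwright worker cut in part (B) still matters. And nginx's default cache key does not include the `Authorization` header, so every basic-auth user of the vhost shares the same cached bodies; that is fine for one shared htpasswd entry but must be revisited if per-user responses are ever served under /api/.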
gnezim 894113e09d Add deployment/setup-pve201.sh — one-shot Phase B host bootstrap
Idempotent: installs systemd tunnel unit, smoke-tests it, writes the
nginx vhost + htpasswd, reloads nginx. Reads BASIC_AUTH_USER/PASS from
env (use sudo -E).
2026-04-27 12:06:32 +03:00