Serving static web app from inside Confluence Server P2 plug-in for “behind-the-firewall” environments

We currently have a Confluence Server plug-in that delivers a web app from our servers within in an iframe independent of the Confluence instance server. We’d like in the future to deliver the web app’s actual HTML/JS/CSS from within our plug-in rather than our server for “behind-the-firewall” secure environments. Are there any recommended practices/Confluence component recommendations for how best to accomplish this? The Atlassian docs are rather thin on details. Would general practices for delivering static content from a servlet apply or would one have to declare every single HTML, CSS, and JS file as web resources and tie it all together with a Velocity template replacing our web app’s main .html page?