feat: Update documentation for Caddy reverse proxy integration and Docker service configuration

2025-11-26 13:51:48 +00:00
parent f0bc08c7c2
commit 3e8cd6e3d0
2 changed files with 57 additions and 26 deletions


@@ -44,30 +44,40 @@ ts/database/
Migration 8 converted certificate storage from file paths to PEM content.
## Reverse Proxy (November 2025 - Caddy)
## Reverse Proxy (November 2025 - Caddy Docker Service)
The reverse proxy now uses **Caddy** for production-grade reverse proxying with native SNI support, HTTP/2, HTTP/3, and WebSocket handling.
The reverse proxy uses **Caddy** running as a Docker Swarm service for production-grade reverse proxying with native SNI support, HTTP/2, HTTP/3, and WebSocket handling.
**Architecture:**
- Caddy binary downloaded to `.nogit/caddy` on first run (v2.10.2)
- Caddy process managed by `CaddyManager` class
- Caddy runs as Docker Swarm service (`onebox-caddy`) on the overlay network
- No binary download required - uses `caddy:2-alpine` Docker image
- Configuration pushed dynamically via Caddy Admin API (port 2019)
- Automatic HTTPS disabled - certificates managed externally via SmartACME
- Zero-downtime configuration updates
- Services reached by Docker service name (e.g., `onebox-hello-world:80`)
**Key files:**
- `ts/classes/caddy.ts` - CaddyManager class for binary and Admin API
- `ts/classes/caddy.ts` - CaddyManager class for Docker service and Admin API
- `ts/classes/reverseproxy.ts` - Delegates to CaddyManager
**Certificate workflow:**
1. `CertRequirementManager` creates requirements for domains
2. Daemon processes requirements via `certmanager.ts`
3. Certificates stored in database (PEM content)
4. `reverseProxy.addCertificate()` writes PEM files to `.nogit/certs/` and updates Caddy config
5. Caddy serves TLS with the loaded certificates
4. `reverseProxy.addCertificate()` passes PEM content to Caddy via `load_pem` (inline in config)
5. Caddy serves TLS with the loaded certificates (no volume mounts needed)
**Configuration:**
- Dev mode: HTTP on 8080, HTTPS on 8443
- Production: HTTP on 80, HTTPS on 443
- Admin API: localhost:2019 (not exposed externally)
- Automatic HTTPS disabled to prevent Caddy from binding to default ports
**Docker Service Configuration:**
- Service name: `onebox-caddy`
- Image: `caddy:2-alpine`
- Network: `onebox-network` (overlay, attachable)
- Startup: Writes initial config with `admin.listen: 0.0.0.0:2019` for host access
**Port Mapping:**
- Dev mode: HTTP on 8080, HTTPS on 8443, Admin on 2019
- Production: HTTP on 80, HTTPS on 443, Admin on 2019
- All ports use `PublishMode: 'host'` for direct binding
**Log Receiver:**
- Caddy sends access logs to `tcp/172.17.0.1:9999` (Docker bridge gateway)
- `CaddyLogReceiver` on host receives and processes logs
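Review bot: the retained Configuration bullet "Admin API: localhost:2019 (not exposed externally)" contradicts the new Docker Service Configuration and Port Mapping lines, which say the service starts with `admin.listen: 0.0.0.0:2019` and that all ports, Admin included, are published with `PublishMode: 'host'`. Read together, those describe an Admin API bound on every host interface, and the Caddy Admin API accepts configuration changes without authentication by default, so the "not exposed externally" claim no longer holds as written. Either document the actual exposure and the control that limits it (for example, publishing 2019 only on the loopback address, or a host firewall rule) or drop the stale bullet; the `Automatic HTTPS disabled to prevent Caddy from binding to default ports` rationale in the same block should also be reconciled with the earlier statement that it is disabled because SmartACME manages certificates. Minor: the old Configuration block and the new Port Mapping block now list the same HTTP/HTTPS ports twice; keeping one avoids the two drifting apart.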