2025-11-26 12:16:50 +00:00
parent e6f7d70d51
commit c46ceccb6c
13 changed files with 1970 additions and 473 deletions


@@ -44,22 +44,30 @@ ts/database/
Migration 8 converted certificate storage from file paths to PEM content.
## Reverse Proxy SNI Support (November 2025)
## Reverse Proxy (November 2025 - Caddy)
The HTTPS reverse proxy now uses Node.js `https.createServer()` with SNI support:
- Uses Deno's Node.js compatibility layer for `node:https` module
- Implements `server.addContext(hostname, {cert, key})` for per-domain certificates
- Dynamic certificate addition via `addCertificate()` without server restart
- HTTP-to-HTTPS redirect when certificate exists for domain
- Wildcard pattern support (e.g., `*.bleu.de` covers `sub.bleu.de`)
The reverse proxy now uses **Caddy** for production-grade reverse proxying with native SNI support, HTTP/2, HTTP/3, and WebSocket handling.
**Architecture:**
- Caddy binary downloaded to `.nogit/caddy` on first run (v2.10.2)
- Caddy process managed by `CaddyManager` class
- Configuration pushed dynamically via Caddy Admin API (port 2019)
- Automatic HTTPS disabled - certificates managed externally via SmartACME
- Zero-downtime configuration updates
**Key files:**
- `ts/classes/reverseproxy.ts` - SNI-enabled HTTPS server
- `ts/classes/services.ts` - Dynamic route updates on service start/stop
- `ts/classes/caddy.ts` - CaddyManager class for binary and Admin API
- `ts/classes/reverseproxy.ts` - Delegates to CaddyManager
**Certificate workflow:**
1. `CertRequirementManager` creates requirements for domains
2. Daemon processes requirements via `certmanager.ts`
3. Certificates stored in database (PEM content)
4. `reverseProxy.addCertificate()` dynamically adds SNI context
5. HTTP requests redirect to HTTPS when cert exists
4. `reverseProxy.addCertificate()` writes PEM files to `.nogit/certs/` and updates Caddy config
5. Caddy serves TLS with the loaded certificates
**Configuration:**
- Dev mode: HTTP on 8080, HTTPS on 8443
- Production: HTTP on 80, HTTPS on 443
- Admin API: localhost:2019 (not exposed externally)
- Automatic HTTPS disabled to prevent Caddy from binding to default ports
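Review bot: The new "Architecture" and "Configuration" bullets leave out the three points a reader of this file most needs for the Caddy setup: how the downloaded binary is verified, how the Admin API is protected, and how the private keys written to disk are permissioned. For `Caddy binary downloaded to .nogit/caddy on first run (v2.10.2)`, state whether the download is pinned to a checksum or signature for that version; an unverified first-run download becomes the process that binds 80/443 in production. For `Admin API: localhost:2019 (not exposed externally)`, note that Caddy's admin endpoint is unauthenticated, so any local user or process on the host can replace the pushed config (routes, TLS material); document the listener `CaddyManager` configures and, if it uses a unix socket, its permissions. For `reverseProxy.addCertificate() writes PEM files to .nogit/certs/`, this moves private keys from the database (step 3) onto disk; document the file and directory mode (owner-only) and that the directory is excluded from backups and VCS. Finally, the removed text documented HTTP-to-HTTPS redirects and wildcard hosts (`*.bleu.de`), and the new text drops both; since disabling automatic HTTPS in Caddy also disables its automatic redirects, add a line saying whether the pushed config still includes the redirect and wildcard host matchers.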