jbrueckner/GhostGrid
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(caddy): support HTTPS upstreams via https:// prefix

Browse Source 
When a route's upstream starts with https://, buildCaddyfile emits a
transport http { tls_insecure_skip_verify } block so Caddy connects over TLS
and accepts the self-signed certificate typical of backends like Semaphore.
Added a UI hint explaining the https:// prefix.
This commit is contained in:
Brückner
2026-06-08 14:43:29 +02:00
parent 6f621067b9
commit f6263ad2f3
3 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ARCHITECTURE.md
View File

@ -464,6 +464,9 @@ Manual: POST /api/semaphore/trigger/{bookingId} body { type: 'setup'|'teardown
buildCaddyfile(): buildCaddyfile():
{ local_certs } # global block { local_certs } # global block
per custom route { [encode] [tls internal] reverse_proxy <upstream> } per custom route { [encode] [tls internal] reverse_proxy <upstream> }
upstream prefixed with https:// → reverse_proxy gets a
transport http { tls_insecure_skip_verify } block
(for self-signed TLS backends like Semaphore)
importCaddyfileRoutes(): reads /etc/caddy/Caddyfile on first Caddy enable importCaddyfileRoutes(): reads /etc/caddy/Caddyfile on first Caddy enable
parses hostname/upstream blocks → seeds caddy table as custom routes parses hostname/upstream blocks → seeds caddy table as custom routes

12
server.ts
View File

@ -82,7 +82,17 @@ function buildCaddyfile(): string {
lines.push(`${route.hostname} {`); lines.push(`${route.hostname} {`);
if (route.compress) lines.push(' encode zstd gzip'); if (route.compress) lines.push(' encode zstd gzip');
if (route.tls) lines.push(' tls internal'); if (route.tls) lines.push(' tls internal');
lines.push(` reverse_proxy ${route.upstream}`); if (/^https:\/\//i.test(route.upstream)) {
// HTTPS upstream (e.g. Semaphore) — connect over TLS and skip certificate
// verification, since such backends typically use a self-signed cert.
lines.push(` reverse_proxy ${route.upstream} {`);
lines.push(' transport http {');
lines.push(' tls_insecure_skip_verify');
lines.push(' }');
lines.push(' }');
} else {
lines.push(` reverse_proxy ${route.upstream}`);
}
lines.push('}', ''); lines.push('}', '');
} }

1
src/components/Settings.tsx
View File

@ -930,6 +930,7 @@ export default function Settings({ currentUser: _currentUser }: SettingsProps) {
{caddyEnabled && ( {caddyEnabled && (
<div className="space-y-2"> <div className="space-y-2">
<Label>Proxy Routes</Label> <Label>Proxy Routes</Label>
<Hint>Prefix the upstream with https:// for TLS backends (e.g. Semaphore) — the certificate is not verified.</Hint>
{caddyStatus === 'unavailable' && ( {caddyStatus === 'unavailable' && (
<p className="text-[11px] font-mono text-amber-400 mb-2"> <p className="text-[11px] font-mono text-amber-400 mb-2">