| | | |
|---|---|---|
| author | ertopogo <erwin.t.pombett@gmail.com> | 2026-03-13 00:33:28 +0100 |
| committer | ertopogo <erwin.t.pombett@gmail.com> | 2026-03-13 00:33:28 +0100 |
| commit | b34873f98052ac5fb4bf6731a25730075796d764 (patch) | |
| tree | 0b27ef2996894287aaf382b43956d6cf45352e94 /docs/CADDY_ARAUCARIA.md | |
Diffstat (limited to 'docs/CADDY_ARAUCARIA.md')
| -rw-r--r-- | docs/CADDY_ARAUCARIA.md | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/docs/CADDY_ARAUCARIA.md b/docs/CADDY_ARAUCARIA.md new file mode 100644 index 0000000..975c85b --- /dev/null +++ b/docs/CADDY_ARAUCARIA.md 
@@ -0,0 +1,80 @@ +# CADDY_ARAUCARIA + +## Objectif +Publier la stack medias en HTTPS via Caddy sur `araucaria`, sans exposition directe des ports applicatifs vers les clients. + +## Prerequis +- Caddy installe et actif sur `araucaria`. +- `araucaria` peut joindre la VM `konenpan` sur les ports internes: + - viewer-bff `8082` + - media-access-api `8081` + - MinIO API `9000` (si necessaire) + - MinIO Console `9001` (admin uniquement) + +## Noms DNS recommandes +- `photos.arauco.online` +- `media-api.arauco.online` +- `minio-console.arauco.online` +- `minio.arauco.online` (optionnel, a limiter) + +## Caddyfile (exemple) +```caddy +photos.arauco.online { + encode zstd gzip + reverse_proxy 192.168.99.23:8082 +} + +media-api.arauco.online { + encode zstd gzip + reverse_proxy 192.168.99.23:8081 +} + +minio-console.arauco.online { + encode zstd gzip + reverse_proxy 192.168.99.23:9001 +} + +minio.arauco.online { + encode zstd gzip + reverse_proxy 192.168.99.23:9000 +} +``` + +## Application +```bash +sudo caddy validate --config /etc/caddy/Caddyfile +sudo systemctl reload caddy +sudo systemctl status caddy --no-pager +``` + +## Validation +```bash +curl -I https://photos.arauco.online +curl -I https://media-api.arauco.online/health +curl -I https://minio-console.arauco.online +``` + +## Checklist debug rapide +Utiliser cette sequence en cas de "connexion a echoue" depuis le navigateur. + +```bash +# DNS -> araucaria +dig +short photos.arauco.online + +# TLS/HTTP sur le front Caddy +curl -vkI https://photos.arauco.online + +# Etat et config Caddy +sudo caddy validate --config /etc/caddy/Caddyfile +sudo systemctl status caddy --no-pager +sudo journalctl -u caddy -n 100 --no-pager + +# Connectivite backend depuis araucaria +curl -I http://192.168.99.23:8082/health +curl -I http://192.168.99.23:8081/health +``` + +## Recommandations securite +- Exposer `minio-console` uniquement aux admins (ACL reseau/VPN/IP allowlist). 
+- Ne pas autoriser de lecture anonyme sur le bucket prive. +- Conserver l'enforcement ACL dans `media-access-api` (deny-by-default + URLs pre-signees). |
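Review bot: the example Caddyfile contradicts the document's own security recommendations: the `## Prerequis` section marks MinIO Console `9001` as "admin uniquement" and `minio.arauco.online` as "optionnel, a limiter", and the `## Recommandations securite` section says to expose `minio-console` only to admins via an ACL/VPN/IP allowlist, yet the `minio-console.arauco.online` and `minio.arauco.online` site blocks contain a bare `reverse_proxy 192.168.99.23:9001` / `reverse_proxy 192.168.99.23:9000` with no restriction, so a reader who copies the example publishes the MinIO console and S3 API to every client that can reach `araucaria`. Either drop those two blocks from the example (and state that they are intentionally omitted until an allowlist is in place), or show the restriction inline, for instance a named `remote_ip` matcher with the admin range as a placeholder, e.g. `@admin remote_ip <ADMIN-CIDR>`, then `handle @admin { reverse_proxy 192.168.99.23:9001 }` and a fallback `handle { abort }`, so the example is safe by default. Minor: the `## Checklist debug rapide` uses `curl -vkI`, which disables certificate verification; a comment that `-k` is only for diagnosing a broken cert and must not be used in the `## Validation` step would avoid it being copied there.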
