summaryrefslogtreecommitdiff
path: root/docs/CADDY_ARAUCARIA.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/CADDY_ARAUCARIA.md')
-rw-r--r--docs/CADDY_ARAUCARIA.md80
1 files changed, 80 insertions, 0 deletions
diff --git a/docs/CADDY_ARAUCARIA.md b/docs/CADDY_ARAUCARIA.md
new file mode 100644
index 0000000..975c85b
--- /dev/null
+++ b/docs/CADDY_ARAUCARIA.md
@@ -0,0 +1,80 @@
+# CADDY_ARAUCARIA
+
+## Objectif
+Publier la stack medias en HTTPS via Caddy sur `araucaria`, sans exposition directe des ports applicatifs vers les clients.
+
+## Prerequis
+- Caddy installe et actif sur `araucaria`.
+- `araucaria` peut joindre la VM `konenpan` sur les ports internes:
+ - viewer-bff `8082`
+ - media-access-api `8081`
+ - MinIO API `9000` (si necessaire)
+ - MinIO Console `9001` (admin uniquement)
+
+## Noms DNS recommandes
+- `photos.arauco.online`
+- `media-api.arauco.online`
+- `minio-console.arauco.online`
+- `minio.arauco.online` (optionnel, a limiter)
+
+## Caddyfile (exemple)
+```caddy
+photos.arauco.online {
+ encode zstd gzip
+ reverse_proxy 192.168.99.23:8082
+}
+
+media-api.arauco.online {
+ encode zstd gzip
+ reverse_proxy 192.168.99.23:8081
+}
+
+minio-console.arauco.online {
+ encode zstd gzip
+ reverse_proxy 192.168.99.23:9001
+}
+
+minio.arauco.online {
+ encode zstd gzip
+ reverse_proxy 192.168.99.23:9000
+}
+```
+
+## Application
+```bash
+sudo caddy validate --config /etc/caddy/Caddyfile
+sudo systemctl reload caddy
+sudo systemctl status caddy --no-pager
+```
+
+## Validation
+```bash
+curl -I https://photos.arauco.online
+curl -I https://media-api.arauco.online/health
+curl -I https://minio-console.arauco.online
+```
+
+## Checklist debug rapide
+Utiliser cette sequence en cas de "connexion a echoue" depuis le navigateur.
+
+```bash
+# DNS -> araucaria
+dig +short photos.arauco.online
+
+# TLS/HTTP sur le front Caddy
+curl -vkI https://photos.arauco.online
+
+# Etat et config Caddy
+sudo caddy validate --config /etc/caddy/Caddyfile
+sudo systemctl status caddy --no-pager
+sudo journalctl -u caddy -n 100 --no-pager
+
+# Connectivite backend depuis araucaria
+curl -I http://192.168.99.23:8082/health
+curl -I http://192.168.99.23:8081/health
+```
+
+## Recommandations securite
+- Exposer `minio-console` uniquement aux admins (ACL reseau/VPN/IP allowlist).
+- Ne pas autoriser de lecture anonyme sur le bucket prive.
+- Conserver l'enforcement ACL dans `media-access-api` (deny-by-default + URLs pre-signees).
generated by cgit v1.2.3 (git 2.39.1) at 2026-04-23 01:58:16 +0000