feat(dev-deploy): one /_gm gate for console + Grafana + Mailpit
Tests · Go / test (push) Successful in 1m59s
Tests · Go / test (push) Successful in 1m59s
Consolidate the operator console and the observability / captured-mail UIs behind a single Basic Auth gate, so one password (the admin-console account, dev: gm/gm-dev-password) unlocks all three, with links in the console nav: - Caddyfile.dev: a single basic_auth on /_gm/* fronts nested routes — /_gm/grafana/ -> Grafana, /_gm/mailpit/ -> Mailpit, catch-all -> the gateway/backend console. Caddy forwards the same Authorization header, which the backend console also accepts, so there is one prompt. The former top-level /grafana/ and /mailpit/ routes are removed. - Grafana: served under /_gm/grafana/ (sub-path) as anonymous Admin with the login form and basic auth disabled, so it relies solely on the /_gm gate and ignores the forwarded credentials. - Mailpit: MP_WEBROOT=/_gm/mailpit (and the healthcheck path) so its UI lives under the gate. - Operator console: add Grafana and Mailpit links to the nav.
This commit is contained in:
Ilia Denisov
@@ -29,28 +29,34 @@
|
||||
reverse_proxy galaxy-api:8080
|
||||
}
|
||||
|
||||
# Operator console. Shares the gateway public listener with `/api`; the
|
||||
# gateway applies the admin anti-abuse class and reverse-proxies to the
|
||||
# backend `/_gm` surface, which enforces Basic Auth and renders the pages.
|
||||
# Operator console + observability behind one Basic Auth gate. The gate
|
||||
# credential equals the admin-console account (dev: gm / gm-dev-password),
|
||||
# so Caddy forwards the same Authorization header to the backend `/_gm`
|
||||
# surface (its own Basic Auth) and to Grafana/Mailpit — one prompt covers
|
||||
# all three. The gateway applies the admin anti-abuse class to the console.
|
||||
@gm path /_gm /_gm/*
|
||||
handle @gm {
|
||||
reverse_proxy galaxy-api:8080
|
||||
}
|
||||
|
||||
# Grafana (observability UI) under /grafana/ — Caddy sub-path mode
|
||||
# (Grafana set with GF_SERVER_SERVE_FROM_SUB_PATH); its own login.
|
||||
handle /grafana/* {
|
||||
reverse_proxy galaxy-grafana:3000
|
||||
}
|
||||
|
||||
# Mailpit captured-mail UI under /mailpit/. Shows every message the
|
||||
# backend sent (relayed or not); basic-auth (dev: gm / gm-dev-password)
|
||||
# guards the OTP codes it exposes. Mailpit runs with MP_WEBROOT=/mailpit.
|
||||
handle /mailpit/* {
|
||||
basic_auth {
|
||||
gm "$2a$14$xVh1TLaZxh8fazlKrI9Mx.NQMQlMarYWtr3FRELmZIXuac/DeeTRO"
|
||||
}
|
||||
reverse_proxy galaxy-mailpit:8025
|
||||
|
||||
# Grafana under /_gm/grafana/ (sub-path mode; anonymous Admin, so the
|
||||
# /_gm gate is the only barrier — GF_AUTH_BASIC_ENABLED=false makes it
|
||||
# ignore the forwarded Authorization header).
|
||||
handle /_gm/grafana/* {
|
||||
reverse_proxy galaxy-grafana:3000
|
||||
}
|
||||
|
||||
# Mailpit captured-mail UI under /_gm/mailpit/ (MP_WEBROOT). Shows
|
||||
# every message the backend sent, relayed or not.
|
||||
handle /_gm/mailpit/* {
|
||||
reverse_proxy galaxy-mailpit:8025
|
||||
}
|
||||
|
||||
# The operator console itself (gateway -> backend /_gm surface).
|
||||
handle {
|
||||
reverse_proxy galaxy-api:8080
|
||||
}
|
||||
}
|
||||
|
||||
# Bare `/game` (no trailing slash) -> `/game/` so the SPA root
|
||||
|
||||
Reference in New Issue
Block a user