R3: split the landing into its own static container
- gateway/Dockerfile gains a `landing` target: caddy:2-alpine + the shared Vite build (identical build args keep the ui stage a single cached build); the gateway target drops landing.html from the embed. - The contour caddy routes /app/, /telegram/ and the Connect path to the gateway; the catch-all — the landing at / and any stray path — goes to the new landing service, so junk traffic is absorbed by static file serving. - deploy/landing/Caddyfile mirrors the webui caching (immutable assets, no-cache shells) and falls back unknown paths to the landing shell. - The gateway's / now 308-redirects to /app/ (keeps a local no-caddy run usable); webui placeholder landing.html removed. - CI deploy probe checks both / (landing) and /app/ (gateway). Verified: both images build; the landing container serves landing.html at / (no-cache) with junk-path fallback; the gateway image redirects / to /app/ and carries no landing content.
This commit is contained in:
Ilia Denisov
+22
-9
@@ -1,15 +1,18 @@
|
||||
# Multi-stage build for the gateway service. A node stage builds the static UI
|
||||
# (Vite), the result is embedded into the Go binary (gateway/internal/webui/dist),
|
||||
# and the Go stage — mirroring platform/telegram/Dockerfile — yields a static
|
||||
# binary shipped on distroless nonroot. So the single binary serves the SPA at /
|
||||
# and /telegram/ (docs/ARCHITECTURE.md §13) with no separate static container.
|
||||
# Multi-stage build for the gateway service and the landing image. A node stage
|
||||
# builds the static UI (Vite) once; the `landing` target serves that build from a
|
||||
# static caddy container (the public landing at /, R3), while the final gateway
|
||||
# target embeds it — minus landing.html — into the Go binary
|
||||
# (gateway/internal/webui/dist), which serves the game SPA at /app/ and
|
||||
# /telegram/ (docs/ARCHITECTURE.md §13). The Go stage mirrors
|
||||
# platform/telegram/Dockerfile and ships on distroless nonroot.
|
||||
#
|
||||
# The production UI build vars are image build-args, baked into the bundle.
|
||||
# Build from the repository root so go.work, pkg/, gateway/ and ui/ are all in the
|
||||
# Docker context:
|
||||
# Build from the repository root so go.work, pkg/, gateway/, ui/ and
|
||||
# deploy/landing/ are all in the Docker context:
|
||||
# docker build -f gateway/Dockerfile \
|
||||
# --build-arg VITE_GATEWAY_URL=https://example \
|
||||
# -t scrabble-gateway .
|
||||
# docker build -f gateway/Dockerfile --target landing -t scrabble-landing .
|
||||
|
||||
# --- UI build ----------------------------------------------------------------
|
||||
FROM node:22-alpine AS ui
|
||||
@@ -38,6 +41,14 @@ RUN pnpm install --frozen-lockfile
|
||||
COPY ui ./
|
||||
RUN pnpm build
|
||||
|
||||
# --- landing -------------------------------------------------------------------
|
||||
# The public landing page as its own static container (R3): the same Vite build
|
||||
# served by caddy at /, so stray public traffic is absorbed by static file
|
||||
# serving and never reaches the Go edge.
|
||||
FROM caddy:2-alpine AS landing
|
||||
COPY deploy/landing/Caddyfile /etc/caddy/Caddyfile
|
||||
COPY --from=ui /ui/dist /srv
|
||||
|
||||
# --- Go build ----------------------------------------------------------------
|
||||
FROM golang:1.26.3-alpine AS build
|
||||
WORKDIR /src
|
||||
@@ -46,9 +57,11 @@ COPY pkg ./pkg
|
||||
COPY gateway ./gateway
|
||||
|
||||
# Replace the committed placeholder with the freshly built UI before compiling, so
|
||||
# go:embed bakes the real bundle into the binary.
|
||||
# go:embed bakes the real bundle into the binary. The landing shell ships in the
|
||||
# landing image, not in the gateway (R3).
|
||||
RUN rm -rf gateway/internal/webui/dist
|
||||
COPY --from=ui /ui/dist gateway/internal/webui/dist
|
||||
RUN rm gateway/internal/webui/dist/landing.html
|
||||
|
||||
# Reduce the workspace to what the gateway needs: gateway + pkg (loadtest is not in
|
||||
# this context; its scrabble/gateway replace targets ./gateway, which is present here).
|
||||
@@ -56,6 +69,6 @@ RUN go work edit -dropuse=./backend -dropuse=./platform/telegram -dropuse=./load
|
||||
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -o /out/gateway ./gateway/cmd/gateway
|
||||
|
||||
# --- runtime -----------------------------------------------------------------
|
||||
FROM gcr.io/distroless/static-debian12:nonroot
|
||||
FROM gcr.io/distroless/static-debian12:nonroot AS gateway
|
||||
COPY --from=build /out/gateway /usr/local/bin/gateway
|
||||
ENTRYPOINT ["/usr/local/bin/gateway"]
|
||||
|
||||
@@ -158,14 +158,16 @@ func (s *Server) HTTPHandler() http.Handler {
|
||||
// does not serve the app shell at the operator path.
|
||||
mux.Handle("/_gm/", http.NotFoundHandler())
|
||||
}
|
||||
// The embedded UI: the game SPA under /app/ (web) and /telegram/ (the Telegram Mini
|
||||
// App), with a separate landing page at the catch-all "/" — the single-origin model
|
||||
// (docs/ARCHITECTURE.md §13). All sit below the h2c wrap so the Connect edge (a more
|
||||
// specific prefix) keeps priority. Each SPA mount falls back to the app shell
|
||||
// (index.html) for the hash router; "/" falls back to the landing (landing.html).
|
||||
// The embedded UI: the game SPA under /app/ (web) and /telegram/ (the Telegram
|
||||
// Mini App) — the single-origin model (docs/ARCHITECTURE.md §13). Both sit below
|
||||
// the h2c wrap so the Connect edge (a more specific prefix) keeps priority, and
|
||||
// each mount falls back to the app shell (index.html) for the hash router. The
|
||||
// public landing moved to its own static container behind the contour caddy
|
||||
// (R3), so the catch-all redirects a stray root hit to the app shell — which
|
||||
// keeps a local no-caddy run usable.
|
||||
mux.Handle("/telegram/", webui.Handler("/telegram/", "index.html"))
|
||||
mux.Handle("/app/", webui.Handler("/app/", "index.html"))
|
||||
mux.Handle("/", webui.Handler("", "landing.html"))
|
||||
mux.Handle("/", http.RedirectHandler("/app/", http.StatusPermanentRedirect))
|
||||
// Every request body on the public listener is capped (the admin proxy POSTs
|
||||
// included); the h2c server carries explicit stream/idle sizing (R3).
|
||||
return h2c.NewHandler(maxBodyHandler(s.maxBodyBytes, mux), &http2.Server{
|
||||
|
||||
@@ -197,6 +197,26 @@ func TestExecuteOversizedPayloadRejected(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// TestRootRedirectsToApp verifies the gateway no longer serves a landing at "/"
|
||||
// (it lives in the landing container since R3): a stray root hit is redirected
|
||||
// to the app shell.
|
||||
func TestRootRedirectsToApp(t *testing.T) {
|
||||
front := httptest.NewServer(connectsrv.NewServer(connectsrv.Deps{}).HTTPHandler())
|
||||
defer front.Close()
|
||||
|
||||
client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
|
||||
return http.ErrUseLastResponse
|
||||
}}
|
||||
resp, err := client.Get(front.URL + "/")
|
||||
if err != nil {
|
||||
t.Fatalf("get /: %v", err)
|
||||
}
|
||||
defer func() { _ = resp.Body.Close() }()
|
||||
if resp.StatusCode != http.StatusPermanentRedirect || resp.Header.Get("Location") != "/app/" {
|
||||
t.Fatalf("GET / = %d -> %q, want 308 -> /app/", resp.StatusCode, resp.Header.Get("Location"))
|
||||
}
|
||||
}
|
||||
|
||||
func TestExecuteUnknownMessageType(t *testing.T) {
|
||||
client, cleanup := newEdge(t, func(w http.ResponseWriter, r *http.Request) {})
|
||||
defer cleanup()
|
||||
|
||||
-16
@@ -1,16 +0,0 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<title>Scrabble</title>
|
||||
</head>
|
||||
<body>
|
||||
<!-- scrabble-landing -->
|
||||
<p>
|
||||
Landing build placeholder. The production gateway image embeds the real Vite
|
||||
build (see gateway/Dockerfile); seeing this page means the binary was built
|
||||
without a UI build.
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,12 +1,13 @@
|
||||
// Package webui serves the embedded static UI build over the public edge.
|
||||
//
|
||||
// The committed dist/ holds only placeholder index.html / landing.html so the gateway
|
||||
// module compiles with a plain `go build` (and in CI) without a UI build. The production
|
||||
// gateway image replaces dist/ with the real Vite build before compiling (see
|
||||
// gateway/Dockerfile), so the binary ships the UI inside it. Because Vite is built with a
|
||||
// relative asset base, one build serves under any path: the game SPA is mounted at /app/
|
||||
// (web) and /telegram/ (the Telegram Mini App), with a separate landing page at / — the
|
||||
// single-origin model in docs/ARCHITECTURE.md §13.
|
||||
// The committed dist/ holds only a placeholder index.html so the gateway module
|
||||
// compiles with a plain `go build` (and in CI) without a UI build. The production
|
||||
// gateway image replaces dist/ with the real Vite build — minus landing.html, which
|
||||
// ships in the separate landing container since R3 — before compiling (see
|
||||
// gateway/Dockerfile), so the binary ships the UI inside it. Because Vite is built
|
||||
// with a relative asset base, one build serves under any path: the game SPA is
|
||||
// mounted at /app/ (web) and /telegram/ (the Telegram Mini App) — the single-origin
|
||||
// model in docs/ARCHITECTURE.md §13.
|
||||
//
|
||||
// Caching (Stage 17): Vite emits hash-named files under assets/, so those are immutable and
|
||||
// cached hard (a reload/relaunch is a cache hit, not a re-download); the HTML shells carry
|
||||
@@ -35,10 +36,10 @@ func distFS() fs.FS {
|
||||
}
|
||||
|
||||
// Handler serves the embedded UI. An existing file is served directly (hash-named assets get
|
||||
// an immutable cache); every other path falls back to indexName (the SPA shell or the landing
|
||||
// page) so a client-side deep link still loads. When stripPrefix is non-empty it is removed
|
||||
// from the request path before lookup, so the same build serves under a sub-path (e.g.
|
||||
// "/app/" or "/telegram/").
|
||||
// an immutable cache); every other path falls back to indexName (the SPA shell) so a
|
||||
// client-side deep link still loads. When stripPrefix is non-empty it is removed from the
|
||||
// request path before lookup, so the same build serves under a sub-path (e.g. "/app/" or
|
||||
// "/telegram/").
|
||||
func Handler(stripPrefix, indexName string) http.Handler {
|
||||
content := distFS()
|
||||
files := http.FileServer(http.FS(content))
|
||||
|
||||
@@ -22,20 +22,12 @@ func body(t *testing.T, resp *http.Response) string {
|
||||
return string(b)
|
||||
}
|
||||
|
||||
// TestLandingMountServesLandingAndFallsBack: "/" serves the landing shell (no-cache) and
|
||||
// any unknown path falls back to it.
|
||||
func TestLandingMountServesLandingAndFallsBack(t *testing.T) {
|
||||
h := Handler("", "landing.html")
|
||||
|
||||
resp := get(t, h, "/")
|
||||
if resp.StatusCode != http.StatusOK || !strings.Contains(body(t, resp), "scrabble-landing") {
|
||||
t.Fatalf("GET / did not serve the landing shell (status %d)", resp.StatusCode)
|
||||
}
|
||||
if cc := get(t, h, "/").Header.Get("Cache-Control"); cc != "no-cache" {
|
||||
t.Errorf("landing Cache-Control = %q, want no-cache", cc)
|
||||
}
|
||||
if resp := get(t, h, "/whatever"); resp.StatusCode != http.StatusOK {
|
||||
t.Fatalf("GET /whatever status = %d, want 200 (fallback)", resp.StatusCode)
|
||||
// TestShellNoCache: the served HTML shell carries no-cache so a new deploy's
|
||||
// shell (and the asset URLs it references) is fetched fresh.
|
||||
func TestShellNoCache(t *testing.T) {
|
||||
h := Handler("/app/", "index.html")
|
||||
if cc := get(t, h, "/app/").Header.Get("Cache-Control"); cc != "no-cache" {
|
||||
t.Errorf("shell Cache-Control = %q, want no-cache", cc)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user