645df52c0b
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 8s
CI / integration (pull_request) Successful in 13s
CI / ui (pull_request) Successful in 32s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m8s
- Client IP: the compose caddy trusts X-Forwarded-For from private-range upstreams (trusted_proxies private_ranges), so the real client IP survives the host-caddy hop (it was logging the docker caddy hop 172.18.0.x for chat moderation and bucketing the gateway per-IP rate limiter on it). Correct and spoof-safe in both contours (prod has no host caddy); peerIP unit-tested.
- Ad banner gated off behind a compile-time SHOW_AD_BANNER=false (the if-branch, the AdBanner import and banner.ts are tree-shaken out of the prod bundle).
- Landing: the Telegram entry is just the 64px logo (clickable, no button/text).
- TG-fullscreen header: title + menu centred as a pair (hamburger right of the title), pinned to the bottom of the TG nav band.
- Edge-swipe back (Screen): a left-edge rightward drag navigates to back (touch/pen only, armed from <=24px; skipped inside Telegram).
- Chat soft-keyboard: a bottom-sheet Modal lifted above the keyboard by a visualViewport-driven transform (compositor-only, no page/sheet relayout). iOS-specific, needs on-device tuning; native resize=none awaits Capacitor.
- Tests: e2e for the in-game '✓ in friends' item and a board→board tile relocation; codec units for last_activity_unix + OutgoingRequestList.

Deferred to the next PR (agreed): #4 enrich the your-turn/game-end push; #5 hide finished games from the lobby.
44 lines
1.6 KiB
Caddyfile
# Edge reverse proxy for the Scrabble contour. A single Basic-Auth gate covers
# every operator surface under /_gm (the backend-rendered admin console and the
# Grafana subpath); everything else (the SPA at / and /telegram/, plus the
# Connect edge) goes to the gateway. Mirrors ../galaxy-game's /_gm model.
#
# CADDY_SITE_ADDRESS is ":80" in the test contour (the host caddy terminates TLS
# and forwards); set it to a domain in prod (Stage 18) so this caddy does its own
# ACME and the contour is self-contained.
{
	admin off
	# Trust X-Forwarded-For from private-range upstreams so the real client IP survives
	# (chat moderation + per-IP rate limiting in the gateway). Test contour: the host caddy
	# (a private IP) is trusted, so its forwarded client IP is preserved. Prod (no host caddy):
	# clients connect from public IPs, which are NOT trusted, so Caddy uses the real peer —
	# the same config is correct (and spoof-safe) in both contours (Stage 17).
	servers {
		trusted_proxies static private_ranges
	}
}

{$CADDY_SITE_ADDRESS::80} {
	# Operator surfaces under /_gm: a single shared Basic-Auth, then route.
	@gm path /_gm /_gm/*
	handle @gm {
		basic_auth {
			{$GM_BASICAUTH_USER:gm} {$GM_BASICAUTH_HASH}
		}
		# Grafana serves from this sub-path (GF_SERVER_SERVE_FROM_SUB_PATH=true), so
		# the prefix is forwarded intact, not stripped.
		handle /_gm/grafana* {
			reverse_proxy grafana:3000
		}
		# Everything else under /_gm is the backend-rendered admin console.
		handle {
			reverse_proxy backend:8080
		}
	}

	# The SPA (/, /telegram/) and the Connect edge are served by the gateway.
	handle {
		reverse_proxy gateway:8081
	}
}
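
The trust rule described in the Caddyfile comment, modelled as an added Go example (not the project's gateway code, its peerIP helper, or Caddy's source): X-Forwarded-For is honoured only when the TCP peer is inside the private ranges, otherwise the peer itself is the client. Walking the chain right to left is the strict variant and an assumption here; `clientIP` and the documentation-range addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// The ranges behind Caddy's private_ranges shortcut.
var trusted = []netip.Prefix{
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("fd00::/8"),
	netip.MustParsePrefix("::1/128"),
}

func isTrusted(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	for _, p := range trusted {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP (hypothetical helper) takes the bare peer IP (no port) and the raw
// X-Forwarded-For value, and returns the address to log and rate-limit on.
func clientIP(peer, xff string) string {
	p, err := netip.ParseAddr(peer)
	if err != nil || !isTrusted(p) {
		return peer // public peer: the header is client-controlled, ignore it
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- { // rightmost hop was added last
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed entry: stop trusting the chain
		}
		if !isTrusted(ip) {
			return ip.String() // first hop not vouched for by a trusted proxy
		}
	}
	return peer // empty or all-private chain: fall back to the peer
}

func main() {
	fmt.Println(clientIP("172.18.0.1", "203.0.113.7")) // test contour
	fmt.Println(clientIP("198.51.100.9", "10.0.0.5"))  // prod, forged header
}
```

The same gate means any host that can reach this caddy from a private address is believed, so the listener should only be reachable from the host caddy in the test contour.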