feat: single-domain path-based routing (no subdomains required)

Move SPA assets from /assets/ to /_app/ (Vite assetsDir config) so
Traefik can route /assets/* to Logto without conflict. All services
on one hostname with path-based routing:

- /oidc/*, /interaction/*, /assets/* → Logto
- /server/* → server-ui (prefix stripped)
- /api/* → cameleer-saas
- /* (catch-all) → cameleer-saas SPA

Customer needs only 1 DNS record. Server gets OIDC_JWK_SET_URI for
Docker-internal JWK fetch (standard Spring split config).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker-compose.yml

@@ -65,7 +65,7 @@ services:
     entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
     environment:
       DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto
-      ENDPOINT: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}
+      ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}
       ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002
       TRUST_PROXY_HEADER: 1
     healthcheck:
@@ -76,7 +76,7 @@ services:
       start_period: 15s
     labels:
       - traefik.enable=true
-      - traefik.http.routers.logto.rule=Host(`auth.${PUBLIC_HOST:-localhost}`)
+      - traefik.http.routers.logto.rule=PathPrefix(`/oidc`) || PathPrefix(`/interaction`) || PathPrefix(`/assets`)
       - traefik.http.routers.logto.entrypoints=websecure
       - traefik.http.routers.logto.tls=true
       - traefik.http.services.logto.loadbalancer.server.port=3001
@@ -95,7 +95,7 @@ services:
     environment:
       LOGTO_ENDPOINT: http://logto:3001
       LOGTO_ADMIN_ENDPOINT: http://logto:3002
-      LOGTO_PUBLIC_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}
+      LOGTO_PUBLIC_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}
       PUBLIC_HOST: ${PUBLIC_HOST:-localhost}
       PUBLIC_PROTOCOL: ${PUBLIC_PROTOCOL:-https}
       PG_HOST: postgres
@@ -133,8 +133,8 @@ services:
       SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer}
       SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
       LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001}
-      LOGTO_PUBLIC_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}
-      LOGTO_ISSUER_URI: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}/oidc
+      LOGTO_PUBLIC_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}
+      LOGTO_ISSUER_URI: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}/oidc
       LOGTO_JWK_SET_URI: ${LOGTO_ENDPOINT:-http://logto:3001}/oidc/jwks
       LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-}
       LOGTO_M2M_CLIENT_SECRET: ${LOGTO_M2M_CLIENT_SECRET:-}
@@ -142,7 +142,12 @@ services:
       CLICKHOUSE_URL: jdbc:clickhouse://clickhouse:8123/cameleer
     labels:
       - traefik.enable=true
-      - traefik.http.routers.spa.rule=Host(`${PUBLIC_HOST:-localhost}`)
+      - traefik.http.routers.api.rule=PathPrefix(`/api`)
+      - traefik.http.routers.api.entrypoints=websecure
+      - traefik.http.routers.api.tls=true
+      - traefik.http.routers.api.service=spa
+      - traefik.http.routers.spa.rule=PathPrefix(`/`)
+      - traefik.http.routers.spa.priority=1
       - traefik.http.routers.spa.entrypoints=websecure
       - traefik.http.routers.spa.tls=true
       - traefik.http.services.spa.loadbalancer.server.port=8080
@@ -165,7 +170,8 @@ services:
       CAMELEER_AUTH_TOKEN: ${CAMELEER_AUTH_TOKEN:-default-bootstrap-token}
       CAMELEER_JWT_SECRET: ${CAMELEER_JWT_SECRET:-cameleer-dev-jwt-secret-change-in-production}
       CAMELEER_TENANT_ID: ${CAMELEER_TENANT_SLUG:-default}
-      CAMELEER_OIDC_ISSUER_URI: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}/oidc
+      CAMELEER_OIDC_ISSUER_URI: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}/oidc
+      CAMELEER_OIDC_JWK_SET_URI: ${LOGTO_ENDPOINT:-http://logto:3001}/oidc/jwks
       CAMELEER_OIDC_AUDIENCE: ${CAMELEER_OIDC_AUDIENCE:-https://api.cameleer.local}
     healthcheck:
       test: ["CMD-SHELL", "curl -sf http://localhost:8081/api/v1/health || exit 1"]
@@ -196,9 +202,11 @@ services:
       CAMELEER_API_URL: http://cameleer3-server:8081
     labels:
       - traefik.enable=true
-      - traefik.http.routers.server-ui.rule=Host(`server.${PUBLIC_HOST:-localhost}`)
+      - traefik.http.routers.server-ui.rule=PathPrefix(`/server`)
       - traefik.http.routers.server-ui.entrypoints=websecure
       - traefik.http.routers.server-ui.tls=true
+      - traefik.http.routers.server-ui.middlewares=server-ui-strip
+      - traefik.http.middlewares.server-ui-strip.stripprefix.prefixes=/server
       - traefik.http.routers.server-ui.service=server-ui
       - traefik.http.services.server-ui.loadbalancer.server.port=80
     networks:

docker/logto-bootstrap.sh

@@ -43,7 +43,6 @@ SERVER_UI_PASS="${SERVER_UI_PASS:-admin}"
 # Redirect URIs (derived from PUBLIC_HOST and PUBLIC_PROTOCOL)
 HOST="${PUBLIC_HOST:-localhost}"
 PROTO="${PUBLIC_PROTOCOL:-https}"
-AUTH_HOST="auth.${HOST}"
 SPA_REDIRECT_URIS="[\"${PROTO}://${HOST}/callback\"]"
 SPA_POST_LOGOUT_URIS="[\"${PROTO}://${HOST}/login\"]"
 TRAD_REDIRECT_URIS="[\"http://${HOST}:8081/oidc/callback\"]"
@@ -106,7 +105,7 @@ get_admin_token() {
 get_default_token() {
   curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
-    -H "Host: auth.${HOST}" \
+    -H "Host: ${HOST}" \
     -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
@@ -118,18 +117,18 @@ log "Got Management API token."
 
 # --- Helper: Logto API calls ---
 api_get() {
-  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: auth.${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
 }
 api_post() {
-  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: auth.${HOST}" \
+  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_put() {
-  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: auth.${HOST}" \
+  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_delete() {
-  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: auth.${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
+  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 
 # ============================================================

ui/src/components/Layout.tsx

@@ -162,7 +162,7 @@ export function Layout() {
         <Sidebar.FooterLink
           icon={<ObsIcon />}
           label="View Dashboard"
-          onClick={() => window.open(`${window.location.protocol}//server.${window.location.hostname}`, '_blank', 'noopener')}
+          onClick={() => window.open('/server/', '_blank', 'noopener')}
         />
 
         {/* User info + logout */}

ui/src/config.ts

@@ -22,7 +22,7 @@ export async function fetchConfig(): Promise<AppConfig> {
 
   // Fallback to env vars (Vite dev mode)
   cached = {
-    logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || `${window.location.protocol}//auth.${window.location.hostname}`,
+    logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || window.location.origin,
     logtoClientId: import.meta.env.VITE_LOGTO_CLIENT_ID || '',
     logtoResource: import.meta.env.VITE_LOGTO_RESOURCE || '',
     scopes: [

ui/vite.config.ts

@@ -15,5 +15,6 @@ export default defineConfig({
   build: {
     outDir: 'dist',
     emptyOutDir: true,
+    assetsDir: '_app',
   },
 });