From ca40536fd313c4da37bed038a1435376425c533f Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 7 Apr 2026 00:22:51 +0200
Subject: [PATCH] fix: add Docker network alias for Logto self-discovery with
 TLS

Add PUBLIC_HOST as network alias on the logto container so its
internal ADMIN_ENDPOINT calls (http://PUBLIC_HOST:3002) resolve
inside Docker directly, bypassing Traefik. Browser traffic goes
through Traefik on host port 3002 with TLS termination.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker-compose.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 9d12570..f3ae821 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -84,10 +84,13 @@ services:
       - traefik.http.services.logto.loadbalancer.server.port=3001
       - traefik.http.routers.logto-console.rule=PathPrefix(`/`)
       - traefik.http.routers.logto-console.entrypoints=admin-console
+      - traefik.http.routers.logto-console.tls=true
       - traefik.http.routers.logto-console.service=logto-console
       - traefik.http.services.logto-console.loadbalancer.server.port=3002
     networks:
-      - cameleer
+      cameleer:
+        aliases:
+          - ${PUBLIC_HOST:-localhost}
 
   logto-bootstrap:
     image: postgres:16-alpine