From e0e65bb62c77435021a729f13b41796f6fa99826 Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Tue, 7 Apr 2026 00:44:33 +0200 Subject: [PATCH] feat: HTTPS admin console via Traefik with NODE_TLS_REJECT_UNAUTHORIZED ADMIN_ENDPOINT set to HTTPS so OIDC issuer matches browser URL. NODE_TLS_REJECT_UNAUTHORIZED=0 lets Logto's internal ky-based OIDC self-discovery accept the self-signed cert through Traefik. Remove in production with real certs. Co-Authored-By: Claude Opus 4.6 (1M context) --- docker-compose.dev.yml | 1 - docker-compose.yml | 9 ++++++++- traefik.yml | 2 ++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 580577f..feb22f6 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -8,7 +8,6 @@ services: logto: ports: - "3001:3001" - - "3002:3002" cameleer-saas: ports: diff --git a/docker-compose.yml b/docker-compose.yml index 94995e5..cdaa4a7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -30,6 +30,7 @@ services: ports: - "80:80" - "443:443" + - "3002:3002" volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./traefik.yml:/etc/traefik/traefik.yml:ro @@ -66,8 +67,9 @@ services: environment: DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost} - ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002 + ADMIN_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}:3002 TRUST_PROXY_HEADER: 1 + NODE_TLS_REJECT_UNAUTHORIZED: "0" # dev only — accept self-signed cert for internal OIDC discovery healthcheck: test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\""] interval: 5s 
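Review bot: The new `- "3002:3002"` on the traefik service is in docker-compose.yml, the base file, so the Logto admin console is published on every host interface in every environment, whereas the mapping it replaces lived only in docker-compose.dev.yml. Bind it to loopback, `- "127.0.0.1:3002:3002"`, or move the mapping into the dev override so a production `docker compose up` does not expose the admin console on 0.0.0.0 next to 80 and 443. If the console must be reachable remotely, front it with an IP allowlist or an authenticated tunnel rather than a bare published port. The traefik service definition continues outside the hunk.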
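Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: "0"` turns off certificate verification for every outbound TLS connection the Logto process makes (connectors, webhooks, mail, anything else it calls over HTTPS), not only the OIDC self-discovery request the commit message describes, and it is added to docker-compose.yml rather than docker-compose.dev.yml, so the inline `dev only` comment does not match where it takes effect. Scope trust to the one certificate instead: if the dev certificate Traefik serves is materialized as a file, mount it into the container and set `NODE_EXTRA_CA_CERTS: /etc/ssl/certs/traefik-dev.crt`, which keeps verification on. If the global switch has to stay for now, let the base file default to verification, `NODE_TLS_REJECT_UNAUTHORIZED: ${NODE_TLS_REJECT_UNAUTHORIZED:-1}`, and put the `"0"` in the dev override. Node prints a startup warning whenever this variable is 0, which is worth alerting on in production logs as a backstop. The logto service definition continues outside the hunk.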
@@ -81,6 +83,11 @@ services: - traefik.http.routers.logto.entrypoints=websecure - traefik.http.routers.logto.tls=true - traefik.http.services.logto.loadbalancer.server.port=3001 + - traefik.http.routers.logto-console.rule=PathPrefix(`/`) + - traefik.http.routers.logto-console.entrypoints=admin-console + - traefik.http.routers.logto-console.tls=true + - traefik.http.routers.logto-console.service=logto-console + - traefik.http.services.logto-console.loadbalancer.server.port=3002 networks: - cameleer diff --git a/traefik.yml b/traefik.yml index 7ea7535..27df844 100644 --- a/traefik.yml +++ b/traefik.yml @@ -11,6 +11,8 @@ entryPoints: scheme: https websecure: address: ":443" + admin-console: + address: ":3002" providers: docker:
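Review bot: The new `logto-console` router accepts any client on the admin-console entrypoint with a PathPrefix rule of `/` and no middleware, so whoever can reach port 3002 reaches the Logto admin console sign-in page. Attach an IP allowlist, e.g. `- traefik.http.routers.logto-console.middlewares=logto-console-allow` plus `- traefik.http.middlewares.logto-console-allow.ipallowlist.sourcerange=127.0.0.1/32` (the middleware is named `ipwhitelist` on Traefik v2; the Traefik version is not visible here). The router also sets `tls=true` without a `certresolver`, so Traefik serves its generated self-signed certificate on this entrypoint, which is exactly what the NODE_TLS_REJECT_UNAUTHORIZED change works around; pointing the router at a resolver, if one is defined in the part of traefik.yml not shown, would remove the need for that workaround. The logto service definition continues outside the hunk.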