feat: production-ready TLS with self-signed cert init container

Standard OIDC architecture: subdomain routing (auth.HOST, server.HOST), TLS via Traefik, self-signed cert auto-generated on first boot. - Add traefik-certs init container (generates wildcard self-signed cert) - Enable TLS on all Traefik routers (websecure entrypoint) - HTTP→HTTPS redirect in traefik.yml - Host-based routing for all services (no more path conflicts) - PUBLIC_PROTOCOL env var (https default, configurable) - Protocol-aware redirect URIs in bootstrap - Protocol-aware UI fallbacks Customer bootstrap: set PUBLIC_HOST + DNS records + docker compose up. For production TLS, configure Traefik ACME (Let's Encrypt). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 18:14:25 +02:00
parent 3694d4a7d6
commit e167d5475e
5 changed files with 59 additions and 16 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,32 @@
 services:
+  traefik-certs:
+    image: alpine:latest
+    restart: "no"
+    entrypoint: ["sh", "-c"]
+    command:
+      - |
+        if [ ! -f /certs/cert.pem ]; then
+          apk add --no-cache openssl >/dev/null 2>&1
+          openssl req -x509 -newkey rsa:4096 \
+            -keyout /certs/key.pem -out /certs/cert.pem \
+            -days 365 -nodes \
+            -subj "/CN=$$PUBLIC_HOST" \
+            -addext "subjectAltName=DNS:$$PUBLIC_HOST,DNS:*.$$PUBLIC_HOST"
+          echo "Generated self-signed cert for $$PUBLIC_HOST"
+        else
+          echo "Certs already exist, skipping"
+        fi
+    environment:
+      PUBLIC_HOST: ${PUBLIC_HOST:-localhost}
+    volumes:
+      - certs:/certs
+
  traefik:
    image: traefik:v3
    restart: unless-stopped
+    depends_on:
+      traefik-certs:
+        condition: service_completed_successfully
    ports:
      - "80:80"
      - "443:443"
@@ -9,6 +34,7 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - acme:/etc/traefik/acme
+      - certs:/etc/traefik/certs:ro
    networks:
      - cameleer

@@ -39,7 +65,7 @@ services:
    entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
    environment:
      DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto
-      ENDPOINT: http://auth.${PUBLIC_HOST:-localhost}
+      ENDPOINT: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}
      ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002
      TRUST_PROXY_HEADER: 1
    healthcheck:
@@ -51,6 +77,8 @@ services:
    labels:
      - traefik.enable=true
      - traefik.http.routers.logto.rule=Host(`auth.${PUBLIC_HOST:-localhost}`)
+      - traefik.http.routers.logto.entrypoints=websecure
+      - traefik.http.routers.logto.tls=true
      - traefik.http.services.logto.loadbalancer.server.port=3001
    networks:
      - cameleer
@@ -67,8 +95,9 @@ services:
    environment:
      LOGTO_ENDPOINT: http://logto:3001
      LOGTO_ADMIN_ENDPOINT: http://logto:3002
-      LOGTO_PUBLIC_ENDPOINT: http://auth.${PUBLIC_HOST:-localhost}
+      LOGTO_PUBLIC_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}
      PUBLIC_HOST: ${PUBLIC_HOST:-localhost}
+      PUBLIC_PROTOCOL: ${PUBLIC_PROTOCOL:-https}
      PG_HOST: postgres
      PG_USER: ${POSTGRES_USER:-cameleer}
      PG_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
@@ -104,8 +133,8 @@ services:
      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer}
      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
      LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001}
-      LOGTO_PUBLIC_ENDPOINT: http://auth.${PUBLIC_HOST:-localhost}
-      LOGTO_ISSUER_URI: http://auth.${PUBLIC_HOST:-localhost}/oidc
+      LOGTO_PUBLIC_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}
+      LOGTO_ISSUER_URI: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}/oidc
      LOGTO_JWK_SET_URI: ${LOGTO_ENDPOINT:-http://logto:3001}/oidc/jwks
      LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-}
      LOGTO_M2M_CLIENT_SECRET: ${LOGTO_M2M_CLIENT_SECRET:-}
@@ -113,12 +142,9 @@ services:
      CLICKHOUSE_URL: jdbc:clickhouse://clickhouse:8123/cameleer
    labels:
      - traefik.enable=true
-      - traefik.http.routers.api.rule=PathPrefix(`/api`)
-      - traefik.http.routers.api.service=api
-      - traefik.http.services.api.loadbalancer.server.port=8080
-      - traefik.http.routers.spa.rule=PathPrefix(`/`)
-      - traefik.http.routers.spa.priority=1
-      - traefik.http.routers.spa.service=spa
+      - traefik.http.routers.spa.rule=Host(`${PUBLIC_HOST:-localhost}`)
+      - traefik.http.routers.spa.entrypoints=websecure
+      - traefik.http.routers.spa.tls=true
      - traefik.http.services.spa.loadbalancer.server.port=8080
    networks:
      - cameleer
@@ -139,7 +165,7 @@ services:
      CAMELEER_AUTH_TOKEN: ${CAMELEER_AUTH_TOKEN:-default-bootstrap-token}
      CAMELEER_JWT_SECRET: ${CAMELEER_JWT_SECRET:-cameleer-dev-jwt-secret-change-in-production}
      CAMELEER_TENANT_ID: ${CAMELEER_TENANT_SLUG:-default}
-      CAMELEER_OIDC_ISSUER_URI: http://auth.${PUBLIC_HOST:-localhost}/oidc
+      CAMELEER_OIDC_ISSUER_URI: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}/oidc
      CAMELEER_OIDC_AUDIENCE: ${CAMELEER_OIDC_AUDIENCE:-https://api.cameleer.local}
    healthcheck:
      test: ["CMD-SHELL", "curl -sf http://localhost:8081/api/v1/health || exit 1"]
@@ -171,6 +197,8 @@ services:
    labels:
      - traefik.enable=true
      - traefik.http.routers.server-ui.rule=Host(`server.${PUBLIC_HOST:-localhost}`)
+      - traefik.http.routers.server-ui.entrypoints=websecure
+      - traefik.http.routers.server-ui.tls=true
      - traefik.http.routers.server-ui.service=server-ui
      - traefik.http.services.server-ui.loadbalancer.server.port=80
    networks:
@@ -199,5 +227,6 @@ volumes:
  pgdata:
  chdata:
  acme:
+  certs:
  jardata:
  bootstrapdata: