feat: production-ready TLS with self-signed cert init container

Standard OIDC architecture: subdomain routing (auth.HOST, server.HOST),
TLS via Traefik, self-signed cert auto-generated on first boot.

- Add traefik-certs init container (generates wildcard self-signed cert)
- Enable TLS on all Traefik routers (websecure entrypoint)
- HTTP→HTTPS redirect in traefik.yml
- Host-based routing for all services (no more path conflicts)
- PUBLIC_PROTOCOL env var (https default, configurable)
- Protocol-aware redirect URIs in bootstrap
- Protocol-aware UI fallbacks

Customer bootstrap: set PUBLIC_HOST + DNS records + docker compose up.
For production TLS, configure Traefik ACME (Let's Encrypt).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker-compose.yml

@@ -1,7 +1,32 @@
 services:
+  traefik-certs:
+    image: alpine:latest
+    restart: "no"
+    entrypoint: ["sh", "-c"]
+    command:
+      - |
+        if [ ! -f /certs/cert.pem ]; then
+          apk add --no-cache openssl >/dev/null 2>&1
+          openssl req -x509 -newkey rsa:4096 \
+            -keyout /certs/key.pem -out /certs/cert.pem \
+            -days 365 -nodes \
+            -subj "/CN=$$PUBLIC_HOST" \
+            -addext "subjectAltName=DNS:$$PUBLIC_HOST,DNS:*.$$PUBLIC_HOST"
+          echo "Generated self-signed cert for $$PUBLIC_HOST"
+        else
+          echo "Certs already exist, skipping"
+        fi
+    environment:
+      PUBLIC_HOST: ${PUBLIC_HOST:-localhost}
+    volumes:
+      - certs:/certs
+
   traefik:
     image: traefik:v3
     restart: unless-stopped
+    depends_on:
+      traefik-certs:
+        condition: service_completed_successfully
     ports:
       - "80:80"
       - "443:443"
@@ -9,6 +34,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./traefik.yml:/etc/traefik/traefik.yml:ro
       - acme:/etc/traefik/acme
+      - certs:/etc/traefik/certs:ro
     networks:
       - cameleer
 
@@ -39,7 +65,7 @@ services:
     entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
     environment:
       DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto
-      ENDPOINT: http://auth.${PUBLIC_HOST:-localhost}
+      ENDPOINT: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}
       ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002
       TRUST_PROXY_HEADER: 1
     healthcheck:
@@ -51,6 +77,8 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.logto.rule=Host(`auth.${PUBLIC_HOST:-localhost}`)
+      - traefik.http.routers.logto.entrypoints=websecure
+      - traefik.http.routers.logto.tls=true
       - traefik.http.services.logto.loadbalancer.server.port=3001
     networks:
       - cameleer
@@ -67,8 +95,9 @@ services:
     environment:
       LOGTO_ENDPOINT: http://logto:3001
       LOGTO_ADMIN_ENDPOINT: http://logto:3002
-      LOGTO_PUBLIC_ENDPOINT: http://auth.${PUBLIC_HOST:-localhost}
+      LOGTO_PUBLIC_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}
       PUBLIC_HOST: ${PUBLIC_HOST:-localhost}
+      PUBLIC_PROTOCOL: ${PUBLIC_PROTOCOL:-https}
       PG_HOST: postgres
       PG_USER: ${POSTGRES_USER:-cameleer}
       PG_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
@@ -104,8 +133,8 @@ services:
       SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer}
       SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
       LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001}
-      LOGTO_PUBLIC_ENDPOINT: http://auth.${PUBLIC_HOST:-localhost}
+      LOGTO_PUBLIC_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}
-      LOGTO_ISSUER_URI: http://auth.${PUBLIC_HOST:-localhost}/oidc
+      LOGTO_ISSUER_URI: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}/oidc
       LOGTO_JWK_SET_URI: ${LOGTO_ENDPOINT:-http://logto:3001}/oidc/jwks
       LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-}
       LOGTO_M2M_CLIENT_SECRET: ${LOGTO_M2M_CLIENT_SECRET:-}
@@ -113,12 +142,9 @@ services:
       CLICKHOUSE_URL: jdbc:clickhouse://clickhouse:8123/cameleer
     labels:
       - traefik.enable=true
-      - traefik.http.routers.api.rule=PathPrefix(`/api`)
+      - traefik.http.routers.spa.rule=Host(`${PUBLIC_HOST:-localhost}`)
-      - traefik.http.routers.api.service=api
+      - traefik.http.routers.spa.entrypoints=websecure
-      - traefik.http.services.api.loadbalancer.server.port=8080
+      - traefik.http.routers.spa.tls=true
-      - traefik.http.routers.spa.rule=PathPrefix(`/`)
-      - traefik.http.routers.spa.priority=1
-      - traefik.http.routers.spa.service=spa
       - traefik.http.services.spa.loadbalancer.server.port=8080
     networks:
       - cameleer
@@ -139,7 +165,7 @@ services:
       CAMELEER_AUTH_TOKEN: ${CAMELEER_AUTH_TOKEN:-default-bootstrap-token}
       CAMELEER_JWT_SECRET: ${CAMELEER_JWT_SECRET:-cameleer-dev-jwt-secret-change-in-production}
       CAMELEER_TENANT_ID: ${CAMELEER_TENANT_SLUG:-default}
-      CAMELEER_OIDC_ISSUER_URI: http://auth.${PUBLIC_HOST:-localhost}/oidc
+      CAMELEER_OIDC_ISSUER_URI: ${PUBLIC_PROTOCOL:-https}://auth.${PUBLIC_HOST:-localhost}/oidc
       CAMELEER_OIDC_AUDIENCE: ${CAMELEER_OIDC_AUDIENCE:-https://api.cameleer.local}
     healthcheck:
       test: ["CMD-SHELL", "curl -sf http://localhost:8081/api/v1/health || exit 1"]
@@ -171,6 +197,8 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.server-ui.rule=Host(`server.${PUBLIC_HOST:-localhost}`)
+      - traefik.http.routers.server-ui.entrypoints=websecure
+      - traefik.http.routers.server-ui.tls=true
       - traefik.http.routers.server-ui.service=server-ui
       - traefik.http.services.server-ui.loadbalancer.server.port=80
     networks:
@@ -199,5 +227,6 @@ volumes:
   pgdata:
   chdata:
   acme:
+  certs:
   jardata:
   bootstrapdata:

docker/logto-bootstrap.sh

@@ -40,10 +40,12 @@ SERVER_ENDPOINT="${SERVER_ENDPOINT:-http://cameleer3-server:8081}"
 SERVER_UI_USER="${SERVER_UI_USER:-admin}"
 SERVER_UI_PASS="${SERVER_UI_PASS:-admin}"
 
-# Redirect URIs (derived from PUBLIC_HOST)
+# Redirect URIs (derived from PUBLIC_HOST and PUBLIC_PROTOCOL)
 HOST="${PUBLIC_HOST:-localhost}"
-SPA_REDIRECT_URIS="[\"http://${HOST}/callback\",\"http://${HOST}:5173/callback\"]"
+PROTO="${PUBLIC_PROTOCOL:-https}"
-SPA_POST_LOGOUT_URIS="[\"http://${HOST}/login\",\"http://${HOST}:5173/login\"]"
+AUTH_HOST="auth.${HOST}"
+SPA_REDIRECT_URIS="[\"${PROTO}://${HOST}/callback\"]"
+SPA_POST_LOGOUT_URIS="[\"${PROTO}://${HOST}/login\"]"
 TRAD_REDIRECT_URIS="[\"http://${HOST}:8081/oidc/callback\"]"
 TRAD_POST_LOGOUT_URIS="[\"http://${HOST}:8081\"]"
 

traefik.yml

@@ -4,6 +4,11 @@ api:
 entryPoints:
   web:
     address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
   websecure:
     address: ":443"
 
@@ -12,3 +17,10 @@ providers:
     endpoint: "unix:///var/run/docker.sock"
     exposedByDefault: false
     network: cameleer
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/traefik/certs/cert.pem
+        keyFile: /etc/traefik/certs/key.pem

ui/src/components/Layout.tsx

@@ -162,7 +162,7 @@ export function Layout() {
         <Sidebar.FooterLink
           icon={<ObsIcon />}
           label="View Dashboard"
-          onClick={() => window.open(`http://server.${window.location.hostname}`, '_blank', 'noopener')}
+          onClick={() => window.open(`${window.location.protocol}//server.${window.location.hostname}`, '_blank', 'noopener')}
         />
 
         {/* User info + logout */}

ui/src/config.ts

@@ -22,7 +22,7 @@ export async function fetchConfig(): Promise<AppConfig> {
 
   // Fallback to env vars (Vite dev mode)
   cached = {
-    logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || `http://auth.${window.location.hostname}`,
+    logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || `${window.location.protocol}//auth.${window.location.hostname}`,
     logtoClientId: import.meta.env.VITE_LOGTO_CLIENT_ID || '',
     logtoResource: import.meta.env.VITE_LOGTO_RESOURCE || '',
     scopes: [