fix: Caddy host network mode for real client IPs
- Caddy now uses network_mode: host (sees real IPv4/IPv6)
- All backend services on fixed IPs (172.28.0.10/20/30)
- Caddyfile uses IPs instead of Docker DNS names
- /myip now returns actual client IP, not Docker gateway

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -1,26 +1,17 @@
|
||||
{
|
||||
# Global ACME settings
|
||||
email admin@manko.yoga
|
||||
servers {
|
||||
trusted_proxies static private_ranges
|
||||
}
|
||||
}
|
||||
|
||||
voip.manko.yoga {
|
||||
# TLS via Cloudflare DNS-01 challenge
|
||||
tls {
|
||||
dns cloudflare {$CF_API_TOKEN}
|
||||
}
|
||||
|
||||
# Audio bridge WebSocket (wzp-web)
|
||||
# /audio/ws/* → wzp-web:8080/ws/*
|
||||
handle_path /audio/* {
|
||||
reverse_proxy wzp-web:8080
|
||||
reverse_proxy 172.28.0.30:8080
|
||||
}
|
||||
|
||||
# Everything else → featherChat server
|
||||
# Web UI (/), API (/v1/*), WebSocket (/v1/ws/*)
|
||||
reverse_proxy warzone-server:7700 {
|
||||
header_up X-Real-IP {remote_host}
|
||||
}
|
||||
reverse_proxy 172.28.0.20:7700
|
||||
}
|
||||
|
||||
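Review bot: Moving Caddy to the host network namespace (the compose change in this same commit) also moves its admin API, which listens on localhost:2019 by default, from the container's loopback onto the host's loopback, where any local user or process can reconfigure the proxy without authentication; the global options block at the top of this hunk should disable it with `admin off` (at the cost of `caddy reload` via the API — a container restart then applies config changes). The rendered view does not show which side the `servers { trusted_proxies static private_ranges }` block is on; if Caddy is now directly exposed with no proxy in front, dropping it is the safer setting, since client-supplied forwarded headers are then ignored, whereas keeping `private_ranges` would let any host on the Docker bridge or LAN spoof the client IP. The `header_up X-Real-IP {remote_host}` line likewise appears to be dropped in favor of a bare `reverse_proxy 172.28.0.20:7700`; Caddy still adds `X-Forwarded-For` by default, so this is only a problem if the backend's /myip reads `X-Real-IP` specifically — worth confirming against the server code.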
@@ -8,33 +8,23 @@
|
||||
|
||||
services:
|
||||
# ─── Caddy reverse proxy (TLS termination) ───
|
||||
# Uses host network so it sees real client IPs (not Docker NAT)
|
||||
caddy:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Dockerfile.caddy
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
- "443:443/udp" # HTTP/3 (QUIC)
|
||||
network_mode: host
|
||||
volumes:
|
||||
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
||||
- caddy_data:/data
|
||||
- caddy_config:/config
|
||||
environment:
|
||||
CF_API_TOKEN: /run/secrets/cf_api_token
|
||||
secrets:
|
||||
- cf_api_token
|
||||
# Caddy reads CF_API_TOKEN; the caddy-cloudflare image supports file-based secrets
|
||||
# via the {$CF_API_TOKEN} placeholder in Caddyfile.
|
||||
# We mount the secret and set env to its content at runtime.
|
||||
entrypoint: ["/bin/sh", "-c", "export CF_API_TOKEN=$(cat /run/secrets/cf_api_token) && caddy run --config /etc/caddy/Caddyfile --adapter caddyfile"]
|
||||
depends_on:
|
||||
- warzone-server
|
||||
- wzp-web
|
||||
networks:
|
||||
- frontend
|
||||
- backend
|
||||
|
||||
# ─── featherChat server ───
|
||||
warzone-server:
|
||||
@@ -50,7 +40,8 @@ services:
|
||||
- server_data:/data
|
||||
command: ["--bind", "0.0.0.0:7700", "--enable-bots"]
|
||||
networks:
|
||||
- backend
|
||||
backend:
|
||||
ipv4_address: 172.28.0.20
|
||||
|
||||
# ─── WZP QUIC relay (audio SFU) ───
|
||||
wzp-relay:
|
||||
@@ -63,7 +54,7 @@ services:
|
||||
- "--listen"
|
||||
- "0.0.0.0:4433"
|
||||
- "--auth-url"
|
||||
- "http://warzone-server:7700/v1/auth/validate"
|
||||
- "http://172.28.0.20:7700/v1/auth/validate"
|
||||
networks:
|
||||
backend:
|
||||
ipv4_address: 172.28.0.10
|
||||
@@ -81,12 +72,13 @@ services:
|
||||
- "--relay"
|
||||
- "172.28.0.10:4433"
|
||||
- "--auth-url"
|
||||
- "http://warzone-server:7700/v1/auth/validate"
|
||||
- "http://172.28.0.20:7700/v1/auth/validate"
|
||||
depends_on:
|
||||
- wzp-relay
|
||||
- warzone-server
|
||||
networks:
|
||||
- backend
|
||||
backend:
|
||||
ipv4_address: 172.28.0.30
|
||||
|
||||
secrets:
|
||||
cf_api_token:
|
||||
|
||||
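Review bot: `network_mode: host` cannot be combined with `ports:` or a per-service `networks:` list; if the `"80:80"`/`"443:443"` entries and the `frontend`/`backend` network entries in the caddy service are still on the new side (the rendered view does not show markers), Compose will either reject the service or silently ignore the published ports, so they must go together with the mode change. The mode change also removes the frontend/backend segmentation for the proxy: a host-networked Caddy can reach every container on every bridge on the host, not just the `backend` network, so the fixed addresses 172.28.0.10/20/30 are now the only thing scoping what it talks to. Because Caddy reaches `warzone-server` through the bridge gateway, the server (bound on `0.0.0.0:7700` in the later hunk) sees Caddy's connections originate from the gateway address; its client-IP logic should honor `X-Forwarded-For` only from that source, since wzp-relay, wzp-web and any local host process can reach port 7700 directly and set the header themselves. A comment beside the mode line would record the constraint for the next editor: `# host networking: no ports:/networks: here; backends are reached via the bridge gateway`. The fixed `ipv4_address` entries assume the `backend` network declares a matching subnet, which is not visible in these hunks.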