fix: Caddy host network mode for real client IPs

- Caddy now uses network_mode: host (sees real IPv4/IPv6)
- All backend services on fixed IPs (172.28.0.10/20/30)
- Caddyfile uses IPs instead of Docker DNS names
- /myip now returns actual client IP, not Docker gateway

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Siavash Sameni
2026-03-30 11:19:23 +04:00
parent cac812665c
commit 47030a3b29
2 changed files with 10 additions and 27 deletions


@@ -1,26 +1,17 @@
{ {
# Global ACME settings
email admin@manko.yoga email admin@manko.yoga
servers {
trusted_proxies static private_ranges
}
} }
voip.manko.yoga { voip.manko.yoga {
# TLS via Cloudflare DNS-01 challenge
tls { tls {
dns cloudflare {$CF_API_TOKEN} dns cloudflare {$CF_API_TOKEN}
} }
# Audio bridge WebSocket (wzp-web) # Audio bridge WebSocket (wzp-web)
# /audio/ws/* → wzp-web:8080/ws/*
handle_path /audio/* { handle_path /audio/* {
reverse_proxy wzp-web:8080 reverse_proxy 172.28.0.30:8080
} }
# Everything else → featherChat server # Everything else → featherChat server
# Web UI (/), API (/v1/*), WebSocket (/v1/ws/*) reverse_proxy 172.28.0.20:7700
reverse_proxy warzone-server:7700 {
header_up X-Real-IP {remote_host}
}
} }
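Review bot: The new `reverse_proxy 172.28.0.20:7700` drops the `header_up X-Real-IP {remote_host}` the old block sent, and Caddy does not add X-Real-IP on its own — it sets only X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host by default. If the backend's client-IP lookup (the /myip endpoint named in the commit message) still reads X-Real-IP it will now see nothing; if it reads X-Forwarded-For, keep in mind that 172.28.0.20:7700 is reachable from every container on the backend network, so the backend should accept that header only from Caddy's address. Removing `trusted_proxies static private_ranges` is right if nothing sits in front of Caddy; if the hostname is still proxied through Cloudflare, `{remote_host}` will be an edge address and the global block would need the Cloudflare ranges as trusted proxies instead. Since Caddy now runs with `network_mode: host`, its admin endpoint (localhost:2019 by default) binds on the host's loopback; add `admin off` to the global block if nothing uses it.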


@@ -8,33 +8,23 @@
services: services:
# ─── Caddy reverse proxy (TLS termination) ─── # ─── Caddy reverse proxy (TLS termination) ───
# Uses host network so it sees real client IPs (not Docker NAT)
caddy: caddy:
build: build:
context: . context: .
dockerfile: Dockerfile.caddy dockerfile: Dockerfile.caddy
restart: unless-stopped restart: unless-stopped
ports: network_mode: host
- "80:80"
- "443:443"
- "443:443/udp" # HTTP/3 (QUIC)
volumes: volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro - ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy_data:/data - caddy_data:/data
- caddy_config:/config - caddy_config:/config
environment:
CF_API_TOKEN: /run/secrets/cf_api_token
secrets: secrets:
- cf_api_token - cf_api_token
# Caddy reads CF_API_TOKEN; the caddy-cloudflare image supports file-based secrets
# via the {$CF_API_TOKEN} placeholder in Caddyfile.
# We mount the secret and set env to its content at runtime.
entrypoint: ["/bin/sh", "-c", "export CF_API_TOKEN=$(cat /run/secrets/cf_api_token) && caddy run --config /etc/caddy/Caddyfile --adapter caddyfile"] entrypoint: ["/bin/sh", "-c", "export CF_API_TOKEN=$(cat /run/secrets/cf_api_token) && caddy run --config /etc/caddy/Caddyfile --adapter caddyfile"]
depends_on: depends_on:
- warzone-server - warzone-server
- wzp-web - wzp-web
networks:
- frontend
- backend
# ─── featherChat server ─── # ─── featherChat server ───
warzone-server: warzone-server:
@@ -50,7 +40,8 @@ services:
- server_data:/data - server_data:/data
command: ["--bind", "0.0.0.0:7700", "--enable-bots"] command: ["--bind", "0.0.0.0:7700", "--enable-bots"]
networks: networks:
- backend backend:
ipv4_address: 172.28.0.20
# ─── WZP QUIC relay (audio SFU) ─── # ─── WZP QUIC relay (audio SFU) ───
wzp-relay: wzp-relay:
@@ -63,7 +54,7 @@ services:
- "--listen" - "--listen"
- "0.0.0.0:4433" - "0.0.0.0:4433"
- "--auth-url" - "--auth-url"
- "http://warzone-server:7700/v1/auth/validate" - "http://172.28.0.20:7700/v1/auth/validate"
networks: networks:
backend: backend:
ipv4_address: 172.28.0.10 ipv4_address: 172.28.0.10
@@ -81,12 +72,13 @@ services:
- "--relay" - "--relay"
- "172.28.0.10:4433" - "172.28.0.10:4433"
- "--auth-url" - "--auth-url"
- "http://warzone-server:7700/v1/auth/validate" - "http://172.28.0.20:7700/v1/auth/validate"
depends_on: depends_on:
- wzp-relay - wzp-relay
- warzone-server - warzone-server
networks: networks:
- backend backend:
ipv4_address: 172.28.0.30
secrets: secrets:
cf_api_token: cf_api_token: