
HTTPS: two deployment variants (host-TLS / in-stack Caddy) #2

Merged: robozor merged 2 commits into main from feature/https-proxy, Jun 14, 2026

Conversation

@robozor robozor commented Jun 14, 2026

Contributor

Two deployment variants, one .env

Each variant is a standalone compose file (a single -f), with a description and usage instructions in the file header. Variant-specific variables are in .env.example in commented sections.

Variant 1 — TLS on the host/NAS proxy (docker-compose.prod.yml)

  • The API serves HTTP (API_BIND, default :8000); TLS + certs are handled by the external/host proxy.
  • Django trusts X-Forwarded-Proto. 2 containers (DB, API).
  • docker compose -f docker-compose.prod.yml up -d

Variant 2 — HTTPS inside the stack via Caddy (docker-compose.tls.yml)

  • Caddy publishes 80/443, obtains and automatically renews the cert; the API is internal. 3 containers.
  • Cert mode via ACME_EMAIL: empty → self-signed (e.g. DOMAIN=localhost); e-mail → Let's Encrypt.
  • PROXY_HTTP/PROXY_HTTPS can bind to a specific IP when :443 is already taken.
  • DOMAIN=localhost docker compose -f docker-compose.tls.yml up -d

Backend

  • SECURE_PROXY_SSL_HEADER (trusting the proxy); DOMAIN is automatically propagated into ALLOWED_HOSTS + CSRF.
  • docker/proxy/Caddyfile — routing by hostname, reverse_proxy to the API.

Verified

Tests + ruff green. Variant 2 locally: https://localhost/healthz OK (self-signed), HTTP→HTTPS redirect 308, API endpoints over TLS; both configs valid.

Out of scope

A real Let's Encrypt cert (Forpsi has no Caddy DNS plugin → either HTTP-01 via routing, or acme-dns; to be handled separately).

🤖 Generated with Claude Code
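As an added example (not code from this PR or from the project's settings.py): the backend bullets above describe how DOMAIN is folded into ALLOWED_HOSTS and CSRF and how SECURE_PROXY_SSL_HEADER makes Django trust the proxy's X-Forwarded-Proto, and the Variant 2 bullets describe picking the cert mode from ACME_EMAIL for the Caddyfile's `tls {$TLS_ARG}`. The snippet below shows that derivation as plain functions that run without Django. The function names are assumptions made for this example; the variable names (DOMAIN, ACME_EMAIL), the hostname api.robozor.cz and the header/directive values are as the page and Django/Caddy define them.

```python
"""Added example (not the project's own code): derive the Django proxy/TLS
settings from the shared .env variables, and the Caddy `tls` argument used by
the in-stack (Variant 2) compose file.  Function names are assumptions."""
from urllib.parse import urlsplit


def django_proxy_settings(env: dict) -> dict:
    """Settings both variants need (assumed helper, mirrors the PR description).

    DOMAIN is appended to ALLOWED_HOSTS (bare hostnames) and to
    CSRF_TRUSTED_ORIGINS (which Django requires as scheme://host origins).
    SECURE_PROXY_SSL_HEADER makes Django treat a request as HTTPS when the
    proxy sets `X-Forwarded-Proto: https`.  That is only safe when the proxy
    is the sole path to the API and overwrites the header instead of passing
    through a client-supplied one; with the API bound only to the compose
    network (Variant 2) or to API_BIND behind the host proxy (Variant 1),
    that condition holds.
    """
    domain = env.get("DOMAIN", "").strip()
    allowed_hosts = ["localhost", "127.0.0.1"]
    csrf_trusted = []
    if domain:
        # Tolerate a full URL in DOMAIN: keep only the hostname part.
        host = urlsplit(domain if "://" in domain else f"//{domain}").hostname or domain
        if host not in allowed_hosts:
            allowed_hosts.append(host)
        csrf_trusted.append(f"https://{host}")
    return {
        "ALLOWED_HOSTS": allowed_hosts,
        "CSRF_TRUSTED_ORIGINS": csrf_trusted,
        # Django expects (header name in WSGI META form, required value).
        "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    }


def caddy_tls_arg(acme_email: str) -> str:
    """Value for `tls {$TLS_ARG}` in the Caddyfile (Variant 2).

    Empty ACME_EMAIL -> `internal` (Caddy's built-in local CA, i.e. the
    self-signed mode used for DOMAIN=localhost); otherwise the e-mail, which
    makes Caddy request and renew a Let's Encrypt certificate.
    """
    acme_email = acme_email.strip()
    return "internal" if not acme_email else acme_email


def is_secure_request(meta: dict, header: tuple) -> bool:
    """Mirror Django's SECURE_PROXY_SSL_HEADER check on request.META.

    Shows why the proxy must own this header: whatever reaches Django with
    META[name] == value is treated as HTTPS, so the only trustworthy source
    for it is the proxy in front of the API.
    """
    name, value = header
    return meta.get(name) == value


if __name__ == "__main__":
    # Constructed sample .env values for a local run of this example.
    settings = django_proxy_settings({"DOMAIN": "api.robozor.cz"})
    print(settings)
    print("TLS_ARG (no ACME_EMAIL):", caddy_tls_arg(""))
    print("TLS_ARG (with e-mail):", caddy_tls_arg("admin@example.com"))
```

The last function is the reason the compose files keep the API off the public interface: Django's check is a simple equality on the forwarded header, so the deployment, not the application, is what guarantees the header's origin.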

robozor and others added 2 commits June 14, 2026 12:43
Two self-contained compose variants sharing one .env (variant-specific vars are
grouped in commented sections), each with a full description + usage in its header:

- docker-compose.prod.yml (Variant 1): TLS on a host/NAS proxy. API serves HTTP
  on $API_BIND (default :8000); Django trusts X-Forwarded-Proto. 2 containers.
- docker-compose.tls.yml (Variant 2): HTTPS inside the stack via Caddy. API is
  internal; Caddy publishes 80/443, obtains + auto-renews the cert. Cert mode via
  ACME_EMAIL (empty = self-signed CA, e.g. localhost; email = Let's Encrypt).
  PROXY_HTTP/PROXY_HTTPS bind a specific host IP when :443 is taken.

settings.py: SECURE_PROXY_SSL_HEADER; DOMAIN auto-adds to ALLOWED_HOSTS + CSRF.
docker/proxy/Caddyfile: hostname-routed, tls {$TLS_ARG}, reverse_proxy to api.

Verified: tests + ruff pass; Variant 2 serves https://localhost (self-signed),
HTTP->HTTPS redirect, API endpoints over TLS; both configs valid.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Per review: the two compose files are documented as deployment scenarios (your
own proxy handles TLS, vs this stack handles TLS with auto-renewal), not as
test/dev variants. Removed ACME jargon (HTTP-01 / DNS-01) from the file headers
and .env — those are meaningless to a deployer. Each variant's header and the
README now show the exact address to enter in the mobile app (the API server
URL, e.g. https://api.robozor.cz). Self-signed localhost kept only as a one-line
local-check note.
@robozor robozor merged commit 6c9e3ad into main Jun 14, 2026
1 check passed
@robozor robozor deleted the feature/https-proxy branch June 14, 2026 11:44