45 lines
2.1 KiB
Markdown
45 lines
2.1 KiB
Markdown
|
|
# Verify — reverse_proxy (Caddy)
|
|||
|
|
|
|||
|
|
`reverse_proxy` has no application UI of its own — it is the TLS terminator and router.
|
|||
|
|
"Working" is verified at the HTTP/TLS layer (what `/verify-service` can drive with a
|
|||
|
|
browser/HTTP client against the public hostnames it serves), not via an app login.
|
|||
|
|
|
|||
|
|
## Critical user journeys
|
|||
|
|
|
|||
|
|
1. **HTTPS serves with a valid cert** — request `https://<a host in
|
|||
|
|
reverse_proxy__routes>` (e.g. `https://test.askari.wingu.me`) → 200 with a valid
|
|||
|
|
Let's Encrypt certificate (trusted chain, CN/SAN matches the host, not expired).
|
|||
|
|
2. **HTTP redirects to HTTPS** — request `http://<host>` → 308/301 redirect to the
|
|||
|
|
`https://` URL (Caddy's automatic-HTTPS redirect).
|
|||
|
|
3. **A `respond` route returns its static body** — the test vhost returns its configured
|
|||
|
|
string with 200.
|
|||
|
|
4. **An `upstream` route proxies through** — once a real upstream is registered (M4b
|
|||
|
|
NetBird), `https://<host>` reaches the upstream's response, not a Caddy error page.
|
|||
|
|
5. **An unknown host is not served a valid cert** — a hostname not in
|
|||
|
|
`reverse_proxy__routes` does not get a certificate / is not routed (no accidental
|
|||
|
|
catch-all).
|
|||
|
|
|
|||
|
|
## What good looks like
|
|||
|
|
|
|||
|
|
- The browser padlock shows a valid Let's Encrypt certificate for the requested host;
|
|||
|
|
the SAN matches and the chain is trusted.
|
|||
|
|
- `http://` visibly becomes `https://` in the address bar.
|
|||
|
|
- The expected body (static `respond` text, or the upstream's page) renders.
|
|||
|
|
|
|||
|
|
## Not browser-verifiable
|
|||
|
|
|
|||
|
|
- Certificate *renewal* (60-day cadence) — confirm out of band via `docker logs caddy`
|
|||
|
|
/ Loki, not a single browser session.
|
|||
|
|
- Behaviour when port 80 is blocked (HTTP-01 would fail) — an infrastructure/firewall
|
|||
|
|
check, route to the manual handoff.
|
|||
|
|
- The deferred DNS-01 path for mesh/LAN-only services (Phase 2, ADR-024) — not yet live.
|
|||
|
|
|
|||
|
|
## Test data
|
|||
|
|
|
|||
|
|
Provisioned in the **staging** deploy (no Authentik user needed — there is no SSO on the
|
|||
|
|
proxy itself):
|
|||
|
|
|
|||
|
|
- At least one `reverse_proxy__routes` entry with a public DNS A-record pointing at the
|
|||
|
|
staging host, so HTTP-01 can complete. A static `respond` route is enough for journeys
|
|||
|
|
1–3 and 5.
|