diff --git a/docker/Caddyfile b/docker/Caddyfile index 1202aba3..1329665b 100644 --- a/docker/Caddyfile +++ b/docker/Caddyfile @@ -1,12 +1,12 @@ -# Tx OS — Caddy reverse proxy + TLS termination. +# Tx OS — Caddy reverse proxy + TLS termination (HTTPS_MODE=local|byo). # -# Defaults (HTTPS_MODE=local or byo): listen on :443 with the mounted -# certificate pair from /certs, redirect HTTP→HTTPS automatically. -# When HTTPS_MODE=skip, we serve plaintext on :80 only (developer-only; -# the host script never enables this in production paths). +# This Caddyfile is the default. The compose `caddy` service entrypoint +# loads docker/Caddyfile.skip instead when HTTPS_MODE=skip, so this file +# can assume TLS certificates exist in /certs. # # The site MUST stay single-origin so the API session cookie # (sameSite=lax) keeps working across SPA + /api requests. + { # Disable Caddy's automatic Let's Encrypt issuance — we always # bring our own cert (mkcert locally, real cert in BYO mode). @@ -47,16 +47,9 @@ import spa_proxy } -# Plain HTTP — issue a permanent redirect to HTTPS in normal modes, -# but become the actual site when HTTPS_MODE=skip. +# Plain HTTP → permanent redirect to HTTPS. Skip-mode (no certs) is +# handled exclusively by docker/Caddyfile.skip, picked by the compose +# entrypoint when HTTPS_MODE=skip. :80 { - @skip expression {$HTTPS_MODE:local} == "skip" - handle @skip { - encode zstd gzip - import api_proxy - import spa_proxy - } - handle { - redir https://{host}{uri} permanent - } + redir https://{host}{uri} permanent }