diff --git a/web/.env.example b/web/.env.example index f90488f..bbfde43 100644 --- a/web/.env.example +++ b/web/.env.example @@ -6,14 +6,21 @@ # never admits anyone by accident. PUNKTFUNK_UI_PASSWORD=change-me -# Management API the console proxies to. Keep it loopback — it should NOT be LAN-exposed; -# the login-gated web server is the only path to it. -PUNKTFUNK_MGMT_URL=http://127.0.0.1:47990 +# Management API the console proxies to. It serves HTTPS (the host's own identity cert) and +# requires auth (mTLS or the bearer below). Keep this loopback — the login-gated web server is +# the only path to it. +PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 -# Bearer token for the management API, injected server-side by the /api proxy (never sent -# to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN. +# REQUIRED: bearer token for the management API, injected server-side by the /api proxy (never +# sent to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN — otherwise +# the proxy gets 401. PUNKTFUNK_MGMT_TOKEN= +# REQUIRED with the HTTPS mgmt API: the host presents a SELF-SIGNED identity cert on loopback, +# which the proxy's fetch would otherwise reject (→ 502). The web server makes no other outbound +# TLS calls, so disabling verification here only affects the loopback hop to the host's own cert. +NODE_TLS_REJECT_UNAUTHORIZED=0 + # OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, a stable key is derived # from PUNKTFUNK_UI_PASSWORD (changing the password then invalidates sessions). # PUNKTFUNK_UI_SECRET= diff --git a/web/README.md b/web/README.md index 3264117..1b66343 100644 --- a/web/README.md +++ b/web/README.md @@ -15,8 +15,9 @@ Query** through **orval** codegen from the OpenAPI spec · **shadcn/ui** (Tailwi bun install # runs `prepare` → codegen (orval + paraglide) bun run dev # http://localhost:3000 -# The dev server proxies /api → http://127.0.0.1:47990 (the host's management API). -# Point it elsewhere: PUNKTFUNK_MGMT_URL=http://:47990 bun run dev +# The dev server proxies /api → https://127.0.0.1:47990 (the host's mgmt API; it serves HTTPS +# with the host's self-signed identity cert — the dev proxy uses `secure: false`). +# Point it elsewhere: PUNKTFUNK_MGMT_URL=https://:47990 bun run dev ``` Start a host with the management API up: @@ -37,7 +38,10 @@ If the host runs with `--mgmt-token`, set it under **Settings → API token** (s bun run build # → .output/ (Nitro server, `bun` preset, + .output/public assets) PORT=3000 HOST=0.0.0.0 \ PUNKTFUNK_UI_PASSWORD=… PUNKTFUNK_MGMT_TOKEN=… \ + PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 NODE_TLS_REJECT_UNAUTHORIZED=0 \ bun run start # = bun run .output/server/index.mjs +# (the mgmt API is HTTPS w/ the host's self-signed cert on loopback → the proxy's fetch needs +# NODE_TLS_REJECT_UNAUTHORIZED=0; it makes no other outbound TLS calls. See .env.example.) bun run lint # tsc --noEmit ``` diff --git a/web/server/util/auth.ts b/web/server/util/auth.ts index 80c2919..f28ab7b 100644 --- a/web/server/util/auth.ts +++ b/web/server/util/auth.ts @@ -14,9 +14,11 @@ export function uiPassword(): string { return process.env.PUNKTFUNK_UI_PASSWORD ?? '' } -/** The management API the proxy forwards to (loopback by default — never LAN-exposed). */ +/** The management API the proxy forwards to (loopback by default — never LAN-exposed). It serves + * HTTPS with the host's self-signed identity cert, so the deployment also sets + * NODE_TLS_REJECT_UNAUTHORIZED=0 for the (loopback-only) proxy fetch — see .env.example. */ export function mgmtUrl(): string { - return process.env.PUNKTFUNK_MGMT_URL ?? 'http://127.0.0.1:47990' + return process.env.PUNKTFUNK_MGMT_URL ?? 'https://127.0.0.1:47990' } /** Bearer token for the management API, injected server-side. */ diff --git a/web/vite.config.ts b/web/vite.config.ts index 24e13d5..3402f7f 100644 --- a/web/vite.config.ts +++ b/web/vite.config.ts @@ -14,12 +14,13 @@ const serverDir = fileURLToPath(new URL('./server', import.meta.url)) // The management API the console drives. The browser always talks same-origin (/api/...): // in `vite dev` the dev server proxies it (below); in the built Bun/Nitro server a Nitro // route-rule proxies it (below). Override the upstream with PUNKTFUNK_MGMT_URL. -const MGMT_URL = process.env.PUNKTFUNK_MGMT_URL ?? 'http://127.0.0.1:47990' +const MGMT_URL = process.env.PUNKTFUNK_MGMT_URL ?? 'https://127.0.0.1:47990' export default defineConfig({ server: { proxy: { - '/api': { target: MGMT_URL, changeOrigin: true }, + // `secure: false`: the host serves its own self-signed identity cert on loopback. + '/api': { target: MGMT_URL, changeOrigin: true, secure: false }, }, }, plugins: [