From 95c405858272be0a17ef07a4e34de874af62d553 Mon Sep 17 00:00:00 2001 From: enricobuehler Date: Mon, 15 Jun 2026 07:50:41 +0000 Subject: [PATCH] fix(web): default mgmt proxy to the HTTPS self-signed mgmt API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The mgmt API serves HTTPS with the host's self-signed identity cert and requires mTLS-or-bearer auth (the mTLS work), but the web console's proxy still defaulted to `http://127.0.0.1:47990` — so a deployment copying .env.example got a plain-HTTP request to an HTTPS port (→ 502 Bad Gateway, observed live on the Bazzite box). - .env.example + server/util/auth.ts + vite.config.ts: default PUNKTFUNK_MGMT_URL to https://127.0.0.1:47990. - vite dev proxy: `secure: false` (the host cert is self-signed). - Document that the deployment needs PUNKTFUNK_MGMT_TOKEN (matching the host's) and NODE_TLS_REJECT_UNAUTHORIZED=0 — the web server's only outbound TLS is the loopback hop to the host's own self-signed cert, so disabling verify there is scoped + safe. The running Bazzite box is already fixed live (web.env → https + token + cert-skip, verified: login 200, /api/v1/status 200). This makes fresh deployments correct. Co-Authored-By: Claude Opus 4.8 (1M context) --- web/.env.example | 17 ++++++++++++----- web/README.md | 8 ++++++-- web/server/util/auth.ts | 6 ++++-- web/vite.config.ts | 5 +++-- 4 files changed, 25 insertions(+), 11 deletions(-) diff --git a/web/.env.example b/web/.env.example index f90488f..bbfde43 100644 --- a/web/.env.example +++ b/web/.env.example @@ -6,14 +6,21 @@ # never admits anyone by accident. PUNKTFUNK_UI_PASSWORD=change-me -# Management API the console proxies to. Keep it loopback — it should NOT be LAN-exposed; -# the login-gated web server is the only path to it. -PUNKTFUNK_MGMT_URL=http://127.0.0.1:47990 +# Management API the console proxies to. It serves HTTPS (the host's own identity cert) and +# requires auth (mTLS or the bearer below). Keep this loopback — the login-gated web server is +# the only path to it. +PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 -# Bearer token for the management API, injected server-side by the /api proxy (never sent -# to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN. +# REQUIRED: bearer token for the management API, injected server-side by the /api proxy (never +# sent to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN — otherwise +# the proxy gets 401. PUNKTFUNK_MGMT_TOKEN= +# REQUIRED with the HTTPS mgmt API: the host presents a SELF-SIGNED identity cert on loopback, +# which the proxy's fetch would otherwise reject (→ 502). The web server makes no other outbound +# TLS calls, so disabling verification here only affects the loopback hop to the host's own cert. +NODE_TLS_REJECT_UNAUTHORIZED=0 + # OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, a stable key is derived # from PUNKTFUNK_UI_PASSWORD (changing the password then invalidates sessions). # PUNKTFUNK_UI_SECRET= diff --git a/web/README.md b/web/README.md index 3264117..1b66343 100644 --- a/web/README.md +++ b/web/README.md @@ -15,8 +15,9 @@ Query** through **orval** codegen from the OpenAPI spec · **shadcn/ui** (Tailwi bun install # runs `prepare` → codegen (orval + paraglide) bun run dev # http://localhost:3000 -# The dev server proxies /api → http://127.0.0.1:47990 (the host's management API). -# Point it elsewhere: PUNKTFUNK_MGMT_URL=http://:47990 bun run dev +# The dev server proxies /api → https://127.0.0.1:47990 (the host's mgmt API; it serves HTTPS +# with the host's self-signed identity cert — the dev proxy uses `secure: false`). +# Point it elsewhere: PUNKTFUNK_MGMT_URL=https://:47990 bun run dev ``` Start a host with the management API up: @@ -37,7 +38,10 @@ If the host runs with `--mgmt-token`, set it under **Settings → API token** (s bun run build # → .output/ (Nitro server, `bun` preset, + .output/public assets) PORT=3000 HOST=0.0.0.0 \ PUNKTFUNK_UI_PASSWORD=… PUNKTFUNK_MGMT_TOKEN=… \ + PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 NODE_TLS_REJECT_UNAUTHORIZED=0 \ bun run start # = bun run .output/server/index.mjs +# (the mgmt API is HTTPS w/ the host's self-signed cert on loopback → the proxy's fetch needs +# NODE_TLS_REJECT_UNAUTHORIZED=0; it makes no other outbound TLS calls. See .env.example.) bun run lint # tsc --noEmit ``` diff --git a/web/server/util/auth.ts b/web/server/util/auth.ts index 80c2919..f28ab7b 100644 --- a/web/server/util/auth.ts +++ b/web/server/util/auth.ts @@ -14,9 +14,11 @@ export function uiPassword(): string { return process.env.PUNKTFUNK_UI_PASSWORD ?? '' } -/** The management API the proxy forwards to (loopback by default — never LAN-exposed). */ +/** The management API the proxy forwards to (loopback by default — never LAN-exposed). It serves + * HTTPS with the host's self-signed identity cert, so the deployment also sets + * NODE_TLS_REJECT_UNAUTHORIZED=0 for the (loopback-only) proxy fetch — see .env.example. */ export function mgmtUrl(): string { - return process.env.PUNKTFUNK_MGMT_URL ?? 'http://127.0.0.1:47990' + return process.env.PUNKTFUNK_MGMT_URL ?? 'https://127.0.0.1:47990' } /** Bearer token for the management API, injected server-side. */ diff --git a/web/vite.config.ts b/web/vite.config.ts index 24e13d5..3402f7f 100644 --- a/web/vite.config.ts +++ b/web/vite.config.ts @@ -14,12 +14,13 @@ const serverDir = fileURLToPath(new URL('./server', import.meta.url)) // The management API the console drives. The browser always talks same-origin (/api/...): // in `vite dev` the dev server proxies it (below); in the built Bun/Nitro server a Nitro // route-rule proxies it (below). Override the upstream with PUNKTFUNK_MGMT_URL. -const MGMT_URL = process.env.PUNKTFUNK_MGMT_URL ?? 'http://127.0.0.1:47990' +const MGMT_URL = process.env.PUNKTFUNK_MGMT_URL ?? 'https://127.0.0.1:47990' export default defineConfig({ server: { proxy: { - '/api': { target: MGMT_URL, changeOrigin: true }, + // `secure: false`: the host serves its own self-signed identity cert on loopback. + '/api': { target: MGMT_URL, changeOrigin: true, secure: false }, }, }, plugins: [