fix(web): default mgmt proxy to the HTTPS self-signed mgmt API

The mgmt API serves HTTPS with the host's self-signed identity cert and requires
mTLS-or-bearer auth (the mTLS work), but the web console's proxy still defaulted to
`http://127.0.0.1:47990` — so a deployment copying .env.example got a plain-HTTP
request to an HTTPS port (→ 502 Bad Gateway, observed live on the Bazzite box).

- .env.example + server/util/auth.ts + vite.config.ts: default PUNKTFUNK_MGMT_URL to
  https://127.0.0.1:47990.
- vite dev proxy: `secure: false` (the host cert is self-signed).
- Document that the deployment needs PUNKTFUNK_MGMT_TOKEN (matching the host's) and
  NODE_TLS_REJECT_UNAUTHORIZED=0 — the web server's only outbound TLS is the loopback
  hop to the host's own self-signed cert, so disabling verify there is scoped + safe.

The running Bazzite box is already fixed live (web.env → https + token + cert-skip,
verified: login 200, /api/v1/status 200). This makes fresh deployments correct.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

web/.env.example

@@ -6,14 +6,21 @@
 # never admits anyone by accident.
 PUNKTFUNK_UI_PASSWORD=change-me
 
-# Management API the console proxies to. Keep it loopback — it should NOT be LAN-exposed;
-# the login-gated web server is the only path to it.
-PUNKTFUNK_MGMT_URL=http://127.0.0.1:47990
+# Management API the console proxies to. It serves HTTPS (the host's own identity cert) and
+# requires auth (mTLS or the bearer below). Keep this loopback — the login-gated web server is
+# the only path to it.
+PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
 
-# Bearer token for the management API, injected server-side by the /api proxy (never sent
-# to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN.
+# REQUIRED: bearer token for the management API, injected server-side by the /api proxy (never
+# sent to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN — otherwise
+# the proxy gets 401.
 PUNKTFUNK_MGMT_TOKEN=
 
+# REQUIRED with the HTTPS mgmt API: the host presents a SELF-SIGNED identity cert on loopback,
+# which the proxy's fetch would otherwise reject (→ 502). The web server makes no other outbound
+# TLS calls, so disabling verification here only affects the loopback hop to the host's own cert.
+NODE_TLS_REJECT_UNAUTHORIZED=0
+
 # OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, a stable key is derived
 # from PUNKTFUNK_UI_PASSWORD (changing the password then invalidates sessions).
 # PUNKTFUNK_UI_SECRET=

web/README.md

@@ -15,8 +15,9 @@ Query** through **orval** codegen from the OpenAPI spec · **shadcn/ui** (Tailwi
 bun install               # runs `prepare` → codegen (orval + paraglide)
 bun run dev               # http://localhost:3000
 
-# The dev server proxies /api → http://127.0.0.1:47990 (the host's management API).
-# Point it elsewhere: PUNKTFUNK_MGMT_URL=http://<host>:47990 bun run dev
+# The dev server proxies /api → https://127.0.0.1:47990 (the host's mgmt API; it serves HTTPS
+# with the host's self-signed identity cert — the dev proxy uses `secure: false`).
+# Point it elsewhere: PUNKTFUNK_MGMT_URL=https://<host>:47990 bun run dev
 ```
 
 Start a host with the management API up:
@@ -37,7 +38,10 @@ If the host runs with `--mgmt-token`, set it under **Settings → API token** (s
 bun run build             # → .output/  (Nitro server, `bun` preset, + .output/public assets)
 PORT=3000 HOST=0.0.0.0 \
   PUNKTFUNK_UI_PASSWORD=… PUNKTFUNK_MGMT_TOKEN=… \
+  PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 NODE_TLS_REJECT_UNAUTHORIZED=0 \
   bun run start           # = bun run .output/server/index.mjs
+# (the mgmt API is HTTPS w/ the host's self-signed cert on loopback → the proxy's fetch needs
+#  NODE_TLS_REJECT_UNAUTHORIZED=0; it makes no other outbound TLS calls. See .env.example.)
 bun run lint              # tsc --noEmit
 ```
 

web/server/util/auth.ts

@@ -14,9 +14,11 @@ export function uiPassword(): string {
   return process.env.PUNKTFUNK_UI_PASSWORD ?? ''
 }
 
-/** The management API the proxy forwards to (loopback by default — never LAN-exposed). */
+/** The management API the proxy forwards to (loopback by default — never LAN-exposed). It serves
+ * HTTPS with the host's self-signed identity cert, so the deployment also sets
+ * NODE_TLS_REJECT_UNAUTHORIZED=0 for the (loopback-only) proxy fetch — see .env.example. */
 export function mgmtUrl(): string {
-  return process.env.PUNKTFUNK_MGMT_URL ?? 'http://127.0.0.1:47990'
+  return process.env.PUNKTFUNK_MGMT_URL ?? 'https://127.0.0.1:47990'
 }
 
 /** Bearer token for the management API, injected server-side. */

web/vite.config.ts

@@ -14,12 +14,13 @@ const serverDir = fileURLToPath(new URL('./server', import.meta.url))
 // The management API the console drives. The browser always talks same-origin (/api/...):
 // in `vite dev` the dev server proxies it (below); in the built Bun/Nitro server a Nitro
 // route-rule proxies it (below). Override the upstream with PUNKTFUNK_MGMT_URL.
-const MGMT_URL = process.env.PUNKTFUNK_MGMT_URL ?? 'http://127.0.0.1:47990'
+const MGMT_URL = process.env.PUNKTFUNK_MGMT_URL ?? 'https://127.0.0.1:47990'
 
 export default defineConfig({
   server: {
     proxy: {
-      '/api': { target: MGMT_URL, changeOrigin: true },
+      // `secure: false`: the host serves its own self-signed identity cert on loopback.
+      '/api': { target: MGMT_URL, changeOrigin: true, secure: false },
     },
   },
   plugins: [