unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 5 Wiki Activity

fix(web): default mgmt proxy to the HTTPS self-signed mgmt API
apple / swift (push) Successful in 54s
Details
android / android (push) Failing after 54s
Details
ci / web (push) Successful in 38s
Details
ci / docs-site (push) Successful in 34s
Details
ci / rust (push) Failing after 2m30s
Details
ci / bench (push) Failing after 1m15s
Details
decky / build-publish (push) Failing after 4s
Details
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 0s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Failing after 1s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Failing after 0s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Failing after 1s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Failing after 0s
Details
docker / deploy-docs (push) Has been skipped
Details
flatpak / build-publish (push) Failing after 0s
Details
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 1s
Details
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 0s
Details
deb / build-publish (push) Successful in 3m22s
Details

Browse Source 
The mgmt API serves HTTPS with the host's self-signed identity cert and requires
mTLS-or-bearer auth (the mTLS work), but the web console's proxy still defaulted to
`http://127.0.0.1:47990` — so a deployment copying .env.example got a plain-HTTP
request to an HTTPS port (→ 502 Bad Gateway, observed live on the Bazzite box).

- .env.example + server/util/auth.ts + vite.config.ts: default PUNKTFUNK_MGMT_URL to
  https://127.0.0.1:47990.
- vite dev proxy: `secure: false` (the host cert is self-signed).
- Document that the deployment needs PUNKTFUNK_MGMT_TOKEN (matching the host's) and
  NODE_TLS_REJECT_UNAUTHORIZED=0 — the web server's only outbound TLS is the loopback
  hop to the host's own self-signed cert, so disabling verify there is scoped + safe.

The running Bazzite box is already fixed live (web.env → https + token + cert-skip,
verified: login 200, /api/v1/status 200). This makes fresh deployments correct.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-15 07:50:41 +00:00
parent ff1cc6c6d9
commit 95c4058582
4 changed files with 25 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/README.md
+6 -2
View File
@@ -15,8 +15,9 @@ Query** through **orval** codegen from the OpenAPI spec · **shadcn/ui** (Tailwi
bun install # runs `prepare` → codegen (orval + paraglide)
bun run dev # http://localhost:3000
# The dev server proxies /api → http://127.0.0.1:47990 (the host's management API).
# Point it elsewhere: PUNKTFUNK_MGMT_URL=http://<host>:47990 bun run dev
# The dev server proxies /api → https://127.0.0.1:47990 (the host's mgmt API; it serves HTTPS
# with the host's self-signed identity cert — the dev proxy uses `secure: false`).
# Point it elsewhere: PUNKTFUNK_MGMT_URL=https://<host>:47990 bun run dev
```
Start a host with the management API up:
@@ -37,7 +38,10 @@ If the host runs with `--mgmt-token`, set it under **Settings → API token** (s
bun run build # → .output/ (Nitro server, `bun` preset, + .output/public assets)
PORT=3000 HOST=0.0.0.0 \
PUNKTFUNK_UI_PASSWORD=PUNKTFUNK_MGMT_TOKEN=\
PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 NODE_TLS_REJECT_UNAUTHORIZED=0 \
bun run start # = bun run .output/server/index.mjs
# (the mgmt API is HTTPS w/ the host's self-signed cert on loopback → the proxy's fetch needs
# NODE_TLS_REJECT_UNAUTHORIZED=0; it makes no other outbound TLS calls. See .env.example.)
bun run lint # tsc --noEmit
```