Files
punktfunk/web/server
enricobuehler f4e37ac3b3 fix(web): default mgmt proxy to the HTTPS self-signed mgmt API
The mgmt API serves HTTPS with the host's self-signed identity cert and requires
mTLS-or-bearer auth (the mTLS work), but the web console's proxy still defaulted to
`http://127.0.0.1:47990` — so a deployment copying .env.example got a plain-HTTP
request to an HTTPS port (→ 502 Bad Gateway, observed live on the Bazzite box).

- .env.example + server/util/auth.ts + vite.config.ts: default PUNKTFUNK_MGMT_URL to
  https://127.0.0.1:47990.
- vite dev proxy: `secure: false` (the host cert is self-signed).
- Document that the deployment needs PUNKTFUNK_MGMT_TOKEN (matching the host's) and
  NODE_TLS_REJECT_UNAUTHORIZED=0 — the web server's only outbound TLS is the loopback
  hop to the host's own self-signed cert, so disabling verify there is scoped + safe.

The running Bazzite box is already fixed live (web.env → https + token + cert-skip,
verified: login 200, /api/v1/status 200). This makes fresh deployments correct.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 07:50:41 +00:00
..