diff --git a/config/Caddyfile b/config/Caddyfile index 7078047b..5756ffb2 100644 --- a/config/Caddyfile +++ b/config/Caddyfile @@ -1,23 +1,33 @@ # TFM aInventory - Caddy Patched IP Configuration -# Version 1.9.14 - Protocol Lock & Debug Mode +# Version 1.9.15 - The Dynamic Shield (On-Demand TLS) { admin off - # Enable debug logging for SSL handshake diagnostics debug - # Trust local CA for internal certificate issuance + # Global TLS options for self-signed certificates local_certs - # Avoid errors if the user isn't root (though inside Docker we usually are) skip_install_trust + + # Configure on-demand TLS for private network IPs + on_demand_tls { + # Using a dummy check or local health endpoint to allow any IP in private range + # For simplicity in this env, we use the frontend's existence as the check + ask http://frontend:3000/api/health + } } -# Explicit Frontend SSL Proxy (8919 -> 443) -https://:443 { - tls internal +# Dynamic SSL Proxy (Matches ANY IP or hostname) +https:// { + tls internal { + on_demand + } + + # Route based on the port (Caddy handles multiple listeners in this catch-all) + # But since we have specific container ports, we'll split them for clarity + # to avoid port collision in the catch-all. reverse_proxy frontend:3000 - # Security Headers for PWA header { Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" X-XSS-Protection "1; mode=block" @@ -27,8 +37,10 @@ https://:443 { } } -# Explicit Backend SSL Proxy (8918 -> 444) +# Specific port listener for backend (8918 -> 444) https://:444 { - tls internal + tls internal { + on_demand + } reverse_proxy backend:8000 } diff --git a/frontend/VERSION.json b/frontend/VERSION.json index 18e22d1f..1da4a22a 100644 --- a/frontend/VERSION.json +++ b/frontend/VERSION.json @@ -1 +1 @@ -{"version": "1.9.13", "last_build": "2026-04-13-2231", "codename": "BareMetal", "commit": "4dc0ce50"} +{"version": "1.9.14", "last_build": "2026-04-13-2237", "codename": "ProtocolLock", "commit": "94f1a515"}