|
7 | 7 | demo.meridianhub.cloud, *.demo.meridianhub.cloud { |
8 | 8 | tls /etc/caddy/certs/origin-cert.pem /etc/caddy/certs/origin-key.pem |
9 | 9 |
|
10 | | - # Health/readiness probes bypass basic auth (used by Docker and load balancers) |
11 | | - @health_probes { |
12 | | - path /healthz /readyz |
13 | | - } |
14 | | - handle @health_probes { |
15 | | - reverse_proxy meridian:8090 |
16 | | - } |
17 | | - |
18 | | - # MCP paths bypass basic auth — MCP clients use Bearer tokens, not basic auth. |
19 | | - @mcp_paths { |
20 | | - path /mcp /sse /message |
21 | | - } |
22 | | - handle @mcp_paths { |
23 | | - reverse_proxy mcp-server:8090 |
24 | | - } |
25 | | - |
26 | | - # OAuth discovery returns 404 when OAuth is disabled. This prevents the |
27 | | - # frontend SPA catch-all from serving HTML to MCP clients doing discovery. |
28 | | - @oauth_discovery { |
29 | | - path /.well-known/oauth-authorization-server /.well-known/oauth-protected-resource |
30 | | - } |
31 | | - handle @oauth_discovery { |
32 | | - respond 404 |
33 | | - } |
34 | | - |
35 | | - # Protect the rest of the demo site with HTTP basic auth. |
| 10 | + # Protect the demo site with HTTP basic auth, excluding specific paths. |
36 | 11 | @protected { |
37 | 12 | not path /healthz /readyz /mcp /sse /message /.well-known/oauth-* |
38 | 13 | } |
39 | 14 | basicauth @protected { |
40 | 15 | demo $2a$14$xfFb2xnq6vOhKOEh7TTgTula3G.F6MxoT7DawQLGBPziCgjTcWCrS |
41 | 16 | } |
42 | 17 |
|
43 | | - # Dex OIDC endpoints |
44 | | - handle /dex/* { |
45 | | - reverse_proxy dex:5556 |
46 | | - } |
| 18 | + # Use route for explicit ordering — first match wins, no resorting. |
| 19 | + route { |
| 20 | + # Health/readiness probes |
| 21 | + @health_probes path /healthz /readyz |
| 22 | + reverse_proxy @health_probes meridian:8090 |
47 | 23 |
|
48 | | - # API: ConnectRPC + version |
49 | | - @api { |
50 | | - path /meridian.* /grpc.* /version |
51 | | - } |
52 | | - handle @api { |
53 | | - reverse_proxy meridian:8090 |
54 | | - } |
| 24 | + # OAuth discovery returns 404 when OAuth is disabled. Prevents the |
| 25 | + # SPA catch-all from returning HTML to MCP clients doing discovery. |
| 26 | + @oauth_discovery path /.well-known/oauth-authorization-server /.well-known/oauth-protected-resource |
| 27 | + respond @oauth_discovery 404 |
| 28 | + |
| 29 | + # MCP Server: streamable HTTP + legacy SSE transport |
| 30 | + @mcp_paths path /mcp /sse /message |
| 31 | + reverse_proxy @mcp_paths mcp-server:8090 |
| 32 | + |
| 33 | + # Dex OIDC endpoints |
| 34 | + @dex path /dex/* |
| 35 | + reverse_proxy @dex dex:5556 |
| 36 | + |
| 37 | + # API: ConnectRPC + version |
| 38 | + @api path /meridian.* /grpc.* /version |
| 39 | + reverse_proxy @api meridian:8090 |
55 | 40 |
|
56 | | - # Frontend: static files with SPA fallback |
57 | | - handle { |
| 41 | + # Frontend: static files with SPA fallback (catch-all, must be last) |
58 | 42 | root * /var/www/html |
59 | 43 | @hashed path /assets/* |
60 | 44 | header @hashed Cache-Control "public, max-age=31536000, immutable" |
|
0 commit comments