From a7a80f8c1616efe229d8fa800b50d4134f17c3fe Mon Sep 17 00:00:00 2001 From: Marcel Date: Mon, 11 May 2026 13:18:11 +0200 Subject: [PATCH] docs(deployment): route SSE through Caddy in topology mermaid MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The top-level deployment diagram lagged the C4 L2 diagram, which correctly notes that SSE notifications are fronted by Caddy. The mermaid showed Browser → Backend direct, which would only be true if the backend port were exposed publicly (it is not — all docker ports bind to 127.0.0.1). Fixes the inconsistency Markus flagged on PR #499: the public surface is Caddy and Caddy only. Co-Authored-By: Claude Opus 4.7 --- docs/DEPLOYMENT.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md index e995739c..bd7b7a1a 100644 --- a/docs/DEPLOYMENT.md +++ b/docs/DEPLOYMENT.md 
@@ -33,14 +33,14 @@ graph TD Backend -->|S3 API :9000| MinIO[(MinIO)] Backend -->|HTTP :8000 internal| OCR["OCR Service\nPython FastAPI"] OCR -->|presigned URL| MinIO - Browser -->|SSE direct| Backend + Caddy -->|SSE proxy_pass| Backend ``` **Key facts:** - Caddy terminates TLS and reverse-proxies to frontend (`:3000`) and backend (`:8080`). The Caddyfile is committed at [`infra/caddy/Caddyfile`](../infra/caddy/Caddyfile) and is installed on the host as `/etc/caddy/Caddyfile` (symlink). - The host binds all docker-published ports to `127.0.0.1` only; Caddy is the sole external entry point. - The OCR service has **no published port** — reachable only on the internal Docker network from the backend. -- SSE notifications go directly backend → browser (not via the SvelteKit SSR layer). +- SSE notifications transit Caddy (browser → Caddy → backend); the backend is never reachable directly from the public internet. The SvelteKit SSR layer is bypassed for SSE, but Caddy is not. - The Caddyfile responds `404` on `/actuator/*` (defense in depth). Internal monitoring scrapes the backend on the docker network, not through Caddy. - Production and staging cohabit on the same host via docker compose project names: `archiv-production` (ports 8080/3000) and `archiv-staging` (ports 8081/3001).
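Review bot: the new mermaid edge label `SSE proxy_pass` uses the nginx directive name; the host runs Caddy, whose equivalent directive is `reverse_proxy`, and the key-facts bullet directly below says Caddy "reverse-proxies" to the backend, so a reader checking `infra/caddy/Caddyfile` will look for a `proxy_pass` that does not exist. Suggest `+ Caddy -->|SSE reverse_proxy| Backend` (or just `SSE via Caddy`). Since the bullet now asserts that every SSE stream transits Caddy and links the committed Caddyfile, it would also be worth noting which Caddyfile settings keep the long-lived stream working (response flushing and any read/idle timeouts on the backend route), because a reverse proxy that buffers or times out the connection is the usual way SSE breaks once it is no longer direct. Finally, if the diagram has no existing `Browser --> Caddy` edge covering SSE, the browser side of the stream vanishes from the picture with this hunk; the commit message describes the intended path as browser → Caddy → backend, so both legs should be visible.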