docs(deployment): route SSE through Caddy in topology mermaid
Some checks failed
CI / Unit & Component Tests (push) Failing after 2m48s
CI / OCR Service Tests (push) Successful in 16s
CI / Unit & Component Tests (pull_request) Failing after 2m48s
CI / Backend Unit Tests (pull_request) Successful in 4m8s
CI / fail2ban Regex (pull_request) Successful in 37s
CI / Compose Bucket Idempotency (pull_request) Failing after 49s
CI / Backend Unit Tests (push) Successful in 4m7s
CI / fail2ban Regex (push) Successful in 36s
CI / Compose Bucket Idempotency (push) Failing after 1m15s
CI / OCR Service Tests (pull_request) Successful in 16s
Some checks failed
CI / Unit & Component Tests (push) Failing after 2m48s
CI / OCR Service Tests (push) Successful in 16s
CI / Unit & Component Tests (pull_request) Failing after 2m48s
CI / Backend Unit Tests (pull_request) Successful in 4m8s
CI / fail2ban Regex (pull_request) Successful in 37s
CI / Compose Bucket Idempotency (pull_request) Failing after 49s
CI / Backend Unit Tests (push) Successful in 4m7s
CI / fail2ban Regex (push) Successful in 36s
CI / Compose Bucket Idempotency (push) Failing after 1m15s
CI / OCR Service Tests (pull_request) Successful in 16s
The top-level deployment diagram lagged the C4 L2 diagram, which correctly notes that SSE notifications are fronted by Caddy. The mermaid showed Browser → Backend direct, which would only be true if the backend port were exposed publicly (it is not — all docker ports bind to 127.0.0.1). Fixes the inconsistency Markus flagged on PR #499: the public surface is Caddy and Caddy only. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Marcel
@@ -33,14 +33,14 @@ graph TD
|
|||||||
Backend -->|S3 API :9000| MinIO[(MinIO)]
|
Backend -->|S3 API :9000| MinIO[(MinIO)]
|
||||||
Backend -->|HTTP :8000 internal| OCR["OCR Service\nPython FastAPI"]
|
Backend -->|HTTP :8000 internal| OCR["OCR Service\nPython FastAPI"]
|
||||||
OCR -->|presigned URL| MinIO
|
OCR -->|presigned URL| MinIO
|
||||||
Browser -->|SSE direct| Backend
|
Caddy -->|SSE proxy_pass| Backend
|
||||||
```
|
```
|
||||||
|
|
||||||
**Key facts:**
|
**Key facts:**
|
||||||
- Caddy terminates TLS and reverse-proxies to frontend (`:3000`) and backend (`:8080`). The Caddyfile is committed at [`infra/caddy/Caddyfile`](../infra/caddy/Caddyfile) and is installed on the host as `/etc/caddy/Caddyfile` (symlink).
|
- Caddy terminates TLS and reverse-proxies to frontend (`:3000`) and backend (`:8080`). The Caddyfile is committed at [`infra/caddy/Caddyfile`](../infra/caddy/Caddyfile) and is installed on the host as `/etc/caddy/Caddyfile` (symlink).
|
||||||
- The host binds all docker-published ports to `127.0.0.1` only; Caddy is the sole external entry point.
|
- The host binds all docker-published ports to `127.0.0.1` only; Caddy is the sole external entry point.
|
||||||
- The OCR service has **no published port** — reachable only on the internal Docker network from the backend.
|
- The OCR service has **no published port** — reachable only on the internal Docker network from the backend.
|
||||||
- SSE notifications go directly backend → browser (not via the SvelteKit SSR layer).
|
- SSE notifications transit Caddy (browser → Caddy → backend); the backend is never reachable directly from the public internet. The SvelteKit SSR layer is bypassed for SSE, but Caddy is not.
|
||||||
- The Caddyfile responds `404` on `/actuator/*` (defense in depth). Internal monitoring scrapes the backend on the docker network, not through Caddy.
|
- The Caddyfile responds `404` on `/actuator/*` (defense in depth). Internal monitoring scrapes the backend on the docker network, not through Caddy.
|
||||||
- Production and staging cohabit on the same host via docker compose project names: `archiv-production` (ports 8080/3000) and `archiv-staging` (ports 8081/3001).
|
- Production and staging cohabit on the same host via docker compose project names: `archiv-production` (ports 8080/3000) and `archiv-staging` (ports 8081/3001).
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user