marcel/familienarchiv
1
0
Fork 0
Code Issues 119 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

fix(caddy): wrap actuator block in handle so it takes precedence over catch-all (#512) #517

Merged
marcel merged 1 commits from fix/issue-512-caddy-actuator-block-handle into main 2026-05-11 17:15:03 +02:00
Conversation 0 Commits 1 Files Changed 1 +10 -2
marcel commented 2026-05-11 17:12:53 +02:00
Owner
Copy Link

Summary

Closes #512.

The (block_actuator) Caddyfile snippet emitted respond @actuator 404 at the top level of each archive vhost. But each vhost also has a catch-all handle { reverse_proxy ... }. Caddy's handle blocks are mutually exclusive — once a handle matches, the request never reaches a top-level respond. The catch-all swallowed /actuator/* and proxied it to the backend, which Spring-Security'd 302 to /login.

Fix

Wrap the snippet body in handle /actuator/* { respond 404 }. Caddy sorts handle blocks by path specificity, so /actuator/* wins over the catch-all and the 404 is actually returned.

Verified locally

  • docker run --rm -v ./infra/caddy/Caddyfile:/etc/caddy/Caddyfile:ro caddy:2 caddy validate → Valid configuration

Test plan after merge

  • cd /opt/familienarchiv && git pull && systemctl reload caddy on the host
  • curl -o /dev/null -w "%{http_code}" https://staging.raddatz.cloud/actuator/health → 404 (was 302)
  • nightly.yml smoke step's /actuator/health → 404 assertion passes
  • Confirm /api/... and / routes are still proxied normally (the new handle block must not shadow anything else — /actuator/* is a strict prefix)

Notes

  • Defense-in-depth invariant from PR #499 / Nora's review (#8333) was effectively unmet on the live stack until now. Curl against staging today: HTTP 302 instead of HTTP 404. After this merge it'll be the documented behavior.

🤖 Generated with Claude Code

## Summary Closes #512. The `(block_actuator)` Caddyfile snippet emitted `respond @actuator 404` at the top level of each archive vhost. But each vhost also has a catch-all `handle { reverse_proxy ... }`. Caddy's `handle` blocks are mutually exclusive — once a `handle` matches, the request never reaches a top-level `respond`. The catch-all swallowed `/actuator/*` and proxied it to the backend, which Spring-Security'd 302 to `/login`. ## Fix Wrap the snippet body in `handle /actuator/* { respond 404 }`. Caddy sorts `handle` blocks by path specificity, so `/actuator/*` wins over the catch-all and the 404 is actually returned. ## Verified locally - [x] `docker run --rm -v ./infra/caddy/Caddyfile:/etc/caddy/Caddyfile:ro caddy:2 caddy validate` → Valid configuration ## Test plan after merge - [ ] `cd /opt/familienarchiv && git pull && systemctl reload caddy` on the host - [ ] `curl -o /dev/null -w "%{http_code}" https://staging.raddatz.cloud/actuator/health` → 404 (was 302) - [ ] `nightly.yml` smoke step's `/actuator/health → 404` assertion passes - [ ] Confirm `/api/...` and `/` routes are still proxied normally (the new `handle` block must not shadow anything else — `/actuator/*` is a strict prefix) ## Notes - Defense-in-depth invariant from PR #499 / Nora's review (#8333) was effectively unmet on the live stack until now. Curl against staging today: `HTTP 302` instead of `HTTP 404`. After this merge it'll be the documented behavior. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
marcel added 1 commit 2026-05-11 17:12:53 +02:00
fix(caddy): wrap actuator block in handle so it takes precedence over catch-all
Some checks failed
CI / Unit & Component Tests (pull_request) Has been cancelled
Details
CI / OCR Service Tests (pull_request) Has been cancelled
Details
CI / Backend Unit Tests (pull_request) Has been cancelled
Details
CI / fail2ban Regex (pull_request) Has been cancelled
Details
CI / Compose Bucket Idempotency (pull_request) Has been cancelled
Details
CI / Unit & Component Tests (push) Has been cancelled
Details
CI / OCR Service Tests (push) Has been cancelled
Details
CI / Backend Unit Tests (push) Has been cancelled
Details
CI / fail2ban Regex (push) Has been cancelled
Details
CI / Compose Bucket Idempotency (push) Has been cancelled
Details
2093fc0481 
Closes #512.

The previous `(block_actuator)` snippet emitted `respond @actuator 404`
at the top level of each archive vhost. But each vhost also has a
catch-all `handle { reverse_proxy ... }` that matches /actuator/*
too. Caddy's `handle` blocks are mutually exclusive — once one matches,
the request never reaches a top-level `respond`. So /actuator/health
was being proxied to the backend, which 302s to /login.

Wrap the actuator response in its own `handle /actuator/*` block.
Caddy sorts `handle` blocks by path specificity, so /actuator/* wins
over the catch-all and the 404 is actually returned.

Verified with `caddy validate` against the caddy:2 image.

Also unblocks the nightly.yml smoke test's `/actuator/health → 404`
assertion, which has been failing since the first staging deploy.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
marcel merged commit 9686e304c2 into main 2026-05-11 17:15:03 +02:00
marcel deleted branch fix/issue-512-caddy-actuator-block-handle 2026-05-11 17:15:04 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
P0-critical
Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.
 P1-high
Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.
 P2-medium
Noticeable improvement; doesn't block anything; schedule opportunistically.
 P3-later
Cosmetic or parking-lot work; fine to stay open indefinitely.
 audit
Read-only audit / assessment work; produces a report rather than changing code
 bug
Something isn't working
 cleanup
Removal of dead code, vague comments, naming violations, and scratch artifacts
 collaboration
We want to extend the family archive to have more collaboration tools
 conversation
descoped
We will do that later
 devops
documentation
README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs
 epic
Marker for epic-level issues that group multiple child issues
 feature
file-upload
legibility
Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction
 notification
person
phase-1: security
Security hygiene — must be done first
 phase-2: container-images
Production-ready multi-stage Docker images
 phase-3: prod-compose
Production compose overlay + Caddy reverse proxy
 phase-4: spring-prod-profile
Spring Boot production configuration profile
 phase-5: backups
Database and object storage backup strategy
 phase-6: deployment-docs
.env.example, DEPLOYMENT.md, runbook
 phase-7: monitoring
Prometheus, Loki, Grafana, Alertmanager
 refactor
Code restructuring without behaviour change
 security
test
ui
UI/UX and accessibility issues
 user
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Jens marcel
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marcel/familienarchiv#517
Delete Branch "fix/issue-512-caddy-actuator-block-handle"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?