fix(caddy): wrap actuator block in `handle` so it takes precedence over catch-all (#512) #517

Merged

marcel merged 1 commits from fix/issue-512-caddy-actuator-block-handle into main

2026-05-11 17:15:03 +02:00

Author SHA1 Message Date

Author	SHA1	Message	Date
Marcel	2093fc0481	fix(caddy): wrap actuator block in `handle` so it takes precedence over catch-all Some checks failed CI / Unit & Component Tests (pull_request) Has been cancelled Details CI / OCR Service Tests (pull_request) Has been cancelled Details CI / Backend Unit Tests (pull_request) Has been cancelled Details CI / fail2ban Regex (pull_request) Has been cancelled Details CI / Compose Bucket Idempotency (pull_request) Has been cancelled Details CI / Unit & Component Tests (push) Has been cancelled Details CI / OCR Service Tests (push) Has been cancelled Details CI / Backend Unit Tests (push) Has been cancelled Details CI / fail2ban Regex (push) Has been cancelled Details CI / Compose Bucket Idempotency (push) Has been cancelled Details Closes #512. The previous `(block_actuator)` snippet emitted `respond @actuator 404` at the top level of each archive vhost. But each vhost also has a catch-all `handle { reverse_proxy ... }` that matches /actuator/* too. Caddy's `handle` blocks are mutually exclusive — once one matches, the request never reaches a top-level `respond`. So /actuator/health was being proxied to the backend, which 302s to /login. Wrap the actuator response in its own `handle /actuator/` block. Caddy sorts `handle` blocks by path specificity, so /actuator/ wins over the catch-all and the 404 is actually returned. Verified with `caddy validate` against the caddy:2 image. Also unblocks the nightly.yml smoke test's `/actuator/health → 404` assertion, which has been failing since the first staging deploy. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 17:12:09 +02:00

Marcel

2093fc0481

fix(caddy): wrap actuator block in handle so it takes precedence over catch-all

CI / Unit & Component Tests (pull_request) Has been cancelled

Details

CI / OCR Service Tests (pull_request) Has been cancelled

Details

CI / Backend Unit Tests (pull_request) Has been cancelled

Details

CI / fail2ban Regex (pull_request) Has been cancelled

Details

CI / Compose Bucket Idempotency (pull_request) Has been cancelled

Details

CI / Unit & Component Tests (push) Has been cancelled

Details

CI / OCR Service Tests (push) Has been cancelled

Details

CI / Backend Unit Tests (push) Has been cancelled

Details

CI / fail2ban Regex (push) Has been cancelled

Details

CI / Compose Bucket Idempotency (push) Has been cancelled

Details

Closes #512.

The previous `(block_actuator)` snippet emitted `respond @actuator 404`
at the top level of each archive vhost. But each vhost also has a
catch-all `handle { reverse_proxy ... }` that matches /actuator/*
too. Caddy's `handle` blocks are mutually exclusive — once one matches,
the request never reaches a top-level `respond`. So /actuator/health
was being proxied to the backend, which 302s to /login.

Wrap the actuator response in its own `handle /actuator/*` block.
Caddy sorts `handle` blocks by path specificity, so /actuator/* wins
over the catch-all and the 404 is actually returned.

Verified with `caddy validate` against the caddy:2 image.

Also unblocks the nightly.yml smoke test's `/actuator/health → 404`
assertion, which has been failing since the first staging deploy.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-11 17:12:09 +02:00

fix(caddy): wrap actuator block in handle so it takes precedence over catch-all (#512) #517

1 Commits

fix(caddy): wrap actuator block in `handle` so it takes precedence over catch-all (#512) #517