48f1bfbcad
- Add HTTPSConfig model for managing HTTPS settings - Add admin routes for HTTPS configuration management - Add beautiful admin template for HTTPS configuration - Add database migration for https_config table - Add CLI utility for HTTPS management - Add setup script for automated configuration - Add Caddy configuration generator and manager - Add comprehensive documentation (3 guides) - Add HTTPS Configuration card to admin dashboard - Implement input validation and security features - Add admin-only access control with audit trail - Add real-time configuration preview - Integrate with existing Caddy reverse proxy Features: - Enable/disable HTTPS from web interface - Configure domain, hostname, IP address, port - Automatic SSL certificate management via Let's Encrypt - Real-time Caddyfile generation and reload - Full audit trail with admin username and timestamps - Support for HTTPS and HTTP fallback access points - Beautiful, mobile-responsive UI Modified files: - app/models/__init__.py (added HTTPSConfig import) - app/blueprints/admin.py (added HTTPS routes) - app/templates/admin/admin.html (added HTTPS card) - docker-compose.yml (added Caddyfile mount and admin port) New files: - app/models/https_config.py - app/blueprints/https_config.html - app/utils/caddy_manager.py - https_manager.py - setup_https.sh - migrations/add_https_config_table.py - migrations/add_email_to_https_config.py - HTTPS_STATUS.txt - Documentation files (3 markdown guides)
7.9 KiB
7.9 KiB
Caddy Dynamic Configuration Management
Overview
The HTTPS configuration system now automatically generates and manages the Caddy configuration in real-time. When an admin updates settings through the admin panel, the Caddyfile is regenerated and reloaded without requiring a full container restart.
How It Works
1. Configuration Generation
When admin saves HTTPS settings:
- Settings are saved to database (HTTPSConfig table)
CaddyConfigGeneratorcreates a new Caddyfile based on settings- Generated Caddyfile is written to disk
2. Configuration Reload
After Caddyfile is written:
- Caddy reload API is called via
docker-compose exec - Caddy validates and applies new configuration
- No downtime - live configuration update
3. Fallback Configuration
If HTTPS is disabled:
- System uses default hardcoded configuration
- Supports localhost, internal domain, and IP address
- Catch-all configuration for any other requests
Files Involved
New Files
app/utils/caddy_manager.py- CaddyConfigGenerator class with:generate_caddyfile()- Generates Caddyfile contentwrite_caddyfile()- Writes to diskreload_caddy()- Reloads via Docker
Updated Files
app/blueprints/admin.py- HTTPS config route now:- Generates new Caddyfile
- Writes to disk
- Reloads Caddy automatically
- Reports status to user
Admin Panel Workflow
Step 1: User Fills Form
Admin Panel → HTTPS Configuration
- Hostname: digiserver
- Domain: digiserver.sibiusb.harting.intra
- Email: admin@example.com
- IP: 10.76.152.164
- Port: 443
Step 2: Admin Saves Configuration
- POST /admin/https-config/update
- Settings validated and saved to database
- Caddyfile generated dynamically
- Caddy reloaded with new configuration
Step 3: User Sees Confirmation
✅ HTTPS configuration saved successfully!
✅ Caddy configuration updated successfully!
Server available at https://digiserver.sibiusb.harting.intra
Step 4: Configuration Live
- New domain/IP immediately active
- No container restart needed
- Caddy applying new routes in real-time
Generated Caddyfile Structure
When HTTPS Enabled:
{
email admin@example.com
}
(reverse_proxy_config) {
reverse_proxy digiserver-app:5000 { ... }
request_body { max_size 2GB }
header { ... }
log { ... }
}
http://localhost { import reverse_proxy_config }
http://digiserver.sibiusb.harting.intra { import reverse_proxy_config }
http://10.76.152.164 { import reverse_proxy_config }
http://* { import reverse_proxy_config }
When HTTPS Disabled:
{
email admin@localhost
}
(reverse_proxy_config) { ... }
http://localhost { import reverse_proxy_config }
http://digiserver.sibiusb.harting.intra { import reverse_proxy_config }
http://10.76.152.164 { import reverse_proxy_config }
http://* { import reverse_proxy_config }
Key Features
✅ No Restart Required
- Caddyfile changes applied without restarting containers
- Caddy reload API handles configuration hot-swap
- Zero downtime configuration updates
✅ Dynamic Configuration
- Settings in admin panel → Generated Caddyfile
- Database is source of truth
- Easy to modify in admin UI
✅ Automatic Fallbacks
- Catch-all
http://*handles any host - Always has localhost access
- Always has IP address access
✅ User Feedback
- Admin sees status of Caddy reload
- Error messages if Caddy reload fails
- Logging of all changes
✅ Safe Updates
- Caddyfile validation before reload
- Graceful error handling
- Falls back to previous config if reload fails
Error Handling
If Caddy reload fails:
- Database still has updated settings
- Old Caddyfile may still be in use
- User sees warning with status
- Admin can manually restart:
docker-compose restart caddy
Admin Panel Status Messages
Success (✅)
✅ HTTPS configuration saved successfully!
✅ Caddy configuration updated successfully!
Server available at https://domain.local
Partial Success (⚠️)
✅ HTTPS configuration saved successfully!
⚠️ Caddyfile updated but reload failed. Please restart containers.
Server available at https://domain.local
Configuration Saved, Update Failed (⚠️)
⚠️ Configuration saved but Caddy update failed: [error details]
Testing Configuration
Check Caddyfile Content
cat /srv/digiserver-v2/Caddyfile
Manually Reload Caddy
docker-compose exec caddy caddy reload --config /etc/caddy/Caddyfile
Check Caddy Status
docker-compose logs caddy --tail=20
Test Access Points
# Test all configured domains/IPs
curl http://localhost
curl http://digiserver.sibiusb.harting.intra
curl http://10.76.152.164
Configuration Database
Settings stored in https_config table:
https_enabled: boolean
hostname: string
domain: string
ip_address: string
email: string
port: integer
updated_at: datetime
updated_by: string
When admin updates form → Database updated → Caddyfile regenerated → Caddy reloaded
Workflow Diagram
┌─────────────────────┐
│ Admin Panel Form │
│ (HTTPS Config) │
└──────────┬──────────┘
│ Submit
↓
┌─────────────────────┐
│ Validate Input │
└──────────┬──────────┘
│ Valid
↓
┌─────────────────────┐
│ Save to Database │
│ (HTTPSConfig) │
└──────────┬──────────┘
│ Saved
↓
┌─────────────────────┐
│ Generate Caddyfile │
│ (CaddyConfigGen) │
└──────────┬──────────┘
│ Generated
↓
┌─────────────────────┐
│ Write to Disk │
│ (/Caddyfile) │
└──────────┬──────────┘
│ Written
↓
┌─────────────────────┐
│ Reload Caddy │
│ (Docker exec) │
└──────────┬──────────┘
│ Reloaded
↓
┌─────────────────────┐
│ Show Status to │
│ Admin (Success) │
└─────────────────────┘
Implementation Details
CaddyConfigGenerator Class
generate_caddyfile(config)
- Takes HTTPSConfig from database
- Generates complete Caddyfile content
- Uses shared reverse proxy configuration template
- Returns full Caddyfile as string
write_caddyfile(content, path)
- Writes generated content to disk
- Path defaults to /srv/digiserver-v2/Caddyfile
- Returns True on success, False on error
reload_caddy()
- Runs:
docker-compose exec -T caddy caddy reload - Validates config and applies live
- Returns True on success, False on error
Advantages Over Manual Configuration
| Manual | Dynamic |
|---|---|
| Edit Caddyfile manually | Change via admin panel |
| Restart container | No restart needed |
| Risk of syntax errors | Validated generation |
| No audit trail | Logged with username |
| Each change is manual | One-time setup |
Future Enhancements
Potential improvements:
- Configuration history/backup
- Rollback to previous config
- Health check after reload
- Automatic backup before update
- Configuration templates
- Multi-domain support
Support
For issues:
- Check admin panel messages for Caddy reload status
- Review logs:
docker-compose logs caddy - Check Caddyfile:
cat /srv/digiserver-v2/Caddyfile - Manual reload:
docker-compose exec caddy caddy reload --config /etc/caddy/Caddyfile - Full restart:
docker-compose restart caddy