docs: add reverse-proxy topology + external-TLS conventions

Capture the cert + edge-proxy conventions worked through deploying the
helexa-bench UI:

- external-tls.md — publicly-trusted certs via Let's Encrypt (certbot,
  Cloudflare DNS-01, ECDSA, /root/.certbot-internal); the external
  counterpart to internal-tls.md. Decision rule: public name → LE,
  *.internal → internal CA.
- reverse-proxies.md — names the per-site edge proxies (oolon for
  kosherinata, hanzalova.internal for the office) and what sits behind
  each, the public-vs-mesh access paths + the "public names don't
  hairpin from inside the mesh" gotcha, per-vhost cert choice, nginx
  conventions, and the bench (bench.helexa.ai + bench.internal) worked
  example.
- readme + generic.md §11 cross-reference both.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 15:50:57 +03:00
parent 200c41b4f1
commit 746c55fe94
4 changed files with 203 additions and 1 deletions


@@ -536,7 +536,7 @@ templated `step@<name>` unit. That pattern is documented separately in
**`internal-tls.md`**.
### Ingress
- Per-site nginx reverse proxy terminates all WAN inbound 443.
- Per-site nginx reverse proxy terminates all WAN inbound 443 (`oolon` for kosherinata, `hanzalova.internal` for the office). The named topology, the public-vs-mesh access paths (and the hairpin gotcha), and the per-vhost cert choice are in **`reverse-proxies.md`**; external (Let's Encrypt) cert provisioning in **`external-tls.md`**.
- Public DNS via Cloudflare, **unproxied by default** (CF's mTLS origin-pull has been unreliable). Revisit if/when that changes.
- nginx serves static frontends directly from `/var/www/<app>` and reverse-proxies API traffic to the internal host:port from `manifest.yml`.
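Review bot: the replacement bullet ends in a verbless fragment after the semicolon ("external (Let's Encrypt) cert provisioning in **`external-tls.md`**"); suggest "... are in **`reverse-proxies.md`**; external (Let's Encrypt) cert provisioning is in **`external-tls.md`**." so the two cross-references read in parallel. Since the same bullet now names `hanzalova.internal` as a proxy that terminates WAN inbound 443, it would also help to state here, in one parenthetical, the decision rule the commit message gives (public vhost name → Let's Encrypt, `*.internal` name → internal CA) rather than leaving the reader to follow the link to learn which cert a given vhost on that proxy presents.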