feat(caddy): add tls internal vhosts for upstream mirror hosts

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-24 04:47:38 +02:00
parent a6c4d3be8c
commit f513f60766
2 changed files with 24 additions and 2 deletions

View File

@@ -1,5 +1,9 @@
# auto_https off would disable TLS entirely, breaking `tls internal` for the
# air-gap mirror vhosts. disable_redirects keeps the apex/auth/packwiz sites
# plaintext on :80 (they use explicit http://) while still allowing internal
# TLS on the mirror hosts below.
{
auto_https off
auto_https disable_redirects
}
http://{$BASE_DOMAIN} {
@@ -15,3 +19,13 @@ http://packwiz.{$BASE_DOMAIN} {
root * /srv/pack
file_server browse
}
# Full client air-gap mirror (see plan/11-full-airgap-mirror.md): byte-exact
# copies of the real upstream hosts served over HTTPS with Caddy's local CA.
# dnsmasq spoofs these hostnames -> our host; the {host} placeholder roots each
# hostname at its own mirror subtree. Guests import the Caddy root CA once.
meta.prismlauncher.org, piston-meta.mojang.com, piston-data.mojang.com, libraries.minecraft.net, maven.neoforged.net, resources.download.minecraft.net {
tls internal
root * /srv/mirror/{host}
file_server
}

View File

@@ -35,7 +35,7 @@ services:
restart: unless-stopped
ports:
- "80:80"
# - "443:443" # future TLS (step-ca), deferred
- "443:443" # tls internal — air-gap mirror vhosts (see 11)
environment:
BASE_DOMAIN: ${BASE_DOMAIN}
volumes:
@@ -43,11 +43,19 @@ services:
- ./www:/srv/www:ro
- ./pack:/srv/pack:ro
- ./mirror/launcher:/srv/www/launcher:ro
- ./mirror/upstream:/srv/mirror:ro # byte-exact upstream mirror (see 11)
networks:
mcnet:
aliases:
- "auth.${BASE_DOMAIN}"
- "packwiz.${BASE_DOMAIN}"
# Air-gap spoof hosts -> Caddy, so internal containers resolve them too.
- "meta.prismlauncher.org"
- "piston-meta.mojang.com"
- "piston-data.mojang.com"
- "libraries.minecraft.net"
- "maven.neoforged.net"
- "resources.download.minecraft.net"
drasl:
image: unmojang/drasl:latest