The SPA computes its redirect origin as (force_ssl ? "https://" : "http://") + general.host. With host set to "https://files.${BASE_DOMAIN}" that produced "http://https://files.ulicraft.net", so every client-side redirect broke and the page never routed anywhere. Server-side this was invisible: SecureOrigin strips the scheme before the Host check, so `curl /` returned 200, the API answered, and the uptime monitor stayed green — only real browsers failed. The tell is a `POST /report?...msg=Redirecting to http://https://...` line in the log. Set host to the bare hostname and force_ssl=true (which the origin needs to build https://, and which only emits an HSTS header — it does not redirect, so it can't loop behind the plain-http nginx→caddy hop). Verified: origin is now "https://files.ulicraft.net"; login + ls still work. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
32 lines
824 B
Cheetah
32 lines
824 B
Cheetah
{
|
|
"general": {
|
|
"name": "Ulicraft Files",
|
|
"host": "files.${BASE_DOMAIN}",
|
|
"force_ssl": true,
|
|
"secret_key": "${FILES_SECRET_KEY}",
|
|
"editor": "base",
|
|
"display_hidden": false,
|
|
"upload_button": true,
|
|
"fork_button": false
|
|
},
|
|
"auth": {
|
|
"admin": "${FILES_ADMIN_PASSWORD_HASH}"
|
|
},
|
|
"middleware": {
|
|
"identity_provider": {
|
|
"type": "${FILES_IDP_TYPE}",
|
|
"params": "${FILES_IDP_PARAMS}"
|
|
},
|
|
"attribute_mapping": {
|
|
"related_backend": "files",
|
|
"params": "{\"files\":{\"type\":\"local\",\"path\":\"/data/files/\",\"password\":\"${FILES_LOCAL_SECRET}\"}}"
|
|
}
|
|
},
|
|
"connections": [
|
|
{
|
|
"label": "files",
|
|
"type": "local"
|
|
}
|
|
]
|
|
}
|