From fdbd1e2fee3d8444068ca2652d473360ebd70079 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 18 Jun 2026 01:27:38 +0000 Subject: [PATCH] fix(routing): unique pds alias so caddy resolves THIS stack's PDS on shared proxy The caddy sidecar uses on-demand TLS and asks http://app:3000/tls-check before issuing a cert. On a shared host every co-located stack aliases its main service 'app' on the 'proxy' overlay; caddy (on both proxy+internal) resolves bare 'app' to a FOREIGN stack's endpoint, so the tls-check connection is refused, no cert is issued, and the PDS is unreachable over HTTPS (xrpc/_health=000). Give the PDS a unique 'pds' alias on the internal network and point caddy's reverse_proxy + on_demand_tls ask at it; 'pds' exists only on internal, so it always resolves to this stack's PDS. Service name stays 'app' (no downstream breakage). --- Caddyfile | 4 ++-- compose.yml | 9 ++++++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/Caddyfile b/Caddyfile index 1a18550..6a61adb 100644 --- a/Caddyfile +++ b/Caddyfile @@ -1,6 +1,6 @@ { on_demand_tls { - ask http://app:3000/tls-check + ask http://pds:3000/tls-check } } @@ -8,5 +8,5 @@ tls { on_demand } - reverse_proxy app:3000 + reverse_proxy pds:3000 } diff --git a/compose.yml b/compose.yml index 22b2891..7ff4bad 100644 --- a/compose.yml +++ b/compose.yml @@ -5,7 +5,14 @@ services: app: image: ghcr.io/bluesky-social/pds:0.4.219 networks: - - internal + # Unique alias so the caddy sidecar resolves THIS stack's PDS, not a foreign service. On a + # shared host the default service name `app` is aliased by every co-located stack on the + # `proxy` overlay; caddy (attached to both `proxy` and `internal`) otherwise resolves bare + # `app` to another stack's endpoint, so its on-demand-TLS `ask` to the PDS is refused and the + # cert is never issued (HTTPS dead). `pds` exists only on `internal`, so it resolves correctly. + internal: + aliases: + - pds environment: - PDS_HOSTNAME=${DOMAIN} - PDS_DATA_DIRECTORY=/pds