The outpost upstream was being passed directly to Caddy's dial field with the
full URL (http://host:port), but Caddy expects just host:port. This was causing
DNS lookup errors with a leading slash (/authentik.bologna.local.fuo.fi).
Now properly parses the URL to extract just the hostname and port.

The outpost route now preserves the original request host (e.g., email.fuo.fi)
instead of changing it to the upstream host. This allows Authentik to properly
construct redirect URLs after processing authentication callbacks.

- Replace AbortSignal.timeout() with AbortController for better compatibility
- Add detailed error logging to diagnose connection failures
- Improve health status logging (only warn once when becoming unhealthy)
- Add logging when Caddy recovers from unhealthy state
- Add current state to initialization log for debugging

This fixes the monitoring service continuously reporting failures and improves
restart detection after OOM crashes or container restarts.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Implemented health monitoring service that detects Caddy restarts/crashes
- Automatically reapplies configuration when Caddy restarts
- Added metrics settings UI for enabling Prometheus/Grafana monitoring
- Caddy metrics exposed on separate port (default: 9090) via reverse proxy
- Admin API (port 2019) kept internal-only for security
- Updated docker-compose.yml with metrics port documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Implemented health monitoring service that detects Caddy restarts/crashes
- Automatically reapplies configuration when Caddy restarts
- Added metrics settings UI for enabling Prometheus/Grafana monitoring
- Caddy metrics available at /metrics endpoint (configurable port/path)
- Updated docker-compose.yml with metrics port documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

When editing a proxy host with certificate_id set to null (auto), the
dropdown would not show "Managed by Caddy (Auto)" as selected and it
would revert to another certificate. There were two issues:

1. Form submission: Empty string from dropdown was treated as falsy,
   returning undefined instead of null (means "don't change")
2. Database update: The ?? operator treated null as falsy and fell back
   to existing value instead of saving null

Changes:

- app/(dashboard)/proxy-hosts/actions.ts: Check formData.has() and
  explicitly convert empty string to null for auto mode
- src/lib/models/proxy-hosts.ts: Use !== undefined instead of ?? to
  allow null values to be saved
- app/(dashboard)/proxy-hosts/ProxyHostsClient.tsx: Add Certificate
  column to table showing "Managed by Caddy (Auto)" for auto certs

Applied same fixes to access_list_id for consistency.

Now when users select "Managed by Caddy (Auto)", it correctly sets
certificate_id to null, displays properly on subsequent edits, and
shows in the table view.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

When editing a proxy host with certificate_id set to null (auto), the
dropdown would not show "Managed by Caddy (Auto)" as selected. The issue
was that empty string from the dropdown was treated as falsy, returning
undefined instead of null, which means "don't change" in the update logic.

Changes:

- Check if certificate_id field exists with formData.has()
- Explicitly convert empty string to null for auto mode
- Apply same fix to access_list_id for consistency

Now when users select "Managed by Caddy (Auto)", it correctly sets
certificate_id to null and displays properly on subsequent edits.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

The forward_auth directive only exists in Caddyfile syntax, not JSON config.
This fix converts Authentik authentication to use the underlying reverse_proxy
handler with proper configuration:

- Replace forward_auth handler with reverse_proxy
- Convert "private_ranges" keyword to actual CIDR blocks for JSON config
- Parse upstream URL to extract host:port for dial field (removing http://)
- Add handle_response block to copy Authentik headers on 2xx status
- Preserve X-Forwarded-Method and X-Forwarded-Uri headers

Fixes error: "unknown module: http.handlers.forward_auth"
Fixes error: "invalid IP address: 'private_ranges'"
Fixes error: "lookup /hostname: no such host" (dial with URL scheme)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
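
The conversions listed in the commit message above (and the dial fix in the first message on this page), sketched as an added example that is not code from this repository: it builds a Caddy JSON `reverse_proxy` handler with a `host:port` dial, literal CIDR blocks in place of `private_ranges`, and header copying gated on a 2xx response. The function names, port 9000, the extra proxy address and the `X-Authentik-Username` header are assumptions for illustration, and only the fields the message names are included.

```typescript
// Added example, not the project's code. All function names are hypothetical.
const PRIVATE_RANGES = [ // the blocks Caddyfile's "private_ranges" keyword stands for
  "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.1/8", "fd00::/8", "::1",
];

// Turn "http://host:port/path" (or a bare "host:port") into Caddy's dial form.
function toDial(upstream: string): string {
  const raw = upstream.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw);
  const url = new URL(hasScheme ? raw : `http://${raw}`);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported upstream scheme: ${url.protocol}`);
  }
  // WHATWG URL drops a default port, so restore it; IPv6 hosts keep their brackets.
  const port = url.port || (url.protocol === "https:" ? "443" : "80");
  return `${url.hostname}:${port}`;
}

// Replace the Caddyfile-only keyword with literal CIDR blocks for JSON config.
function expandTrustedProxies(values: string[]): string[] {
  const out: string[] = [];
  for (const v of values) {
    if (v === "private_ranges") out.push(...PRIVATE_RANGES);
    else out.push(v);
  }
  return out;
}

// Build the JSON reverse_proxy handler that stands in for forward_auth.
function buildAuthHandler(upstream: string, trusted: string[], copyHeaders: string[]) {
  const copied: Record<string, string[]> = {};
  for (const h of copyHeaders) copied[h] = [`{http.reverse_proxy.header.${h}}`];
  return {
    handler: "reverse_proxy",
    upstreams: [{ dial: toDial(upstream) }],
    trusted_proxies: expandTrustedProxies(trusted),
    headers: { request: { set: {
      "X-Forwarded-Method": ["{http.request.method}"],
      "X-Forwarded-Uri": ["{http.request.uri}"],
    } } },
    // Copy identity headers onto the original request only when the outpost answers 2xx.
    handle_response: [{
      match: { status_code: [2] },
      routes: [{ handle: [{ handler: "headers", request: { set: copied } }] }],
    }],
  };
}
```

Restricting the header copy to the 2xx match is what keeps identity headers from being set on requests the outpost rejected.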