[codex] Add Caddy agent ingress allowlist#34
Draft
wingsrabbit wants to merge 2 commits into
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
nodes.agent_allowed_cidrsas the configured agent ingress allowlist, with IPv4/IPv6 IP/CIDR validation and normalization.127.0.0.1:18080; Caddy now owns public 80/443/8080 and protects 8080 with aremote_ipallowlist.public_ipdoes not match.Security Semantics
agent_allowed_cidrs; a request from node A's IP using node B's token is rejected with 403.Migration
nodes.agent_allowed_cidrscolumn.db.init_db(), nodes with an empty allowlist inherit their existingpublic_ipas/32or/128when valid.public_ipremain blank and must be filled by an admin before they can pass the 8080 allowlist.public_ipremains an observation from the latest report; it is no longer used as ingress configuration.Compatibility
deploy/update.shnow also copiessupervisord.confandentrypoint.shso existing containers switch to the internal gunicorn + Caddy 8080 model during standard update.nc-centerwithdocker execbecause 18080 is container-internal.manage.py create-nodenow hot-reloads Caddy with the candidate allowlist before writing the node.Validation
python3 -m unittest discover -s backend -p 'test_*.py'passed: 10 tests.\n-python3 -m compileall backend agentpassed.\n-npm run buildinfrontend/passed; Vite reported the existing large chunk warning.\n- Generated Caddyfile sample includes:8080,remote_ip, guardedreverse_proxy 127.0.0.1:18080, and fallbackrespond 403.\n- Local machine does not havecaddyor Docker installed, so realcaddy validatewas not run locally.\n\n## Rollback\n- Revert this PR and deploy the previous release.\n- If already deployed, run the standard updater after revert, or reruninstall-center.shfrom the previous release to restore the old runtime wiring.\n- Database rollback is not required for app startup: the added column is additive. If a strict schema rollback is desired, back upnc.sqlitefirst and dropnodes.agent_allowed_cidrsmanually only after reverting code.