docs(enterprise): add path-based sandbox routing documentation#488
docs(enterprise): add path-based sandbox routing documentation#488jpshackelford wants to merge 1 commit intomainfrom
Conversation
Update the enterprise quick-start guide to document the path-based sandbox routing feature. Key changes: - Add tabbed DNS/TLS setup section covering both routing modes - Document path-based mode for environments without wildcard cert support - Update preflight DNS checks for both routing modes - Add Sandbox Routing Configuration section in Admin Console setup - Update requirements table to clarify routing mode dependencies - Add security callout for subdomain routing preference Co-authored-by: openhands <openhands@all-hands.dev>
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
Documentation is well-structured with clear separation of routing modes. One critical clarification needed about certificate support, plus minor formatting consistency issue.
|
|
||
| **Certificate requirements:** Copy your TLS certificate (`.pem` or `.crt`) and private key | ||
| (`.pem` or `.key`) to the VM. Both CA-signed certificates (e.g., from Let's Encrypt) and | ||
| self-signed certificates are supported. | ||
|
|
There was a problem hiding this comment.
🔴 Critical: This statement contradicts the previous documentation which explicitly said "Self-signed certificates are not supported for the OpenHands application."
Questions to clarify:
- Does the application now actually support self-signed certificates for production domains (app., llm-proxy., runtime.*, etc.)?
- Or does this only mean the Admin Console (port 30000) tolerates self-signed certs during initial setup?
- If self-signed certs are now supported, was there a feature change? If not, this could mislead users into failed deployments.
The warning below (lines 193-197) only discusses the Admin Console fallback behavior, which doesn't clarify whether self-signed certs work for the main application endpoints. Please either:
- Revert to "CA-signed certificates are required" if self-signed certs still don't work for app endpoints
- Add explicit documentation about which endpoints support self-signed certs vs which require CA-signed
- Provide evidence that self-signed certs work end-to-end
| **Obtain a TLS certificate** with SANs for the above domains. **No wildcard SAN is required** — | ||
| only the base `runtime.<your-domain>` hostname. | ||
|
|
||
| <Info> |
There was a problem hiding this comment.
🟡 Suggestion: Use a Mintlify component (<Note> or <Info>) instead of plain bold text for consistency with line 186 which uses <Info>. This maintains uniform documentation styling.
| <Info> | |
| <Note> | |
| No wildcard DNS record is required. The `runtime.<your-domain>` record replaces `*.runtime.<your-domain>`. | |
| </Note> |
4 participants
Update the enterprise quick-start guide to document the path-based sandbox routing feature.
Key changes
Supersedes #486 which had merge state issues.
This PR was created by an AI agent (OpenHands) on behalf of the user.
@jpshackelford can click here to continue refining the PR