Add caddy and authentik sso documentation #1415
Merge latest Changes from Upstream
…ntik-sso-documentation
Walkthrough
The PR adds comprehensive documentation and a visual diagram for Caddy and Authentik Outpost reverse proxy integration. It includes setup prerequisites, environment file schemas, service configurations, firewall considerations, and deployment instructions with troubleshooting guidance.
Pre-merge checks: 3 passed.
Actionable comments posted: 8
🤖 Fix all issues with AI agents
In `@docs/REVERSE_PROXY.md`:
- Around line 1336-1341: The reverse proxy target uses the bind address
"0.0.0.0" which is invalid as a connection target; update the "reverse_proxy
http://0.0.0.0:20211" entry to use a loopback address such as "127.0.0.1" or
"localhost" and, if un-commenting the IPv6 example, replace "[::1]" with the
proper loopback "[::1]" (ensure the IPv6 example remains commented or matches
the same loopback convention) so the reverse_proxy directive points to a valid
local service endpoint.
- Around line 1085-1088: The Network setting uses a personal container name
("Network=container:supermicro-ikvm-pve031-caddy") which is
environment-specific; remove this line or replace it with the correct Caddy
container reference for the pod (e.g., "Network=container:caddy") — or simply
delete the Network line if the pod/service already sets "Network=host" so
networking is defined at the pod level.
- Around line 823-828: The documented default for GRAPHQL_PORT in
REVERSE_PROXY.md is incorrect (shows GRAPHQL_PORT:-20212) and conflicts with the
.env.server example and the actual internal GraphQL server which uses 20219;
update the default value to 20219 in the env example so GRAPHQL_PORT,
BACKEND_API_URL and any references to the internal GraphQL service consistently
use 20219 (ensure the variable assignment syntax stays ${GRAPHQL_PORT:-20219}
and adjust any explanatory text if present).
- Around line 746-750: Replace the local development image reference "image:
localhost/netalertx-dev:dev-20260109-232454" with the official/public image or a
generic placeholder; for example use the official registry reference (e.g.,
ghcr.io/netalertx/netalertx:latest) or a clear placeholder like
"your-registry/netalertx:tag" so users can pull the image; update the
single-line image value in the compose example accordingly.
- Around line 948-950: Quadlet configuration currently references a local dev
image (Image=localhost/netalertx-dev:dev-20260109-232454) and uses Pull=missing;
replace the local image reference with the official published image name (e.g.,
Image=ghcr.io/netalertx/netalertx:latest or your release tag) and set Pull to a
value that ensures the official image is fetched (e.g., Pull=always or
Pull=if-not-present per your deployment policy) so the quadlet uses the official
build instead of the local dev image.
- Around line 1359-1364: Update the reverse_proxy targets to point to the
internal GraphQL host on the correct port 20219: replace the incorrect IPv6
target "reverse_proxy http://[::1]:6000" with "reverse_proxy http://[::1]:20219"
and verify the IPv4 proxy line "reverse_proxy http://0.0.0.0:20219" is the
intended GraphQL endpoint (or change it to the correct host like
http://127.0.0.1:20219 if required).
- Around line 1015-1027: The Quadlet has inconsistent GraphQL port and hostname:
update the Environment entries so GRAPHQL_PORT matches the internal port used by
the Caddy proxy (change GRAPHQL_PORT value to 20219 to match Caddyfile proxying)
and normalize BACKEND_API_URL hostname to netalertx.MYDOMAIN.TLD (replace
netalertx-fedora.MYDOMAIN.TLD with netalertx.MYDOMAIN.TLD) so examples and
configuration are consistent; verify the Caddyfile proxy target and any other
occurrences of GRAPHQL_PORT and BACKEND_API_URL to keep them synchronized.
- Around line 567-573: Replace the incorrect hostname occurrences
"authentik.MYDOMAIN.TLD" with the correct "netalertx.MYDOMAIN.TLD" in the
reverse proxy flow lines describing Web GUI, GraphQL and Authentik Outpost (the
three bullets referencing ports 80/443/20212/9443), ensuring the flow text and
examples consistently use netalertx.MYDOMAIN.TLD to match the Introduction.
🧹 Nitpick comments (2)
docs/REVERSE_PROXY.md (2)
710-712: `pull: missing` is Podman-specific syntax. Docker Compose uses `pull_policy: missing` instead of `pull: missing`. Since the documentation mentions both Docker Compose and Podman, consider noting this difference or using the Docker Compose syntax with a comment about Podman.
📝 Suggested fix
  network_mode: host
  image: docker.io/library/caddy:latest
- pull: missing
+ # Docker Compose syntax: pull_policy: missing
+ # Podman Compose syntax: pull: missing
+ pull_policy: missing
584-650: Add language specifiers to fenced code blocks. Multiple code blocks lack language specifiers, which affects syntax highlighting. Based on static analysis hints:
- Lines 584, 591, 613: use `text` or `passwd` as the fence language for passwd/group file contents
- Lines 668, 686, 697: use `bash` or `ini` for environment files
- Lines 704, 874, 888, 933, 1052: use `yaml` for Compose/Quadlet configs (or `ini` for Quadlet)
- Line 1153: use `nginx` for NGINX configuration
- Line 1279: use `caddyfile` or `text` for the Caddyfile
Files ignored due to path filters (10): docs/img/REVERSE_PROXY/authentik-application-setup-01.png, authentik-login.png, authentik-outpost-setup-01.png, authentik-outpost-setup-02.png, authentik-provider-setup-01.png, authentik-provider-setup-02.png, authentik-sidebar.png, fedora-firewall.png and reverse_proxy_flow.png (excluded by `!**/*.png`), and reverse_proxy_flow.svg (excluded by `!**/*.svg`).
Files selected for processing (2): docs/REVERSE_PROXY.md, docs/img/REVERSE_PROXY/reverse_proxy_flow.drawio
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-10-19T01:40:57.095Z
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1230
File: .devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template:1-2
Timestamp: 2025-10-19T01:40:57.095Z
Learning: In the NetAlertX repository, .devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template is an auto-generated file that is intentionally committed to source control. It cannot be regenerated automatically outside the devcontainer environment and is required for the devcontainer to start, creating a bootstrap dependency.
Applied to files:
docs/REVERSE_PROXY.md
📚 Learning: 2026-01-10T06:38:03.977Z
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1400
File: install/production-filesystem/services/start-nginx.sh:38-43
Timestamp: 2026-01-10T06:38:03.977Z
Learning: In NetAlertX, nginx and PHP may run as root (when PUID=0) to support Synology NAS systems using AUFS (Another Union File System), which cannot use Linux capabilities assigned to binaries for privilege management. This is a known limitation of AUFS on Synology platforms.
Applied to files:
docs/REVERSE_PROXY.md
📚 Learning: 2025-09-20T14:09:29.159Z
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1184
File: .devcontainer/scripts/setup.sh:103-116
Timestamp: 2025-09-20T14:09:29.159Z
Learning: In NetAlertX devcontainer setup, the netalertx user has write permissions to /var/log/nginx/ directory as it's explicitly chowned to netalertx:www-data in the Dockerfile, so setup.sh can write to nginx log files without sudo.
Applied to files:
docs/REVERSE_PROXY.md
🔇 Additional comments (3)
docs/REVERSE_PROXY.md (2)
652-654: Good security warning about unauthenticated GraphQL. This warning appropriately highlights that the GraphQL endpoint is not protected by SSO, which aligns with the PR objectives noting that GraphQL SSO authentication needs further work.
1102-1145: Comprehensive Authentik setup instructions. The step-by-step setup guide with screenshots is well-structured and should help users configure the SSO integration correctly.
docs/img/REVERSE_PROXY/reverse_proxy_flow.drawio (1)
1-202: No action needed. The SVG file `reverse_proxy_flow.svg` exists in the same directory and is correctly referenced in the documentation. The `.drawio` file serves as the source file for the exported SVG version, which is standard practice for diagram maintenance.
| - Web GUI: | ||
|
|
||
| i. Client accesses `http://authentik.MYDOMAIN.TLD:80`: default (built-in Caddy) Redirect to `https://authentik.MYDOMAIN.TLD:443` | ||
|
|
||
| ii. Client accesses `https://authentik.MYDOMAIN.TLD:443` -> reverse Proxy to internal Port 20211 (NetAlertX Web GUI / NGINX - unencrypted) | ||
| - GraphQL: Client accesses `https://authentik.MYDOMAIN.TLD:20212` -> reverse Proxy to internal Port 20219 (NetAlertX GraphQL - unencrypted) | ||
| - Authentik Outpost: Client accesses `https://authentik.MYDOMAIN.TLD:9443` -> reverse Proxy to internal Port 6000 (Authentik Outpost Proxy - unencrypted) |
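Review bot: the three bullets describe the upstreams on 20211, 20219 and 6000 as unencrypted internal ports, but nothing in the flow says they must be unreachable from other hosts; with the pod on host networking, a client that connects to 20211 or 20219 directly bypasses both Caddy's TLS and the Authentik Outpost. State here that those three ports are bound to loopback or blocked by the host firewall and that only 80/443/20212/9443 are exposed, so the firewall section later has a concrete list to enforce.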
Hostname inconsistency in flow description.
The flow description uses authentik.MYDOMAIN.TLD but the Introduction (lines 533-537) establishes that access should be via netalertx.MYDOMAIN.TLD. This appears to be a copy-paste error.
📝 Suggested fix
- Web GUI:
- i. Client accesses `http://authentik.MYDOMAIN.TLD:80`: default (built-in Caddy) Redirect to `https://authentik.MYDOMAIN.TLD:443`
+ i. Client accesses `http://netalertx.MYDOMAIN.TLD:80`: default (built-in Caddy) Redirect to `https://netalertx.MYDOMAIN.TLD:443`
- ii. Client accesses `https://authentik.MYDOMAIN.TLD:443` -> reverse Proxy to internal Port 20211 (NetAlertX Web GUI / NGINX - unencrypted)
-- GraphQL: Client accesses `https://authentik.MYDOMAIN.TLD:20212` -> reverse Proxy to internal Port 20219 (NetAlertX GraphQL - unencrypted)
-- Authentik Outpost: Client accesses `https://authentik.MYDOMAIN.TLD:9443` -> reverse Proxy to internal Port 6000 (Authentik Outpost Proxy - unencrypted)
+ ii. Client accesses `https://netalertx.MYDOMAIN.TLD:443` -> reverse Proxy to internal Port 20211 (NetAlertX Web GUI / NGINX - unencrypted)
+- GraphQL: Client accesses `https://netalertx.MYDOMAIN.TLD:20212` -> reverse Proxy to internal Port 20219 (NetAlertX GraphQL - unencrypted)
+- Authentik Outpost: Client accesses `https://netalertx.MYDOMAIN.TLD:9443` -> reverse Proxy to internal Port 6000 (Authentik Outpost Proxy - unencrypted)
|
|
||
| # Local built Image including latest Changes | ||
| image: localhost/netalertx-dev:dev-20260109-232454 | ||
|
|
||
| read_only: true # Make the container filesystem read-only |
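Review bot: `image: localhost/netalertx-dev:dev-20260109-232454` is a locally built tag that no reader can pull, so the compose example fails on the first `docker compose up` as written. When swapping in the published image, prefer a release tag or an `@sha256:` digest over `:latest`: the example already goes to the trouble of `read_only: true`, and a floating tag undoes that care by letting a moved upstream tag silently change what runs.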
Replace development image with official image reference.
The compose example references a local development image (localhost/netalertx-dev:dev-20260109-232454) that users won't have. Replace with the official image or a placeholder.
📝 Suggested fix
# Local built Image including latest Changes
- image: localhost/netalertx-dev:dev-20260109-232454
+ # Replace with the official image from Docker Hub or GitHub Container Registry
+ image: jokobsk/netalertx:latest
| PORT: ${PORT:-20211} # Application port | ||
| PORT_SSL: ${PORT_SSL:-443} | ||
| GRAPHQL_PORT: ${GRAPHQL_PORT:-20212} # GraphQL API port | ||
| ALWAYS_FRESH_INSTALL: ${ALWAYS_FRESH_INSTALL:-false} # Set to true to reset your config and database on each container start | ||
| NETALERTX_DEBUG: ${NETALERTX_DEBUG:-0} # 0=kill all services and restart if any dies. 1 keeps running dead services. | ||
| BACKEND_API_URL: ${BACKEND_API_URL-"https://netalertx.MYDOMAIN.TLD:20212"} |
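Review bot: `BACKEND_API_URL: ${BACKEND_API_URL-"https://netalertx.MYDOMAIN.TLD:20212"}` is the only entry in this block using the `-` form rather than `:-`; with `-`, a `BACKEND_API_URL=` line that is present but empty in the env file is passed through as an empty string instead of falling back to the default. Use `:-` like the lines above it, and drop the double quotes inside the braces, which Compose carries into the value literally.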
GRAPHQL_PORT default value mismatch.
The default GRAPHQL_PORT:-20212 contradicts the .env.server example (line 691) which specifies GRAPHQL_PORT=20219. The internal GraphQL server listens on 20219, while 20212 is the external Caddy port.
📝 Suggested fix
PORT: ${PORT:-20211} # Application port
PORT_SSL: ${PORT_SSL:-443}
- GRAPHQL_PORT: ${GRAPHQL_PORT:-20212} # GraphQL API port
+ GRAPHQL_PORT: ${GRAPHQL_PORT:-20219} # GraphQL API internal port
| # Local built Image including latest Changes | ||
| Image=localhost/netalertx-dev:dev-20260109-232454 | ||
| Pull=missing |
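Review bot: `Pull=missing` together with a floating tag means the image is pulled once and never refreshed, so a reader following this Quadlet keeps running whatever build was first pulled even after the tag moves. If the doc intends to track upstream releases, use `Pull=newer` with an explicit release tag; if it intends a pinned deployment, reference the image by digest and keep `Pull=missing`.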
Replace development image in Quadlet configuration.
Same issue as the Compose example—replace the local development image with the official image.
📝 Suggested fix
# Local built Image including latest Changes
-Image=localhost/netalertx-dev:dev-20260109-232454
+# Replace with the official image
+Image=docker.io/jokobsk/netalertx:latest
|
|
||
| # GraphQL API port | ||
| Environment=GRAPHQL_PORT=20212 | ||
|
|
||
| # Set to true to reset your config and database on each container start | ||
| Environment=ALWAYS_FRESH_INSTALL=false | ||
|
|
||
| # 0=kill all services and restart if any dies. 1 keeps running dead services. | ||
| Environment=NETALERTX_DEBUG=0 | ||
|
|
||
| # Set the GraphQL URL for external Access (via Caddy Reverse Proxy) | ||
| Environment=BACKEND_API_URL=https://netalertx-fedora.MYDOMAIN.TLD:20212 | ||
|
|
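Review bot: `Environment=BACKEND_API_URL=https://netalertx-fedora.MYDOMAIN.TLD:20212` is the URL the browser is sent to for GraphQL, so it has to be the exact hostname Caddy serves a certificate for on :20212; a hostname left over from the author's environment gives readers a certificate-name mismatch or a dead endpoint rather than an obvious config error. Normalise it to the hostname used in the Caddy site block.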
Port and hostname inconsistencies in Quadlet configuration.
- `GRAPHQL_PORT=20212` here contradicts line 542 which states `GRAPHQL_PORT=20219`. The Caddyfile (line 1360) proxies to port 20219, confirming that 20219 is the internal port.
- `BACKEND_API_URL` uses `netalertx-fedora.MYDOMAIN.TLD` but all other examples use `netalertx.MYDOMAIN.TLD`.
📝 Suggested fix
# GraphQL API port
-Environment=GRAPHQL_PORT=20212
+Environment=GRAPHQL_PORT=20219
# Set to true to reset your config and database on each container start
Environment=ALWAYS_FRESH_INSTALL=false
# 0=kill all services and restart if any dies. 1 keeps running dead services.
Environment=NETALERTX_DEBUG=0
# Set the GraphQL URL for external Access (via Caddy Reverse Proxy)
-Environment=BACKEND_API_URL=https://netalertx-fedora.MYDOMAIN.TLD:20212
+Environment=BACKEND_API_URL=https://netalertx.MYDOMAIN.TLD:20212
|
|
||
| # Network Configuration | ||
| Network=container:supermicro-ikvm-pve031-caddy | ||
|
|
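Review bot: `Network=container:supermicro-ikvm-pve031-caddy` joins NetAlertX to another container's network namespace; copied verbatim the unit fails to start because that container does not exist, and if it is edited to a name that does exist, the plaintext listeners on 20211 and 20219 land in that namespace too. Since the pod already runs with `Network=host`, the line should simply be removed rather than corrected.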
Environment-specific container name in network configuration.
Network=container:supermicro-ikvm-pve031-caddy appears to be a personal environment reference. For a pod-based setup, this should either be removed (since the pod already defines Network=host) or corrected to reference the Caddy container from this setup.
📝 Suggested fix
# Network Configuration
-Network=container:supermicro-ikvm-pve031-caddy
+# Network is inherited from the pod (host mode)
+# If running standalone, use: Network=host
| # IPv4 Reverse Proxy to NetAlertX Web GUI (internal unencrypted Host) | ||
| reverse_proxy http://0.0.0.0:20211 | ||
|
|
||
| # IPv6 Reverse Proxy to NetAlertX Web GUI (internal unencrypted Host) | ||
| # reverse_proxy http://[::1]:20211 | ||
| } |
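Review bot: `reverse_proxy http://0.0.0.0:20211` only appears to work because Linux treats a connect() to 0.0.0.0 as a connection to the local host; it is not a valid upstream address in general and documents the wrong intent. Use `127.0.0.1:20211`, and add a sentence that the upstream must actually be listening on loopback for this to hold (a service bound only to a LAN address would need that address here, and would then also be reachable without the proxy).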
Incorrect reverse proxy target address.
0.0.0.0 is a bind address (meaning "all interfaces"), not a valid connection target. For proxying to local services, use 127.0.0.1 or localhost.
🔧 Suggested fix
# IPv4 Reverse Proxy to NetAlertX Web GUI (internal unencrypted Host)
- reverse_proxy http://0.0.0.0:20211
+ reverse_proxy http://127.0.0.1:20211
# IPv6 Reverse Proxy to NetAlertX Web GUI (internal unencrypted Host)
  # reverse_proxy http://[::1]:20211
| # IPv4 Reverse Proxy to NetAlertX GraphQL Endpoint (internal unencrypted Host) | ||
| reverse_proxy http://0.0.0.0:20219 | ||
|
|
||
| # IPv6 Reverse Proxy to NetAlertX GraphQL Endpoint (internal unencrypted Host) | ||
| # reverse_proxy http://[::1]:6000 | ||
| } |
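Review bot: the commented fallback `# reverse_proxy http://[::1]:6000` points the GraphQL site at the Authentik Outpost port (6000 in the flow description) rather than the GraphQL listener on 20219, so a reader switching to IPv6 would silently route API calls to the outpost. Correct it to 20219, and since the doc itself notes that GraphQL is not behind SSO, say explicitly in this site block that :20212 relies on NetAlertX's own token authentication only.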
Same issue: incorrect proxy target for GraphQL endpoint.
🔧 Suggested fix
# IPv4 Reverse Proxy to NetAlertX GraphQL Endpoint (internal unencrypted Host)
- reverse_proxy http://0.0.0.0:20219
+ reverse_proxy http://127.0.0.1:20219
# IPv6 Reverse Proxy to NetAlertX GraphQL Endpoint (internal unencrypted Host)
- # reverse_proxy http://[::1]:6000
+ # reverse_proxy http://[::1]:20219
Note: The commented IPv6 line also had port 6000 instead of 20219.
Thanks a lot @luckylinux!
As Discussed in #1403 (comment)
Just added a Picture showing the Traffic Flow with Reverse Proxy and Authentik SSO.
GraphQL TLS Termination is implemented (Reverse Proxy works).
Authentik SSO Authentication ONLY works with WebUI. GraphQL SSO Authentication needs to be documented and tested and will likely require a means to disable the internal Token Authentication you currently use @jokob-sk (to avoid double Authentication).