Conversation

@gocanto gocanto (Collaborator) commented Sep 11, 2025

Summary by CodeRabbit

  • New Features

    • Internal mTLS-only endpoint added for the protected API path; public listener now blocked.
    • New CLI targets to generate mTLS certificates and validate server configuration (exposed in make help).
  • Chores

    • Read-only mount of the CA certificate into the server container.
    • Refined ignore rules for mTLS and storage folders while preserving placeholder files.
    • Consolidated Caddy make tasks and removed deprecated variables/targets.

@coderabbitai coderabbitai bot commented Sep 11, 2025

Pre-merge checks (3 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check: ✅ Passed. The title "hotfix: Block generate signature endpoint" is concise and directly reflects the primary change in the PR—restricting access to the /api/generate-signature path and moving it to an internal mTLS-only channel as shown in caddy/Caddyfile.prod and supporting changes. It is specific, focused, and clear enough for a reviewer scanning history to understand the main intent.
Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 81b258c and 2fd4f04.

📒 Files selected for processing (1)
  • metal/makefile/caddy.mk (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • metal/makefile/caddy.mk

@gocanto gocanto changed the title work on secure endpoint hotfix: Block generate signature endpoint Sep 11, 2025
@gocanto gocanto marked this pull request as ready for review September 11, 2025 03:38
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (7)
.gitignore (2)

8-11: Broaden ignore to catch files without extensions.

Patterns *.* miss files like README, index, or extension-less certs. Prefer directory-scoped ignores while keeping .gitkeep.

Apply:

-# --- [Caddy]: mtls
-caddy/mtls/*.*
-!caddy/mtls/.gitkeep
+# --- [Caddy]: mtls
+caddy/mtls/**
+!caddy/mtls/.gitkeep

19-26: Same for storage: avoid *.* to ensure all artifacts are ignored.

storage/logs/caddy/*.* and related rules can leak files without extensions.

Apply:

-storage/logs/*.*
-storage/media/*.*
-storage/logs/caddy/*.*
-storage/media/posts/*.*
-storage/media/users/*.*
+storage/logs/**
+storage/media/**
+!storage/logs/.gitkeep
+!storage/logs/caddy/.gitkeep
+!storage/media/.gitkeep
+!storage/media/posts/.gitkeep
+!storage/media/users/.gitkeep
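
Review bot: the nested re-includes in this hunk (!storage/logs/caddy/.gitkeep, !storage/media/posts/.gitkeep, !storage/media/users/.gitkeep) will not take effect, because storage/logs/** and storage/media/** also exclude the caddy/, posts/ and users/ directories themselves, and git cannot re-include a file whose parent directory is excluded. Re-include each directory before its placeholder, i.e. storage/logs/**, then !storage/logs/caddy/, then !storage/logs/caddy/.gitkeep (and the same pair for media/posts and media/users); the files inside those directories stay ignored by the ** rule. Verify with git check-ignore -v storage/logs/caddy/.gitkeep, which should print no matching exclude rule.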
metal/makefile/app.mk (1)

1-1: Stale PHONY entry for validate-caddy.

You removed/relocated the old target but .PHONY still lists validate-caddy. Either drop it or create an alias to the new target.

Apply one of:

-.PHONY: fresh destroy audit watch format run-cli validate-caddy test-all run-cli-local
+.PHONY: fresh destroy audit watch format run-cli test-all run-cli-local

or

+.PHONY: validate-caddy
+validate-caddy: caddy-validate
Makefile (1)

100-103: Helpful help entries; minor wording/consistency.

Consider consistent naming (“Caddy mTLS certificates”) and aligning with any alias validate-caddy if you add it.

Apply:

-  $(BOLD)$(GREEN)caddy-gen-cert$(NC)   : Generate the caddy's mtls certificates.
-  $(BOLD)$(GREEN)caddy-validate$(NC)   : Validates caddy's files syntax.
+  $(BOLD)$(GREEN)caddy-gen-cert$(NC)   : Generate Caddy mTLS CA (ca.key/ca.pem).
+  $(BOLD)$(GREEN)caddy-validate$(NC)   : Validate Caddyfile syntax (prod/local).
caddy/Caddyfile.prod (1)

28-33: Public listener block rule: good placement and intent.

Matcher sits before /api/* handler; 403 is returned early. Consider 404 to reduce endpoint discoverability if that matters.

Possible tweak:

-respond 403
+respond 404
metal/makefile/caddy.mk (2)

13-19: Developer ergonomics: add a Docker-based validator to avoid local Caddy dependency.

Keep the current target; add a dockerized variant to work anywhere.

Add:

.PHONY: caddy-validate-docker
caddy-validate-docker:
	docker run --rm -v "$(ROOT_PATH)/caddy:/etc/caddy" caddy:2.10.0 \
	  sh -lc 'caddy fmt --overwrite /etc/caddy/Caddyfile.prod && caddy validate --config /etc/caddy/Caddyfile.prod && caddy fmt --overwrite /etc/caddy/Caddyfile.local && caddy validate --config /etc/caddy/Caddyfile.local'

1-6: Optional: provide a client cert generator.

You require-and-verify client certs; a helper target reduces footguns (sets EKU=clientAuth, SAN, validity).

Add:

.PHONY: caddy-gen-client-cert
# Extensions are piped into openssl on stdin: make runs recipes with /bin/sh,
# where bash's <(...) process substitution is not available.
caddy-gen-client-cert:
	@[ -f $(CADDY_MTLS_DIR)/ca.key ] || (echo "Missing CA; run make caddy-gen-cert" && exit 1)
	openssl genrsa -out $(CADDY_MTLS_DIR)/client.key 2048
	openssl req -new -key $(CADDY_MTLS_DIR)/client.key -subj "/CN=oullin-mtls-client" -out $(CADDY_MTLS_DIR)/client.csr
	printf "basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:client\n" | \
	  openssl x509 -req -in $(CADDY_MTLS_DIR)/client.csr -CA $(CADDY_MTLS_DIR)/ca.pem -CAkey $(CADDY_MTLS_DIR)/ca.key -CAcreateserial \
	  -out $(CADDY_MTLS_DIR)/client.crt -days 825 -sha256 -extfile /dev/stdin
	rm -f $(CADDY_MTLS_DIR)/client.csr
	chmod 600 $(CADDY_MTLS_DIR)/client.key
	chmod 644 $(CADDY_MTLS_DIR)/client.crt
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9c43d92 and 81b258c.

📒 Files selected for processing (6)
  • .gitignore (1 hunks)
  • Makefile (2 hunks)
  • caddy/Caddyfile.prod (2 hunks)
  • docker-compose.yml (1 hunks)
  • metal/makefile/app.mk (1 hunks)
  • metal/makefile/caddy.mk (1 hunks)
🔇 Additional comments (3)
metal/makefile/app.mk (1)

58-58: No actionable change in this hunk.

Nothing to address in this specific line.

Makefile (1)

43-43: Including caddy.mk: LGTM.

Centralizing Caddy targets/vars is cleaner.

caddy/Caddyfile.prod (1)

90-112: Internal mTLS block: path stripping and TLS syntax.

  • handle_path /api/generate-signature* strips the entire matched prefix (/api/generate-signature) before proxying; if the upstream expects /generate-signature, strip only /api (use a named matcher + uri strip_prefix /api or handle /api/* with uri strip_prefix /api). (caddyserver.com)
  • TLS syntax: tls internal { client_auth { ... } } is valid in Caddy 2.10.0; use tls { issuer internal { ... } } only when you need to configure internal-CA options (e.g., custom CA name/lifetime). No mandatory rewrite of the TLS form is required just to nest client_auth. (caddyserver.com)
  • reverse_proxy: add transport timeouts (e.g., dial_timeout, response_header_timeout) to protect against slow/unresponsive upstreams. (scwy.net)

Validation step not completed here (docker not available: /bin/bash: line 3: docker: command not found). Run locally and paste output:
docker run --rm -v "$PWD/caddy:/etc/caddy" caddy:2.10.0 caddy validate --config /etc/caddy/Caddyfile.prod
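
The two mTLS points raised in the review above, that the internal listener must verify client certificates against exactly the CA it trusts (Caddy's client_auth with mode require_and_verify and trusted_ca_cert_file) and that a client certificate must carry the clientAuth EKU (the reason the suggested caddy-gen-client-cert target sets it), shown end to end as an added example. This is not code from the PR or from the oullin project: the in-memory CA stands in for caddy/mtls/ca.pem, a Go tls.Config stands in for the Caddyfile block, and the CA and certificate names are assumptions of the example. It runs a valid client and three that must be refused: no certificate, a certificate from an unrelated CA, and a certificate from the trusted CA that only carries serverAuth.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key and certificate generation are not expected to fail here
	}
	return v
}

// CA is an in-memory authority standing in for the ca.key/ca.pem pair that caddy-gen-cert
// writes to caddy/mtls; Pool is the single trust anchor the listener accepts. Nothing touches disk.
type CA struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey; Pool *x509.CertPool }

func NewCA(name string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{Cert: cert, Key: key, Pool: pool}
}

// Issue signs a leaf under c. The EKU is what a verifier of client certificates checks,
// so a leaf that only carries serverAuth is refused as a client identity.
func (c *CA) Issue(cn string, eku x509.ExtKeyUsage) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		DNSNames: []string{"internal-listener"}, // SAN the client checks on the server cert
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, c.Cert, &key.PublicKey, c.Key))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// NewMTLSServer mirrors the internal listener: a client certificate is required and verified
// against one trusted CA. The handler answers with the CN from the verified peer chain.
func NewMTLSServer(c *CA) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok:"+r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{*c.Issue("internal-listener", x509.ExtKeyUsageServerAuth)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // Caddy: client_auth mode require_and_verify
		ClientCAs:    c.Pool,                         // Caddy: trusted_ca_cert_file
	}
	srv.StartTLS()
	return srv
}

// Get sends one request, presenting clientCert when non-nil, and returns the response body.
func Get(srv *httptest.Server, roots *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: "internal-listener"}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Run returns the body seen by a valid client and the errors for three clients that must be
// refused: no certificate, an unrelated CA, and a trusted-CA certificate without clientAuth.
func Run() (string, []error) {
	trusted, rogue := NewCA("internal-mtls-ca"), NewCA("some-other-ca")
	srv := NewMTLSServer(trusted)
	defer srv.Close()
	body, _ := Get(srv, trusted.Pool, trusted.Issue("oullin-mtls-client", x509.ExtKeyUsageClientAuth))
	_, noCert := Get(srv, trusted.Pool, nil)
	_, wrongCA := Get(srv, trusted.Pool, rogue.Issue("impostor", x509.ExtKeyUsageClientAuth))
	_, wrongEKU := Get(srv, trusted.Pool, trusted.Issue("server-only", x509.ExtKeyUsageServerAuth))
	return body, []error{noCert, wrongCA, wrongEKU}
}

func main() {
	fmt.Println(Run())
}
```

Get performs a full request rather than only dialling because under TLS 1.3 the client's handshake returns before the server has checked the certificate; the refusal surfaces as an error on the first read of the response, which is also what a reverse proxy in front of the listener would see.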

@gocanto gocanto merged commit cc1ad6c into main Sep 11, 2025
2 checks passed
@gocanto gocanto deleted the hotfix/secure-generate-signature-endpoint branch September 11, 2025 04:28
This was referenced Sep 11, 2025