Summary
Add a managed Caddy mode for remote access to agentsview, with explicit trusted public origin support and optional client CIDR allowlists.
I already have a local implementation for this and am opening the issue first so the follow-up branch and PR can reference an issue number.
Motivation
Today, agentsview's host/origin protections work well for local-only access, but they make hostname- or proxy-based access awkward unless the user hand-configures both the app and an external reverse proxy.
A built-in managed Caddy mode makes the common setup much simpler:
- keep the agentsview backend bound to loopback only
- expose a public URL via a managed Caddy sidecar
- explicitly trust the external browser origin
- optionally restrict access to one or more client CIDRs
Proposed scope
public_url / --public-url for the external browser-facing URL- explicit trusted public origin support derived from that URL
- optional managed
caddy proxy mode
- explicit proxy bind host and public port
- repeated
allowed_subnets / --allowed-subnet CIDR allowlists
- docs/examples for direct hostname access and managed Caddy usage
Non-goals for the first pass
- automatic Caddy installation
- ACME/certificate automation
- system service management
Platform notes
The feature should be usable anywhere the caddy CLI itself is available. That includes Linux, macOS, and Windows in principle, but the first pass should keep installation/packaging of Caddy out of scope.
Summary
Add a managed Caddy mode for remote access to agentsview, with explicit trusted public origin support and optional client CIDR allowlists.
I already have a local implementation for this and am opening the issue first so the follow-up branch and PR can reference an issue number.
Motivation
Today, agentsview's host/origin protections work well for local-only access, but they make hostname- or proxy-based access awkward unless the user hand-configures both the app and an external reverse proxy.
A built-in managed Caddy mode makes the common setup much simpler:
Proposed scope
public_url/--public-urlfor the external browser-facing URLcaddyproxy modeallowed_subnets/--allowed-subnetCIDR allowlistsNon-goals for the first pass
Platform notes
The feature should be usable anywhere the
caddyCLI itself is available. That includes Linux, macOS, and Windows in principle, but the first pass should keep installation/packaging of Caddy out of scope.