Skip to content

Caddy reverse-proxy configuration

Source-of-truth for the Caddyfiles running on the two reverse proxies in the estate.

Files

File Host Status
E1.Caddyfile E1 — EIDOSDev1 Caddy proxy VPS (140.238.97.163) in Git as of 2026-05-08
O1.Caddyfile O1 — ORA448Global all-in-one VPS (140.238.90.91) ⏳ still on host only — capture under RM-007

This directory closes part of KI-001 — the highest-priority known issue, and the root cause of the April 2026 outage when the host was rebuilt during scheduled OCI maintenance and the Caddyfile didn't survive.

Rebuild path after host loss

If E1 (or eventually O1) needs to be rebuilt from scratch:

  1. Provision a fresh OCI compute instance (Ampere A1, Always Free, same compartment).
  2. Install Caddy: sudo apt update && sudo apt install -y caddy
  3. Replace the default Caddyfile with the one from this directory: 
    cd /tmp
git clone --depth=1 https://<creds>@git.projecteidos.com/internal/engineering.git
sudo cp engineering/infra/caddy/E1.Caddyfile /etc/caddy/Caddyfile
sudo caddy validate --config /etc/caddy/Caddyfile
sudo systemctl restart caddy
  4. Caddy will request fresh Let's Encrypt certs for every site block on first request.
  5. Watch the journal for any cert-issuance issues: 
    sudo journalctl -u caddy -f

See also: RB-001 — the runbook for "Caddy is down".

Updating the Caddyfile

The Caddyfile in Git is the canonical version. To change Caddy config:

  1. Edit the file in this repo, push, get review (merge request).
  2. SSH to E1, pull the change, replace /etc/caddy/Caddyfile.
  3. sudo caddy validate then sudo systemctl reload caddy.

(Until automated deploy is set up, this is manual. A future improvement is a small CI job on this repo that SSHes to E1 on a successful merge to main and applies the new Caddyfile.)

Layout notes

E1 currently fronts:

  • Pure redirects (8 entries): fourway.tneconnect.app → APEX2 ADB; eidos-global.tneconnect.app → EIDOSDev ADB; workforce.*, oci., fourway.apex., fourway.workforce. → assorted ADB / Oracle Cloud sign-in pages.
  • Multi-host plain reverse_proxy to E2 Dokploy (10 entries — one block, comma-separated host list): bot., git., platform., crm.eidos-global.com, crm.tneconnect.app, in.crm.eidos-global.com, comingsoon.tneconnect.app, test.tneconnect.app, docs.eidos-global.com. These all expect HTTPS / TLS to be disabled in Dokploy for the corresponding apps — Caddy on E1 is the TLS terminator. If a Dokploy app for one of these is created with Force-HTTPS / Let's Encrypt enabled, Traefik on E2 will redirect-loop with E1 Caddy.
  • APEX vanity URLs with full header rewrites and path whitelisting (5 entries): apex-ur., parallax., parallax-dev., apex1., apex2.. These proxy directly to the relevant ADB ORDS endpoints with detailed Host / Origin / Referer rewriting so Oracle's APEX session handling works under the vanity domain.

The pattern is established: any new subdomain you add follows one of these three styles.

Known concerns surfaced by this capture

  • The apex1.projecteidos.com block has its X-Forwarded-Host / X-Real-IP / X-Forwarded-Proto headers commented out where the others have them active. Inconsistency worth investigating — likely a workaround for an older issue. If the block works in production today, no action needed.
  • The Parallax / Parallax-Dev path-whitelisting blocks have inline comments suggesting "update APP Alias and ID along with workspace name" / "update base ADB url" — a sign that the file has been hand-edited per environment in the past. Future improvement: parameterise these via env vars or a Caddy import to reduce the chance of a typo when promoting changes.