Caddy Reverse Proxy

Caddy configuration for routing, TLS, and auth gating.

Overview

Caddy serves as the ingress layer:

  • Wildcard TLS for *.chelar.ai via Cloudflare DNS challenge
  • Per-tenant routing to container ports
  • forward_auth for gateway dashboard access
  • Admin API at :2019 for dynamic route management

Route Management

The Go API dynamically manages Caddy routes via the Admin API:

  1. Tenant provisioning — adds a route t-{id}.chelar.ai → localhost:{port}
  2. Tenant deletion — removes the route (with orphan cleanup)
  3. Port changes — updates the route when Nomad reassigns ports

Key file: api/internal/caddy/client.go
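
An added example (not the project's code from api/internal/caddy/client.go) of building the route body for step 1 and validating its inputs before anything is sent to the Admin API. The tenant ID pattern, the port bounds and the "tenant-" prefix for Caddy's @id tag are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Assumed tenant ID format. A strict allow-list keeps dots, wildcards and
// slashes out of the host matcher, so a route can only ever claim one host.
var tenantIDRe = regexp.MustCompile(`^[a-z0-9]{1,32}$`)

const adminPort = 2019 // Caddy Admin API port; never a valid tenant upstream

// RouteID returns the "@id" tag (assumed naming) that lets the route be
// addressed later, e.g. DELETE /id/<tag> on the Admin API for tenant deletion.
func RouteID(tenantID string) string { return "tenant-" + tenantID }

// BuildTenantRoute returns the JSON route t-{id}.chelar.ai -> localhost:{port}.
// Port bounds are an assumption (unprivileged ports only).
func BuildTenantRoute(tenantID string, port int) ([]byte, error) {
	if !tenantIDRe.MatchString(tenantID) {
		return nil, fmt.Errorf("invalid tenant id %q", tenantID)
	}
	if port < 1024 || port > 65535 || port == adminPort {
		return nil, fmt.Errorf("port %d not allowed as tenant upstream", port)
	}
	route := map[string]any{
		"@id":   RouteID(tenantID),
		"match": []map[string]any{{"host": []string{"t-" + tenantID + ".chelar.ai"}}},
		"handle": []map[string]any{{
			"handler":   "reverse_proxy",
			"upstreams": []map[string]string{{"dial": fmt.Sprintf("localhost:%d", port)}},
		}},
		"terminal": true,
	}
	return json.Marshal(route)
}

func main() {
	for _, id := range []string{"a1b2c3", "a.b", "*"} { // constructed sample inputs
		body, err := BuildTenantRoute(id, 8080)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(string(body))
	}
}
```

Rejecting port 2019 here means a provisioning bug or a reassigned port can never publish the Admin API under a tenant hostname.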

Auth Gating

Tenant gateway dashboards (t-{id}.chelar.ai) are protected by Caddy forward_auth:

Browser → Caddy → forward_auth → Go API /auth/verify → 200 (allow) / 401 (deny)

WebSocket traffic from messaging channels bypasses auth — it goes directly through Caddy to the container.

Configuration

The Caddyfile template is at ansible/roles/caddy/templates/Caddyfile.j2. It defines:

  • Platform routes (API, dashboard, Netdata, docs)
  • Wildcard tenant route handler
  • TLS configuration with Cloudflare DNS challenge
  • Basic auth for pre-launch protection
