feat: add https with let's encrypt for devcontainer proxy (#391)

* feat: add https with let's encrypt for devcontainer proxy

- Add Let's Encrypt certificate resolver to Traefik configuration
- Add HTTP to HTTPS redirect for all services
- Update devcontainer routers to use websecure entrypoint with TLS
- Add persistent volume for Let's Encrypt certificates
- Fix code-server startup by unsetting VSCODE_IPC_HOOK_CLI
- Update post-start.sh to show HTTPS URLs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: use per-router https redirect to preserve local domain http access

- Remove blanket HTTP→HTTPS redirect from Traefik entrypoint
- Add redirect middleware per-router for nip.io domains only
- Local domain routes (*.dev.simpleaccounts.local) remain HTTP-only
- Fixes issue where local domain routes became unreachable

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Mohsin Hashmi <mhashmi@wiser.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: 3 people

.devcontainer/docker-compose.yml

@@ -70,22 +70,46 @@ services:
     labels:
       - 'traefik.enable=true'
       - 'traefik.docker.network=dev-proxy-network'
-      # Frontend routing (port 3000)
+      # ============= HTTPS redirect middleware (for nip.io domains only) =============
+      - 'traefik.http.middlewares.${USER:-devuser}-https-redirect.redirectscheme.scheme=https'
+      - 'traefik.http.middlewares.${USER:-devuser}-https-redirect.redirectscheme.permanent=true'
+      # ============= Frontend routing (port 3000) =============
+      # HTTP router (redirects to HTTPS)
+      - 'traefik.http.routers.${USER:-devuser}-frontend-http.rule=HostRegexp(`${USER:-devuser}.{ip:[0-9-]+}.nip.io`)'
+      - 'traefik.http.routers.${USER:-devuser}-frontend-http.entrypoints=web'
+      - 'traefik.http.routers.${USER:-devuser}-frontend-http.middlewares=${USER:-devuser}-https-redirect'
+      # HTTPS router with Let's Encrypt
       - 'traefik.http.routers.${USER:-devuser}-frontend.rule=HostRegexp(`${USER:-devuser}.{ip:[0-9-]+}.nip.io`)'
-      - 'traefik.http.routers.${USER:-devuser}-frontend.entrypoints=web'
+      - 'traefik.http.routers.${USER:-devuser}-frontend.entrypoints=websecure'
+      - 'traefik.http.routers.${USER:-devuser}-frontend.tls=true'
+      - 'traefik.http.routers.${USER:-devuser}-frontend.tls.certresolver=letsencrypt'
       - 'traefik.http.routers.${USER:-devuser}-frontend.service=${USER:-devuser}-frontend'
       - 'traefik.http.services.${USER:-devuser}-frontend.loadbalancer.server.port=3000'
-      # Backend API routing (port 8080)
+      # ============= Backend API routing (port 8080) =============
+      # HTTP router (redirects to HTTPS)
+      - 'traefik.http.routers.${USER:-devuser}-api-http.rule=HostRegexp(`${USER:-devuser}-api.{ip:[0-9-]+}.nip.io`)'
+      - 'traefik.http.routers.${USER:-devuser}-api-http.entrypoints=web'
+      - 'traefik.http.routers.${USER:-devuser}-api-http.middlewares=${USER:-devuser}-https-redirect'
+      # HTTPS router with Let's Encrypt
       - 'traefik.http.routers.${USER:-devuser}-api.rule=HostRegexp(`${USER:-devuser}-api.{ip:[0-9-]+}.nip.io`)'
-      - 'traefik.http.routers.${USER:-devuser}-api.entrypoints=web'
+      - 'traefik.http.routers.${USER:-devuser}-api.entrypoints=websecure'
+      - 'traefik.http.routers.${USER:-devuser}-api.tls=true'
+      - 'traefik.http.routers.${USER:-devuser}-api.tls.certresolver=letsencrypt'
       - 'traefik.http.routers.${USER:-devuser}-api.service=${USER:-devuser}-api'
       - 'traefik.http.services.${USER:-devuser}-api.loadbalancer.server.port=8080'
-      # Code-server / Web IDE routing (port 8443)
+      # ============= Code-server / Web IDE routing (port 8443) =============
+      # HTTP router (redirects to HTTPS)
+      - 'traefik.http.routers.${USER:-devuser}-ide-http.rule=HostRegexp(`${USER:-devuser}-ide.{ip:[0-9-]+}.nip.io`)'
+      - 'traefik.http.routers.${USER:-devuser}-ide-http.entrypoints=web'
+      - 'traefik.http.routers.${USER:-devuser}-ide-http.middlewares=${USER:-devuser}-https-redirect'
+      # HTTPS router with Let's Encrypt
       - 'traefik.http.routers.${USER:-devuser}-ide.rule=HostRegexp(`${USER:-devuser}-ide.{ip:[0-9-]+}.nip.io`)'
-      - 'traefik.http.routers.${USER:-devuser}-ide.entrypoints=web'
+      - 'traefik.http.routers.${USER:-devuser}-ide.entrypoints=websecure'
+      - 'traefik.http.routers.${USER:-devuser}-ide.tls=true'
+      - 'traefik.http.routers.${USER:-devuser}-ide.tls.certresolver=letsencrypt'
       - 'traefik.http.routers.${USER:-devuser}-ide.service=${USER:-devuser}-ide'
       - 'traefik.http.services.${USER:-devuser}-ide.loadbalancer.server.port=8443'
-      # Local domain routing
+      # ============= Local domain routing (HTTP only, no redirect) =============
       - 'traefik.http.routers.${USER:-devuser}-frontend-local.rule=Host(`${USER:-devuser}.dev.simpleaccounts.local`)'
       - 'traefik.http.routers.${USER:-devuser}-frontend-local.entrypoints=web'
       - 'traefik.http.routers.${USER:-devuser}-frontend-local.service=${USER:-devuser}-frontend'

.devcontainer/post-start.sh

@@ -71,7 +71,8 @@ CONFIGEOF
 
     if ! pgrep -x "code-server" > /dev/null; then
         echo "🌐 Starting code-server (Web IDE)..."
-        nohup code-server /workspaces/SimpleAccounts-UAE > /tmp/code-server.log 2>&1 &
+        # Unset VSCODE_IPC_HOOK_CLI to prevent code-server from connecting to existing VS Code/Cursor instance
+        (unset VSCODE_IPC_HOOK_CLI; nohup code-server /workspaces/SimpleAccounts-UAE > /tmp/code-server.log 2>&1 &)
         echo "✅ Code-server started on port 8443 (password protected)"
     else
         echo "✅ Code-server already running"
@@ -170,13 +171,15 @@ echo "━━━━━━━━━━━━━━━━━━━━━━━━
 
 if [ "$TRAEFIK_ENABLED" = true ]; then
     echo ""
-    echo "🌐 Shareable URLs (via Traefik):"
+    echo "🌐 Shareable URLs (via Traefik with HTTPS):"
     echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-    echo "  Frontend: http://${DEV_USER}.${NIP_IP}.nip.io"
-    echo "  Backend:  http://${DEV_USER}-api.${NIP_IP}.nip.io"
-    echo "  Web IDE:  http://${DEV_USER}-ide.${NIP_IP}.nip.io"
+    echo "  Frontend: https://${DEV_USER}.${NIP_IP}.nip.io"
+    echo "  Backend:  https://${DEV_USER}-api.${NIP_IP}.nip.io"
+    echo "  Web IDE:  https://${DEV_USER}-ide.${NIP_IP}.nip.io"
     echo "  Dashboard: http://proxy.${NIP_IP}.nip.io:8090"
     echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+    echo "🔒 SSL certificates are automatically provisioned by Let's Encrypt"
 else
     echo ""
     echo "📡 Local Development (use port forwarding):"

.devcontainer/proxy/docker-compose.proxy.yml

@@ -40,6 +40,13 @@ services:
       # Entrypoints
       - '--entrypoints.web.address=:80'
       - '--entrypoints.websecure.address=:443'
+      # NOTE: No blanket HTTP→HTTPS redirect here to preserve local domain HTTP access
+      # HTTPS redirect is handled per-router via middleware for nip.io domains only
+      # Let's Encrypt Certificate Resolver
+      - '--certificatesresolvers.letsencrypt.acme.httpchallenge=true'
+      - '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web'
+      - '--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL:-admin@simpleaccounts.io}'
+      - '--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
       # Logs
       - '--log.level=INFO'
       - '--accesslog=true'
@@ -49,6 +56,7 @@ services:
       - '8090:8080' # Traefik dashboard
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      - letsencrypt:/letsencrypt
     networks:
       - dev-proxy-network
     labels:
@@ -66,3 +74,7 @@ networks:
   dev-proxy-network:
     name: dev-proxy-network
     driver: bridge
+
+volumes:
+  letsencrypt:
+    name: traefik-letsencrypt