Cleaned up Caddy dev-gateway noise#28983
Conversation
WalkthroughThe Suggested reviewers
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
| Command | Status | Duration | Result |
|---|---|---|---|
nx run @tryghost/admin:build |
✅ Succeeded | 7s | View ↗ |
nx run ghost:build:assets |
✅ Succeeded | 2s | View ↗ |
nx run ghost:build:tsc |
✅ Succeeded | 6s | View ↗ |
nx run-many --target=build --projects=tag:publi... |
✅ Succeeded | 3s | View ↗ |
nx run-many -t lint -p ghost-monorepo |
✅ Succeeded | <1s | View ↗ |
💡 Verify your cache is correct by running tasks in a sandbox. Read docs ↗
☁️ Nx Cloud last updated this comment at 2026-06-30 14:40:50 UTC
no ref Removed redundant header_up X-Forwarded-Host / X-Forwarded-For directives — Caddy's reverse_proxy passes these to upstreams by default, and the explicit copies produce ~21 'Unnecessary header_up' warnings on every gateway boot. X-Real-IP is kept (not auto-set) and X-Forwarded-Proto is kept (we want HTTPS upstream even from :80 dev). Skipped access logging for /__admin-dev__* and /ghost/auth-frame/*. The admin Vite dev server fans out hundreds of per-module fetches on every page load; the auth-frame is internal. Skipping these keeps the access log readable in dev without losing visibility on real traffic.
ac3188a to
ee6c28c
Compare
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docker/dev-gateway/Caddyfile (1)
45-48: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winRestore
X-Forwarded-Proto httpsfor Analytics.Line 45 proxies Analytics traffic, but this block no longer preserves the HTTPS forwarded-proto header promised by the PR objective. Add it back to keep redirect-prevention behavior consistent with the other backend/service proxies.
Proposed fix
reverse_proxy {env.ANALYTICS_PROXY_TARGET} { header_up Host {host} header_up X-Real-IP {remote_host} + header_up X-Forwarded-Proto https }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docker/dev-gateway/Caddyfile` around lines 45 - 48, The Analytics reverse_proxy block is missing the forwarded protocol header needed for HTTPS-aware behavior. Update the reverse_proxy configuration that uses {env.ANALYTICS_PROXY_TARGET} to also set X-Forwarded-Proto to https, keeping it consistent with the other backend/service proxy blocks and preserving redirect-prevention behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@docker/dev-gateway/Caddyfile`:
- Around line 45-48: The Analytics reverse_proxy block is missing the forwarded
protocol header needed for HTTPS-aware behavior. Update the reverse_proxy
configuration that uses {env.ANALYTICS_PROXY_TARGET} to also set
X-Forwarded-Proto to https, keeping it consistent with the other backend/service
proxy blocks and preserving redirect-prevention behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: d2cce994-d563-473a-b1c0-1f0efd6eff32
📒 Files selected for processing (1)
docker/dev-gateway/Caddyfile

Summary
Two distinct sources of noise out of
pnpm dev:daemongateway logs:header_up X-Forwarded-Host/X-Forwarded-Fordirectives from everyreverse_proxyblock. Caddy'sreverse_proxypasses these to upstreams by default, so the explicit copies just produce ~21Unnecessary header_upwarnings on every gateway boot.X-Real-IP(not auto-set) andX-Forwarded-Proto https(we want HTTPS upstream from:80dev) are kept. WebSocketConnection/Upgradeupgrades and per-blockHostoverrides are kept.log_skip /__admin-dev__*andlog_skip /ghost/auth-frame/*at the site level. The admin Vite dev server fans out hundreds of per-module ESM fetches on every page load; the auth-frame is internal. Skipping these keeps the access log readable in dev without losing visibility on the real Ghost backend / API / asset traffic that's worth seeing.Test plan
pnpm dev:daemon, gateway boots with 0Unnecessary header_upwarnings (was ~21)./,/ghost/api/admin/site/,/ghost/,/sitemap.xmlstill log as expected./ghost/api/admin/site/still proxies to Ghost backend;/ghost/auth-frame/still returns 204;/__admin-dev__/still proxies to Vite.