Caddyfile
# ------------------------------------------------------------------------------
# Neo.mjs Agent OS — reference ingress (Sub C #11724, Epic #11720).
# ------------------------------------------------------------------------------
# Caddy reverse proxy for the cloud Agent OS deployment: TLS termination, public
# path routing to the Knowledge Base / Memory Core MCP servers, and identity-
# header spoofing defense.
#
# Wired into ai/deploy/docker-compose.yml as the `ingress` profile service:
#     docker compose --profile cloud --profile ingress up
#
# Copy-paste-runnable as-is: NEO_DEPLOY_HOSTNAME defaults to localhost, giving
# `tls internal` a concrete identifier for self-signed certificate issuance. For
# production, set NEO_DEPLOY_HOSTNAME to your real hostname — Caddy then
# auto-provisions a publicly-trusted certificate — or mount certs and swap
# `tls internal` for `tls /cert.pem /key.pem`.
#
# Security threat model: the MCP servers run with trustProxyIdentity, trusting the
# X-PREFERRED-USERNAME header for authorization. Any client-supplied value for that
# header MUST be stripped before a trusted auth layer injects its own — see
# learn/agentos/SharedDeployment.md#authentication.
#
# The request-handling directives are wrapped in a `route` block so Caddy honors
# their written order: header-stripping MUST run before the (optional) auth layer,
# but Caddy's default directive order would otherwise sort `forward_auth` ahead of
# `request_header`. `route` pins literal order — see ai/mcp/deploy/proxy/Caddyfile.
# ------------------------------------------------------------------------------
{$NEO_DEPLOY_HOSTNAME:localhost}:443 {
    tls internal

    route {
        # 1. SECURITY — strip client-supplied identity headers before anything trusts them.
        request_header -X-Preferred-Username
        request_header -X-Auth-Request-Preferred-Username

        # 2. OPTIONAL auth layer. Uncomment and provision an oauth2-proxy (operator-owned
        #    OIDC) for enforced identity. Without it the stack still stands up, but identity
        #    is unenforced — reference/demo posture only; never run multi-tenant unauthed.
        # forward_auth oauth2-proxy:4180 {
        #     uri /oauth2/auth
        #     copy_headers X-Auth-Request-Preferred-Username
        # }

        # 3. Knowledge Base MCP server — compose service DNS, internal port 3000.
        #    With the optional auth layer enabled, inject the trusted identity header
        #    inside this block, e.g.:
        #    `header_up X-Preferred-Username {http.request.header.X-Auth-Request-Preferred-Username}`
        handle_path /kb/* {
            reverse_proxy kb-server:3000
        }

        # 4. Memory Core MCP server — compose service DNS, internal port 3001.
        handle_path /mc/* {
            reverse_proxy mc-server:3001
        }
    }
}
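
A static check for the ordering rule described in the header comment, as an added example that is not part of the repository: it reports a Caddyfile whose identity-header strips are missing, are not pinned by a `route` block together with `forward_auth`, or come after it. The function name, finding strings, `example.test` hostname and sample configs are constructed for illustration; the parser is line-based and treats every `#` as the start of a comment.

```python
IDENTITY_HEADERS = ("x-preferred-username", "x-auth-request-preferred-username")

def lint_caddyfile(text):
    """Return findings ([] = rules hold). Any enclosing `route` counts as pinning."""
    stack, events = [], []  # open block names; (directive, args, inside_route)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' always starts a comment
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        tokens = line.rstrip("{").split() or [""]
        events.append((tokens[0], tokens[1:], "route" in stack))
        if line.endswith("{"):
            stack.append(tokens[0])
    strips = {args[0][1:].lower(): (in_route, i)
              for i, (name, args, in_route) in enumerate(events)
              if name == "request_header" and args and args[0].startswith("-")}
    auth = [(in_route, i) for i, (name, _, in_route) in enumerate(events)
            if name == "forward_auth"]
    findings = []
    for header in IDENTITY_HEADERS:
        if header not in strips:
            findings.append(f"{header}: never stripped")
        elif auth:
            (s_route, s_idx), (a_route, a_idx) = strips[header], auth[0]
            if not (s_route and a_route):
                # Per the page: default directive order runs forward_auth first.
                findings.append(f"{header}: order not pinned by route")
            elif s_idx > a_idx:
                findings.append(f"{header}: stripped after forward_auth")
    return findings

# Constructed samples modelled on the page's config with the auth layer enabled.
STRIP = ("request_header -X-Preferred-Username\n"
         "request_header -X-Auth-Request-Preferred-Username\n")
AUTH = ("forward_auth oauth2-proxy:4180 {\n"
        "    uri /oauth2/auth\n"
        "    copy_headers X-Auth-Request-Preferred-Username\n"
        "}\n")
PROXY = "handle_path /kb/* {\n    reverse_proxy kb-server:3000\n}\n"
SITE = "example.test:443 {\n%s}\n"
PINNED = SITE % ("route {\n" + STRIP + AUTH + PROXY + "}\n")
UNPINNED = SITE % (STRIP + AUTH + PROXY)
REVERSED = SITE % ("route {\n" + AUTH + STRIP + PROXY + "}\n")

if __name__ == "__main__":
    print(lint_caddyfile(PINNED), lint_caddyfile(UNPINNED), lint_caddyfile(REVERSED))
```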