
feat: support ssl on local with self signed url #2903

Open
wants to merge 6 commits into base: dev

Conversation

@liorzam liorzam (Collaborator) commented Dec 21, 2024

Summary by CodeRabbit

  • New Features

    • Introduced multiple local domains with reverse proxy settings for enhanced routing capabilities.
    • Added a new Caddy service configuration for improved local development setup.
    • Enabled Cross-Origin Resource Sharing (CORS) in the Vite configuration for the development server.
  • Chores

    • Updated Docker Compose configuration to include new volumes and network for the Caddy service.
    • Adjusted cookie handling parameters for improved security across different environments.


changeset-bot bot commented Dec 21, 2024

⚠️ No Changeset found

Latest commit: 371b73f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets


coderabbitai bot (Contributor) commented Dec 21, 2024

Walkthrough

The pull request introduces a new Caddy server configuration for local development environments. It includes a Caddyfile defining multiple local domains (myapp.local, backoffice.local, workflow.local, kyb.local, and kyc.local) with reverse proxy settings that route traffic to specific internal services on different ports of the Docker host. Additionally, a Docker Compose configuration is added to set up the Caddy service, including port exposures, volume mounts, and network settings. Changes to the Vite configuration and cookie session middleware in the main application enhance CORS handling and cookie security.

Changes

File: services/workflows-service/Caddyfile
Change: Added reverse proxy configurations for 5 local domains:
- myapp.local → port 3000
- backoffice.local → port 5137 (with root and file server enabled)
- workflow.local → port 5200
- kyb.local → port 5201
- kyc.local → port 5202

File: services/workflows-service/docker-compose.yml
Change: Added new caddy service with:
- caddy:latest image
- Ports 443 and 80 exposed
- Caddyfile mount
- New volumes caddy_data and caddy_config
- External network configuration

File: apps/backoffice-v2/vite.config.ts
Change: Added cors: true in the server configuration for Vite.

File: services/workflows-service/src/main.ts
Change: Modified cookieSession middleware configuration for httpOnly, secure, and sameSite attributes based on environment.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Caddy
    participant Service
    
    Client->>Caddy: Request to myapp.local
    Caddy->>Service: Reverse proxy to host.docker.internal:3000
    Service-->>Caddy: Response
    Caddy-->>Client: Forward response

Poem

🐰 A Caddy Rabbit's Local Delight

Domains dancing, ports so bright,
Reverse proxy with TLS might,
Local services, a docker dream,
Routing traffic with a gleam!

Hop hop hooray! 🚀


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ffb1857 and 0d52d86.

📒 Files selected for processing (1)
  • services/workflows-service/src/main.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • services/workflows-service/src/main.ts


@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 4

🧹 Nitpick comments (4)
services/workflows-service/Caddyfile (2)

13-14: Remove unnecessary empty lines.

The workflow.local block contains extra empty lines that should be removed for consistency.


1-27: Add health checks and timeouts to reverse proxy configurations.

Consider adding health checks and timeouts to make the local development environment more resilient.

Example configuration:

 myapp.local {
     reverse_proxy http://host.docker.internal:3000 {
+        health_uri /health
+        health_interval 30s
+        health_timeout 10s
+        health_status 200
+        timeout 60s
     }
     tls internal
 }
services/workflows-service/docker-compose.yml (2)

9-12: Define volume permissions explicitly.

The volume mounts should have explicit permissions defined for better security.

     volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile:ro
-      - caddy_data:/data
-      - caddy_config:/config
+      - type: bind
+        source: ./Caddyfile
+        target: /etc/caddy/Caddyfile
+        read_only: true
+      - type: volume
+        source: caddy_data
+        target: /data
+        volume:
+          nocopy: true
+      - type: volume
+        source: caddy_config
+        target: /config
+        volume:
+          nocopy: true

86-86: Add newline at end of file.

Add a newline character at the end of the file to comply with POSIX standards.

🧰 Tools
🪛 yamllint (1.35.1)

[error] 86-86: no new line character at the end of file

(new-line-at-end-of-file)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9f77bf3 and 935a373.

📒 Files selected for processing (2)
  • services/workflows-service/Caddyfile (1 hunks)
  • services/workflows-service/docker-compose.yml (2 hunks)
🧰 Additional context used
🪛 yamllint (1.35.1)
services/workflows-service/docker-compose.yml

[error] 86-86: no new line character at the end of file

(new-line-at-end-of-file)

Comment on lines +1 to +5
myapp.local {

reverse_proxy http://host.docker.internal:3000
tls internal
}
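Review bot: `tls internal` on the fourth line makes Caddy issue the certificate from its own locally generated CA, and nothing in the change gets that CA's root trusted where the browser runs; inside a container `caddy trust` cannot reach the host trust store, so the root has to be exported from the caddy_data volume (Caddy writes it to /data/caddy/pki/authorities/local/root.crt) and installed on the developer machine, which the PR should document. The upstream on line three is plain http://, so the application only learns that the client connection was TLS from the X-Forwarded-Proto header Caddy adds, and it must be configured to trust that header before any cookie is sent with the Secure flag.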
coderabbitai bot (Contributor) commented:

🛠️ Refactor suggestion

Add security headers and CORS configuration.

While the basic reverse proxy setup works, consider enhancing security by adding standard security headers and CORS configurations for local development. This will better mirror production security requirements.

Add these configurations to each domain block:

 myapp.local {
     reverse_proxy http://host.docker.internal:3000
     tls internal
+    header {
+        # Security headers
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "DENY"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        # CORS headers for local development
+        Access-Control-Allow-Origin "*"
+        Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+        Access-Control-Allow-Headers "*"
+    }
 }

Also applies to: 7-10, 12-17, 19-22, 24-27
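The suggestion above sends Access-Control-Allow-Origin "*" and Allow-Headers "*" from every Caddy site block, and the same PR turns on cors: true in the Vite dev server. Both are blanket policies, and neither works once the backoffice calls the API with the cookie-session cookie attached, because browsers refuse credentialed responses carrying a "*" origin. The block below is an added example, not code from the PR or the project: a credentialed CORS allowlist for the five local domains the Caddyfile names. The function names, the Minimal* request and response shapes and the method and header lists are this example's own assumptions.

```typescript
// Added example, not code from the PR: a credentialed CORS allowlist for the
// local domains the Caddyfile names. Function names, the Minimal* request and
// response shapes and the header lists are this example's own assumptions.

export type CorsDecision = { allowed: boolean; headers: Record<string, string> };

// Origins that may call the API with cookies attached. Exact origin match
// (scheme + host + port); no wildcards and no prefix matching.
export const LOCAL_ORIGINS: ReadonlySet<string> = new Set([
  'https://myapp.local',
  'https://backoffice.local',
  'https://workflow.local',
  'https://kyb.local',
  'https://kyc.local',
]);

const ALLOWED_METHODS = 'GET, POST, PUT, DELETE, OPTIONS';
const ALLOWED_HEADERS = 'Content-Type, Authorization';

// Decide which CORS headers a response gets for a given Origin request header.
export function corsHeadersFor(
  origin: string | undefined,
  allowlist: ReadonlySet<string> = LOCAL_ORIGINS,
): CorsDecision {
  // Same-origin and non-browser requests carry no Origin header: add nothing.
  if (origin === undefined) return { allowed: true, headers: {} };

  // Normalise through the URL parser so "https://MyApp.local/" matches while
  // "https://myapp.local.attacker.example" and the literal "null" do not.
  let normalised: string;
  try {
    normalised = new URL(origin).origin;
  } catch {
    return { allowed: false, headers: {} };
  }
  if (!allowlist.has(normalised)) return { allowed: false, headers: {} };

  return {
    allowed: true,
    headers: {
      // Echo the exact origin. "*" is refused by browsers as soon as
      // Allow-Credentials is true, and would otherwise expose the response
      // to every site the user has open.
      'Access-Control-Allow-Origin': normalised,
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Allow-Methods': ALLOWED_METHODS,
      'Access-Control-Allow-Headers': ALLOWED_HEADERS,
      // Without Vary a shared cache could hand one origin's answer to another.
      Vary: 'Origin',
    },
  };
}

// Minimal request/response shapes so the middleware runs without Express.
export type MinimalReq = { method: string; headers: Record<string, string | undefined> };
export type MinimalRes = { statusCode: number; headers: Record<string, string>; ended: boolean };

export function corsMiddleware(req: MinimalReq, res: MinimalRes, next: () => void): void {
  const decision = corsHeadersFor(req.headers['origin']);
  Object.assign(res.headers, decision.headers);
  if (req.method === 'OPTIONS') {
    // Preflight is answered here; an unlisted origin gets 403 and no handler runs.
    res.statusCode = decision.allowed ? 204 : 403;
    res.ended = true;
    return;
  }
  next();
}
```

The allowlist is an exact-origin set rather than a suffix check on ".local", because a suffix check would admit myapp.local.attacker.example, and the "null" origin that sandboxed frames and some redirects produce is rejected by the URL parser rather than special-cased. If the Caddy blocks are kept as the single place that sets headers, the same rule applies there: echo the request's Origin only when it is in the list, never "*", and add Vary: Origin.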

@@ -1,5 +1,20 @@
version: '3'
services:
caddy:
image: caddy:latest
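Review bot: `image: caddy:latest` in the last context line of this hunk is unpinned, so a `docker compose pull` can swap the proxy that terminates TLS for the whole local stack without any change appearing in the repository; pin a specific tag and ideally a digest (`caddy:<version>@sha256:<digest>`) so every developer runs the same build and upgrades arrive as deliberate commits. The `version: '3'` line at the top is obsolete under Compose v2, which ignores it and prints a warning, and can be dropped.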
coderabbitai bot (Contributor) commented:

⚠️ Potential issue

Avoid using 'latest' tag for Caddy image.

Using the latest tag can lead to unexpected behavior when the image is updated. Specify a fixed version for better reproducibility and stability.

-    image: caddy:latest
+    image: caddy:2.7.6
Comment on lines 3 to 16
caddy:
image: caddy:latest
container_name: caddy_server
ports:
- "443:443" # Expose HTTPS
- "80:80" # Expose HTTP (optional, redirects to HTTPS)
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro # Mount the Caddyfile
- caddy_data:/data # Persist Caddy data
- caddy_config:/config
extra_hosts:
- myapp.local:host-gateway
- backoffice.local:host-gateway
- host.docker.internal:host-gateway
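Review bot: the port mappings `"443:443"` and `"80:80"` bind on every host interface, so the proxy and all five upstreams behind it become reachable from the local network under a certificate that nobody outside the machine should be trusting; for a dev proxy bind to loopback, `"127.0.0.1:443:443"` and `"127.0.0.1:80:80"`. The `extra_hosts` entries only populate the container's own /etc/hosts (and list just two of the five site names), while the browser resolves myapp.local, backoffice.local, workflow.local, kyb.local and kyc.local on the host; nothing in this file adds those host entries, so that step needs documenting.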
coderabbitai bot (Contributor) commented:

🛠️ Refactor suggestion

Add restart policy and health check for Caddy service.

The Caddy service should be configured to restart automatically and include health checks for better reliability.

   caddy:
     image: caddy:latest
     container_name: caddy_server
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "caddy", "version"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     ports:
       - "443:443"
       - "80:80"

Comment on lines 83 to 86
networks:
mynetwork:
external: true
name: host
coderabbitai bot (Contributor) commented:

💡 Codebase verification

Network configuration needs to be removed

The mynetwork configuration in services/workflows-service/docker-compose.yml is unnecessary and potentially problematic:

  • None of the services in the file explicitly use this network
  • Other docker-compose files in the project don't define or use this network
  • Using the host network name is not recommended as it could conflict with Docker's built-in host network
- networks:
-   mynetwork:
-     external: true
-     name: host
🔗 Analysis chain

Clarify network configuration.

The network configuration uses an external network named 'host' which might be confusing. Consider renaming it to better reflect its purpose or add comments explaining the setup.

Let's check if this network is used by other services:

 networks:
   mynetwork:
     external: true
-    name: host
+    name: local-dev-network  # More descriptive name
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for network configuration references
rg -l 'networks:.*host' --type yaml

Length of output: 37


Script:

#!/bin/bash
# Let's try a broader search for network configurations in docker-compose files
fd docker-compose.yml --exec rg -l "networks:"

# Also search for any references to 'mynetwork'
rg -l "mynetwork"

# And search for any network configurations with 'host'
rg "network.*host" --type yaml

Length of output: 191


Script:

#!/bin/bash
# Let's examine the full docker-compose.yml to understand the network usage context
cat services/workflows-service/docker-compose.yml

# Also check if there are any other docker-compose files in the repository
fd docker-compose

Length of output: 2542


Script:

#!/bin/bash
# Let's check the other docker-compose files for network configurations
cat deploy/docker-compose-build-https.yml deploy/docker-compose-build.yml deploy/docker-compose-dev.yml services/workflows-service/docker-compose.db.yml

Length of output: 9550

🧰 Tools
🪛 yamllint (1.35.1)

[error] 86-86: no new line character at the end of file

(new-line-at-end-of-file)

@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
apps/backoffice-v2/vite.config.ts (1)

15-15: Enable or configure CORS based on environment as needed.
Currently, cors: true enables CORS unconditionally. For security best practices, consider using environment-based conditions or a whitelist for allowed origins, especially for production deployments.

services/workflows-service/src/main.ts (1)

101-103: Simplify boolean assignment.
Instead of using a ternary operator to set secure, you can directly use env.ENVIRONMENT_NAME !== 'local'. This matches the static analysis recommendation and makes the code more concise.

- secure: env.ENVIRONMENT_NAME !== 'local' ? true : false,
+ secure: env.ENVIRONMENT_NAME !== 'local',
🧰 Tools
🪛 Biome (1.9.4)

[error] 102-102: Unnecessary use of boolean literals in conditional expression.

Simplify your code by directly assigning the result without using a ternary operator.
If your goal is negation, you may use the logical NOT (!) or double NOT (!!) operator for clearer and concise code.
Check for more details about NOT operator.
Unsafe fix: Remove the conditional expression with

(lint/complexity/noUselessTernary)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 935a373 and ffb1857.

📒 Files selected for processing (4)
  • apps/backoffice-v2/vite.config.ts (1 hunks)
  • services/workflows-service/Caddyfile (1 hunks)
  • services/workflows-service/docker-compose.yml (2 hunks)
  • services/workflows-service/src/main.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • services/workflows-service/Caddyfile
🧰 Additional context used
🪛 Biome (1.9.4)
services/workflows-service/src/main.ts

[error] 102-102: Unnecessary use of boolean literals in conditional expression.

Simplify your code by directly assigning the result without using a ternary operator.
If your goal is negation, you may use the logical NOT (!) or double NOT (!!) operator for clearer and concise code.
Check for more details about NOT operator.
Unsafe fix: Remove the conditional expression with

(lint/complexity/noUselessTernary)

🔇 Additional comments (2)
services/workflows-service/docker-compose.yml (2)

4-4: Avoid using the 'latest' tag for the Caddy image.
Using caddy:latest can cause unexpected behavior when a new image version is released. Pin to a specific version for better reproducibility.


84-86: Reevaluate external network usage.
As previously noted, using an external network named host can be confusing and may conflict with Docker’s built-in host network. Consider removing or renaming this external network to avoid issues.
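The main.ts change above switches the cookie-session flags on env.ENVIRONMENT_NAME, turning Secure off for 'local' because the NestJS process behind Caddy sees plain HTTP. The block below is an added example, not code from the PR or the project: it derives the flags the same way, models how Express decides a request is secure behind a TLS-terminating proxy, and audits a Set-Cookie header against the expected options, including the case browsers silently drop (SameSite=None without Secure). The 'local' value is the one the PR compares against; the function names, the 'lax' choice for SameSite and the proxy-trust helper are assumptions.

```typescript
// Added example, not code from the PR: derive the cookie-session flags from
// ENVIRONMENT_NAME the way main.ts does and audit a Set-Cookie header against
// them. The 'local' value is the one the PR compares against; the function
// names, the 'lax' choice and the proxy-trust helper are assumptions.

export type SameSite = 'lax' | 'strict' | 'none';
export type SessionCookieOptions = { httpOnly: true; secure: boolean; sameSite: SameSite };

export function sessionCookieOptions(environmentName: string): SessionCookieOptions {
  const isLocal = environmentName === 'local';
  return {
    httpOnly: true,   // the session cookie is never readable from page script, anywhere
    secure: !isLocal, // everything but local dev sends the cookie over TLS only
    sameSite: 'lax',  // assumption: no cross-site POST ever needs the session
  };
}

// Express marks a request secure from the TLS socket, or, when 'trust proxy'
// is set, from the X-Forwarded-Proto header a terminating proxy such as Caddy
// adds. Modelled here so the behaviour can be exercised without a server.
export function requestIsSecure(
  socketEncrypted: boolean,
  xForwardedProto: string | undefined,
  trustProxy: boolean,
): boolean {
  if (socketEncrypted) return true;
  if (!trustProxy || xForwardedProto === undefined) return false;
  // A proxy chain may append values; only the first hop's scheme is the client's.
  return xForwardedProto.split(',')[0].trim().toLowerCase() === 'https';
}

export type CookieAudit = {
  name: string;
  httpOnly: boolean;
  secure: boolean;
  sameSite: SameSite | null;
  problems: string[];
};

// Parse one Set-Cookie header value and list every way it falls short of the
// expected options. Attribute names are case-insensitive (RFC 6265).
export function auditSetCookie(header: string, expected: SessionCookieOptions): CookieAudit {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let httpOnly = false;
  let secure = false;
  let sameSite: SameSite | null = null;

  for (const attr of attrs) {
    const [rawKey, rawValue] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    if (key === 'httponly') httpOnly = true;
    else if (key === 'secure') secure = true;
    else if (key === 'samesite') {
      const v = (rawValue ?? '').trim().toLowerCase();
      sameSite = v === 'lax' || v === 'strict' || v === 'none' ? v : null;
    }
  }

  const problems: string[] = [];
  if (expected.httpOnly && !httpOnly) problems.push('missing HttpOnly');
  if (expected.secure && !secure) problems.push('missing Secure');
  if (sameSite === null) problems.push('missing or invalid SameSite');
  else if (sameSite !== expected.sameSite) problems.push(`SameSite=${sameSite}, expected ${expected.sameSite}`);
  // Browsers reject SameSite=None cookies that are not also Secure.
  if (sameSite === 'none' && !secure) problems.push('SameSite=None without Secure is dropped by browsers');

  return { name, httpOnly, secure, sameSite, problems };
}
```

The practical consequence for this PR: if local ever moves to secure: true so that the dev setup matches production, the cookie-session package will throw "Cannot send secure cookie over unencrypted connection" on every request that Express does not consider secure, which behind Caddy means the app must also enable Express's trust proxy setting so req.secure follows X-Forwarded-Proto from the proxy (and only from the proxy, never from an arbitrary client).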

@codechirag123 codechirag123 added the deploy-pr label (For running PR environment) on Jan 3, 2025