security: proxy /api and /healthz to backend via Next.js rewrites #327
Open
davenicoll wants to merge 1 commit into
When deployed behind a single ingress (e.g. Cloudflare Tunnel) pointing only at the frontend, browser requests to /api/* have no route to the backend. Adding Next.js rewrites lets the frontend forward these requests to the backend over the internal Docker network, so the API never needs to be exposed externally.
Summary

Adds Next.js rewrites so the frontend proxies /api/* and /healthz requests to the backend over the internal Docker network.

Why

When the frontend is the only service exposed externally (e.g. behind a Cloudflare Tunnel or a single reverse proxy on port 3000), browser requests to /api/* have no route to the backend. The current options are to expose the backend port publicly or set up a second ingress, both of which leak internal services onto the network unnecessarily.

With these rewrites the frontend forwards API traffic to http://backend:8000 inside the compose network, so the backend never needs to be reachable from outside.

Changes

frontend/next.config.ts: added rewrites() mapping /api/:path* and /healthz to the backend service.

Test plan

docker compose up --build with NEXT_PUBLIC_API_URL set to the frontend origin
/api/v1/users/me returns JSON, not the frontend HTML
/healthz proxies correctly
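
The rewrite rules described above, as an added example that is not the PR's diff or the project's code. The helper names `buildBackendRewrites` and `forwardedTo` are hypothetical, and the matcher handles only these two source patterns, not Next.js's full path matching; it exists to check that nothing outside `/api/*` and `/healthz` reaches the backend.

```typescript
// Added example. Rewrite mirrors the { source, destination } entries
// that a Next.js rewrites() function returns.
type Rewrite = { source: string; destination: string };

// Build the two rules from a backend origin, rejecting anything that is not
// a bare http(s) origin so a bad value cannot point the proxy elsewhere.
function buildBackendRewrites(backendOrigin: string): Rewrite[] {
  const url = new URL(backendOrigin); // throws on malformed input
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    throw new Error("backend origin must be scheme://host[:port] only");
  }
  return [
    { source: "/api/:path*", destination: `${url.origin}/api/:path*` },
    { source: "/healthz", destination: `${url.origin}/healthz` },
  ];
}

// Simplified matcher (assumption: only exact paths and a trailing /:path*).
// Returns the backend URL a request path is forwarded to, or null if the
// request stays on the frontend.
function forwardedTo(rules: Rewrite[], pathname: string): string | null {
  const wildcard = "/:path*";
  for (const rule of rules) {
    if (rule.source.endsWith(wildcard)) {
      const prefix = rule.source.slice(0, -wildcard.length);
      if (pathname === prefix || pathname.startsWith(prefix + "/")) {
        return rule.destination.replace(wildcard, pathname.slice(prefix.length));
      }
    } else if (pathname === rule.source) {
      return rule.destination;
    }
  }
  return null;
}

// In next.config.ts this would be wired up as:
//   async rewrites() { return buildBackendRewrites("http://backend:8000"); }
```
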