@konard
Contributor

@konard konard commented Nov 8, 2025

Summary

This PR implements support for multiple domains with automatic HTTPS/TLS certificate generation using Traefik reverse proxy and Let's Encrypt.

Fixes #1

Changes

🚀 New Files

  1. docker-compose.prod.yml - Production Docker Compose configuration

    • Traefik v2.11 reverse proxy
    • Automatic Let's Encrypt SSL certificate generation and renewal
    • Support for 5 domains simultaneously
    • HTTP to HTTPS automatic redirects
    • Traefik dashboard with basic authentication
  2. .env.example - Environment variable template

    • Domain configuration for all 5 domains
    • Let's Encrypt email configuration
    • API keys for all LLM providers
    • Server configuration options
  3. README-deployment.md - Comprehensive deployment guide

    • Step-by-step deployment instructions
    • Configuration details and explanations
    • Troubleshooting guide
    • Maintenance procedures
    • Security best practices

🔧 Modified Files

  1. .gitignore - Updated to allow docker-compose.prod.yml while protecting sensitive data

Supported Domains

All the following domains are configured with automatic HTTPS and point to the same API Gateway service:

Domain                            DNS Provider
api.deep.assistant.run.place      Custom DNS
api-deep-assistant.mooo.com       FreeDNS (mooo.com)
api-deep-assistant.yee.pw         FreeDNS (yee.pw)
assistant.yee.pw                  FreeDNS (yee.pw)
api-deep-assistant.duckdns.org    DuckDNS

All domains resolve to: 173.212.230.201

Technical Details

Architecture

                                    ┌─────────────────────────┐
                                    │   Let's Encrypt CA      │
                                    │  (SSL Certificates)     │
                                    └───────────┬─────────────┘
                                                │ TLS Challenge
                                                ▼
                                    ┌─────────────────────────┐
Internet ──────────────────────────>│   Traefik Proxy v2.11   │
(Port 80/443)                       │  - Auto SSL Certs       │
                                    │  - HTTP → HTTPS         │
                                    │  - Dashboard            │
                                    └───────────┬─────────────┘
                                                │
                        ┌───────────────────────┼───────────────────────┐
                        │                       │                       │
                    domain1                 domain2                 domain3-5
                        │                       │                       │
                        └───────────────────────┴───────────────────────┘
                                                │
                                                ▼
                                    ┌─────────────────────────┐
                                    │   API Gateway Service   │
                                    │   (Node.js/Express)     │
                                    │   Port: 8088 (internal) │
                                    └─────────────────────────┘

Key Features

Automatic SSL Certificates

  • Let's Encrypt TLS-ALPN-01 challenge
  • Automatic certificate renewal (30 days before expiration)
  • Secure storage in ./letsencrypt/acme.json

Multiple Domain Support

  • 5 independent routers, one per domain
  • Shared backend service
  • Consistent SSL configuration across all domains

HTTP to HTTPS Redirects

  • Automatic redirects for all domains
  • Permanent redirect (301) configuration
  • No plain HTTP access

Traefik Dashboard

  • Accessible at https://traefik.api.deep.assistant.run.place
  • Basic authentication (username: admin, password: change_this_password)
  • Real-time monitoring of routes, services, and certificates

Environment-Based Configuration

  • All sensitive data in .env file (not committed to Git)
  • Easy domain management
  • Template provided in .env.example

Deployment

Quick Start

  1. Clone the repository and checkout this branch:

    git clone https://github.com/deep-assistant/api-gateway.git
    cd api-gateway
    git checkout issue-1-9255701be424
  2. Create .env file from template:

    cp .env.example .env
  3. Edit .env with your configuration:

    nano .env

    At minimum, configure:

    • LETSENCRYPT_EMAIL - Your email for Let's Encrypt notifications
    • ADMIN_FIRST - Your master token for admin operations
    • At least one LLM provider API key (e.g., OPENAI_API_KEY)
  4. Deploy the stack:

    docker-compose -f docker-compose.prod.yml up -d
  5. Verify deployment:

    docker-compose -f docker-compose.prod.yml ps
    docker-compose -f docker-compose.prod.yml logs -f
  6. Test the API:

    curl https://api.deep.assistant.run.place/v1/chat/completions \
      -H "Authorization: Bearer YOUR_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"model":"gpt-4o","messages":[{"role":"user","content":"Hello!"}]}'

For detailed deployment instructions, see README-deployment.md.

Configuration Validation

The configuration has been validated:

✓ Docker Compose YAML syntax is valid
✓ Found 2 services: api-gateway, traefik
✓ Found 5 HTTPS domain routers configured
✓ Found 5 HTTP→HTTPS redirect routers configured
✓ Found 5 TLS/SSL certificate configurations
✓ Total labels on api-gateway: 37
✓ Total labels on traefik: 9
✓ Traefik dashboard configuration validated
✓ Network configuration validated

Security Considerations

🔒 Default Security Measures:

  • Traefik dashboard requires basic authentication
  • All HTTP traffic redirected to HTTPS
  • SSL/TLS certificates from trusted CA (Let's Encrypt)
  • .env file excluded from Git

⚠️ Important: Change Default Passwords

Before production deployment, you MUST:

  1. Change the Traefik dashboard password (default: admin:change_this_password)
  2. Set a secure ADMIN_FIRST master token
  3. Configure all required API keys

See README-deployment.md for detailed security instructions.

Testing Checklist

  • YAML syntax validation passed
  • 5 domain routers configured correctly
  • HTTP to HTTPS redirects for all domains
  • SSL certificate resolver configured (Let's Encrypt)
  • Traefik dashboard configuration
  • Environment variable template created
  • Comprehensive documentation provided
  • Manual deployment test (requires actual server)
  • SSL certificate generation test (requires DNS propagation)
  • All domains accessibility test (requires deployment)

Documentation

  • 📖 Deployment Guide: README-deployment.md

    • Quick start guide
    • Detailed configuration reference
    • Troubleshooting section
    • Maintenance procedures
    • Security best practices
  • 📋 Environment Template: .env.example

    • All required variables
    • Descriptions for each setting
    • Secure defaults
  • 🏗️ Architecture: ARCHITECTURE.md

    • System architecture overview
    • Component descriptions
    • API endpoints documentation

Next Steps

After merging this PR:

  1. Deploy to production server:

    • Ensure all 5 domains are properly configured in DNS
    • Create .env file with production values
    • Run docker-compose -f docker-compose.prod.yml up -d
  2. Verify SSL certificates:

    • Wait for Let's Encrypt certificate generation (may take a few minutes)
    • Check Traefik logs: docker-compose -f docker-compose.prod.yml logs traefik | grep -i certificate
    • Verify HTTPS access for all 5 domains
  3. Security hardening:

    • Change Traefik dashboard password
    • Configure firewall rules (allow only ports 80, 443)
    • Set up monitoring and alerting
  4. Optional enhancements:

    • Add Prometheus metrics
    • Configure log aggregation
    • Set up automated backups

Related Issues


🤖 Generated with Claude Code
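
A pre-deployment check for the settings the description above says must be configured before going live, as an added example that is not part of the pull request or the repository. The script name `preflight.sh`, the 32-character minimum for `ADMIN_FIRST`, the dotenv parsing and the rule that any non-empty `*_API_KEY` counts are assumptions of this example; the variable names, the `change_this` default and the `./letsencrypt/acme.json` path come from the description.

```shell
#!/bin/sh
# Added example: pre-flight checks for the .env file and ACME store named in the PR.

# Print the value of KEY ($2) from a dotenv-style file ($1); last assignment wins.
env_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 only if the .env file is fit to deploy; each problem goes to stderr.
check_env() {
    file=$1; rc=0
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    for key in LETSENCRYPT_EMAIL ADMIN_FIRST; do
        if [ -z "$(env_value "$file" "$key")" ]; then
            echo "$key is not set" >&2; rc=1
        fi
    done
    token=$(env_value "$file" ADMIN_FIRST)
    # Assumption: 32 characters is this example's minimum for the master token.
    if [ -n "$token" ] && [ "${#token}" -lt 32 ]; then
        echo "ADMIN_FIRST is shorter than 32 characters" >&2; rc=1
    fi
    # The documented default (change_this_password) must not reach a real .env.
    if grep -v '^[[:space:]]*#' "$file" | grep -q 'change_this'; then
        echo "placeholder value containing change_this is still present" >&2; rc=1
    fi
    # Only OPENAI_API_KEY is named in the PR; any non-empty *_API_KEY counts here.
    if ! grep -Eq "^[[:space:]]*[A-Z0-9_]+_API_KEY[[:space:]]*=[[:space:]]*[\"']?[^[:space:]\"']" "$file"; then
        echo "no *_API_KEY is set" >&2; rc=1
    fi
    return "$rc"
}

# The ACME store holds certificate private keys; Traefik expects mode 600.
check_acme_perms() {
    [ -f "$1" ] || return 0   # nothing to check before the first run
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || { echo "$1 has mode $mode, expected 600" >&2; return 1; }
}

# Usage: sh preflight.sh .env ./letsencrypt/acme.json
if [ "$#" -eq 2 ]; then
    check_env "$1"; env_rc=$?
    check_acme_perms "$2"; acme_rc=$?
    exit $((env_rc | acme_rc))
fi
```

Run it before `docker-compose -f docker-compose.prod.yml up -d`; a non-zero exit status means at least one check failed.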

Adding CLAUDE.md with task information for AI processing.
This file will be removed when the task is complete.

Issue: #1
@konard konard self-assigned this Nov 8, 2025
This commit implements a production-ready Docker Compose setup with Traefik reverse proxy supporting multiple domains with automatic HTTPS/TLS certificates via Let's Encrypt.

Features:
- Support for 5 domains (all pointing to same API Gateway):
  * api.deep.assistant.run.place
  * api-deep-assistant.mooo.com
  * api-deep-assistant.yee.pw
  * assistant.yee.pw
  * api-deep-assistant.duckdns.org
- Automatic HTTPS certificate generation and renewal via Let's Encrypt
- HTTP to HTTPS redirects for all domains
- Traefik dashboard with basic authentication
- Environment-based configuration with .env file support
- Complete deployment documentation

Files added:
- docker-compose.prod.yml: Production Docker Compose configuration with Traefik
- .env.example: Template for environment variables
- README-deployment.md: Comprehensive deployment and maintenance guide

Files modified:
- .gitignore: Removed docker-compose.prod.yml and consolidated letsencrypt entries

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@konard konard changed the title [WIP] Support multiple domains Support multiple domains with Traefik and automatic HTTPS Nov 8, 2025
@konard konard marked this pull request as ready for review November 8, 2025 14:13
@konard konard mentioned this pull request Nov 8, 2025
@konard
Contributor Author

konard commented Nov 8, 2025

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Public pricing estimate: $1.386040 USD
  • Calculated by Anthropic: $1.013818 USD
  • Difference: $-0.372222 (-26.86%)
    📎 Log file uploaded as GitHub Gist (265KB)
    🔗 View complete solution draft log

The working session has now ended; feel free to review and add any feedback on the solution draft.


Development

Successfully merging this pull request may close these issues.

Support multiple domains

2 participants