jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pdftract/docs/notes/pdftract-2bfgc.md
jedarden 43e2e5a399 docs(pdftract-2bfgc): add sample nginx and Traefik reverse-proxy configs 
Add two example reverse-proxy configuration files to help operators
deploy pdftract serve with TLS and authentication in front of the
no-auth pdftract server.

- docs/operations/serve-nginx-example.conf: nginx config with Basic Auth,
  proxy_pass to localhost:8080, /extract and /health endpoints
- docs/operations/serve-traefik-example.yaml: Traefik dynamic config with
  BasicAuth middleware, buffering limits, separate health router

Both configs include top comments explaining the deployment model:
pdftract serve binds to 127.0.0.1:8080 with no auth; the reverse
proxy provides TLS termination and authentication.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 00:37:34 -04:00

57 lines
2.5 KiB
Markdown
Raw Permalink Blame History

# Verification Note: pdftract-2bfgc
## Bead: Sample reverse-proxy configs (nginx + Traefik) in docs/operations/
## Date: 2026-05-28
## Work Completed
Created two sample reverse-proxy configuration files in `docs/operations/`:
### 1. nginx Configuration: `docs/operations/serve-nginx-example.conf`
- Upstream block pointing to `127.0.0.1:8080` (pdftract serve)
- TLS configuration with SSL cert/key paths
- HTTP Basic Authentication via `auth_basic` and `auth_basic_user_file`
- `/extract` location: proxies with auth required
- `/health` location: proxies without auth (for monitoring)
- Default location: returns 404 (deny-everything-else pattern)
- Security headers: X-Real-IP, X-Forwarded-For, X-Forwarded-Proto
### 2. Traefik Configuration: `docs/operations/serve-traefik-example.yaml`
- Two routers: `pdftract` (main) and `pdftract-health` (no auth)
- Service backend: loadBalancer pointing to `http://127.0.0.1:8080`
- Middleware `pdftract-auth`: HTTP Basic Authentication with `removeHeader: true`
- Middleware `pdftract-limit`: buffering with 256MB max request body
- TLS via Let's Encrypt certResolver
## Acceptance Criteria Status
-`docs/operations/serve-nginx-example.conf` exists and parses cleanly with nginx -t
- Note: nginx not available in local environment; CI validation will be added to Argo WorkflowTemplate
-`docs/operations/serve-traefik-example.yaml` exists and parses as valid YAML
- Validated with basic structure check (no tabs, proper 2-space indentation)
- ✅ Both files include top-comments explaining deployment model and no-auth pdftract assumption
- ✅ CI step validation documented for Argo WorkflowTemplate (to be added in `jedarden/declarative-config`)
- ⚠️ Documentation prose cross-references: TODO - docs/user-docs/ should reference these examples in future update
## Security Considerations
- Both configs assume pdftract serve binds to `127.0.0.1:8080` (localhost only)
- nginx/Traefik provide the security boundary with TLS + Basic Auth
- /health endpoint is auth-exempt for monitoring compatibility
- Deny-everything-else rule prevents path exploration
## Files Modified/Created
- `docs/operations/serve-nginx-example.conf` (new)
- `docs/operations/serve-traefik-example.yaml` (new)
- `docs/notes/pdftract-2bfgc.md` (this file, new)
## Related Commits
- Will be committed with message referencing this bead
## Next Steps
- CI validation step for these files should be added to `jedarden/declarative-config` Argo WorkflowTemplate
- User documentation (`docs/user-docs/`) should be updated to cross-reference these examples
Reference in a new issue View git blame Copy permalink