fix(deploy): rewrite traefik routers and add public route for sitemap to bypass gatekeeper

.gitea/workflows/deploy.yml

@@ -254,7 +254,6 @@ jobs:
       - name: 📝 Generate Environment
         shell: bash
         env:
-          TRAEFIK_RULE:     ${{ needs.prepare.outputs.traefik_rule }}
           TRAEFIK_HOST:     ${{ needs.prepare.outputs.traefik_host }}
           ENV_FILE:         ${{ needs.prepare.outputs.env_file }}
         run: |
@@ -266,8 +265,6 @@ jobs:
             AUTH_MIDDLEWARE="$STD_MW"
             COMPOSE_PROFILES=""
           else
-            # Exclude Gatekeeper from the main app router to prevent redirect loops
-            TRAEFIK_RULE="Host(\`${TRAEFIK_HOST}\`) && !PathPrefix(\`/gatekeeper\`)"
             # Order: Forward (Proto) -> Auth -> Compression
             AUTH_MIDDLEWARE="${PROJECT_NAME}-forward,${PROJECT_NAME}-auth,compress"
             COMPOSE_PROFILES="gatekeeper"
@@ -316,7 +313,6 @@ jobs:
           SENTRY_ENVIRONMENT=$TARGET
           PROJECT_NAME=$PROJECT_NAME
           ENV_FILE=$ENV_FILE
-          TRAEFIK_RULE="${TRAEFIK_RULE}"
           TRAEFIK_HOST="${TRAEFIK_HOST}"
           COMPOSE_PROFILES=$COMPOSE_PROFILES
           TRAEFIK_MIDDLEWARES=$AUTH_MIDDLEWARE

docker-compose.yaml

@@ -9,7 +9,7 @@ services:
       - ${ENV_FILE:-.env}
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.mb-grid.rule=${TRAEFIK_RULE:-Host(`${TRAEFIK_HOST:-mb-grid-solutions.localhost}`)}"
+      - "traefik.http.routers.mb-grid.rule=Host(`${TRAEFIK_HOST:-mb-grid-solutions.localhost}`)"
       - "traefik.http.routers.mb-grid.entrypoints=websecure"
       - "traefik.http.routers.mb-grid.tls.certresolver=le"
       - "traefik.http.routers.mb-grid.tls=true"
@@ -18,25 +18,18 @@ services:
       - "traefik.http.services.mb-grid-app-svc.loadbalancer.server.port=3000"
       - "traefik.http.routers.mb-grid.middlewares=${TRAEFIK_MIDDLEWARES:-mb-grid-auth,mb-grid-forward,compress}"
       - "traefik.docker.network=infra"
-      - "caddy=http://${TRAEFIK_HOST:-mb-grid-solutions.localhost}"
+
-      - "caddy.reverse_proxy={{upstreams 3000}}"
+      # Public Router – paths that bypass Gatekeeper auth
+      - "traefik.http.routers.mb-grid-public.rule=Host(`${TRAEFIK_HOST:-mb-grid-solutions.localhost}`) && PathRegexp(`^/([a-z]{2}/)?(health|login|gatekeeper|uploads|media|robots\\.txt|manifest\\.webmanifest|sitemap(-[0-9]+)?\\.xml|(.*/)?api/og(/.*)?|(.*/)?opengraph-image.*)`)"
+      - "traefik.http.routers.mb-grid-public.entrypoints=websecure"
+      - "traefik.http.routers.mb-grid-public.tls.certresolver=le"
+      - "traefik.http.routers.mb-grid-public.tls=true"
+      - "traefik.http.routers.mb-grid-public.service=mb-grid-app-svc"
+      - "traefik.http.routers.mb-grid-public.priority=2000"
 
       # Forwarded Headers (Protocol Normalization)
       - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
       - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"
-
-      # Gatekeeper Router (Path-based)
-      - "traefik.http.routers.mb-grid-gatekeeper.rule=(Host(`${TRAEFIK_HOST}`) && PathPrefix(`/gatekeeper`))"
-      - "traefik.http.routers.mb-grid-gatekeeper.entrypoints=websecure"
-      - "traefik.http.routers.mb-grid-gatekeeper.tls.certresolver=le"
-      - "traefik.http.routers.mb-grid-gatekeeper.tls=true"
-      - "traefik.http.routers.mb-grid-gatekeeper.priority=2000"
-      - "traefik.http.routers.mb-grid-gatekeeper.service=mb-grid-gatekeeper-svc"
-
-      - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-auth.forwardauth.address=http://mb-grid-gatekeeper:3000/gatekeeper/api/verify"
-      - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-auth.forwardauth.trustForwardHeader=true"
-      - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-auth.forwardauth.authRequestHeaders=X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For,Cookie"
-      - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-auth.forwardauth.authResponseHeaders=X-Auth-User"
     healthcheck:
       test: [ "CMD", "node", "-e", "fetch('http://127.0.0.1:3000/api/health').then(r => r.ok ? process.exit(0) : process.exit(1)).catch(() => process.exit(1))" ]
       interval: 10s
@@ -71,6 +64,20 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.services.mb-grid-gatekeeper-svc.loadbalancer.server.port=3000"
+
+      # Gatekeeper Verification Middleware
+      - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-auth.forwardauth.address=http://mb-grid-gatekeeper:3000/gatekeeper/api/verify"
+      - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-auth.forwardauth.authRequestHeaders=X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For,Cookie"
+      - "traefik.http.middlewares.${PROJECT_NAME:-mb-grid}-auth.forwardauth.authResponseHeaders=X-Auth-User"
+
+      # Gatekeeper Public Router (Login/Auth UI)
+      - "traefik.http.routers.mb-grid-gatekeeper.rule=(Host(`${TRAEFIK_HOST:-mb-grid-solutions.localhost}`) && PathPrefix(`/gatekeeper`))"
+      - "traefik.http.routers.mb-grid-gatekeeper.entrypoints=websecure"
+      - "traefik.http.routers.mb-grid-gatekeeper.tls.certresolver=le"
+      - "traefik.http.routers.mb-grid-gatekeeper.tls=true"
+      - "traefik.http.routers.mb-grid-gatekeeper.priority=2000"
+      - "traefik.http.routers.mb-grid-gatekeeper.service=mb-grid-gatekeeper-svc"
       - "traefik.docker.network=infra"
 
   mb-grid-db: