From 7c8f128eaf37f68a053c78c4d3a3873c908e849e Mon Sep 17 00:00:00 2001 From: Kelin Date: Sun, 8 Feb 2026 15:19:48 -0500 Subject: [PATCH] Update architecture diagram to show public internet routing and HTTP vs HTTPS traffic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes: - Added public internet layer showing HTTPS traffic flow - Clarified that internal network uses HTTP (no SSL/TLS) - Added traffic flow summary section - Updated 'How It Works' section to explicitly mention HTTPS externally, HTTP internally - Added 'Key Points' section explaining no double encryption The diagram now clearly shows: 1. 🌐 Public Internet → HTTPS (ports 80/443) 2. Core Server (SSL termination) 3. Internal Network → HTTP (no encryption needed) 4. Additional Servers (direct port access) --- docs/multi-server-deployment.md | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/docs/multi-server-deployment.md b/docs/multi-server-deployment.md index a23bf7e..5e546e9 100644 --- a/docs/multi-server-deployment.md +++ b/docs/multi-server-deployment.md @@ -14,6 +14,12 @@ This guide explains the **current multi-server architecture** where: ``` ┌─────────────────────────────────────────────────────────────────┐ +│ 🌐 PUBLIC INTERNET │ +│ HTTPS Traffic (Ports 80/443 forwarded from router) │ +└─────────────────────┬───────────────────────────────────────────┘ + │ + ▼ HTTPS (SSL/TLS) +┌─────────────────────────────────────────────────────────────────┐ │ CORE SERVER │ │ ┌────────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │ │ │ DuckDNS │ │ Traefik │ │ Authelia │ │ Core Services │ │ 
@@ -27,8 +33,8 @@ This guide explains the **current multi-server architecture** where: │ │ • Remote │ (YAML files)│ │ └──────────┼──────────────┼──────────────┼────────────────────────┘ │ │ │ - Ports │ HTTP/HTTPS │ │ - 80/443 │ │ │ + │ HTTP (internal network) │ + │ No SSL/TLS encryption │ ▼ ▼ ▼ ┌─────────────────────────────────────────┐ │ ADDITIONAL SERVER (e.g., Pi) │ @@ -43,6 +49,12 @@ This guide explains the **current multi-server architecture** where: (no local reverse proxy) ``` +### Traffic Flow Summary + +1. **Internet → Core**: HTTPS (ports 80/443 forwarded from router) +2. **Core → Additional**: HTTP (internal network, no encryption needed) +3. **Additional → Core**: HTTP (direct response to core Traefik) + # Deployment Process ## Step 1: Deploy Core Server 
@@ -71,21 +83,26 @@ From Dockge you can start/stop any of the stacks or containers. **No Port Forwarding Required**: - Services are accessed through core server -- Additional servers are "headless" - no external ports needed ## How It Works ### Traffic Flow -1. **User accesses** `https://sonarr.yourdomain.duckdns.org` -2. **Core Traefik** receives request: +1. **User accesses** `https://sonarr.yourdomain.duckdns.org` (HTTPS from internet) +2. **Core Traefik** receives HTTPS request: - Checks Authelia for authentication (SSO) - - Routes to additional server: `http://192.168.1.100:8989` (via YAML config) + - Routes to additional server: `http://192.168.1.100:8989` (HTTP internally) 3. **Additional server** receives direct HTTP request: - Service container receives request on exposed port - If stopped, Sablier starts the container - Shows loading page while container starts -4. **Service responds** directly back to core Traefik, then to user +4. **Service responds** directly back to core Traefik via HTTP, then HTTPS to user + +### Key Points + +- **External Traffic**: Always HTTPS (SSL/TLS encrypted) +- **Internal Traffic**: Always HTTP (no encryption needed on local network) +- **No Double Encryption**: Core Traefik terminates SSL, forwards plain HTTP internally ### Service Registration
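Review bot: In the first hunk (@@ -14,6 +14,12), the new PUBLIC INTERNET box labels both forwarded ports as HTTPS ("HTTPS Traffic (Ports 80/443 forwarded from router)"), but port 80 carries plain HTTP. Say what port 80 is forwarded for, or take it out of the HTTPS label, so the diagram does not imply that everything arriving from the internet is encrypted. The same wording is repeated in item 1 of the new Traffic Flow Summary and conflicts with the "External Traffic: Always HTTPS" key point added further down.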
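Review bot: In the Traffic Flow Summary hunk (@@ -43,6 +49,12), "no encryption needed" in item 2 is written as a fact when it is a trust assumption. Once the core terminates TLS, the full request and response cross the LAN in cleartext, including any session cookies or credentials the service itself uses, so the doc should state that this design trusts every host and device on that network segment. Separately, item 3 ("Additional → Core") is the response on the same connection as item 2, not a third flow; merging the two would avoid suggesting that the additional server opens its own connection back to the core.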
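Review bot: In the last hunk (@@ -71,21 +83,26), the rewritten Traffic Flow steps place the Authelia check only at core Traefik, while step 3 has the service answering "on exposed port" with no local reverse proxy. Nothing in this section says that port is restricted to the core server, so a client on the LAN that requests `http://192.168.1.100:8989` directly would not pass through the SSO check. Add a Key Points bullet stating this, and recommend limiting the exposed service ports to the core server's address (host firewall or bind address). The "No Double Encryption" bullet is also worth rewording: re-encrypting the core-to-additional hop would be a second TLS session after termination, not encryption layered on encryption, so "TLS is terminated at the core and not re-established internally" is the more accurate statement.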