From af8cebd97eba3034d4850dd0db74e26056e39eb8 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 25 Mar 2026 22:03:46 -0700
Subject: [PATCH] Add MCR routes to rift mc-proxy config

SNI-multiplexed routes for mcr.svc.mcp.metacircular.net on all three listeners: L7 web on :443, L4 API on :8443, L4 gRPC on :9443.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 deploy/mc-proxy-rift.toml | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/deploy/mc-proxy-rift.toml b/deploy/mc-proxy-rift.toml
index 0a3084d..bd81d26 100644
--- a/deploy/mc-proxy-rift.toml
+++ b/deploy/mc-proxy-rift.toml
@@ -1,16 +1,16 @@
 # mc-proxy configuration for rift.
 #
-# Fronts metacrypt containers:
-# :443 → metacrypt-web (L7, TLS termination + re-encrypt)
-# :8443 → metacrypt API (L4 passthrough)
-# :9443 → metacrypt gRPC (L4 passthrough)
+# Fronts metacrypt, mcr, and sgard containers:
+# :443 → metacrypt-web, mcr-web (L7, TLS termination + re-encrypt)
+# :8443 → metacrypt API, mcr API (L4 passthrough, SNI-multiplexed)
+# :9443 → metacrypt gRPC, mcr gRPC, sgardd (L4 passthrough, SNI-multiplexed)
 #
 # Copy to /srv/mc-proxy/mc-proxy.toml on rift before starting.
 
 [database]
 path = "/srv/mc-proxy/mc-proxy.db"
 
-# :443 — L7 TLS-terminating route to metacrypt web UI.
+# :443 — L7 TLS-terminating routes to web UIs.
 [[listeners]]
 addr = ":443"
 
@@ -22,7 +22,15 @@ addr = ":443"
 tls_key = "/srv/mc-proxy/certs/metacrypt-svc.key"
 backend_tls = true
 
-# :8443 — L4 passthrough to metacrypt API (already serves TLS).
+ [[listeners.routes]]
+ hostname = "mcr.svc.mcp.metacircular.net"
+ backend = "127.0.0.1:28080"
+ mode = "l7"
+ tls_cert = "/srv/mc-proxy/certs/mcr-svc.pem"
+ tls_key = "/srv/mc-proxy/certs/mcr-svc.key"
+ backend_tls = true
+
+# :8443 — L4 passthrough, SNI-multiplexed: metacrypt API + mcr API.
 [[listeners]]
 addr = ":8443"
 
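Review bot: The added mcr route on :443 sets `backend_tls = true` toward `127.0.0.1:28080`, but nothing in the route says whether the proxy verifies that backend's certificate or against which name or CA, so the re-encrypted hop cannot be audited from this file. A comment above the route would record the intent, e.g. `# backend_tls: mcr-web serves TLS on 28080; note here how its certificate is verified`. The route also depends on `/srv/mc-proxy/certs/mcr-svc.pem` and `mcr-svc.key` being in place before start, and the header's "Copy to …" line does not mention provisioning them or keeping the key readable only by the mc-proxy user. The metacrypt route this one is modelled on begins outside the hunk.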
@@ -30,7 +38,11 @@ addr = ":8443"
 hostname = "metacrypt.svc.mcp.metacircular.net"
 backend = "127.0.0.1:18443"
 
-# :9443 — L4 passthrough to metacrypt gRPC (already serves TLS).
+ [[listeners.routes]]
+ hostname = "mcr.svc.mcp.metacircular.net"
+ backend = "127.0.0.1:28443"
+
+# :9443 — L4 passthrough, SNI-multiplexed: metacrypt gRPC + mcr gRPC + sgardd.
 [[listeners]]
 addr = ":9443"
 
@@ -38,6 +50,14 @@ addr = ":9443"
 hostname = "metacrypt.svc.mcp.metacircular.net"
 backend = "127.0.0.1:19443"
 
+ [[listeners.routes]]
+ hostname = "mcr.svc.mcp.metacircular.net"
+ backend = "127.0.0.1:29443"
+
+ [[listeners.routes]]
+ hostname = "sgard.svc.mcp.metacircular.net"
+ backend = "127.0.0.1:19473"
+
 # gRPC admin API — Unix socket, secured by file permissions.
 [grpc]
 addr = "/srv/mc-proxy/mc-proxy.sock"
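Review bot: With a second hostname on :8443 (and two more on :9443 in the last hunk), backend selection on these passthrough listeners depends entirely on the ClientHello SNI, and the file does not state what happens to a connection with no SNI or with a name that matches no route. The listener comment is the place to record it, e.g. `# Missing or unmatched SNI: connection is closed, never sent to a default backend (confirm against mc-proxy behaviour)`. The rewritten comments also drop the old "(already serves TLS)" remark, so nothing now says that the passthrough backends terminate TLS themselves. Because passthrough forwards the raw TCP stream, the mcr backends will presumably see the proxy's loopback address as the peer, which matters for any per-client logging or rate limiting there. The metacrypt route at the top of the hunk begins outside it.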
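Review bot: The `sgard.svc.mcp.metacircular.net` route to `127.0.0.1:19473` is not covered by the commit message, which describes only MCR routes; it exposes a further service on the :9443 listener and is easy to miss in review or in a later audit of what rift publishes. It belongs in its own commit, or at least in a line of the description. A comment above the route would help as well, e.g. `# sgardd gRPC — passthrough; sgardd must serve its own TLS`, to be confirmed by whoever owns sgardd. The metacrypt route that opens the hunk starts outside it.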