fix: exclude Postiz API from SSO protection

API endpoints at /api/* on social.ai-impress.com no longer require Authentik authentication. Frontend routes remain protected. This allows external integrations and webhooks to function properly without SSO. - Added postiz-api router in dynamic.yml for /api path without Authentik - Updated postiz frontend router to exclude /api routes - Simplified docker-compose.yml labels to avoid routing conflicts 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-02 11:28:08 +00:00 · 2025-12-02 11:28:08 +00:00 · a90ccb8c51
commit a90ccb8c51
parent 8e8f0e6fde
2 changed files with 35 additions and 12 deletions
--- a/opt/00-infrastructure/traefik/config/dynamic.yml
+++ b/opt/00-infrastructure/traefik/config/dynamic.yml
@ -1,5 +1,25 @@
 http:
  routers:
+    # Postiz API (backend) - without SSO protection
+    postiz-api:
+      rule: "Host(`social.ai-impress.com`) && PathPrefix(`/api`)"
+      service: postiz-api
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cloudflare
+
+    # Postiz frontend - with Authentik
+    postiz:
+      rule: "Host(`social.ai-impress.com`) && !PathPrefix(`/api`)"
+      service: postiz
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cloudflare
+      middlewares:
+        - authentik@file
+
    mirotalk:
      rule: "Host(`webinar.ai-impress.com`)"
      service: mirotalk
@ -9,6 +29,16 @@ http:
        certResolver: cloudflare

  services:
+    postiz-api:
+      loadBalancer:
+        servers:
+          - url: "http://postiz:5000"
+
+    postiz:
+      loadBalancer:
+        servers:
+          - url: "http://postiz:5000"
+
    mirotalk:
      loadBalancer:
        servers:
--- a/opt/postiz-config/docker-compose.yml
+++ b/opt/postiz-config/docker-compose.yml
@ -19,21 +19,14 @@ services:
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-public"
-      
-      # Main frontend: social.ai-impress.com (with Authelia)
-      - "traefik.http.routers.postiz.rule=Host(`social.ai-impress.com`)"
-      - "traefik.http.routers.postiz.entrypoints=websecure"
-      - "traefik.http.routers.postiz.tls.certresolver=cloudflare"
-      - "traefik.http.routers.postiz.middlewares=authentik@file"
-      
-      # Uploads subdomain: uploads.ai-impress.com (without Authelia, for social media bots)
-      - "traefik.http.routers.postiz-uploads.rule=Host(`uploads.ai-impress.com`)"
-      - "traefik.http.routers.postiz-uploads.entrypoints=websecure"
-      - "traefik.http.routers.postiz-uploads.tls.certresolver=cloudflare"
-      
+
      # Service port
      - "traefik.http.services.postiz.loadbalancer.server.port=5000"

+      # Routing configured in /opt/00-infrastructure/traefik/config/dynamic.yml
+      # - postiz-api: /api routes (no SSO)
+      # - postiz: frontend routes (with Authentik)
+
  postiz-postgres:
    image: postgres:16-alpine
    container_name: postiz-postgres