Freshmark Canonical Reverse Proxy

Last updated: 2026-03-30 UTC

Live mapping

  • Public URL: https://freshmark-canonical.reverse-proxy.co.za
  • Public reverse proxy host: reverse-proxy-capetownmarket
  • RPCTM public IP: 154.65.108.7
  • RPCTM nginx upstream: http://10.99.0.140:8400
  • WireGuard server address: 10.99.0.1/24
  • WireGuard client address: 10.99.0.140/32
  • Peer name on RPCTM: freshmark-canonical

RPCTM-side state

  • Active nginx site: /etc/nginx/sites-available/freshmark-canonical.reverse-proxy.co.za
  • Enabled nginx site: /etc/nginx/sites-enabled/freshmark-canonical.reverse-proxy.co.za
  • Reference config: /home/ubuntu/rpctm/configs/freshmark-canonical.reverse-proxy.co.za.conf
  • Peer config: /etc/wireguard/peers/freshmark-canonical.conf
  • Peer env notes: /home/ubuntu/rpctm/scripts/envs/freshmark-canonical.env
  • Deployment notes: /home/ubuntu/rpctm/docs/FRESHMARK_CANONICAL_DEPLOYMENT.md

Local host state

  • Hostname: freshmark-replication
  • Local docs app bind: 0.0.0.0:8400
  • App service: freshmark-canonical.service
  • WireGuard client config: /etc/wireguard/wg0.conf
  • WireGuard unit: wg-quick@wg0

Why the client install was manual

The standard RPCTM internal-bootstrap.sh path enables UFW with a default-deny incoming policy. That is a sound baseline for a clean internal app host, but it was too risky for the replication server: that machine already carries SSH and MariaDB-related traffic, and turning on a default-deny firewall without first allowing those flows would have cut off remote administration and the database traffic the host exists to serve.

The deployment therefore kept the same RPCTM peer pattern but installed the WireGuard client by hand, leaving the host firewall untouched:

sudo apt-get update -y
sudo apt-get install -y wireguard wireguard-tools
sudo install -m 600 "$HOME/rpctm/freshmark-canonical-client.conf" /etc/wireguard/wg0.conf
sudo systemctl enable --now wg-quick@wg0

Validation notes

  • RPCTM can reach http://10.99.0.140:8400/ over the WireGuard tunnel with HTTP 200
  • https://freshmark-canonical.reverse-proxy.co.za/ returns HTTP 200
  • https://freshmark-canonical.reverse-proxy.co.za/api/server-inventory returns live JSON
  • The Let's Encrypt certificate is valid until 2026-06-28 19:35:58+00:00

Important note: the Freshmark app answers HEAD / with 405 Method Not Allowed. curl -I sends HEAD, so a 405 from it does not mean the site is down; use a GET that discards the response body as the probe for this service.
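The checks above, written out as an added example script (not part of the deployment notes or the RPCTM tooling): every probe is a GET with the body discarded, so the app's 405 on HEAD never produces a false alarm, and the certificate's notAfter is read from the live TLS handshake rather than from this document. The upstream probe only succeeds from the RPCTM host, where 10.99.0.140 is reachable over wg0. The FRESHMARK_RUN_CHECKS variable, the 14-day renewal threshold and the GNU date dependency are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the deployment notes: GET-based checks for the
# Freshmark path. 'curl -I' sends HEAD, which this app answers with 405, so
# every probe here is a GET whose body is thrown away.
set -euo pipefail

PUBLIC_HOST="freshmark-canonical.reverse-proxy.co.za"
PUBLIC_URL="https://${PUBLIC_HOST}"
UPSTREAM_URL="http://10.99.0.140:8400"   # only reachable from RPCTM over wg0

# Print the HTTP status of a GET without keeping the body.
get_status() {
  curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Succeed only when the observed status equals the expected one.
status_matches() {
  [ "$1" = "$2" ]
}

# notAfter of the served leaf certificate, e.g. "Jun 28 19:35:58 2026 GMT".
cert_not_after() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Whole days from a given epoch second to a notAfter string (GNU date assumed,
# which parses the openssl enddate format directly).
days_until() {
  local not_after=$1 now_epoch=$2
  local exp_epoch
  exp_epoch=$(date -u -d "$not_after" +%s)
  echo $(( (exp_epoch - now_epoch) / 86400 ))
}

run_checks() {
  local rc=0 url code not_after days
  for url in "${PUBLIC_URL}/" "${PUBLIC_URL}/api/server-inventory" "${UPSTREAM_URL}/"; do
    code=$(get_status "$url" || echo 000)   # 000 = connection failure
    if status_matches "$code" 200; then
      echo "ok   ${code} ${url}"
    else
      echo "FAIL ${code} ${url}"; rc=1
    fi
  done
  not_after=$(cert_not_after "$PUBLIC_HOST")
  days=$(days_until "$not_after" "$(date -u +%s)")
  echo "cert ${PUBLIC_HOST} expires ${not_after} (${days} days left)"
  # Assumed threshold: Let's Encrypt renews at 30 days, so under 14 means renewal is failing.
  [ "$days" -ge 14 ] || { echo "FAIL certificate has under 14 days left"; rc=1; }
  return "$rc"
}

# Network probes run only when asked (assumed variable), so the file can also be
# sourced for its helpers.
if [ "${FRESHMARK_RUN_CHECKS:-0}" = 1 ]; then
  run_checks
fi
```

Run it with FRESHMARK_RUN_CHECKS=1 on RPCTM to cover all three URLs, or anywhere else to cover the public ones; a non-zero exit means at least one check failed. With the certificate date recorded above and the page's 2026-03-30 timestamp, days_until reports 90 days.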

Follow-up

The site is working through RPCTM, but the local service still listens on 0.0.0.0:8400, so it accepts connections on every interface of the replication server, not only from RPCTM over wg0. Restricting it to the WireGuard path is still outstanding.
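One way to close that gap without repeating the risk that ruled out the bootstrap path, as an added example rather than anything from the RPCTM scripts: a dedicated nftables table whose input chain keeps policy accept, so SSH and MariaDB traffic are untouched, and only TCP/8400 gets a narrow allow from 10.99.0.1 on wg0 followed by a drop. The table name freshmark_canonical, the use of nft directly rather than UFW, and the flush-before-load pattern are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the deployment notes: restrict TCP/8400 on the
# replication server to the WireGuard path without a default-deny policy.
set -euo pipefail

WG_IF="wg0"
RPCTM_WG_ADDR="10.99.0.1"   # WireGuard server address from the live mapping
APP_PORT=8400
TABLE="freshmark_canonical"  # assumed name for this dedicated table

# Emit an idempotent nftables ruleset. Declaring and flushing the table first
# means re-running the script replaces the rules instead of duplicating them.
# The chain's policy stays accept: nothing but port 8400 changes behaviour.
build_ruleset() {
  cat <<EOF
table inet ${TABLE}
flush table inet ${TABLE}
table inet ${TABLE} {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "${WG_IF}" ip saddr ${RPCTM_WG_ADDR} tcp dport ${APP_PORT} accept
    tcp dport ${APP_PORT} drop
  }
}
EOF
}

# Self-check: exactly two rules must mention the app port (one accept, one drop).
count_port_rules() {
  build_ruleset | grep -c "tcp dport ${APP_PORT}"
}

# Syntax-check the ruleset, then load it. 'nft -f -' reads from stdin.
apply_ruleset() {
  [ "$(count_port_rules)" -eq 2 ] || { echo "unexpected rule count" >&2; return 1; }
  build_ruleset | sudo nft -c -f -
  build_ruleset | sudo nft -f -
  sudo nft list table inet "${TABLE}"
}

# Apply only when asked (assumed variable), so the helpers can be sourced safely.
if [ "${FRESHMARK_APPLY_FW:-0}" = 1 ]; then
  apply_ruleset
fi
```

After loading, GET http://10.99.0.140:8400/ from RPCTM should still return 200 while the same port from any other source is dropped; the rules are not persistent across reboot unless the ruleset is also written to the distribution's nftables configuration. Binding the app to 10.99.0.140 instead of 0.0.0.0 would be the complementary fix, but the unit's bind setting is not recorded here, so the example stays with the firewall.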