Two-Way Ticket Sync Platform — highly available infrastructure with reverse proxy, self-registration and automated provisioning on Hetzner Cloud.
The platform consists of a highly available reverse proxy with automatic SSL termination, self-registration of backend servers, and a fully automated provisioning pipeline.
Each component is independently scalable and connected via clearly defined interfaces.
Two Caddy v2.11 instances with a wildcard SSL certificate (Let's Encrypt). Automatic SSL termination for all *.startlobster.de subdomains. JSON-based Admin API for dynamic routing.
VRRP-based failover with Floating IP. proxy-1 acts as master, proxy-2 as backup. On failure, the IP is switched over automatically via the Hetzner API in <5 seconds.
REST API (port 9876) on the Private Network. Backends register themselves with the proxy. Supports Simple Routes (Gateway) and Full Routes (Auth + UI + Gateway).
Wildcard certificate via acme.sh with a custom DNS hook for the http.net API. Automatic renewal. Cert sync between both proxy instances.
Wildcard A record *.startlobster.de → Floating IP. No individual DNS entry per server is needed anymore. Managed via the http.net Partner API.
Fully automated: HubSpot form → Hetzner server → Private Network → Docker + services → proxy registration. Pool-based for instant assignment (<30s).
| Component | Specification | IP / Network | Location |
|---|---|---|---|
| proxy-1 (Master) | CX23 · Debian 12 · Caddy + Keepalived | proxy-1.example / 10.0.1.x | Nuremberg (nbg1) |
| proxy-2 (Backup) | CX23 · Debian 12 · Caddy + Keepalived | proxy-2.example / 10.0.1.y | Nuremberg (nbg1) |
| Floating IP | IPv4 · VRRP-controlled | floating-ip.example | Nuremberg |
| Private Network | startlobster-net · 10.0.0.0/16 | Subnet: 10.0.1.0/24 | eu-central |
| Backend Server | CX23 · Ubuntu 24.04 · Docker | 10.0.1.x (Private) | Nuremberg (nbg1) |
Backend servers are only accessible via the Private Network. All services (Gateway :18789, Chat UI :8888, Auth :3000) bind only to the private IP. No public access to backend ports — all traffic runs through the reverse proxy.
How a request from a client is routed to the correct backend.
The client opens s42.startlobster.de → the wildcard DNS record resolves to the Floating IP floating-ip.example.
Caddy on the active proxy terminates TLS with the wildcard certificate *.startlobster.de.
Caddy matches the Host header against the registered routes. For s42.startlobster.de the Full Route is used (Auth + Chat UI + Gateway).
Caddy checks via forward_auth against the Auth container (10.0.1.x:3000) whether the user is authenticated. On success, the gateway token is injected as a request header.
Depending on the path, the request is routed to the backend:
- /auth/* → Auth :3000
- /api/* + /ws → Gateway :18789
- /* → Chat UI :8888
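The per-host route described above, expressed as the Caddy v2 JSON route object that a registration would push into the Admin API. This is an added example, not the project's own code: the verify path `/verify`, the `X-Gateway-Token` header name and the sample backend address 10.0.1.42 are assumptions, and the route object for a Simple Route (gateway only) is included alongside the Full Route.

```python
# Added example (not the project's code): build the Caddy JSON route for one
# subdomain. Assumed: the auth container answers GET /verify with 2xx for a
# valid session and returns the gateway token in X-Gateway-Token; it must let
# /auth/* through itself (it sees the original path in X-Forwarded-Uri).
PORTS = {"auth": 3000, "gateway": 18789, "chat": 8888}


def _proxy(ip, port):
    """Plain reverse_proxy handler to one backend container on the private IP."""
    return {"handler": "reverse_proxy", "upstreams": [{"dial": f"{ip}:{port}"}]}


def _forward_auth(ip):
    """JSON equivalent of the Caddyfile forward_auth directive: ask the auth
    container first, continue only on 2xx and copy the token into the request."""
    handler = _proxy(ip, PORTS["auth"])
    handler["rewrite"] = {"method": "GET", "uri": "/verify"}  # assumed path
    handler["headers"] = {"request": {"set": {
        "X-Forwarded-Method": ["{http.request.method}"],
        "X-Forwarded-Uri": ["{http.request.uri}"]}}}
    handler["handle_response"] = [{
        "match": {"status_code": [2]},  # 2 = any 2xx; other codes go to client
        "routes": [{"handle": [{
            "handler": "headers",
            "request": {"set": {"X-Gateway-Token":
                ["{http.reverse_proxy.header.X-Gateway-Token}"]}}}]}],
    }]
    return handler


def build_route(subdomain, backend_ip, kind):
    """Return the route object for a 'simple' (gateway only) or
    'full' (forward_auth + path-based auth/gateway/chat) registration."""
    if kind == "simple":
        handlers = [_proxy(backend_ip, PORTS["gateway"])]
    elif kind == "full":
        handlers = [_forward_auth(backend_ip), {
            "handler": "subroute",
            "routes": [  # first matching path wins, last entry is the /* fallback
                {"match": [{"path": ["/auth/*"]}],
                 "handle": [_proxy(backend_ip, PORTS["auth"])]},
                {"match": [{"path": ["/api/*", "/ws"]}],
                 "handle": [_proxy(backend_ip, PORTS["gateway"])]},
                {"handle": [_proxy(backend_ip, PORTS["chat"])]},
            ]}]
    else:
        raise ValueError(f"unknown route kind: {kind}")
    return {"@id": f"route-{subdomain}",
            "match": [{"host": [f"{subdomain}.startlobster.de"]}],
            "handle": handlers,
            "terminal": True}
```

The `@id` lets the deregister call remove the route by id later via the Admin API's `/id/` endpoint instead of searching the routes array.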
New servers automatically register with the reverse proxy — no manual DNS entry or config change needed.
Registrations are automatically synced to both proxy instances. Only one API call needed — the receiving proxy forwards the route to the peer.
| Method | Path | Description |
|---|---|---|
| POST | /register | Register route (simple or full) |
| POST | /deregister | Remove route |
| GET | /routes | List all active routes |
| GET | /health | Health check |
From HubSpot form to functioning server in under 30 seconds thanks to server pool.
New form submission → Pipeline detects new customer.
Pre-configured server from the pool is assigned. Pool maintains 5 ready servers. Automatically re-provisioned upon assignment.
CX23 server is created in startlobster-net. Automatically receives a private IP (10.0.1.x).
Pipeline registers Full Route + Gateway Route with the reverse proxy. Instantly accessible via sXX.startlobster.de.
Playbook install-docker-proxy.yml: Docker, OpenClaw Gateway, Chat UI, Auth — all services bound only to the Private Network interface.
Gateway reachable? → HubSpot note with credentials → WhatsApp notification to team.
Backend services are only accessible via the Private Network. No public ports on backend servers. All external traffic runs through the reverse proxy.
iptables on all proxies: ports 22/80/443 public, Admin API (:2019) and Registration API (:9876) only from the Private Network. VRRP traffic allowed.
Registration API: Bearer token (shared secret). Forward auth on the proxy for end-user access. Gateway token per backend instance. No public access to admin APIs.
The Registration API only accepts requests from the Private Network (10.0.0.0/16). Public requests on ports 9876 and 2019 are dropped via iptables before reaching the service.
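The checks a `/register` handler would apply before it touches Caddy, covering both the API table above and the access controls in this section. This is an added example, not the project's own code: the payload fields (`subdomain`, `backend_ip`, `type`), the `X-Peer-Sync` header used to stop peer-sync loops and the shared secret value are assumptions.

```python
# Added example (not the project's code). Assumed: JSON payload
# {"subdomain", "backend_ip", "type"}, peer-forwarded requests carry
# X-Peer-Sync: 1, and the shared secret below is a constructed sample.
import hmac
import ipaddress
import json
import re

PRIVATE_NET = ipaddress.ip_network("10.0.0.0/16")
SHARED_SECRET = "constructed-shared-secret"  # constructed, load from env in practice
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_register(remote_ip, headers, raw_body):
    """Validate one /register request.
    Returns (status, message, route, forward_to_peer)."""
    # 1. Defence in depth: iptables already drops public traffic on :9876,
    #    but the service re-checks the source in case the firewall changes.
    if ipaddress.ip_address(remote_ip) not in PRIVATE_NET:
        return 403, "source not on private network", None, False
    # 2. Bearer token, compared in constant time to avoid a timing oracle.
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not hmac.compare_digest(token.encode(), SHARED_SECRET.encode()):
        return 401, "bad or missing bearer token", None, False
    # 3. Payload validation: the subdomain must be a single DNS label (it ends
    #    up in a host matcher), the type one of the two route kinds, and the
    #    backend itself on the private network so the proxy can never be
    #    registered as an open relay to an arbitrary address.
    try:
        body = json.loads(raw_body)
        sub, kind = body["subdomain"], body["type"]
        backend = ipaddress.ip_address(body["backend_ip"])
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload", None, False
    if not SUBDOMAIN_RE.match(str(sub)) or kind not in ("simple", "full"):
        return 400, "invalid subdomain or route type", None, False
    if backend not in PRIVATE_NET:
        return 400, "backend must be on the private network", None, False
    # 4. A request that already came from the peer is applied locally only;
    #    forwarding it again would bounce it between the two proxies forever.
    forward = headers.get("X-Peer-Sync") != "1"
    route = {"subdomain": sub, "backend_ip": str(backend), "type": kind}
    return 200, "registered", route, forward
```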
Each backend server runs lean without its own reverse proxy — SSL and auth are handled centrally.
| Container | Port (Private IP) | Function |
|---|---|---|
| openclaw-gateway | 10.0.1.x:18789 | AI Gateway — WebSocket + REST API |
| startlobster-chat | 10.0.1.x:8888 | Chat UI (nginx + static files) |
| startlobster-auth | 10.0.1.x:3000 | Auth container (token-based) |
Legacy: Each server had its own Caddy + Let's Encrypt + DNS records → 50 certs/week rate limit, slow provisioning.
Proxy Mode: One wildcard cert, no Caddy on backends, instant registration. Provisioning ~80% faster.
proxy-1 (Master, Priority 101) holds the Floating IP. proxy-2 (Backup, Priority 100) stands ready. Keepalived checks every 5 seconds if Caddy responds.
Keepalived on proxy-2 detects missing VRRP advertisements. After 3 failed health checks (15s), proxy-2 takes over the master role.
Keepalived triggers hetzner-failover.sh → Hetzner API reassigns the Floating IP to proxy-2. DNS remains unchanged. Downtime: <15 seconds.
When proxy-1 comes back online, it automatically takes back the master role (higher priority). Floating IP migrates back.
| Category | Technology | Version / Details |
|---|---|---|
| Reverse Proxy | Caddy | v2.11.1 (Custom Build via xcaddy) |
| HA / Failover | Keepalived | VRRP on Private Network interface |
| SSL Certificates | Let's Encrypt + acme.sh | Custom DNS hook for http.net API |
| DNS | http.net Partner API | Wildcard A-Record |
| Cloud | Hetzner Cloud | CX23, Debian 12 / Ubuntu 24.04 |
| Networking | Hetzner Private Network | 10.0.0.0/16, Floating IP |
| Container Runtime | Docker + Compose | Latest stable |
| Provisioning | Ansible + Python Pipeline | Idempotent, pool-based |
| Registration API | Python (stdlib) | http.server, Port 9876 |
| CRM Integration | HubSpot API | Form Submissions + Contact Notes |
| Notifications | WhatsApp (OpenClaw) | Auto-notify on provisioning |