fix(deploy-epoch): un-spoofable smoke gates + honest docs (deploy-epoch-fix) (#29)
Some checks failed
CI / fmt (push) Successful in 1m1s
CI / clippy (push) Successful in 1m52s
CI / deny (push) Has been cancelled
CI / test (1.85) (push) Has started running
CI / test (stable) (push) Has been cancelled
CI / sim-bench (stable) (push) Has been cancelled
CI / twilio-live (manual only) (push) Has been cancelled
CI / image-build (4 images) (push) Has been cancelled
CI / smoke (all-in-one TLS sim call) (push) Has been cancelled
CI / smoke (T2 compose four-service) (push) Has been cancelled
CI / smoke (caddy reload during live call, zero drops) (push) Has been cancelled

Co-authored-by: Aaron D. Lee <himself@adlee.work>
Co-committed-by: Aaron D. Lee <himself@adlee.work>
This commit was merged in pull request #29.
This commit is contained in:
2026-07-09 23:54:57 +00:00
committed by A.D.Lee
parent cc25e80310
commit 754614bd56
26 changed files with 704 additions and 112 deletions

View File

@@ -30,6 +30,7 @@ docker run -d --name rutster --restart unless-stopped \
-e RUTSTER_ACME_EMAIL=you@example.com \
-e RUTSTER_MEDIA_ADVERTISED_IP=203.0.113.7 \
-e RUTSTER_MEDIA_PORT_RANGE=49152-49407 \
-e RUTSTER_TRUSTED_PROXIES=127.0.0.1/32 \
-e RUTSTER_TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
-e RUTSTER_TWILIO_AUTH_TOKEN=your_auth_token \
-e RUTSTER_TWILIO_MEDIA_BIND=0.0.0.0:8081 \
@@ -98,7 +99,7 @@ Operational notes:
| Symptom | Cause / fix |
|---|---|
| Twilio error **31910** on calls | Your cert isn't publicly trusted or expired — check `/data` volume survived, see [certificates.md](certificates.md) ([twilio.com/docs/api/errors/31910](https://www.twilio.com/docs/api/errors/31910)) |
| Webhook signature validation fails | The edge isn't forwarding `X-Forwarded-Proto/Host` honestly, or `RUTSTER_TRUSTED_PROXIES` doesn't include your proxy — the engine ignores forwarded headers from unlisted sources |
| Webhook signature validation fails | The edge isn't forwarding `X-Forwarded-Proto/Host` honestly, or `RUTSTER_TRUSTED_PROXIES` doesn't include your proxy — the engine ignores forwarded headers from unlisted sources. Note: signature enforcement is **planned, NOT yet enforced** — the webhook surface is currently unauthenticated |
| Browser call connects, no audio | Media UDP blocked or `RUTSTER_MEDIA_ADVERTISED_IP` wrong — the SDP advertises that IP; callers send UDP straight to it |
| `curl /readyz` returns 503 | Node is draining or at the admission cap (`RUTSTER_MAX_SESSIONS`) — liveness (`/healthz`) stays 200 |
| Let's Encrypt rate-limit errors in Caddy logs | You recreated the container without the `/data` volume — [certificates.md](certificates.md) |