From 211e4ad465b31f7e7f8f2bbdb67b29f61d046217 Mon Sep 17 00:00:00 2001
From: yusing <yusing.wys@gmail.com>
Date: Thu, 5 Feb 2026 22:53:35 +0800
Subject: [PATCH] refactor: update webui rules and docker compose - Docker
 compose   - tmpfs update /app/.next/cache to /app/node_modules/.cache   -
 tmpfs add /tmp - Rules   - Update rules for tanstack start + nitro   -
 Stricter webui rules   - Add webui dev rules

---
 compose.example.yml                        |  4 ++--
 internal/route/rules/presets/webui.yml     | 13 +++++++++---
 internal/route/rules/presets/webui_dev.yml | 24 ++++++++++++++++++++++
 3 files changed, 36 insertions(+), 5 deletions(-)
 create mode 100644 internal/route/rules/presets/webui_dev.yml

diff --git a/compose.example.yml b/compose.example.yml
index 62f9320b..e4ed368b 100755
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -31,8 +31,8 @@ services:
     user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
     read_only: true
     tmpfs:
-      - /app/.next/cache # next image caching
-
+      - /tmp:rw
+      - /app/node_modules/.cache:rw
       # for lite variant, do not change uid/gid
       # - /var/cache/nginx:uid=101,gid=101
       # - /run:uid=101,gid=101
diff --git a/internal/route/rules/presets/webui.yml b/internal/route/rules/presets/webui.yml
index b8c65431..3c5e4630 100644
--- a/internal/route/rules/presets/webui.yml
+++ b/internal/route/rules/presets/webui.yml
@@ -3,12 +3,19 @@
   do: pass
 - name: protected
   on: |
-    !path regex("(_next/static|_next/image|favicon.ico).*")
     !path glob("/api/v1/auth/*")
     !path glob("/auth/*")
-    !path regex("[A-Za-z0-9_-]+\.(svg|png|jpg|jpeg|gif|ico|webp|woff2?|eot|ttf|otf|txt)(\?.+)?")
+    !path /icon0.svg
+    !path /favicon.ico
+    !path /apple-icon.png
+    !path glob("/web-app-manifest-*x*.png")
+    !path regex("\/assets\/(chunks\/)?[a-zA-Z0-9\-_]+\.(css|js|woff2)")
+    !path regex("\/assets\/workbox-window\.prod\.es5-[a-zA-Z0-9]+\.js")
+    !path regex("/workbox-[a-zA-Z0-9]+\.js")
     !path /api/v1/version
-    !path /manifest.json
+    !path /manifest.webmanifest
+    !path /sw.js
+    !path /registerSW.js
   do: require_auth
 - name: proxy to backend
   on: path glob("/api/v1/*")
diff --git a/internal/route/rules/presets/webui_dev.yml b/internal/route/rules/presets/webui_dev.yml
new file mode 100644
index 00000000..f657cf32
--- /dev/null
+++ b/internal/route/rules/presets/webui_dev.yml
@@ -0,0 +1,24 @@
+- name: login page
+  on: path /login
+  do: pass
+- name: protected
+  on: |
+    !path glob("@tanstack-start/*")
+    !path /@react-refresh
+    !path /@vite/client
+    !path regex("\?token=\w{5}-\w{5}")
+    !path glob("/@id/*")
+    !path glob("/api/v1/auth/*")
+    !path glob("/auth/*")
+    !path regex("[A-Za-z0-9_\-/]+\.(css|ts|js|mjs|svg|png|jpg|jpeg|gif|ico|webp|woff2?|eot|ttf|otf|txt)(\?.+)?")
+    !path /api/v1/version
+    !path /manifest.webmanifest
+  do: require_auth
+- name: proxy to backend
+  on: path glob("/api/v1/*")
+  do: proxy http://${API_ADDR}/
+- name: proxy to auth api
+  on: path glob("/auth/*")
+  do: |
+    rewrite /auth /api/v1/auth
+    proxy http://${API_ADDR}/