
Service Access

Complete reference of all services and their access URLs.

Services exposed via Traefik HTTPS

The following services are reachable from outside over HTTPS (Let's Encrypt TLS).

| Service | URL | Port | Credentials | Notes |
|---|---|---|---|---|
| API Swagger | https://api-rgz.duckdns.org/docs | 443 | None | Interactive API documentation |
| API ReDoc | https://api-rgz.duckdns.org/redoc | 443 | None | Alternative documentation |
| API Health | https://api-rgz.duckdns.org/health | 443 | None | JSON status endpoint |
| Admin Dashboard | https://admin-rgz.duckdns.org | 443 | TBD | Management interface |
| Captive Portal | https://access-rgz.duckdns.org | 443 | None | Subscriber WiFi access |
| Grafana Dashboards | https://grafana-rgz.duckdns.org | 443 | admin / GRAFANA_ADMIN_PASSWORD | Monitoring visualisations |
| Documentation | https://docs-rgz.duckdns.org | 443 | None | MkDocs site (this site) |
| Registration Site | https://registre-rgz.duckdns.org | 443 | TBD | Reseller registration form |

Default credentials

| Service | User | Password | Where to find |
|---|---|---|---|
| Grafana | admin | GRAFANA_ADMIN_PASSWORD | .env file |
| Admin Dashboard | TBD | TBD | API configuration |
| Registration Site | TBD | TBD | Site configuration #81 |

Testing HTTPS access

```bash
# Check the TLS certificate
curl -vI https://api-rgz.duckdns.org/docs
# Should return: HTTP/2 200 + valid certificate

# Test endpoints
curl -s https://api-rgz.duckdns.org/health | jq .
# Should return: {"status": "ok", ...}
```

Internal services (local network only)

Reachable ONLY from the server or via VPN/WireGuard.

| Service | URL | Port | Credentials | Used by | Notes |
|---|---|---|---|---|---|
| Prometheus | http://[server_ip]:9090 | 9090 | None | Grafana scrape | Monitoring metrics |
| AlertManager | http://[server_ip]:9093 | 9093 | None | Prometheus rules | Alerting engine |
| Elasticsearch API | http://[server_ip]:9200 | 9200 | elastic / ELASTIC_PASSWORD | Logstash, Kibana | Logs database |
| Kibana | http://[server_ip]:5601 | 5601 | elastic / KIBANA_PASSWORD | NOC team | Logs visualization |
| Portainer | http://[server_ip]:9000 | 9000 | admin / password | DevOps | Docker UI management |

Accessing internal services

Via SSH tunnel:

```bash
# SSH tunnel to Kibana
ssh -L 5601:127.0.0.1:5601 user@server-ip
# Then open: http://localhost:5601

# SSH tunnel to Prometheus
ssh -L 9090:127.0.0.1:9090 user@server-ip
# Then open: http://localhost:9090

# SSH tunnel to Elasticsearch
ssh -L 9200:127.0.0.1:9200 user@server-ip
# Then run: curl http://localhost:9200 (API)
```

Via WireGuard VPN:

```bash
# Bring up the VPN gateway
wg-quick up /etc/wireguard/rgz.conf

# Access the services
curl http://172.23.0.9:5601  # Kibana via Docker network
```

Full network port list

Table of ALL ports used by the stack.

TCP ports

| Service | Port | Protocol | Host-exposed | Via Traefik | Direction | Description |
|---|---|---|---|---|---|---|
| Traefik HTTP | 80 | TCP | | - | ingress | Redirect HTTP → HTTPS |
| Traefik HTTPS | 443 | TCP | | - | ingress | TLS reverse proxy |
| API FastAPI | 8000 | TCP | | ✅ (443) | internal | FastAPI app |
| Dashboard React | 3000 | TCP | | ✅ (443) | internal | Admin UI |
| Captive Portal | 80 | TCP | | ✅ (443) | internal | Portal proxy |
| PostgreSQL | 5432 | TCP | | | internal | Database |
| Redis | 6379 | TCP | | | internal | Cache |
| Prometheus | 9090 | TCP | | | internal | Metrics scraper |
| AlertManager | 9093 | TCP | | | internal | Alert engine |
| Grafana | 3000 | TCP | | ✅ (443) | internal | Dashboards |
| Elasticsearch | 9200 | TCP | | | internal | Logs database |
| Kibana | 5601 | TCP | | | internal | Logs UI |
| Logstash | 5000 | TCP | | | internal | Log pipeline |
| Portainer | 9000 | TCP | | | internal | Docker UI |

UDP ports

| Service | Port | Protocol | Host-exposed | Direction | Description |
|---|---|---|---|---|---|
| RADIUS Auth | 1812 | UDP | | ingress | Client auth (CPE) |
| RADIUS Acct | 1813 | UDP | | ingress | Accounting (CPE) |
| RADIUS CoA | 3799 | UDP | | internal | Change-of-Auth (gateway) |
| DHCP | 67 | UDP | | ingress | Kea DHCP server |
| DNS | 53 | UDP | | ingress | Unbound DNS (public) |
| NetFlow v5 | 2055 | UDP | | ingress | Flow collector |
| WireGuard VPN | 51820 | UDP | | ingress | Inter-site tunnel |

Firewall port summary

TO OPEN in the firewall/router:

```text
# TCP
80/tcp    # HTTP redirect
443/tcp   # HTTPS (Traefik)

# UDP
1812/udp  # RADIUS auth
1813/udp  # RADIUS acct
2055/udp  # NetFlow
51820/udp # WireGuard
67/udp    # DHCP (optional, internal)
53/udp    # DNS (optional, may be exposed)
```
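
A check for the port policy above, as an added example that is not part of the original page: run from a machine outside the LAN and VPN, it probes each TCP port from the tables and flags any port marked internal that still answers. The function names, the script name `audit-ports.sh` and the OK/DOWN/EXPOSED labels are assumptions of this example; the port lists are copied from the TCP table and the firewall summary.

```bash
#!/usr/bin/env bash
# Added example: compare reachable TCP ports with the policy on this page.
# Run it from OUTSIDE the LAN/VPN. UDP ports are not probed (no reliable
# open/closed signal without a protocol-specific request).

PUBLIC_TCP="80 443"    # "to open" list in the firewall summary
# Ports whose Direction is "internal" in the TCP table
INTERNAL_TCP="8000 3000 5432 6379 9090 9093 9200 5601 5000 9000"

# probe HOST PORT -> prints "open" or "closed" (3 s connect timeout)
probe() {
  if timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; then
    echo open
  else
    echo closed
  fi
}

# verdict PORT STATE -> OK, DOWN (public port closed), EXPOSED (internal
# port reachable) or UNKNOWN (port not in either list)
verdict() {
  case " $PUBLIC_TCP " in
    *" $1 "*) [ "$2" = open ] && echo OK || echo DOWN; return ;;
  esac
  case " $INTERNAL_TCP " in
    *" $1 "*) [ "$2" = closed ] && echo OK || echo EXPOSED; return ;;
  esac
  echo UNKNOWN
}

# audit HOST -> one line per port; returns 1 if any internal port is exposed
audit() {
  host=$1; rc=0
  for port in $PUBLIC_TCP $INTERNAL_TCP; do
    state=$(probe "$host" "$port")
    v=$(verdict "$port" "$state")
    printf '%-6s %-7s %s\n' "$port" "$state" "$v"
    if [ "$v" = EXPOSED ]; then rc=1; fi
  done
  return "$rc"
}

# Usage (hypothetical script name): ./audit-ports.sh api-rgz.duckdns.org
if [ -n "${1:-}" ]; then
  audit "$1"
fi
```

A port dropped silently by the firewall times out and is reported as closed, which is the expected result for every internal port.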

Main API endpoints

Authentication & OTP

```text
# Request an OTP (SMS)
POST /api/v1/otp/request
Content-Type: application/json
{
  "phone": "+22901234567"
}
Response: {"otp_id": "uuid", "expires_at": "2026-02-21T14:30:00Z"}

# Verify the OTP
POST /api/v1/otp/verify
{
  "otp_id": "uuid",
  "code": "123456"
}
Response: {"session_token": "jwt_token", "subscriber_id": "uuid"}
```

Payments

```text
# Create a KKiaPay transaction
POST /api/v1/payments/request
{
  "subscriber_id": "uuid",
  "amount_fcfa": 10000,
  "provider": "MTN_MOMO"
}
Response: {"transaction_id": "uuid", "redirect_url": "..."}

# KKiaPay webhook (inbound)
POST /webhooks/kkiapay
Headers: x-kkiapay-secret: <signature>
{
  "kkiapay_transaction_id": "...",
  "status": "completed",
  "amount": 10000
}
```

Resellers & Onboarding

```text
# Create a reseller
POST /api/v1/resellers
{
  "name": "Tech Connect",
  "contact_email": "contact@techconnect.bj",
  "classification": "V1"
}
Response: {"id": "uuid", "nasid": "access_tech_connect", ...}

# Onboarding status
GET /api/v1/resellers/{id}/onboarding
Response: {"step": 3, "steps": [...]}
```

Monitoring & Reports

```text
# Overall health
GET /api/v1/health
Response: {"status": "ok", "timestamp": "...", "version": "1.0.0"}

# SLA metric (last 5 minutes)
GET /api/v1/monitoring/sla?reseller_id=uuid
Response: {"uptime_percent": 99.8, "latency_p95_ms": 45}

# Monthly report
GET /api/v1/reports/monthly?month=2026-02
Response: [PDF stream] (Content-Type: application/pdf)
```

Testing the services

API health

```bash
# Test the health endpoint
curl -s https://api-rgz.duckdns.org/health | jq .

# Test the Swagger API
open https://api-rgz.duckdns.org/docs
# Click "/health" → "Try it out" → "Execute"
```

Database

```bash
# Connect to PostgreSQL
psql -h [server_ip] -U rgz_admin -d rgz_noc
# Password: POSTGRES_PASSWORD

# Or via the container
docker exec -it rgz-db psql -U rgz_admin -d rgz_noc
```

Redis

```bash
# Ping test
redis-cli -h [server_ip] -a <password> ping
# Response: PONG

# Or via the container
docker exec -it rgz-redis redis-cli ping
```

RADIUS

```bash
# Access-Accept test
radtest -c 1 subscriber_ref_test password [server_ip] 1812 <secret>
# Response: Received Access-Accept

# Or via Docker
docker exec rgz-radius radtest -c 1 test test 127.0.0.1 1812 testing123
```

DNS

```bash
# Test resolution
nslookup access-rgz.duckdns.org [server_ip]
dig access-rgz.duckdns.org @[server_ip]

# Test the sinkhole (302 redirect to the portal)
curl -vL http://evil.example.bj  # Via portal DNS
```

HTTPS/TLS

```bash
# Check the certificate
openssl s_client -connect api-rgz.duckdns.org:443

# Show the certificate
curl -vI https://api-rgz.duckdns.org/docs 2>&1 | grep -A 10 "certificate"
```

Logs & Monitoring

Viewing logs in real time

```bash
# API logs
docker logs -f rgz-api

# Logs for all services
docker compose -f docker-compose.core.yml logs -f

# Logs for one service, filtered (2>&1 so stderr output is filtered too)
docker logs rgz-radius 2>&1 | grep "Access-Accept"
```

Grafana dashboard

  1. Open https://grafana-rgz.duckdns.org
  2. Login: admin / GRAFANA_ADMIN_PASSWORD
  3. Available dashboards:
    • Core Metrics: CPU, RAM, Disk, Network
    • Network: VLAN, CPE, traffic
    • RF Monitoring: RSSI heatmap
    • Alerts: Active incidents
    • Billing: Revenues, transactions

Kibana dashboard

  1. Connect via SSH tunnel: ssh -L 5601:127.0.0.1:5601 user@server
  2. Open http://localhost:5601
  3. Login: elastic / KIBANA_PASSWORD
  4. Available indices:
    • logstash-api-*: API logs
    • logstash-radius-*: RADIUS auth logs
    • logstash-cpe-*: CPE syslog
    • logstash-netflow-*: NetFlow metrics

Custom DNS configuration

If you have your own domain (e.g. rgz.local):

```text
# In your local /etc/hosts
192.168.1.100 api-rgz.local
192.168.1.100 admin-rgz.local
192.168.1.100 access-rgz.local

# Or via DNS records
api-rgz.local.        A    192.168.1.100
admin-rgz.local.      A    192.168.1.100
access-rgz.local.     A    192.168.1.100
```

Access troubleshooting

"Connection refused"

```bash
# Check that the service is running
docker ps | grep rgz-api

# Check that the port is listening
netstat -tlnp | grep :8000
docker port rgz-api

# Restart the service
docker restart rgz-api
```

"TLS certificate error"

```bash
# Check the Let's Encrypt certificate (2>&1 so stderr output is filtered too)
docker logs traefik 2>&1 | grep "Let's Encrypt"
curl -vI https://api-rgz.duckdns.org/docs 2>&1 | head -20

# Restart Traefik
docker compose -f docker-compose.core.yml restart traefik
```

"DNS resolution failed"

```bash
# Check the DuckDNS domain
nslookup api-rgz.duckdns.org

# Check the DuckDNS token in .env
grep DUCKDNS_TOKEN .env

# Update the DuckDNS IP
curl -X GET "https://www.duckdns.org/update?domains=api-rgz&token=TOKEN&ip=YOUR_IP"
```

Support

```bash
# Check all services
./scripts/ops/status.sh

# Full logs
docker compose -f docker-compose.core.yml logs --tail 100
docker compose -f docker-compose.monitoring.yml logs --tail 100

# Restart the stack
./scripts/ops/stop.sh
./scripts/ops/start.sh
```

PROJET MOSAÏQUE — 81 tools, 22 containers, 500+ WiFi Zone resellers