feat: add environment variable to trust the reverse proxy

2024-11-15 03:50:11 +01:00 · 2024-09-18 23:01:50 +02:00 · 2024-09-18 23:01:50 +02:00 · b13a81a88c
commit b13a81a88c
parent 97dc3ecfdd
9 changed files with 40 additions and 19 deletions
--- a/15
+++ b/15
@ -1,15 +0,0 @@
-:3000 {
-    # Reverse proxy for /api
-    reverse_proxy /api/* http://localhost:8080 {
-        header_up X-Forwarded-Host {host}:{server_port}
-        header_up X-Forwarded-For {remote_host}
-        header_up X-Forwarded-Proto {scheme}
-    }
-
-    # Reverse proxy for all other requests
-    reverse_proxy http://localhost:3333 {
-        header_up X-Forwarded-Host {host}:{server_port}
-        header_up X-Forwarded-For {remote_host}
-        header_up X-Forwarded-Proto {scheme}
-    }
-}
--- a/2
+++ b/2
@ -46,7 +46,7 @@ COPY --from=backend-builder /opt/app/dist ./dist
 COPY --from=backend-builder /opt/app/prisma ./prisma
 COPY --from=backend-builder /opt/app/package.json ./

-COPY ./Caddyfile /etc/caddy/Caddyfile
+COPY ./reverse-proxy /etc/caddy
 COPY ./scripts/docker-entrypoint.sh /opt/app/docker-entrypoint.sh

 WORKDIR /opt/app
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -4,6 +4,8 @@ services:
    restart: unless-stopped
    ports:
      - 3000:3000
+    environment:
+      - TRUST_PROXY=false # Set to true if a reverse proxy is in front of the container
    volumes:
      - "./data:/opt/app/backend/data"
      - "./data/images:/opt/app/frontend/public/img"
--- a/docs/docs/setup/configuration.md
+++ b/docs/docs/setup/configuration.md
@ -48,3 +48,9 @@ For installation specific configuration, you can use environment variables. The
 | --------- | ----------------------- | ---------------------------------------- |
 | `PORT`    | `3000`                  | The port on which the frontend listens.  |
 | `API_URL` | `http://localhost:8080` | The URL of the backend for the frontend. |
+
+#### Reverse Proxy (inside the Docker container)
+
+| Variable      | Default Value | Description                                                                                                 |
+| ------------- | ------------- | ----------------------------------------------------------------------------------------------------------- |
+| `TRUST_PROXY` | `false`       | Whether Pingvin Share is behind a reverse proxy. If set to `true`, the `X-Forwarded-For` header is trusted. |
--- a/docs/docs/setup/installation.md
+++ b/docs/docs/setup/installation.md
@ -40,6 +40,6 @@ API_URL=http://localhost:8080 # Set the URL of the backend, default: http://loca
 pm2 start --name="pingvin-share-frontend" .next/standalone/server.js
 ```

-**Uploading Large Files**: By default, Pingvin Share uses a built-in reverse proxy to reduce the installation steps. However, this reverse proxy is not optimized for uploading large files. If you wish to upload larger files, you can either use the Docker installation or set up your own reverse proxy. An example configuration for Caddy can be found in `./Caddyfile`.
+**Uploading Large Files**: By default, Pingvin Share uses a built-in reverse proxy to reduce the installation steps. However, this reverse proxy is not optimized for uploading large files. If you wish to upload larger files, you can either use the Docker installation or set up your own reverse proxy. An example configuration for Caddy can be found in `./reverse-proxy/Caddyfile`.

 The website is now listening on `http://localhost:3000`, have fun with Pingvin Share 🐧!
--- a/docs/package.json
+++ b/docs/package.json
@ -7,7 +7,7 @@
    "start": "docusaurus start",
    "build": "docusaurus build",
    "swizzle": "docusaurus swizzle",
-    "deploy": "docusaurus deploy",
+    "deploy": "GIT_USER=stonith404 docusaurus deploy",
    "clear": "docusaurus clear",
    "serve": "docusaurus serve",
    "write-translations": "docusaurus write-translations",
--- a/reverse-proxy/Caddyfile
+++ b/reverse-proxy/Caddyfile
@ -0,0 +1,7 @@
+:3000 {
+    # Reverse proxy for /api
+    reverse_proxy /api/* http://localhost:8080
+
+    # Reverse proxy for all other requests
+    reverse_proxy http://localhost:3333
+}
--- a/reverse-proxy/Caddyfile.trust-proxy
+++ b/reverse-proxy/Caddyfile.trust-proxy
@ -0,0 +1,14 @@
+:3000 {
+    reverse_proxy /* http://localhost:3333  {
+            trusted_proxies 0.0.0.0/0
+    }
+
+    reverse_proxy /api/* http://localhost:8080  {
+            trusted_proxies 0.0.0.0/0
+    }
+
+    log {
+        output file /var/log/caddy/access.log
+        level WARN
+    }
+}
--- a/scripts/docker-entrypoint.sh
+++ b/scripts/docker-entrypoint.sh
@ -4,10 +4,17 @@
 cp -rn /tmp/img/* /opt/app/frontend/public/img

 # Start Caddy
-caddy start --config /etc/caddy/Caddyfile &
+if [ "$TRUST_PROXY" = "true" ]; then
+  caddy start --config /etc/caddy/Caddyfile.trust-proxy &
+else
+  caddy start --config /etc/caddy/Caddyfile &
+fi
+
 # Run the frontend server
 PORT=3333 HOSTNAME=0.0.0.0 node frontend/server.js &
+
 # Run the backend server
 cd backend && npm run prod
+
 # Wait for all processes to finish
 wait -n