feat: complete nginx migration from caddy
- Replace Caddy reverse proxy with Nginx (nginx:alpine) - Add nginx.conf with HTTP/HTTPS, gzip, and proxy settings - Add nginx-custom-domains.conf template for custom domains - Update docker-compose.yml to use Nginx service - Add ProxyFix middleware to Flask app for proper header handling - Create nginx_config_reader.py utility to read Nginx configuration - Update admin blueprint to display Nginx status in https_config page - Add Nginx configuration display to https_config.html template - Generate self-signed SSL certificates for localhost - Add utility scripts: generate_nginx_certs.sh - Add documentation: NGINX_SETUP_QUICK.md, PROXY_FIX_SETUP.md - All containers now running, HTTPS working, HTTP redirects to HTTPS - Session cookies marked as Secure - Security headers properly configured
This commit is contained in:
root
56
PROXY_FIX_SETUP.md
Normal file
56
PROXY_FIX_SETUP.md
Normal file
@@ -0,0 +1,56 @@
|
||||
# ProxyFix Middleware Setup - DigiServer v2
|
||||
|
||||
## Overview
|
||||
ProxyFix middleware is now properly configured in the Flask app to handle reverse proxy headers from Nginx (or Caddy). This ensures correct handling of:
|
||||
- **X-Real-IP**: Client's real IP address
|
||||
- **X-Forwarded-For**: List of IPs in the proxy chain
|
||||
- **X-Forwarded-Proto**: Original protocol (http/https)
|
||||
- **X-Forwarded-Host**: Original hostname
|
||||
|
||||
## Configuration Details
|
||||
|
||||
### Flask App (app/app.py)
|
||||
```python
|
||||
from werkzeug.middleware.proxy_fix import ProxyFix
|
||||
|
||||
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1)
|
||||
```
|
||||
|
||||
**Parameters:**
|
||||
- `x_for=1`: Trust one proxy for X-Forwarded-For header
|
||||
- `x_proto=1`: Trust proxy for X-Forwarded-Proto header
|
||||
- `x_host=1`: Trust proxy for X-Forwarded-Host header
|
||||
- `x_port=1`: Trust proxy for X-Forwarded-Port header
|
||||
|
||||
### Config Settings (app/config.py)
|
||||
|
||||
```python
|
||||
# Reverse proxy trust (for Nginx/Caddy with ProxyFix middleware)
|
||||
TRUSTED_PROXIES = os.getenv('TRUSTED_PROXIES', '127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16')
|
||||
PREFERRED_URL_SCHEME = os.getenv('PREFERRED_URL_SCHEME', 'https')
|
||||
```
|
||||
|
||||
## Testing ProxyFix
|
||||
|
||||
### 1. Test Real Client IP
|
||||
```bash
|
||||
docker exec digiserver-app flask shell
|
||||
>>> from flask import request
|
||||
>>> request.remote_addr # Should show client IP
|
||||
```
|
||||
|
||||
### 2. Test URL Scheme
|
||||
```bash
|
||||
docker exec digiserver-app flask shell
|
||||
>>> from flask import url_for
|
||||
>>> url_for('auth.login', _external=True) # Should use https://
|
||||
```
|
||||
|
||||
## Verification Checklist
|
||||
|
||||
- [x] ProxyFix imported in app.py
|
||||
- [x] app.wsgi_app wrapped with ProxyFix
|
||||
- [x] TRUSTED_PROXIES configured
|
||||
- [x] PREFERRED_URL_SCHEME set to 'https'
|
||||
- [x] SESSION_COOKIE_SECURE=True in ProductionConfig
|
||||
- [x] Nginx headers configured correctly
|
||||
Reference in New Issue
Block a user