# ProxyFix Middleware Setup - DigiServer v2

## Overview

ProxyFix middleware is now properly configured in the Flask app to handle reverse proxy headers from Nginx (or Caddy). This ensures correct handling of:

- **X-Real-IP**: Client's real IP address
- **X-Forwarded-For**: List of IPs in the proxy chain
- **X-Forwarded-Proto**: Original protocol (http/https)
- **X-Forwarded-Host**: Original hostname

## Configuration Details

### Flask App (app/app.py)

```python
from werkzeug.middleware.proxy_fix import ProxyFix

# Wrap the WSGI app so forwarded headers from one proxy hop are applied
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1)
```

**Parameters:**

- `x_for=1`: Trust one proxy for X-Forwarded-For header
- `x_proto=1`: Trust proxy for X-Forwarded-Proto header
- `x_host=1`: Trust proxy for X-Forwarded-Host header
- `x_port=1`: Trust proxy for X-Forwarded-Port header

### Config Settings (app/config.py)

```python
import os

# Reverse proxy trust (for Nginx/Caddy with ProxyFix middleware)
TRUSTED_PROXIES = os.getenv('TRUSTED_PROXIES', '127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16')
PREFERRED_URL_SCHEME = os.getenv('PREFERRED_URL_SCHEME', 'https')
```

## Testing ProxyFix

### 1. Test Real Client IP

```bash
docker exec -it digiserver-app flask shell
>>> from flask import request
>>> # The test client calls the app through ProxyFix and keeps the request context open
>>> with app.test_client() as c:
...     _ = c.get('/', headers={'X-Forwarded-For': '203.0.113.7'})
...     request.remote_addr  # Should show client IP (203.0.113.7, a constructed sample value)
```

### 2. Test URL Scheme

```bash
docker exec -it digiserver-app flask shell
>>> from flask import url_for
>>> # Plain-http request carrying the proxy's X-Forwarded-Proto header
>>> with app.test_client() as c:
...     _ = c.get('/', base_url='http://localhost', headers={'X-Forwarded-Proto': 'https'})
...     url_for('auth.login', _external=True)  # Should use https://
```

## Verification Checklist

- [x] ProxyFix imported in app.py
- [x] app.wsgi_app wrapped with ProxyFix
- [x] TRUSTED_PROXIES configured
- [x] PREFERRED_URL_SCHEME set to 'https'
- [x] SESSION_COOKIE_SECURE=True in ProductionConfig
- [x] Nginx headers configured correctly
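
ProxyFix trusts by hop count (`x_for=1`) and does not read `TRUSTED_PROXIES`, so that CIDR list only takes effect where the application checks it itself. The following is an added example, not DigiServer code: it shows one way to honour forwarded headers only when the direct peer is in the trusted list, walking `X-Forwarded-For` from right to left. The helper names (`parse_trusted`, `is_trusted`, `resolve_client_ip`) and the sample addresses are hypothetical.

```python
import ipaddress

# Default value of TRUSTED_PROXIES from app/config.py on this page.
TRUSTED_PROXIES = "127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"


def parse_trusted(spec):
    """Turn the comma-separated setting into a list of ip_network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]


def is_trusted(addr, networks):
    """True if addr parses as an IP and lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)


def resolve_client_ip(peer_addr, x_forwarded_for, networks):
    """Pick the client IP; peer_addr is the TCP peer (REMOTE_ADDR before rewriting)."""
    # A peer outside the trusted list reached the app directly, bypassing the
    # proxy, so its X-Forwarded-For header is client-controlled: ignore it.
    if not is_trusted(peer_addr, networks):
        return peer_addr
    client = peer_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own proxies.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that validated
        client = hop
        if not is_trusted(hop, networks):
            break  # first untrusted hop is the client as seen by the outermost proxy
    return client


if __name__ == "__main__":
    nets = parse_trusted(TRUSTED_PROXIES)
    # Constructed samples: (direct peer, X-Forwarded-For header value)
    for peer, xff in [("127.0.0.1", "192.0.2.66, 198.51.100.1"),
                      ("203.0.113.9", "198.51.100.1"),
                      ("10.0.0.5", "198.51.100.1, 172.16.0.3")]:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff, nets))
```

The first sample carries a client-supplied leftmost entry (`192.0.2.66`) that is never reached, and the second shows the header being ignored when the peer is not a trusted proxy.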