a4262da7c9
- Changed ownership of all files to scheianu:scheianu - Set directories to 755 permissions (rwxr-xr-x) - Set files to 644 permissions (rw-r--r--) - Made shell scripts executable (755) - Allows development without requiring sudo for file modifications - Improves development workflow and security
1.7 KiB
1.7 KiB
ProxyFix Middleware Setup - DigiServer v2
Overview
ProxyFix middleware is now properly configured in the Flask app to handle reverse proxy headers from Nginx (or Caddy). This ensures correct handling of:
- X-Real-IP: Client's real IP address
- X-Forwarded-For: List of IPs in the proxy chain
- X-Forwarded-Proto: Original protocol (http/https)
- X-Forwarded-Host: Original hostname
Configuration Details
Flask App (app/app.py)
from werkzeug.middleware.proxy_fix import ProxyFix
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1)
Parameters:
x_for=1: Trust one proxy for X-Forwarded-For headerx_proto=1: Trust proxy for X-Forwarded-Proto headerx_host=1: Trust proxy for X-Forwarded-Host headerx_port=1: Trust proxy for X-Forwarded-Port header
Config Settings (app/config.py)
# Reverse proxy trust (for Nginx/Caddy with ProxyFix middleware)
TRUSTED_PROXIES = os.getenv('TRUSTED_PROXIES', '127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16')
PREFERRED_URL_SCHEME = os.getenv('PREFERRED_URL_SCHEME', 'https')
Testing ProxyFix
1. Test Real Client IP
docker exec digiserver-app flask shell
>>> from flask import request
>>> request.remote_addr # Should show client IP
2. Test URL Scheme
docker exec digiserver-app flask shell
>>> from flask import url_for
>>> url_for('auth.login', _external=True) # Should use https://
Verification Checklist
- ProxyFix imported in app.py
- app.wsgi_app wrapped with ProxyFix
- TRUSTED_PROXIES configured
- PREFERRED_URL_SCHEME set to 'https'
- SESSION_COOKIE_SECURE=True in ProductionConfig
- Nginx headers configured correctly