- Replace Caddy reverse proxy with Nginx (nginx:alpine)
- Add nginx.conf with HTTP/HTTPS, gzip, and proxy settings
- Add nginx-custom-domains.conf template for custom domains
- Update docker-compose.yml to use Nginx service
- Add ProxyFix middleware to Flask app for proper header handling
- Create nginx_config_reader.py utility to read Nginx configuration
- Update admin blueprint to display Nginx status in https_config page
- Add Nginx configuration display to https_config.html template
- Generate self-signed SSL certificates for localhost
- Add utility scripts: generate_nginx_certs.sh
- Add documentation: NGINX_SETUP_QUICK.md, PROXY_FIX_SETUP.md
- All containers now running, HTTPS working, HTTP redirects to HTTPS
- Session cookies marked as Secure
- Security headers properly configured
ProxyFix Middleware Setup - DigiServer v2
Overview
ProxyFix middleware is now properly configured in the Flask app to handle reverse proxy headers from Nginx (or Caddy). This ensures correct handling of:
- X-Real-IP: Client's real IP address
- X-Forwarded-For: List of IPs in the proxy chain
- X-Forwarded-Proto: Original protocol (http/https)
- X-Forwarded-Host: Original hostname
Configuration Details
Flask App (app/app.py)
from werkzeug.middleware.proxy_fix import ProxyFix
# Wrap the WSGI app so each forwarded header is trusted from exactly one proxy hop
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1)
Parameters:
- x_for=1: Trust one proxy for X-Forwarded-For header
- x_proto=1: Trust proxy for X-Forwarded-Proto header
- x_host=1: Trust proxy for X-Forwarded-Host header
- x_port=1: Trust proxy for X-Forwarded-Port header
Config Settings (app/config.py)
import os
# Reverse proxy trust (for Nginx/Caddy with ProxyFix middleware)
TRUSTED_PROXIES = os.getenv('TRUSTED_PROXIES', '127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16')
PREFERRED_URL_SCHEME = os.getenv('PREFERRED_URL_SCHEME', 'https')
Testing ProxyFix
1. Test Real Client IP
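docker exec -it digiserver-app flask shell
>>> from flask import request
>>> # request is only bound while a request is being handled, so send one through ProxyFix
>>> app.add_url_rule('/_ip', 'ip_probe', lambda: request.remote_addr)  # throwaway route, exists in this shell only
>>> app.test_client().get('/_ip', headers={'X-Forwarded-For': '203.0.113.7'}).get_data(as_text=True) # Should show client IP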
2. Test URL Scheme
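docker exec -it digiserver-app flask shell
>>> from flask import url_for
>>> # url_for needs a request context in the shell; test_request_context() supplies one
>>> with app.test_request_context(): print(url_for('auth.login', _external=True)) # Should use https://
...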
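An offline check of what the ProxyFix settings above do with forwarded headers, as an added example that is not part of the DigiServer code. It calls werkzeug's ProxyFix directly with constructed WSGI environs; the addresses, the hostname, the probe app and the assumption that Nginx appends the client address to X-Forwarded-For are illustrative.

```python
"""Added example: what a ProxyFix-wrapped app sees for constructed requests."""
from wsgiref.util import setup_testing_defaults

from werkzeug.middleware.proxy_fix import ProxyFix


def seen_by_app(peer_addr, headers):
    """Return the address, scheme and host the wrapped app observes."""
    captured = {}

    def probe(environ, start_response):  # hypothetical stand-in for the Flask app
        captured["remote_addr"] = environ["REMOTE_ADDR"]
        captured["scheme"] = environ["wsgi.url_scheme"]
        captured["host"] = environ["HTTP_HOST"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    # Same trust settings as app/app.py on this page.
    wrapped = ProxyFix(probe, x_for=1, x_proto=1, x_host=1, x_port=1)

    environ = {}
    setup_testing_defaults(environ)  # minimal valid WSGI environ, scheme "http"
    environ["REMOTE_ADDR"] = peer_addr  # TCP peer as seen before ProxyFix
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    list(wrapped(environ, lambda status, response_headers: None))
    return captured


def via_nginx():
    # Assumed: Nginx appends the real client address to any X-Forwarded-For
    # value the client sent, so the right-most entry is the one Nginx wrote.
    return seen_by_app("172.18.0.2", {
        "X-Forwarded-For": "10.0.0.1, 198.51.100.20",
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "signage.example.test",
    })


def direct_to_app():
    # Request that reaches the app port without passing through Nginx:
    # ProxyFix does not check the peer, so the client's header is taken as-is.
    return seen_by_app("198.51.100.20", {"X-Forwarded-For": "10.0.0.1"})


if __name__ == "__main__":
    print("via nginx:", via_nginx())
    print("direct:   ", direct_to_app())
```

The second case is why the app container's port should be reachable only from the Nginx container: ProxyFix itself does not consult TRUSTED_PROXIES or any other allow-list.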
Verification Checklist
- ProxyFix imported in app.py
- app.wsgi_app wrapped with ProxyFix
- TRUSTED_PROXIES configured
- PREFERRED_URL_SCHEME set to 'https'
- SESSION_COOKIE_SECURE=True in ProductionConfig
- Nginx headers configured correctly