Initial commit: enterprise digital platform with portal SSO, DigiServer, IT Assets, NetworkView, Server Monitor

digiserver-v2/old_code_documentation/PROXY_FIX_SETUP.md

@@ -0,0 +1,56 @@
+# ProxyFix Middleware Setup - DigiServer v2
+
+## Overview
+ProxyFix middleware is now properly configured in the Flask app to handle reverse proxy headers from Nginx (or Caddy). This ensures correct handling of:
+- **X-Real-IP**: Client's real IP address
+- **X-Forwarded-For**: List of IPs in the proxy chain
+- **X-Forwarded-Proto**: Original protocol (http/https)
+- **X-Forwarded-Host**: Original hostname
+
+## Configuration Details
+
+### Flask App (app/app.py)
+```python
+from werkzeug.middleware.proxy_fix import ProxyFix
+
+app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1)
+```
+
+**Parameters:**
+- `x_for=1`: Trust one proxy for X-Forwarded-For header
+- `x_proto=1`: Trust proxy for X-Forwarded-Proto header
+- `x_host=1`: Trust proxy for X-Forwarded-Host header
+- `x_port=1`: Trust proxy for X-Forwarded-Port header
+
+### Config Settings (app/config.py)
+
+```python
+# Reverse proxy trust (for Nginx/Caddy with ProxyFix middleware)
+TRUSTED_PROXIES = os.getenv('TRUSTED_PROXIES', '127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16')
+PREFERRED_URL_SCHEME = os.getenv('PREFERRED_URL_SCHEME', 'https')
+```
+
+## Testing ProxyFix
+
+### 1. Test Real Client IP
+```bash
+docker exec digiserver-app flask shell
+>>> from flask import request
+>>> request.remote_addr  # Should show client IP
+```
+
+### 2. Test URL Scheme
+```bash
+docker exec digiserver-app flask shell
+>>> from flask import url_for
+>>> url_for('auth.login', _external=True)  # Should use https://
+```
+
+## Verification Checklist
+
+- [x] ProxyFix imported in app.py
+- [x] app.wsgi_app wrapped with ProxyFix
+- [x] TRUSTED_PROXIES configured
+- [x] PREFERRED_URL_SCHEME set to 'https'
+- [x] SESSION_COOKIE_SECURE=True in ProductionConfig
+- [x] Nginx headers configured correctly