From b13a81a88ca871c5714b2ed52d0e12fb7ceca176 Mon Sep 17 00:00:00 2001 From: Elias Schneider Date: Wed, 18 Sep 2024 23:01:50 +0200 Subject: [PATCH] feat: add environment variable to trust the reverse proxy --- Caddyfile | 15 --------------- Dockerfile | 2 +- docker-compose.yml | 2 ++ docs/docs/setup/configuration.md | 6 ++++++ docs/docs/setup/installation.md | 2 +- docs/package.json | 2 +- reverse-proxy/Caddyfile | 7 +++++++ reverse-proxy/Caddyfile.trust-proxy | 14 ++++++++++++++ scripts/docker-entrypoint.sh | 9 ++++++++- 9 files changed, 40 insertions(+), 19 deletions(-) delete mode 100644 Caddyfile create mode 100644 reverse-proxy/Caddyfile create mode 100644 reverse-proxy/Caddyfile.trust-proxy diff --git a/Caddyfile b/Caddyfile deleted file mode 100644 index e266b80..0000000 --- a/Caddyfile +++ /dev/null @@ -1,15 +0,0 @@ -:3000 { - # Reverse proxy for /api - reverse_proxy /api/* http://localhost:8080 { - header_up X-Forwarded-Host {host}:{server_port} - header_up X-Forwarded-For {remote_host} - header_up X-Forwarded-Proto {scheme} - } - - # Reverse proxy for all other requests - reverse_proxy http://localhost:3333 { - header_up X-Forwarded-Host {host}:{server_port} - header_up X-Forwarded-For {remote_host} - header_up X-Forwarded-Proto {scheme} - } -} diff --git a/Dockerfile b/Dockerfile index 5479c9b..c11e2d0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -46,7 +46,7 @@ COPY --from=backend-builder /opt/app/dist ./dist COPY --from=backend-builder /opt/app/prisma ./prisma COPY --from=backend-builder /opt/app/package.json ./ -COPY ./Caddyfile /etc/caddy/Caddyfile +COPY ./reverse-proxy /etc/caddy COPY ./scripts/docker-entrypoint.sh /opt/app/docker-entrypoint.sh WORKDIR /opt/app diff --git a/docker-compose.yml b/docker-compose.yml index a5189ad..4197cc0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -4,6 +4,8 @@ services: restart: unless-stopped ports: - 3000:3000 + environment: + - TRUST_PROXY=false # Set to true if a reverse proxy is in front of the container volumes: - "./data:/opt/app/backend/data" - "./data/images:/opt/app/frontend/public/img" diff --git a/docs/docs/setup/configuration.md b/docs/docs/setup/configuration.md index 2b7ac24..f8bc89c 100644 --- a/docs/docs/setup/configuration.md +++ b/docs/docs/setup/configuration.md @@ -48,3 +48,9 @@ For installation specific configuration, you can use environment variables. The | --------- | ----------------------- | ---------------------------------------- | | `PORT` | `3000` | The port on which the frontend listens. | | `API_URL` | `http://localhost:8080` | The URL of the backend for the frontend. | + +#### Reverse Proxy (inside the Docker container) + +| Variable | Default Value | Description | +| ------------- | ------------- | ----------------------------------------------------------------------------------------------------------- | +| `TRUST_PROXY` | `false` | Whether Pingvin Share is behind a reverse proxy. If set to `true`, the `X-Forwarded-For` header is trusted. | diff --git a/docs/docs/setup/installation.md b/docs/docs/setup/installation.md index 3b1e390..4fc1717 100644 --- a/docs/docs/setup/installation.md +++ b/docs/docs/setup/installation.md 
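Review bot: The comment on the new `TRUST_PROXY=false` line says when to turn the flag on but not the precondition that makes it safe. The same service publishes `3000:3000`, which by default binds on all host interfaces, so with the flag enabled a client that connects to that port directly supplies its own `X-Forwarded-For` and it is accepted. I would reword the comment to `# Set to true only if the container is reachable solely through your reverse proxy`. The docs table could also say that the port should then be bound to the proxy's interface, e.g. `127.0.0.1:3000:3000` when the proxy runs on the same host.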
@@ -40,6 +40,6 @@ API_URL=http://localhost:8080 # Set the URL of the backend, default: http://loca pm2 start --name="pingvin-share-frontend" .next/standalone/server.js ``` -**Uploading Large Files**: By default, Pingvin Share uses a built-in reverse proxy to reduce the installation steps. However, this reverse proxy is not optimized for uploading large files. If you wish to upload larger files, you can either use the Docker installation or set up your own reverse proxy. An example configuration for Caddy can be found in `./Caddyfile`. +**Uploading Large Files**: By default, Pingvin Share uses a built-in reverse proxy to reduce the installation steps. However, this reverse proxy is not optimized for uploading large files. If you wish to upload larger files, you can either use the Docker installation or set up your own reverse proxy. An example configuration for Caddy can be found in `./reverse-proxy/Caddyfile`. The website is now listening on `http://localhost:3000`, have fun with Pingvin Share 🐧! diff --git a/docs/package.json b/docs/package.json index 61773fd..2ddd231 100644 --- a/docs/package.json +++ b/docs/package.json @@ -7,7 +7,7 @@ "start": "docusaurus start", "build": "docusaurus build", "swizzle": "docusaurus swizzle", - "deploy": "docusaurus deploy", + "deploy": "GIT_USER=stonith404 docusaurus deploy", "clear": "docusaurus clear", "serve": "docusaurus serve", "write-translations": "docusaurus write-translations", diff --git a/reverse-proxy/Caddyfile b/reverse-proxy/Caddyfile new file mode 100644 index 0000000..b8ea666 --- /dev/null +++ b/reverse-proxy/Caddyfile @@ -0,0 +1,7 @@ +:3000 { + # Reverse proxy for /api + reverse_proxy /api/* http://localhost:8080 + + # Reverse proxy for all other requests + reverse_proxy http://localhost:3333 +} diff --git a/reverse-proxy/Caddyfile.trust-proxy b/reverse-proxy/Caddyfile.trust-proxy new file mode 100644 index 0000000..cb40581 --- /dev/null +++ b/reverse-proxy/Caddyfile.trust-proxy 
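Review bot: The new default `reverse-proxy/Caddyfile` drops the explicit `header_up X-Forwarded-*` lines without recording what replaces them. Recent Caddy 2 releases set these headers themselves in `reverse_proxy` and discard client-supplied values when no `trusted_proxies` is configured, which is presumably what this relies on. The Caddy version in the image is not visible here, so that is worth confirming. A comment such as `# X-Forwarded-* headers are set by Caddy; client-supplied values are ignored` would state the intent. The removed config also sent `X-Forwarded-Host` as `{host}:{server_port}`, so the backend may now see a different value if it reads that header.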
@@ -0,0 +1,14 @@ +:3000 { + reverse_proxy /* http://localhost:3333 { + trusted_proxies 0.0.0.0/0 + } + + reverse_proxy /api/* http://localhost:8080 { + trusted_proxies 0.0.0.0/0 + } + + log { + output file /var/log/caddy/access.log + level WARN + } +} \ No newline at end of file diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh index 34fd772..e3a2978 100644 --- a/scripts/docker-entrypoint.sh +++ b/scripts/docker-entrypoint.sh @@ -4,10 +4,17 @@ cp -rn /tmp/img/* /opt/app/frontend/public/img # Start Caddy -caddy start --config /etc/caddy/Caddyfile & +if [ "$TRUST_PROXY" = "true" ]; then + caddy start --config /etc/caddy/Caddyfile.trust-proxy & +else + caddy start --config /etc/caddy/Caddyfile & +fi + # Run the frontend server PORT=3333 HOSTNAME=0.0.0.0 node frontend/server.js & + # Run the backend server cd backend && npm run prod + # Wait for all processes to finish wait -n
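Review bot: `trusted_proxies 0.0.0.0/0` in both `reverse_proxy` blocks trusts every IPv4 peer, so with `TRUST_PROXY=true` the forwarded headers are taken from whoever connects, not only from the operator's proxy. Anything downstream keyed on client IP (logging, and rate limiting if the backend does any) then depends on the port being unreachable except through the proxy. The range also leaves out IPv6, so a proxy connecting over IPv6 would not be trusted at all. I would narrow it to something the operator can set, for example `trusted_proxies {$TRUSTED_PROXIES:private_ranges}`, where `TRUSTED_PROXIES` is a suggested new variable. Separately, the `log` block exists only in this variant and uses `level WARN`; Caddy writes ordinary access-log entries at INFO, so this probably records only error responses, which should be confirmed as intended.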
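Review bot: The new `if [ "$TRUST_PROXY" = "true" ]` test matches only the exact lowercase string, so `TRUE`, `1` or `yes` fall through to the default config without any message. Falling back to the non-trusting Caddyfile is the safe direction, but the operator gets no indication of which config was loaded and may see the proxy's address as the client IP without knowing why. I would add `echo "Caddy config: trust-proxy"` and `echo "Caddy config: default"` in the two branches so the choice shows up in the container log.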