Update configs for trusted proxies, HTTPS, and log paths

Revised proxy settings to dynamically include trusted IPs and ensured HTTPS redirections. Adjusted log mount path in Docker compose to align with application structure. Removed unused Traefik certificate volume for cleanup.
2025-01-10 12:49:43 +01:00
parent e09224754f
commit 76dfaf5d93
3 changed files with 11 additions and 4 deletions
--- a/templates/compose.yaml
+++ b/templates/compose.yaml
@@ -30,7 +30,7 @@ services:
        volumes:
            - './config/prod:/var/www/app/config/packages/prod:ro'
            - './var:/var/www/app/var:rw'
-            - '/var/logs/chill:/var/www/app/logs'
+            - '/var/logs/chill:/var/www/app/var/logs'
            - '{{ doc_storage_dir }}/{{ item['chill_environment'] }}:/var/storage'
        links:
            - redis
--- a/templates/config/prod/framework.yaml
+++ b/templates/config/prod/framework.yaml
@@ -1,3 +1,7 @@
 framework:
-    trusted_proxies: '172.0.0.0/8'
-    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
+    trusted_proxies: '127.0.0.1,REMOTE_ADDR{% for ip in traefik_trusted_ips|default([]) %},{{ ip }}{% endfor %}'
+    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
+
+parameters:
+    router.request_context.scheme: 'https'
+    asset.request_context.secure: true
--- a/templates/traefik-compose.yaml
+++ b/templates/traefik-compose.yaml
@@ -13,7 +13,11 @@ services:
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entryPoints.web.address=:80"
+      - "--entryPoints.web.http.redirections.entrypoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
+      {%+ for ip in traefik_trusted_ips|default([]) +%}
+      - "--entryPoints.websecure.forwardedHeaders.trustedIPs={{ ip }}"
+      {%+ endfor +%}
      {%+ for c in chills +%}
      {%+ if c.expose_port is not false +%}
      - "--entryPoints.chill{{ c.chill_environment }}.address=:{{ c.expose_port }}"
@@ -35,7 +39,6 @@ services:
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
-      - /var/traefik/certs:/var/traefik/certs
    networks:
      - traefik