From 76dfaf5d9391e16e7d1a18e07665266949502b2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Fastr=C3=A9?=
Date: Fri, 10 Jan 2025 12:49:43 +0100
Subject: [PATCH] Update configs for trusted proxies, HTTPS, and log paths

Revised proxy settings to dynamically include trusted IPs and ensured HTTPS redirections. Adjusted log mount path in Docker compose to align with application structure. Removed unused Traefik certificate volume for cleanup.
---
 templates/compose.yaml | 2 +-
 templates/config/prod/framework.yaml | 8 ++++++--
 templates/traefik-compose.yaml | 5 ++++-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/templates/compose.yaml b/templates/compose.yaml
index aafe356..d2fc9df 100644
--- a/templates/compose.yaml
+++ b/templates/compose.yaml
@@ -30,7 +30,7 @@ services:
 volumes:
 - './config/prod:/var/www/app/config/packages/prod:ro'
 - './var:/var/www/app/var:rw'
- - '/var/logs/chill:/var/www/app/logs'
+ - '/var/logs/chill:/var/www/app/var/logs'
 - '{{ doc_storage_dir }}/{{ item['chill_environment'] }}:/var/storage'
 links:
 - redis
diff --git a/templates/config/prod/framework.yaml b/templates/config/prod/framework.yaml
index 2c8855e..4827806 100644
--- a/templates/config/prod/framework.yaml
+++ b/templates/config/prod/framework.yaml
@@ -1,3 +1,7 @@
 framework:
- trusted_proxies: '172.0.0.0/8'
- trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
\ No newline at end of file
+ trusted_proxies: '127.0.0.1,REMOTE_ADDR{% for ip in traefik_trusted_ips|default([]) %},{{ ip }}{% endfor %}'
+ trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
+
+parameters:
+ router.request_context.scheme: 'https'
+ asset.request_context.secure: true
\ No newline at end of file
diff --git a/templates/traefik-compose.yaml b/templates/traefik-compose.yaml
index e896468..4f603c3 100644
--- a/templates/traefik-compose.yaml
+++ b/templates/traefik-compose.yaml
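Review bot: The new log mount `'/var/logs/chill:/var/www/app/var/logs'` uses a host path without the per-environment suffix that the storage mount on the next line takes from `item['chill_environment']`; if this template is rendered once per environment, as that suffix suggests, every instance shares and interleaves its logs in `/var/logs/chill`. It is also the only entry in this `volumes:` list without an explicit access mode, and its destination now nests inside the `./var:/var/www/app/var:rw` mount above it, so anything the app writes under `var/logs` no longer lands in `./var`. Consider `- '/var/logs/chill/{{ item['chill_environment'] }}:/var/www/app/var/logs:rw'`, which also keeps each environment's log directory separable when the host path is given tighter permissions. The service definition this `volumes:` list belongs to starts above the hunk.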
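Review bot: `REMOTE_ADDR` in `trusted_proxies` makes the application accept `X-Forwarded-*` headers from whichever peer connects to it directly, so the new value is only sound while the app container is reachable solely from Traefik on the Docker network and never publishes its own port; that precondition is not visible here and deserves a comment above the key, e.g. `# REMOTE_ADDR trusts the directly-connected peer (Traefik); the app port must never be published`. Appending `traefik_trusted_ips` as well is what lets Symfony walk past those upstream hops in `X-Forwarded-For` to reach the real client address, so that part looks right, but a one-line comment saying so would spare the next reader the reasoning. The file still ends without a trailing newline (`\ No newline at end of file` appears on both sides of the hunk).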
@@ -13,7 +13,11 @@ services:
 - "--providers.docker=true"
 - "--providers.docker.exposedByDefault=false"
 - "--entryPoints.web.address=:80"
+ - "--entryPoints.web.http.redirections.entrypoint.scheme=https"
 - "--entryPoints.websecure.address=:443"
+ {%+ for ip in traefik_trusted_ips|default([]) +%}
+ - "--entryPoints.websecure.forwardedHeaders.trustedIPs={{ ip }}"
+ {%+ endfor +%}
 {%+ for c in chills +%}
 {%+ if c.expose_port is not false +%}
 - "--entryPoints.chill{{ c.chill_environment }}.address=:{{ c.expose_port }}"
@@ -35,7 +39,6 @@ services:
 volumes:
 # So that Traefik can listen to the Docker events
 - /var/run/docker.sock:/var/run/docker.sock
- - /var/traefik/certs:/var/traefik/certs
 networks:
 - traefik
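Review bot: The loop emits one `--entryPoints.websecure.forwardedHeaders.trustedIPs=` flag per address, but Traefik documents this option as a single comma-separated list, and whether repeated occurrences of the same flag accumulate or the last one wins is a property of its CLI parser rather than of the documented interface; the single-flag rendering avoids the question: `{%+ if traefik_trusted_ips|default([]) +%}`, `- "--entryPoints.websecure.forwardedHeaders.trustedIPs={{ traefik_trusted_ips|join(',') }}"`, `{%+ endif +%}`. Only `websecure` receives the trusted list; the per-environment `chill{{ c.chill_environment }}` entry points defined below it do not, so forwarded headers arriving on those ports are presumably replaced with Traefik's own view of the client, which is fine if they are not behind the same upstream proxies but is worth a comment either way. The `command:` list these items belong to begins above the hunk.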