Fix: Caddy als trusted proxy → generierte URLs nutzen https

Symfony vertraute Caddys X-Forwarded-Proto nicht, daher lauteten QR- und Wallet-Barcode-URLs http:// statt https://. framework.trusted_proxies auf %env(TRUSTED_PROXIES)% gesetzt (Prod: 10.0.0.0/16, Dev: 127.0.0.1). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 19:37:00 +02:00 · 2026-06-08 19:37:00 +02:00 · e792c4d4f5
commit e792c4d4f5
parent 183b7c10b0
2 changed files with 8 additions and 0 deletions
--- a/backend/.env
+++ b/backend/.env
@ -49,6 +49,9 @@ JWT_PASSPHRASE=d75959918d9ccc5c89c62edbd6e6c6af82d6e2a3d303c53a6f3328e94a05b60a
 ###> App ###
 # Portal-Domain (für On-Demand-TLS-Autorisierung). In Prod auf die echte Domain setzen.
 APP_PORTAL_DOMAIN=localhost
+# Reverse-Proxy, dem X-Forwarded-* vertraut wird. Dev: kein echter Proxy → leer.
+# Prod (.env.prod.local): das private Netz von Caddy, z. B. 10.0.0.0/16.
+TRUSTED_PROXIES=127.0.0.1
 ###< App ###

 ###> S3 / Object Storage (Druck-Assets) ###
--- a/backend/config/packages/framework.yaml
+++ b/backend/config/packages/framework.yaml
@ -2,6 +2,11 @@
 framework:
    secret: '%env(APP_SECRET)%'

+    # Hinter Caddy (Reverse-Proxy): dessen X-Forwarded-Proto/Host vertrauen, damit
+    # generierte Absolut-URLs (QR, Wallet-Barcode) https + richtige Domain nutzen.
+    trusted_proxies: '%env(TRUSTED_PROXIES)%'
+    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
+
    # Note that the session will be started ONLY if you read or write from it.
    session: true