From e792c4d4f5b3f4682a0a440b8290101609b61654 Mon Sep 17 00:00:00 2001
From: Thomas Peterson
Date: Mon, 8 Jun 2026 19:37:00 +0200
Subject: [PATCH] =?UTF-8?q?Fix:=20Caddy=20als=20trusted=20proxy=20?=
 =?UTF-8?q?=E2=86=92=20generierte=20URLs=20nutzen=20https?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Symfony vertraute Caddys X-Forwarded-Proto nicht, daher lauteten QR- und Wallet-Barcode-URLs http:// statt https://. framework.trusted_proxies auf %env(TRUSTED_PROXIES)% gesetzt (Prod: 10.0.0.0/16, Dev: 127.0.0.1).

Co-Authored-By: Claude Opus 4.8
---
 backend/.env | 3 +++
 backend/config/packages/framework.yaml | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/backend/.env b/backend/.env
index 06c87ee..828a504 100644
--- a/backend/.env
+++ b/backend/.env
@@ -49,6 +49,9 @@ JWT_PASSPHRASE=d75959918d9ccc5c89c62edbd6e6c6af82d6e2a3d303c53a6f3328e94a05b60a
 ###> App ###
 # Portal-Domain (für On-Demand-TLS-Autorisierung). In Prod auf die echte Domain setzen.
 APP_PORTAL_DOMAIN=localhost
+# Reverse-Proxy, dem X-Forwarded-* vertraut wird. Dev: kein echter Proxy → leer.
+# Prod (.env.prod.local): das private Netz von Caddy, z. B. 10.0.0.0/16.
+TRUSTED_PROXIES=127.0.0.1
 ###< App ###

 ###> S3 / Object Storage (Druck-Assets) ###
diff --git a/backend/config/packages/framework.yaml b/backend/config/packages/framework.yaml
index 7e1ee1f..1ddfe5c 100644
--- a/backend/config/packages/framework.yaml
+++ b/backend/config/packages/framework.yaml
@@ -2,6 +2,11 @@
 framework:
 secret: '%env(APP_SECRET)%'

+ # Hinter Caddy (Reverse-Proxy): dessen X-Forwarded-Proto/Host vertrauen, damit
+ # generierte Absolut-URLs (QR, Wallet-Barcode) https + richtige Domain nutzen.
+ trusted_proxies: '%env(TRUSTED_PROXIES)%'
+ trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
+
 # Note that the session will be started ONLY if you read or write from it.
 session: true
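Review bot: The comment added above `TRUSTED_PROXIES` says the dev value should be empty because there is no real proxy, but the line sets `127.0.0.1`, and the commit message also gives 127.0.0.1 for dev. The comment should match the value, for example `# Dev: loopback only (127.0.0.1), no real proxy.` The suggested production value `10.0.0.0/16` makes every host in that private network a trusted source of X-Forwarded-* headers, so any of them that can reach the backend directly decides the client IP, scheme and host Symfony sees. The comment should recommend Caddy's own address or the narrowest subnet it can have, and state that the backend port must only be reachable through Caddy.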
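Review bot: `trusted_headers` includes `x-forwarded-host` and `x-forwarded-port`, and Symfony accepts each listed header from any request that arrives via a trusted proxy, so a header Caddy does not set or overwrite itself would reach URL generation with whatever value the client sent. The Caddy configuration is not part of this patch; to my knowledge its reverse_proxy sets X-Forwarded-For, -Proto and -Host by default but not -Port, so this should be confirmed. If it holds, trim the list to what the proxy controls: `trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto']`. Since the forwarded host now ends up in the absolute URLs encoded into QR codes and wallet barcodes, pinning the accepted host names with `framework.trusted_hosts` would add a second check that does not depend on the proxy range being tight.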