[chore] added documentation to the Caddyfile (#73)

* [chore] added documentation to the Caddyfile

- additional information for usage with reverse proxies

* forward X-Forwarded headers in default config
This commit is contained in:
Eric Schubert
2024-06-05 15:38:30 +02:00
committed by GitHub
parent 7c00ebe2df
commit 9a9b458a2f
2 changed files with 21 additions and 6 deletions

@@ -1,7 +1,17 @@
:80 {
root * /public
reverse_proxy * http://${APP_HOST}:8080
reverse_proxy * http://${APP_HOST}:8080 {
# The following directives are needed to make the proxy forward explicitly the X-Forwarded-* headers. If unset,
# Caddy will reset them. See: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#defaults
# This is needed, if you are using a reverse proxy in front of the compose stack and Caddy is NOT your first
# point of contact.
# When using Caddy is reachable as a first point of contact, it is highly recommended to configure the server's
# global `trusted_proxies` directive. See: https://caddyserver.com/docs/caddyfile/options#trusted-proxies
header_up X-Forwarded-Proto {header.X-Forwarded-Proto}
header_up X-Forwarded-For {header.X-Forwarded-For}
}
file_server
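Review bot: the two `header_up` lines inside the `reverse_proxy` block copy `X-Forwarded-Proto` and `X-Forwarded-For` straight from the incoming request, so wherever this Caddy is the first point of contact a client can supply both values and the application behind it receives them as if a proxy had set them. The comment above them already states that Caddy resets these headers when the lines are absent and recommends `trusted_proxies`, so the safer default is to ship the block without the `header_up` lines (or with them commented out) and let operators who run another proxy in front opt in, preferably through `trusted_proxies` rather than unconditional pass-through. Wording in the same comment: "When using Caddy is reachable as a first point of contact" should read "When Caddy is reachable as the first point of contact".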

@@ -30,7 +30,7 @@ docker compose up -d
After a while, OpenProject should be up and running on <http://localhost:8080>.
**HTTPS/SSL**
### HTTPS/SSL
By default OpenProject starts with the HTTPS option **enabled**, but it **does not** handle SSL termination itself. This
is usually done separately via a [reverse proxy
@@ -39,7 +39,13 @@ Without this you will run into an `ERR_SSL_PROTOCOL_ERROR` when accessing OpenPr
See below how to disable HTTPS.
**PORT**
Be aware that if you want to use the integrated Caddy proxy as a proxy with outbound connections, you need to rewrite the
`Caddyfile`. In the default state, it is configured to forward the `X-Forwarded-*` headers from the reverse proxy in
front of it and not setting them itself. This is considered a security flaw and should instead be solved by configuring
`trusted_proxies` inside the `Caddyfile`. For more information read
the [Caddy documentation](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy).
### PORT
By default the port is bound to `0.0.0.0` means access to OpenProject will be public.
See below how to change that.
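Review bot: the paragraph added before `### PORT` calls the shipped default "a security flaw" but does not tell the reader which lines to change, and "a proxy with outbound connections" does not say which deployment is meant. Suggest stating directly that when the bundled Caddy is exposed to clients, the two `header_up X-Forwarded-*` lines in the `Caddyfile` should be removed and `trusted_proxies` configured, and linking the `trusted_proxies` option page (https://caddyserver.com/docs/caddyfile/options#trusted-proxies, already cited in the Caddyfile comment) rather than the general `reverse_proxy` page. Grammar: "and not setting them itself" should be "and does not set them itself".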
@@ -128,7 +134,6 @@ If you're running into weird network issues and timeouts such as the one describ
frontend and backend networks. This might be connected to using podman for orchestration, although we haven't been able
to confirm this.
### SMTP setup fails: Network is unreachable.
Make sure your container has DNS resolution to access external SMTP server when set up as described in
@@ -136,6 +141,6 @@ Make sure your container has DNS resolution to access external SMTP server when
```yml
worker:
dns:
- "Your DNS IP" # OR add a public DNS resolver like 8.8.8.8
dns:
- "Your DNS IP" # OR add a public DNS resolver like 8.8.8.8
```