fix: pkg: the og tags did not have proper http schema - they should have https #4

.env.dist

@@ -6,6 +6,9 @@
 APP_ENV=dev
 APP_SECRET=changethis
 APP_NAME=mineseeker
+# TRUSTED_PROXIES: Only needed for bare-metal dev behind a reverse proxy
+# For Docker development, this is set in compose.override.yaml
+# For production, set in PROD_ENV_FILE Gitea secret (use 172.18.0.0/16 initially)
 #TRUSTED_PROXIES=127.0.0.1,127.0.0.2
 #TRUSTED_HOSTS=localhost,example.com
 ###< symfony/framework-bundle ###

Caddyfile

@@ -13,6 +13,10 @@
 
 	encode zstd br gzip
 
+	# Forward scheme information to the PHP application
+	header X-Forwarded-Proto {scheme}
+	header X-Forwarded-Host {host}
+
 	mercure {
 		transport_url    {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
 		publisher_jwt    {$MERCURE_JWT_SECRET} HS256

README.md

@@ -151,6 +151,7 @@ services:
   app:
     environment:
       MAILER_DSN: smtp://mail:1025?verify_peer=0
+      TRUSTED_PROXIES: "0.0.0.0/0"
   mail:
     image: mailhog/mailhog:latest
     ports:
@@ -233,8 +234,13 @@ MERCURE_SUBSCRIBER_JWT="<generated by make mercure-jwt>"
 APP_PUBLIC_HOSTNAME=mineseeker.hu
 WEBAUTHN_RP_ID=mineseeker.hu
 WEBAUTHN_ORIGIN=https://mineseeker.hu
-```
 
+# OG Tags & Social Media Sharing (IMPORTANT for Docker deployments)
+# TRUSTED_PROXIES: IP address (or range) of your reverse proxy (Caddy/Nginx)
+# This ensures OG image tags use HTTPS URLs instead of HTTP
+TRUSTED_PROXIES="172.18.0.0/16"
+TRUSTED_HOSTS="mineseeker.hu,www.mineseeker.hu"
+```
 ### Production server: one-time setup
 
 The server needs Docker, Git, and a self-hosted `act_runner` registered against the Gitea repository. Bun and Composer run inside the multi-stage Dockerfile, so they are not needed on the server.
@@ -254,7 +260,7 @@ make mercure-jwt
 
 Copy the three printed values into the `PROD_ENV_FILE` secret.
 
-#### 5. First deploy
+#### 3. First deploy
 
 Trigger it by pushing the first tag:
 
@@ -265,7 +271,7 @@ git push origin v2026.01
 
 This writes `.env`, builds the Docker image, starts all services, runs migrations, and initialises the MinIO buckets automatically via `minio_init`.
 
-#### 6. Verify
+#### 4. Verify
 
 ```bash
 docker compose ps        # all services should be healthy/running

compose.yaml

@@ -31,6 +31,7 @@ services:
       MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
       MINIO_ENDPOINT: http://minio:9000
       MINIO_PUBLIC_URL: ${MINIO_PUBLIC_URL:-http://localhost:9000}
+      TRUSTED_PROXIES: ${TRUSTED_PROXIES}
     volumes:
       - app_var:/app/var
       - caddy_data:/data
@@ -88,6 +89,8 @@ services:
       RELAYHOST_PASSWORD: ${MAIL_RELAYHOST_PASSWORD:-}
     volumes:
       - postfix_spool:/var/spool/postfix
+      - ./docker/aliases:/tmp/aliases:ro
+    entrypoint: sh -c 'newaliases 2>/dev/null || true; /init'
   db:
     image: postgres:${POSTGRES_VERSION:-18}-alpine
     restart: unless-stopped
@@ -113,3 +116,5 @@ volumes:
   caddy_config:
   postfix_spool:
   minio_data:
+
+

docker/aliases

@@ -0,0 +1,5 @@
+# Postfix aliases file
+# Mail addressed to system users are redirected to this address
+postmaster: root
+root: root
+

public/index.php

@@ -25,7 +25,7 @@ if ($debug) {
 }
 
 if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? false) {
-    Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST);
+    Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PROTO);
 }
 
 if ($trustedHosts = $_SERVER['TRUSTED_HOSTS'] ?? false) {