From 8780800dffc4c823345733b8ebdbf2e62e59e23a Mon Sep 17 00:00:00 2001
From: Lang <7system7@gmail.com>
Date: Wed, 15 Apr 2026 14:33:53 +0200
Subject: [PATCH] fix: pkg: the og tags did not have proper http schema - they should have https #4
---
 .env.dist | 3 +++
 Caddyfile | 4 ++++
 README.md | 12 +++++++++---
 compose.yaml | 5 +++++
 docker/aliases | 5 +++++
 public/index.php | 2 +-
 6 files changed, 27 insertions(+), 4 deletions(-)
 create mode 100644 docker/aliases
diff --git a/.env.dist b/.env.dist
index f4dccff..e71888f 100644
--- a/.env.dist
+++ b/.env.dist
@@ -6,6 +6,9 @@ APP_ENV=dev
 APP_SECRET=changethis
 APP_NAME=mineseeker
+# TRUSTED_PROXIES: Only needed for bare-metal dev behind a reverse proxy
+# For Docker development, this is set in compose.override.yaml
+# For production, set in PROD_ENV_FILE Gitea secret (use 172.18.0.0/16 initially)
 #TRUSTED_PROXIES=127.0.0.1,127.0.0.2
 #TRUSTED_HOSTS=localhost,example.com
 ###< symfony/framework-bundle ###
diff --git a/Caddyfile b/Caddyfile
index 34cab8f..fd0b22d 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -13,6 +13,10 @@ encode zstd br gzip
+ # Forward scheme information to the PHP application
+ header X-Forwarded-Proto {scheme}
+ header X-Forwarded-Host {host}
+
 mercure {
 transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
 publisher_jwt {$MERCURE_JWT_SECRET} HS256
diff --git a/README.md b/README.md
index effc164..c9f66a3 100644
--- a/README.md
+++ b/README.md
@@ -151,6 +151,7 @@ services:
 app:
 environment:
 MAILER_DSN: smtp://mail:1025?verify_peer=0
+ TRUSTED_PROXIES: "0.0.0.0/0"
 mail:
 image: mailhog/mailhog:latest
 ports:
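Review bot: The added comment `(use 172.18.0.0/16 initially)` recommends a whole Docker network as the production TRUSTED_PROXIES value, which makes every container on that network, not only the reverse proxy, a trusted source of X-Forwarded-For/Host/Proto; Docker also hands out compose network subnets from its address pools, so 172.18.0.0/16 is a host-specific allocation rather than a stable default. The README hunk starting at line 234 repeats the same value. Suggest rewording the comment to `# For production, set to the reverse proxy's address or its dedicated network (check with docker network inspect); a whole /16 trusts every container on it` so operators verify the range instead of copying a guess.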
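Review bot: `header X-Forwarded-Proto {scheme}` and `header X-Forwarded-Host {host}` set response headers, so the PHP application never receives them and they play no part in the scheme fix, which comes from index.php trusting the upstream proxy's X-Forwarded-Proto once TRUSTED_PROXIES reaches the container. The request-side directive would be `request_header`, but when TLS is terminated by a proxy in front of this container, `{scheme}` here is presumably `http` and a request_header would overwrite the correct value that proxy sent, so the safer change is to remove the two lines and their comment rather than convert them. Emitting X-Forwarded-* to browsers in responses discloses nothing sensitive, but it will mislead the next reader about where the scheme is decided. The enclosing site block starts and ends outside the hunk.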
@@ -233,8 +234,13 @@ MERCURE_SUBSCRIBER_JWT=""
 APP_PUBLIC_HOSTNAME=mineseeker.hu
 WEBAUTHN_RP_ID=mineseeker.hu
 WEBAUTHN_ORIGIN=https://mineseeker.hu
-```
+# OG Tags & Social Media Sharing (IMPORTANT for Docker deployments)
+# TRUSTED_PROXIES: IP address (or range) of your reverse proxy (Caddy/Nginx)
+# This ensures OG image tags use HTTPS URLs instead of HTTP
+TRUSTED_PROXIES="172.18.0.0/16"
+TRUSTED_HOSTS="mineseeker.hu,www.mineseeker.hu"
+```
 ### Production server: one-time setup
 The server needs Docker, Git, and a self-hosted `act_runner` registered against the Gitea repository. Bun and Composer run inside the multi-stage Dockerfile, so they are not needed on the server.
@@ -254,7 +260,7 @@ make mercure-jwt
 Copy the three printed values into the `PROD_ENV_FILE` secret.
-#### 5. First deploy
+#### 3. First deploy
 Trigger it by pushing the first tag:
@@ -265,7 +271,7 @@ git push origin v2026.01
 This writes `.env`, builds the Docker image, starts all services, runs migrations, and initialises the MinIO buckets automatically via `minio_init`.
-#### 6. Verify
+#### 4. Verify
 ```bash
 docker compose ps # all services should be healthy/running
diff --git a/compose.yaml b/compose.yaml
index 036d86c..e740c25 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -31,6 +31,7 @@ services:
 MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
 MINIO_ENDPOINT: http://minio:9000
 MINIO_PUBLIC_URL: ${MINIO_PUBLIC_URL:-http://localhost:9000}
+ TRUSTED_PROXIES: ${TRUSTED_PROXIES}
 volumes:
 - app_var:/app/var
 - caddy_data:/data
@@ -88,6 +89,8 @@ services:
 RELAYHOST_PASSWORD: ${MAIL_RELAYHOST_PASSWORD:-}
 volumes:
 - postfix_spool:/var/spool/postfix
+ - ./docker/aliases:/tmp/aliases:ro
+ entrypoint: sh -c 'newaliases 2>/dev/null || true; /init'
 db:
 image: postgres:${POSTGRES_VERSION:-18}-alpine
 restart: unless-stopped
@@ -113,3 +116,5 @@ volumes:
 caddy_config:
 postfix_spool:
 minio_data:
+
+
diff --git a/docker/aliases b/docker/aliases
new file mode 100644
index 0000000..169b2cd
--- /dev/null
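Review bot: `TRUSTED_PROXIES: ${TRUSTED_PROXIES}` in the first compose.yaml hunk passes the variable through unconditionally, so an unset value makes `docker compose` warn and inject an empty string; the neighbouring `${MAIL_RELAYHOST_PASSWORD:-}` shows the file's own convention, and `${TRUSTED_PROXIES:-}` would match it and make the setting explicitly optional (index.php already treats an empty value as "not set"). Now that the value reaches the app container, a permissive development setting such as the README's `"0.0.0.0/0"` must never land in the production env file: with it, every client can supply X-Forwarded-Host/Proto/For and thereby choose the host in generated absolute URLs and the client IP the app records. A comment on the line, `# reverse proxy address/range only; never 0.0.0.0/0 outside local dev`, would record that constraint next to the pass-through.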
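Review bot: `entrypoint: sh -c 'newaliases 2>/dev/null || true; /init'` in the second compose.yaml hunk runs `/init` as a child of `sh`, so `sh` remains PID 1 and does not forward SIGTERM; `docker stop` then waits out the grace period and SIGKILLs postfix instead of letting it drain its queue. `2>/dev/null || true` also discards every newaliases failure, so a malformed docker/aliases goes unnoticed at startup. Both are fixed by `entrypoint: sh -c 'newaliases || echo "newaliases failed" >&2; exec /init'`. Nothing in the hunk connects the `/tmp/aliases` mount to `newaliases`, which rebuilds the alias database configured in the image's main.cf, so presumably the image's `/init` copies the file into place; a comment naming the image feature relied on would save the next reader the same investigation.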
+++ b/docker/aliases
@@ -0,0 +1,5 @@
+# Postfix aliases file
+# Mail addressed to system users are redirected to this address
+postmaster: root
+root: root
+
diff --git a/public/index.php b/public/index.php
index 9934623..78600eb 100644
--- a/public/index.php
+++ b/public/index.php
@@ -25,7 +25,7 @@ if ($debug) {
 }
 if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? false) {
-    Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST);
+    Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PROTO);
 }
 if ($trustedHosts = $_SERVER['TRUSTED_HOSTS'] ?? false) {
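Review bot: `root: root` maps root to itself, so mail for root, and for postmaster through it, ends up in a local mailbox inside the mail container where nobody reads it, although compose.yaml already configures a relayhost for this service. If the intent is to see bounces and cron output, point root at a real address, e.g. `root: <ops-mailbox>` (placeholder), and keep `postmaster: root`. The comment also reads better as `# Mail addressed to system users is redirected to this address`.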
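Review bot: The effective change on the `+    Request::setTrustedProxies(...)` line is that X-Forwarded-Host is now trusted, which the old mask excluded on purpose, and X-Forwarded-Port no longer is; as far as I recall `HEADER_X_FORWARDED_ALL` already covered Proto, so the https fix itself comes from compose.yaml finally passing TRUSTED_PROXIES into the container. Trusting Host means a forwarded Host value chosen by the client lands verbatim in every absolute URL the app builds, OG tags included, unless the proxy overwrites that header or TRUSTED_HOSTS (checked just below the hunk) is set in every deployment; record the coupling above the line with `// X-Forwarded-Host is trusted: keep TRUSTED_HOSTS set, or the proxy must overwrite the header itself`. Dropping Port means a proxy reached on a non-default port yields URLs without it, so add `| Request::HEADER_X_FORWARDED_PORT` unless that is intended. `explode(',', $trustedProxies)` also keeps stray spaces around entries, which defeat the IP/range match; `array_map('trim', explode(',', $trustedProxies))` is the robust form. If the project runs Symfony 6 or newer, the removed `HEADER_X_FORWARDED_ALL` constant would have made the old line fatal whenever TRUSTED_PROXIES was set, which would explain why the setting was never enabled before.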