Merge branch 'fix/proxy-forwarded-ips' into dev: trust X-Forwarded-* from off-host Caddy

This commit is contained in:
2026-04-22 13:08:01 -05:00
2 changed files with 35 additions and 11 deletions

View File

@@ -98,10 +98,14 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
# Run Uvicorn directly. --proxy-headers + --forwarded-allow-ips make
# Starlette's ProxyHeadersMiddleware trust X-Forwarded-* only from the
# listed peer IPs (Caddy on the host). No --reload: this is a prod-shape
# image; local hot-reload is a dev concern and runs outside Docker.
CMD ["uvicorn", "app.main:app", \
"--host", "0.0.0.0", \
"--port", "8080", \
"--proxy-headers", \
"--forwarded-allow-ips", "127.0.0.1"]
# listed peer IPs. The trusted-IP value is env-driven so the image
# can be reused across topologies:
# - local: defaults to 127.0.0.1 (when running uvicorn on the host)
# - docker/compose behind Caddy: set FORWARDED_ALLOW_IPS="*" in .env
# because the container's source IP is the bridge gateway, not
# 127.0.0.1. Safe because the host only binds 127.0.0.1:8080 so
# nothing off-host can reach uvicorn directly.
# `sh -c exec` keeps uvicorn as PID 1 so SIGTERM still triggers a
# graceful shutdown (exec form was fine before, but we need shell
# expansion for ${FORWARDED_ALLOW_IPS}).
CMD ["sh", "-c", "exec uvicorn app.main:app --host 0.0.0.0 --port 8080 --proxy-headers --forwarded-allow-ips \"${FORWARDED_ALLOW_IPS:-127.0.0.1}\""]

View File

@@ -27,11 +27,31 @@ services:
pull_policy: always
env_file:
- .env
# Override the Dockerfile CMD so uvicorn trusts X-Forwarded-* headers.
# Caddy lives on another server (10.10.99.10) and speaks HTTP to this
# VM on port 8080. Even so, the source IP *inside* the container is
# the Docker bridge gateway (typically 172.17.0.1), NOT 10.10.99.10,
# because Docker NATs the inbound connection. That means allowlisting
# 10.10.99.10 would never match — uvicorn would still drop X-Forwarded-*
# and Starlette would build http:// URLs under an https:// page,
# tripping `img-src 'self'` CSP on the logo, fonts, etc.
#
# "*" is acceptable here because access to port 8080 is controlled
# at the network layer (host firewall / VLAN) — only the Caddy box
# can reach it. If you later move Caddy onto this same host, change
# this back to a specific gateway IP.
command: >
uvicorn app.main:app
--host 0.0.0.0
--port 8080
--proxy-headers
--forwarded-allow-ips *
ports:
# Bind to loopback only. Caddy (on the host) proxies inbound 443 here.
# Exposing on 0.0.0.0 would let anything on the LAN hit uvicorn
# directly and bypass TLS termination + rate limits.
- "127.0.0.1:8080:8080"
# Caddy on 10.10.99.10 reverse-proxies to <this-vm>:8080. Binding
# on all interfaces keeps the compose portable; lock down access
# with the VM's host firewall (nftables / ufw) or upstream
# (OPNsense) to only permit 10.10.99.10 → :8080.
- "8080:8080"
volumes:
# SQLite DB + media uploads live on the host so container rebuilds /
# image rolls don't wipe content. The container runs as uid 10001;