5aad7fd48f80d46cc156ed73ccd7fd18e7a73537
Site was loading under https but Starlette built logo/static URLs as
http, tripping CSP `img-src 'self'`. Root cause: Dockerfile hardcoded
`--forwarded-allow-ips 127.0.0.1`, but with Caddy on a separate host
(10.10.99.10) reverse-proxying to this VM, the container sees the
request's source IP as the Docker bridge gateway (~172.17.0.1), not
Caddy's real IP — uvicorn discarded X-Forwarded-Proto and fell back
to scheme=http.
Fixes both now and later:
- Dockerfile CMD switched to `sh -c exec uvicorn ... --forwarded-allow-ips
"${FORWARDED_ALLOW_IPS:-127.0.0.1}"`. PID-1 / signal behaviour preserved
via exec. Default stays 127.0.0.1 so host-uvicorn dev is unchanged;
prod sets FORWARDED_ALLOW_IPS=* via .env or compose `command:`.
- docker-compose.prod.yml gets an explicit `command:` override so the
currently-deployed image (with the hardcoded 127.0.0.1 flag) can be
fixed without waiting for a rebuild. Also corrected the port binding
comment + default: Caddy is off-host, so the port must be reachable
over the LAN — restrict with host firewall / OPNsense instead.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The file is empty.
Description
Languages
Python
83.8%
HTML
8.7%
CSS
3.5%
JavaScript
1.7%
Shell
1.2%
Other
1.1%