fix(app): add configuration and docs for ssl proxies

docs: add documentation for trusted proxies
m-thalmann · Aug 11, 2024 · 437c271 · 437c271
1 parent 86d5c94
commit 437c271
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 12 deletions.
diff --git a/.env.example b/.env.example
@@ -5,7 +5,7 @@ APP_DEBUG=true
 APP_URL=http://localhost
 APP_DEFAULT_TIMEZONE=UTC
 
-# APP_FORCE_HTTPS=true
+# APP_TRUSTED_PROXIES=localhost
 
 # APP_REGISTRATION_ENABLED=true
 # APP_EMAIL_VERIFICATION_ENABLED=true

diff --git a/app/Http/Middleware/TrustProxies.php b/app/Http/Middleware/TrustProxies.php
@@ -24,4 +24,8 @@ class TrustProxies extends Middleware {
         Request::HEADER_X_FORWARDED_PORT |
         Request::HEADER_X_FORWARDED_PROTO |
         Request::HEADER_X_FORWARDED_AWS_ELB;
+
+    public function __construct() {
+        $this->proxies = [...config('app.trusted_proxies')];
+    }
 }
diff --git a/config/app.php b/config/app.php
@@ -70,7 +70,10 @@
 
     'asset_url' => env('ASSET_URL'),
 
-    'force_https' => env('APP_FORCE_HTTPS', false),
+    'trusted_proxies' => explode(
+        ',',
+        env('APP_TRUSTED_PROXIES', 'localhost,127.0.0.1,::1')
+    ),
 
     /*
     |--------------------------------------------------------------------------

diff --git a/docker/.env.docker b/docker/.env.docker
@@ -4,7 +4,7 @@ APP_DEBUG=false
 APP_URL=http://localhost
 APP_DEFAULT_TIMEZONE=UTC
 
-# APP_FORCE_HTTPS=true
+# APP_TRUSTED_PROXIES=localhost
 
 APP_REGISTRATION_ENABLED=false
 APP_EMAIL_VERIFICATION_ENABLED=true

diff --git a/docs/configuration.md b/docs/configuration.md
@@ -50,14 +50,14 @@ php artisan queue:restart
 
 ## General
 
-| Key                    | Type     | Description                                                                | :exclamation: |
-| ---------------------- | -------- | -------------------------------------------------------------------------- | :-----------: |
-| `APP_NAME`             | `string` | The name of the application (used in the title e.g.)                       |               |
-| `APP_ENV`              | `string` | The environment of the application (e.g. `local`, `production`)            |               |
-| `APP_DEBUG`            | `bool`   | Whether the application is in debug mode                                   |               |
-| `APP_URL`              | `string` | The URL of the application where it is deployed (used for static links)    | :exclamation: |
-| `APP_DEFAULT_TIMEZONE` | `string` | The default timezone of the application (e.g. `UTC`)                       |               |
-| `APP_FORCE_HTTPS`      | `bool`   | Whether to force using HTTPS for assets and absolute routes within the app |               |
+| Key                    | Type     | Description                                                             | :exclamation: |
+| ---------------------- | -------- | ----------------------------------------------------------------------- | :-----------: |
+| `APP_NAME`             | `string` | The name of the application (used in the title e.g.)                    |               |
+| `APP_ENV`              | `string` | The environment of the application (e.g. `local`, `production`)         |               |
+| `APP_DEBUG`            | `bool`   | Whether the application is in debug mode                                |               |
+| `APP_URL`              | `string` | The URL of the application where it is deployed (used for static links) | :exclamation: |
+| `APP_DEFAULT_TIMEZONE` | `string` | The default timezone of the application (e.g. `UTC`)                    |               |
+| `APP_TRUSTED_PROXIES`  | `string` | The proxies that should be trusted by the application (comma-separated) |               |
 
 ## Security
 

diff --git a/docs/installation/docker.md b/docs/installation/docker.md
@@ -104,11 +104,16 @@ You can use a reverse proxy in front of the SecureDAV application to handle SSL
     AllowEncodedSlashes NoDecode
     ProxyPass / http://localhost:8080/ nocanon
     ProxyPassReverse / http://localhost:8080/
+
+    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
 </VirtualHost>
 ```
 
 ::: tip IMPORTANT
-When using a proxy with SSL in front of the SecureDAV application, you have to adjust the `APP_FORCE_HTTPS` environment variable in the `.env` file to `true`
+When using a proxy with SSL in front of the SecureDAV application, make sure to set the `APP_TRUSTED_PROXIES` environment variable in the `.env` file accordingly (comma separated)!
+It must include the host or ip address of the proxied server (see `ProxyPass` and `ProxyPassReverse`)!
+
+Example for the virtual host configuration above: `APP_TRUSTED_PROXIES=localhost`
 :::
 
 ## First run