fix(app): fix problem when using SSL proxy

When using a reverse proxy with SSL the links for assets and absolute urls use the http scheme. This is fixed by introducing a `APP_FORCE_HTTPS` env variable
m-thalmann · Apr 28, 2024 · 466b4f4 · 466b4f4
1 parent 613d4f2
commit 466b4f4
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 11 deletions.
diff --git a/.env.example b/.env.example
@@ -4,9 +4,14 @@ APP_KEY=
 APP_DEBUG=true
 APP_URL=http://localhost
 APP_DEFAULT_TIMEZONE=UTC
-#APP_REGISTRATION_ENABLED=true
 
-#WEBDAV_CORS_ENABLED=true
+# APP_FORCE_HTTPS=true
+
+# APP_REGISTRATION_ENABLED=true
+# APP_EMAIL_VERIFICATION_ENABLED=true
+
+WEBDAV_CORS_ENABLED=false
+# WEBDAV_CORS_ALLOWED_ORIGINS=host1,host2
 
 DB_CONNECTION=mysql
 DB_HOST=127.0.0.1

diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
@@ -2,10 +2,9 @@
 
 namespace App\Providers;
 
-use Illuminate\Auth\AuthManager;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Pagination\Paginator;
-use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\URL;
 use Illuminate\Support\ServiceProvider;
 use Illuminate\Validation\Rules\Password;
 
@@ -25,6 +24,10 @@ public function boot(): void {
         Model::preventSilentlyDiscardingAttributes(!app()->isProduction());
 
         Paginator::defaultView('components.pagination');
+
+        if (config('app.force_https', false)) {
+            URL::forceScheme('https');
+        }
     }
 
     protected function definePasswordRules(): void {

diff --git a/config/app.php b/config/app.php
@@ -70,6 +70,8 @@
 
     'asset_url' => env('ASSET_URL'),
 
+    'force_https' => env('APP_FORCE_HTTPS', false),
+
     /*
     |--------------------------------------------------------------------------
     | Application Timezone

diff --git a/docker/.env.docker b/docker/.env.docker
@@ -4,6 +4,8 @@ APP_DEBUG=false
 APP_URL=http://localhost
 APP_DEFAULT_TIMEZONE=UTC
 
+# APP_FORCE_HTTPS=true
+
 APP_REGISTRATION_ENABLED=false
 APP_EMAIL_VERIFICATION_ENABLED=true
 

diff --git a/docs/configuration.md b/docs/configuration.md
@@ -31,13 +31,14 @@ php artisan config:cache
 
 ## General
 
-| Key                    | Type     | Description                                                             | :exclamation: |
-| ---------------------- | -------- | ----------------------------------------------------------------------- | :-----------: |
-| `APP_NAME`             | `string` | The name of the application (used in the title e.g.)                    |               |
-| `APP_ENV`              | `string` | The environment of the application (e.g. `local`, `production`)         |               |
-| `APP_DEBUG`            | `bool`   | Whether the application is in debug mode                                |               |
-| `APP_URL`              | `string` | The URL of the application where it is deployed (used for static links) | :exclamation: |
-| `APP_DEFAULT_TIMEZONE` | `string` | The default timezone of the application (e.g. `UTC`)                    |               |
+| Key                    | Type     | Description                                                                | :exclamation: |
+| ---------------------- | -------- | -------------------------------------------------------------------------- | :-----------: |
+| `APP_NAME`             | `string` | The name of the application (used in the title e.g.)                       |               |
+| `APP_ENV`              | `string` | The environment of the application (e.g. `local`, `production`)            |               |
+| `APP_DEBUG`            | `bool`   | Whether the application is in debug mode                                   |               |
+| `APP_URL`              | `string` | The URL of the application where it is deployed (used for static links)    | :exclamation: |
+| `APP_DEFAULT_TIMEZONE` | `string` | The default timezone of the application (e.g. `UTC`)                       |               |
+| `APP_FORCE_HTTPS`      | `bool`   | Whether to force using HTTPS for assets and absolute routes within the app |               |
 
 ## Security
 

diff --git a/docs/installation/docker.md b/docs/installation/docker.md
@@ -87,6 +87,30 @@ docker run -d --name securedav \
 If you don't want a Redis container, you can remove the environment variables and the `-e CACHE_DRIVER=redis -e QUEUE_CONNECTION=redis` part from the `docker run` command.
 :::
 
+## Using a proxy
+
+You can use a reverse proxy in front of the SecureDAV application to handle SSL termination, load balancing, etc. The following example shows how to use a reverse proxy through Apache2:
+
+```apache
+<VirtualHost *:443>
+    ServerName securedav.example.com
+
+    SSLEngine on
+    SSLCertificateFile /path/to/cert.pem
+    SSLCertificateKeyFile /path/to/key.pem
+
+    ProxyPreserveHost On
+    ProxyRequests off
+    AllowEncodedSlashes NoDecode
+    ProxyPass / http://localhost:8080/ nocanon
+    ProxyPassReverse / http://localhost:8080/
+</VirtualHost>
+```
+
+::: tip IMPORTANT
+When using a proxy with SSL in front of the SecureDAV application, you have to adjust the `APP_FORCE_HTTPS` environment variable in the `.env` file to `true`
+:::
+
 ## First run
 
 Check the [Quick start after installation](../introduction.md#quick-start-after-installation) section to get started with the SecureDAV application.