From e8793271a09f5445adca81e743bd35a132f0fd19 Mon Sep 17 00:00:00 2001 From: Erik Michelson Date: Fri, 13 Sep 2024 15:36:09 +0200 Subject: [PATCH] enhancement(caddy): expose :8080 by default, trust private proxies This commit changes the caddyfile to not directly rely on the HD_BASE_URL environment variable, but instead default to port 8080 as used in our package.json scripts and docs. The caddy domain can optionally be overridden using the CADDY_HOST env variable. Furthermore, this change adds a section to trust reverse-proxies in front of Caddy if they are in a private range IP address network. Both these changes are required to be able to expose a local development setup with another domain than localhost to a co-developer. With this change it works without having Caddy trying to generate TLS certificates for that domain nor HedgeDoc erroring about an origin mismatch, that occurs as Caddy doesn't forward specific headers otherwise. Signed-off-by: Erik Michelson --- dev-reverse-proxy/Caddyfile | 37 ++++++++++++++++--- docs/content/how-to/develop/frontend.md | 2 +- docs/content/how-to/develop/setup.md | 5 ++++ 3 files changed, 30 insertions(+), 14 deletions(-) diff --git a/dev-reverse-proxy/Caddyfile b/dev-reverse-proxy/Caddyfile index fe21c9e3a..c5342f90e 100644 --- a/dev-reverse-proxy/Caddyfile +++ b/dev-reverse-proxy/Caddyfile 
@@ -1,20 +1,31 @@ # -# SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file) +# SPDX-FileCopyrightText: 2024 The HedgeDoc developers (see AUTHORS file) # # SPDX-License-Identifier: AGPL-3.0-only # -{$HD_BASE_URL} - -log { - output stdout - level WARN - format console +# Allow private ranges as proxies, for example when running Caddy behind another reverse proxy +# Otherwise Caddy strips the required X-Forwarded-Proto and X-Forwarded-Host headers +# This is a common scenario when exposing a local dev setup to someone else +{ + servers { + trusted_proxies static private_ranges + } } -reverse_proxy /realtime http://localhost:{$HD_BACKEND_PORT:3000} -reverse_proxy /api/* http://localhost:{$HD_BACKEND_PORT:3000} -reverse_proxy /public/* http://localhost:{$HD_BACKEND_PORT:3000} -reverse_proxy /uploads/* http://localhost:{$HD_BACKEND_PORT:3000} -reverse_proxy /media/* http://localhost:{$HD_BACKEND_PORT:3000} -reverse_proxy /* http://localhost:{$HD_FRONTEND_PORT:3001} +# Use port 8080 by default, but allow overriding using CADDY_HOST env variable +{$CADDY_HOST::8080} { + + log { + output stdout + level WARN + format console + } + + reverse_proxy /realtime http://localhost:{$HD_BACKEND_PORT:3000} + reverse_proxy /api/* http://localhost:{$HD_BACKEND_PORT:3000} + reverse_proxy /public/* http://localhost:{$HD_BACKEND_PORT:3000} + reverse_proxy /uploads/* http://localhost:{$HD_BACKEND_PORT:3000} + reverse_proxy /media/* http://localhost:{$HD_BACKEND_PORT:3000} + reverse_proxy /* http://localhost:{$HD_FRONTEND_PORT:3001} +} diff --git a/docs/content/how-to/develop/frontend.md b/docs/content/how-to/develop/frontend.md index 020f1a6a0..ce72cdf38 100644 --- a/docs/content/how-to/develop/frontend.md +++ b/docs/content/how-to/develop/frontend.md 
@@ -5,7 +5,7 @@ The following environment variables are recognized by the frontend process. | Name | Possible Values | Description | -| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|--------------------------|----------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | HD_BASE_URL | Any URL with protocol, domain and optionally directory and port. Must end with a trailing slash. (e.g. `http://localhost:3001/`) | The URL under which the frontend is expected. Setting this is mandatory so the server side rendering can generate assets URLs. You only need to set this yourself if you use the production mode. | | HD_RENDERER_BASE_URL | Same as `HD_BASE_URL` | You can provide this variable if the renderer should use another domain than the editor. This is recommended for security reasons but not mandatory. This variable is optional and will fallback to `HD_BASE_URL` | | NEXT_PUBLIC_USE_MOCK_API | `true`, `false` | Will activate the mocked backend | diff --git a/docs/content/how-to/develop/setup.md b/docs/content/how-to/develop/setup.md index 365940d43..63b3e4b37 100644 --- a/docs/content/how-to/develop/setup.md +++ b/docs/content/how-to/develop/setup.md 
@@ -155,6 +155,11 @@ We recommend to use our pre-configured [Caddy][caddy] configuration. (if you installed Caddy via a package manager). 3. Open your browser on +It is also possible to use another domain and port other than `localhost:8080`. +To do so, you need to set the `HD_BASE_URL` environment variable accordingly. +Furthermore, for Caddy to work with a domain name (possibly creating TLS certificates), +set `CADDY_HOST` to your domain (for example `CADDY_HOST=http://my-hedgedoc.home:9000`). + [hedgedoc-repo]: https://github.com/hedgedoc/hedgedoc [yarn]: https://yarnpkg.com/getting-started/install [caddy]: https://caddyserver.com/
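Review bot: in the Caddyfile hunk, `trusted_proxies static private_ranges` in the global options block makes Caddy honour `X-Forwarded-Proto` and `X-Forwarded-Host` from any client in a private address range, not only from the one reverse proxy placed in front of it, so on a shared network every peer in those ranges can present forwarded headers that HedgeDoc's origin check will accept. That is a reasonable trade-off for a development-only proxy, but the comment block above it should say so explicitly (dev setup only, not to be copied into a production Caddyfile), and where the upstream proxy's address is known, `trusted_proxies static <proxy-address>` is the tighter option. Minor: the blank line directly after `{$CADDY_HOST::8080} {` can be dropped to match the style of the rest of the file.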
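Review bot: the frontend.md hunk only changes whitespace in the table delimiter row, and it leaves the `HD_BASE_URL` example at `http://localhost:3001/` while setup.md in this same patch now describes the Caddy default as `localhost:8080`. Since the row defines `HD_BASE_URL` as "The URL under which the frontend is expected", consider updating the example to `http://localhost:8080/` (or noting that 3001 is the frontend's direct port, bypassing Caddy) so the two documents do not contradict each other.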
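Review bot: the new paragraph in setup.md tells the reader to set both `HD_BASE_URL` and `CADDY_HOST` but only gives a value for the latter; since the frontend table requires `HD_BASE_URL` to end with a trailing slash and both variables must describe the same origin for the origin check mentioned in the commit message, show the pair together, e.g. `HD_BASE_URL=http://my-hedgedoc.home:9000/` beside `CADDY_HOST=http://my-hedgedoc.home:9000`. The sentence "for Caddy to work with a domain name (possibly creating TLS certificates)" should also state when certificates are requested and whether the `http://` scheme in the example is what avoids the certificate generation the commit message says this change prevents.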