enhancement(caddy): expose :8080 by default, trust private proxies

This commit changes the caddyfile to not directly rely on the HD_BASE_URL environment variable, but instead default to port 8080 as used in our package.json scripts and docs. The caddy domain can optionally be overridden using the CADDY_HOST env variable. Furthermore, this change adds a section to trust reverse-proxies in front of Caddy if they are in a private range IP address network. Both these changes are required to be able to expose a local development setup with another domain than localhost to a co-developer. With this change it works without having Caddy trying to generate TLS certificates for that domain nor HedgeDoc erroring about a origin mismatch, that occurs as Caddy doesn't forward specific headers otherwise. Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-09-18 15:08:47 -04:00 · 2024-09-13 15:36:09 +02:00 · 2024-09-13 15:36:09 +02:00 · 54c7795667
commit 54c7795667
parent 6afdaf1f94
3 changed files with 30 additions and 14 deletions
--- a/dev-reverse-proxy/Caddyfile
+++ b/dev-reverse-proxy/Caddyfile
@ -1,20 +1,31 @@
 #
-# SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+# SPDX-FileCopyrightText: 2024 The HedgeDoc developers (see AUTHORS file)
 #
 # SPDX-License-Identifier: AGPL-3.0-only
 #

-{$HD_BASE_URL}
-
-log {
-	output stdout
-	level WARN
-	format console
+# Allow private ranges as proxies, for example when running Caddy behind another reverse proxy
+# Otherwise Caddy strips the required X-Forwarded-Proto and X-Forwarded-Host headers
+# This is a common scenario when exposing a local dev setup to someone else
+{
+    servers {
+        trusted_proxies static private_ranges
+    }
 }

-reverse_proxy /realtime http://localhost:{$HD_BACKEND_PORT:3000}
-reverse_proxy /api/* http://localhost:{$HD_BACKEND_PORT:3000}
-reverse_proxy /public/* http://localhost:{$HD_BACKEND_PORT:3000}
-reverse_proxy /uploads/* http://localhost:{$HD_BACKEND_PORT:3000}
-reverse_proxy /media/* http://localhost:{$HD_BACKEND_PORT:3000}
-reverse_proxy /* http://localhost:{$HD_FRONTEND_PORT:3001}
+# Use port 8080 by default, but allow overriding using CADDY_HOST env variable
+{$CADDY_HOST::8080} {
+
+    log {
+	    output stdout
+        level WARN
+	    format console
+    }
+
+    reverse_proxy /realtime http://localhost:{$HD_BACKEND_PORT:3000}
+    reverse_proxy /api/* http://localhost:{$HD_BACKEND_PORT:3000}
+    reverse_proxy /public/* http://localhost:{$HD_BACKEND_PORT:3000}
+    reverse_proxy /uploads/* http://localhost:{$HD_BACKEND_PORT:3000}
+    reverse_proxy /media/* http://localhost:{$HD_BACKEND_PORT:3000}
+    reverse_proxy /* http://localhost:{$HD_FRONTEND_PORT:3001}
+}
--- a/docs/content/how-to/develop/frontend.md
+++ b/docs/content/how-to/develop/frontend.md
@ -5,7 +5,7 @@
 The following environment variables are recognized by the frontend process.

 | Name                     | Possible Values                                                                                                                  | Description                                                                                                                                                                                                       |
-| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|--------------------------|----------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | HD_BASE_URL              | Any URL with protocol, domain and optionally directory and port. Must end with a trailing slash. (e.g. `http://localhost:3001/`) | The URL under which the frontend is expected. Setting this is mandatory so the server side rendering can generate assets URLs. You only need to set this yourself if you use the production mode.                 |
 | HD_RENDERER_BASE_URL     | Same as `HD_BASE_URL`                                                                                                            | You can provide this variable if the renderer should use another domain than the editor. This is recommended for security reasons but not mandatory. This variable is optional and will fallback to `HD_BASE_URL` |
 | NEXT_PUBLIC_USE_MOCK_API | `true`, `false`                                                                                                                  | Will activate the mocked backend                                                                                                                                                                                  |
--- a/docs/content/how-to/develop/setup.md
+++ b/docs/content/how-to/develop/setup.md
@ -155,6 +155,11 @@ We recommend to use our pre-configured [Caddy][caddy] configuration.
   (if you installed Caddy via a package manager).
 3. Open your browser on <http://localhost:8080>

+It is also possible to use another domain and port other than `localhost:8080`.
+To do so, you need to set the `HD_BASE_URL` environment variable accordingly.
+Furthermore, for Caddy to work with a domain name (possibly creating TLS certificates),
+set `CADDY_HOST` to your domain (for example `CADDY_HOST=http://my-hedgedoc.home:9000`).
+
 [hedgedoc-repo]: https://github.com/hedgedoc/hedgedoc
 [yarn]: https://yarnpkg.com/getting-started/install
 [caddy]: https://caddyserver.com/