
The problem I’m having:

I get a mixed content error when adding a reverse proxy in front of the Docker container running a Caddy server, PHP, MySQL and phpMyAdmin in another container.

Here is my setup and a quick drawing of what I want to do:

It’s running on a virtual server on AlmaLinux 9. The domain vanill.at is connected to the server's IP using DNS A records; there are no issues with that.

Caddy in Docker used as a reverse proxy for other Docker containers

/srv/docker-compose.yml


version: "3.9"
services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy
    networks:
      - caddy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy_data:/data
    restart: unless-stopped

networks:
  caddy:
    external: true

volumes:
  caddy_data: {}

The docker-compose.yml for the upstream containers

/srv/lcmp/docker-compose.yml


version: '3.9'
networks:
  caddy:
    external: true
  internal: {}
services:
  php:
    build: ./php_docker/
    volumes:
      - './www/:/var/www/html/'
    networks:
      - internal
      - caddy
  caddy:
    build: ./caddy_docker/
    depends_on:
      - php
    restart: unless-stopped
    volumes:
      - './www/:/var/www/html/'
      - './caddy_docker/Caddyfile:/etc/caddy/Caddyfile'
      - 'caddy_data:/data'
      - 'caddy_config:/config'
    labels:
      caddy: vanill.at
      caddy.reverse_proxy: "{{upstreams}}"
    networks:
      - internal
      - caddy
  mysql:
    image: 'mysql:8.0'
    environment:
      MYSQL_ROOT_PASSWORD: <redacted>
    volumes:
      - 'mysqldata:/var/lib/mysql'
    networks:
      - internal
  phpmyadmin:
    image: 'phpmyadmin/phpmyadmin:latest'
    ports:
      - '8080:80'
    environment:
      PMA_HOST: mysql
    networks:
      - internal
    depends_on:
      - mysql
volumes:
  mysqldata: null
  caddy_data: null
  caddy_config: null

The Caddyfile

/srv/lcmp/caddy_docker/Caddyfile


:80 {
        encode gzip zstd
        root * /var/www/html/public
        php_fastcgi php:9000
        file_server
        header {
                -server
                -Link
                -X-Powered-By

                # disable FLoC tracking
                #Permissions-Policy interest-cohort=()

                # enable HSTS
                Strict-Transport-Security max-age=31536000;

                # disable clients from sniffing the media type
                X-Content-Type-Options nosniff

                # clickjacking protection
                X-Frame-Options DENY

                # keep referrer data off of HTTP connections
                Referrer-Policy no-referrer-when-downgrade
        }
}

The .env file for Shopware 6

/srv/lcmp/www/.env


###> symfony/messenger ###
# Choose one of the transports below
# MESSENGER_TRANSPORT_DSN=amqp://guest:guest@localhost:5672/%2f/messages
# MESSENGER_TRANSPORT_DSN=redis://localhost:6379/messages
# doctrine://default?auto_setup=0
###< symfony/messenger ###

###> symfony/mailer ###
# MAILER_DSN=null://null
###< symfony/mailer ###

###> symfony/lock ###
# Choose one of the stores below
# postgresql+advisory://db_user:db_password@localhost/db_name
LOCK_DSN=flock
###< symfony/lock ###

#TRUSTED_PROXIES=127.0.0.1,127.0.0.2,192.168.112.5,192.168.112.6,192.168.112.3
#TRUSTED_HOSTS=vanill.at,www.vanill.at

###> shopware/core ###
APP_ENV=prod
APP_URL=http://127.0.0.1:8000
APP_SECRET=<redacted>
INSTANCE_ID=<redacted>
BLUE_GREEN_DEPLOYMENT=0
DATABASE_URL=mysql://root:root@localhost/shopware
# With Shopware 6.4.17.0 the MAILER_DSN variable will be used in this template instead of MAILER_URL
MAILER_URL=null://null
###< shopware/core ###

###> shopware/elasticsearch ###
OPENSEARCH_URL=http://localhost:9200
SHOPWARE_ES_ENABLED=0
SHOPWARE_ES_INDEXING_ENABLED=0
SHOPWARE_ES_INDEX_PREFIX=sw
SHOPWARE_ES_THROW_EXCEPTION=1
###< shopware/elasticsearch ###

###> shopware/storefront ###
STOREFRONT_PROXY_URL=http://localhost
SHOPWARE_HTTP_CACHE_ENABLED=1
SHOPWARE_HTTP_DEFAULT_TTL=7200
###< shopware/storefront ###

The .env.local file for Shopware 6

/srv/lcmp/www/.env.local


APP_SECRET=<redacted>
APP_URL=https://vanill.at
DATABASE_URL=mysql://<redacted>:<redacted>@lcmp-mysql-1:3306/shopwaredb
COMPOSER_HOME=/var/www/html/var/cache/composer
INSTANCE_ID=<redacted>
BLUE_GREEN_DEPLOYMENT=0
OPENSEARCH_URL=http://localhost:9200
ADMIN_OPENSEARCH_URL=http://localhost:9200
TRUSTED_PROXIES=127.0.0.1,127.0.0.2,192.168.112.5,192.168.112.6,192.168.112.3,192.168.160.2
TRUSTED_DOMAINS=vanill.at
TRUSTED_HEADERS='["x-forwarded-for", "x-forwarded-host", "x-forwarded-proto", "x-forwarded-port", "x-forwarded-prefix"]'

Here is the output of docker ps

CONTAINER ID   IMAGE                                       COMMAND                  CREATED          STATUS          PORTS                                                                                NAMES
e0a010df894d   phpmyadmin/phpmyadmin:latest                "/docker-entrypoint.…"   41 minutes ago   Up 41 minutes   0.0.0.0:8080->80/tcp, :::8080->80/tcp                                                lcmp-phpmyadmin-1
cf4f1a7eb653   lcmp-caddy                                  "caddy run --config …"   41 minutes ago   Up 41 minutes   80/tcp, 443/tcp, 2019/tcp, 443/udp                                                   lcmp-caddy-1
8d4747c0b538   lcmp-php                                    "docker-php-entrypoi…"   41 minutes ago   Up 41 minutes   9000/tcp                                                                             lcmp-php-1
                                                                                                                                                                                                    lcmp-mysql-1
92098701bc11   lucaslorentz/caddy-docker-proxy:ci-alpine   "/bin/caddy docker-p…"   43 minutes ago   Up 42 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 2019/tcp   srv-caddy-1

Here is the output of docker network inspect caddy

[
    {
        "Name": "caddy",
        "Id": "51d3eb268905ce067549daae818be0e613f010a7313b89d60813b77c68ac6897",
        "Created": "2024-03-24T19:07:33.964517939+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.160.0/20",
                    "Gateway": "192.168.160.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "8d4747c0b53858546c0806e40c64c77530f73d0cac40e28cb08e34a2eb192a1c": {
                "Name": "lcmp-php-1",
                "EndpointID": "e6c43f11925449c2e963db9f79a7b9f56e5b516afd67765a1e0f4c127ca70e9c",
                "MacAddress": "02:42:c0:a8:a0:03",
                "IPv4Address": "192.168.160.3/20",
                "IPv6Address": ""
            },
            "92098701bc11792943ba2df1df3d0ffda25ca35aa1d28ca7be24513a1d6f92d2": {
                "Name": "srv-caddy-1",
                "EndpointID": "73d3d97fe781011072500e930dba901b9c055e2693a2ed4f68d5b5d712b1f296",
                "MacAddress": "02:42:c0:a8:a0:02",
                "IPv4Address": "192.168.160.2/20",
                "IPv6Address": ""
            },
            "cf4f1a7eb653f5e9910a85ce960a17c53bbf4c3da7f5eb5744b78d85779ddc4c": {
                "Name": "lcmp-caddy-1",
                "EndpointID": "ccf7db6feb2d5bdf4dfb868dceb1811df9f9f9cef3b00bde7dbd0d006dd5c850",
                "MacAddress": "02:42:c0:a8:a0:04",
                "IPv4Address": "192.168.160.4/20",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

When I run Shopware in the upstream Caddy, PHP, MySQL, phpMyAdmin Docker container alone, without the reverse proxy in front of it (after modifying the docker-compose.yml to add the ports 80:80, 443:443 and 443:443/udp to the Caddy service, removing the networks, and modifying the Caddyfile to use vanill.at as the site address), there is no mixed content error; both the Shopware frontend and backend work flawlessly.

Here I’m reading that I need to configure the .env file, which I did, but it did not solve the error.

https://symfony.com/doc/current/deployment/proxies.html

2 Answers


  1. Chosen as BEST ANSWER

    I've solved this issue by adding

    php_fastcgi  php:9000 {
        trusted_proxies private_ranges
    }
    

    To the Caddyfile in /srv/lcmp/caddy_docker and also setting

    TRUSTED_PROXIES to the IP / IP range which the Caddy reverse proxy uses, in /srv/lcmp/www/.env.local

    TRUSTED_PROXIES=192.168.160.0/0
    

  2. The TRUSTED_PROXIES env entry used to be the answer for this, but since we upgraded to 6.6.0.0, we had to put

    framework:
      trusted_proxies: '127.0.0.1,REMOTE_ADDR'
    

    Into a file called config/packages/prod/symfony.yml to make it work again.
    You can add any IP/Subnet instead of REMOTE_ADDR, but in our case, since our application servers can only be reached from our load balancer, this is fine.
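Both answers come down to the same rule, applied at two hops: a reverse proxy tells the upstream that the original request was HTTPS through the X-Forwarded-Proto header, and the upstream only believes that header when the immediate peer (REMOTE_ADDR) is in its trusted-proxy list. Caddy's reverse_proxy (php_fastcgi is a preset of it) replaces incoming X-Forwarded-* headers from untrusted peers, which is why the `trusted_proxies` subdirective was needed in the upstream Caddyfile, and Symfony's `TRUSTED_PROXIES` / `framework.trusted_proxies` does the same at the application layer. The Python model below is an added example, not code from the question, the answers, Symfony, Shopware or Caddy; it mimics the documented behaviour of Symfony's trusted-proxy check, including the special `REMOTE_ADDR` token from the second answer. The addresses are the ones from the question's `docker network inspect caddy` output (srv-caddy-1 is 192.168.160.2 on 192.168.160.0/20); 203.0.113.7 is a constructed outside address. It also shows why `192.168.160.0/0` from the first answer is broader than the "IP range which the Caddy reverse proxy uses": `/0` covers every address, so a forged header from any peer that can reach the upstream would be honoured.

```python
"""Model of how a proxied Symfony/Shopware app decides the request scheme.

Added example (not Symfony, Shopware or Caddy code). Forwarded headers are
honoured only when REMOTE_ADDR, the peer that connected, is in the trusted
list; otherwise the scheme of the app's own listener is used.
"""
import ipaddress

REMOTE_ADDR_TOKEN = "REMOTE_ADDR"  # Symfony token: trust whoever connected

# Addresses taken from the question's `docker network inspect caddy` output.
FRONT_PROXY = "192.168.160.2"       # srv-caddy-1, the public reverse proxy
CADDY_NET = "192.168.160.0/20"      # the shared "caddy" Docker network
OUTSIDER = "203.0.113.7"            # constructed, documentation range


def parse_trusted_proxies(spec: str, remote_addr: str) -> list:
    """Turn a TRUSTED_PROXIES-style string into IP networks.

    Single addresses become /32 networks; the REMOTE_ADDR token becomes the
    connecting peer itself, so that peer is trusted whatever its address is.
    """
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item == REMOTE_ADDR_TOKEN:
            item = remote_addr
        # strict=False accepts host bits, e.g. the answer's 192.168.160.0/0
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_trusted(remote_addr: str, trusted: list) -> bool:
    """True when the connecting peer lies inside any trusted network."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in trusted)


def effective_scheme(remote_addr: str, headers: dict, trusted_spec: str,
                     listener_tls: bool = False) -> str:
    """Scheme the app will use when it builds absolute URLs.

    listener_tls is False for the upstream Caddy's plain :80 site block, so
    the only way to get "https" is a trusted X-Forwarded-Proto header.
    """
    trusted = parse_trusted_proxies(trusted_spec, remote_addr)
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("x-forwarded-proto")
    if forwarded and is_trusted(remote_addr, trusted):
        return forwarded.split(",")[0].strip().lower()
    return "https" if listener_tls else "http"


def classify(remote_addr: str, headers: dict, trusted_spec: str) -> tuple:
    """Return (scheme, mixed_content) for a page served on a TLS site.

    mixed_content is True when asset URLs will be generated as http://,
    which is exactly the browser error described in the question.
    """
    scheme = effective_scheme(remote_addr, headers, trusted_spec)
    return scheme, scheme == "http"


if __name__ == "__main__":
    fwd = {"X-Forwarded-Proto": "https"}  # what the front proxy sends
    cases = [
        ("no trusted proxies (the question)", FRONT_PROXY, ""),
        ("caddy network trusted", FRONT_PROXY, CADDY_NET),
        ("REMOTE_ADDR token (answer 2)", FRONT_PROXY, "127.0.0.1,REMOTE_ADDR"),
        ("outsider, /20 configured", OUTSIDER, CADDY_NET),
        ("outsider, /0 configured (answer 1)", OUTSIDER, "192.168.160.0/0"),
    ]
    for label, peer, spec in cases:
        scheme, mixed = classify(peer, fwd, spec)
        print(f"{label:38s} peer={peer:14s} -> {scheme:5s} mixed={mixed}")
```

The last two cases are the practical check: with the /20 range a forged X-Forwarded-Proto from any address outside the caddy network is ignored, whereas with /0 it is accepted from anywhere. Keep the list to the proxy's actual address or subnet (here 192.168.160.2 or 192.168.160.0/20), or use the REMOTE_ADDR token when the application is reachable only through the proxy.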
