The problem I’m having:
I get a mixed content error when adding a reverse proxy before the Docker container running a Caddy server, PHP, MySQL and phpMyAdmin in another container.
Here is my setup and a quick drawing of what I want to do:
It’s running on a virtual server on AlmaLinux 9, the domain vanill.at is connected to the server's IP using DNS A records, there are no issues with that.
/srv/docker-compose.yml
version: "3.9"
services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy
    networks:
      - caddy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy_data:/data
    restart: unless-stopped
networks:
  caddy:
    external: true
volumes:
  caddy_data: {}
The docker-compose.yml for the upstream containers
/srv/lcmp/docker-compose.yml
version: '3.9'
networks:
  caddy:
    external: true
  internal: {}
services:
  php:
    build: ./php_docker/
    volumes:
      - './www/:/var/www/html/'
    networks:
      - internal
      - caddy
  caddy:
    build: ./caddy_docker/
    depends_on:
      - php
    restart: unless-stopped
    volumes:
      - './www/:/var/www/html/'
      - './caddy_docker/Caddyfile:/etc/caddy/Caddyfile'
      - 'caddy_data:/data'
      - 'caddy_config:/config'
    labels:
      caddy: vanill.at
      caddy.reverse_proxy: "{{upstreams}}"
    networks:
      - internal
      - caddy
  mysql:
    image: 'mysql:8.0'
    environment:
      MYSQL_ROOT_PASSWORD: <redacted>
    volumes:
      - 'mysqldata:/var/lib/mysql'
    networks:
      - internal
  phpmyadmin:
    image: 'phpmyadmin/phpmyadmin:latest'
    ports:
      - '8080:80'
    environment:
      PMA_HOST: mysql
    networks:
      - internal
    depends_on:
      - mysql
volumes:
  mysqldata: null
  caddy_data: null
  caddy_config: null
The Caddyfile
/srv/lcmp/caddy_docker/Caddyfile
:80 {
    encode gzip zstd
    root * /var/www/html/public
    php_fastcgi php:9000
    file_server
    header {
        -server
        -Link
        -X-Powered-By
        # disable FLoC tracking
        #Permissions-Policy interest-cohort=()
        # enable HSTS
        Strict-Transport-Security max-age=31536000;
        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff
        # clickjacking protection
        X-Frame-Options DENY
        # keep referrer data off of HTTP connections
        Referrer-Policy no-referrer-when-downgrade
    }
}
The .env file for Shopware 6
/srv/lcmp/www/.env
###> symfony/messenger ###
# Choose one of the transports below
# MESSENGER_TRANSPORT_DSN=amqp://guest:guest@localhost:5672/%2f/messages
# MESSENGER_TRANSPORT_DSN=redis://localhost:6379/messages
# doctrine://default?auto_setup=0
###< symfony/messenger ###
###> symfony/mailer ###
# MAILER_DSN=null://null
###< symfony/mailer ###
###> symfony/lock ###
# Choose one of the stores below
# postgresql+advisory://db_user:db_password@localhost/db_name
LOCK_DSN=flock
###< symfony/lock ###
#TRUSTED_PROXIES=127.0.0.1,127.0.0.2,192.168.112.5,192.168.112.6,192.168.112.3
#TRUSTED_HOSTS=vanill.at,www.vanill.at
###> shopware/core ###
APP_ENV=prod
APP_URL=http://127.0.0.1:8000
APP_SECRET=<redacted>
INSTANCE_ID=<redacted>
BLUE_GREEN_DEPLOYMENT=0
DATABASE_URL=mysql://root:root@localhost/shopware
# With Shopware 6.4.17.0 the MAILER_DSN variable will be used in this template instead of MAILER_URL
MAILER_URL=null://null
###< shopware/core ###
###> shopware/elasticsearch ###
OPENSEARCH_URL=http://localhost:9200
SHOPWARE_ES_ENABLED=0
SHOPWARE_ES_INDEXING_ENABLED=0
SHOPWARE_ES_INDEX_PREFIX=sw
SHOPWARE_ES_THROW_EXCEPTION=1
###< shopware/elasticsearch ###
###> shopware/storefront ###
STOREFRONT_PROXY_URL=http://localhost
SHOPWARE_HTTP_CACHE_ENABLED=1
SHOPWARE_HTTP_DEFAULT_TTL=7200
###< shopware/storefront ###
The .env.local file for Shopware 6
/srv/lcmp/www/.env.local
APP_SECRET=<redacted>
APP_URL=https://vanill.at
DATABASE_URL=mysql://<redacted>:<redacted>@lcmp-mysql-1:3306/shopwaredb
COMPOSER_HOME=/var/www/html/var/cache/composer
INSTANCE_ID=<redacted>
BLUE_GREEN_DEPLOYMENT=0
OPENSEARCH_URL=http://localhost:9200
ADMIN_OPENSEARCH_URL=http://localhost:9200
TRUSTED_PROXIES=127.0.0.1,127.0.0.2,192.168.112.5,192.168.112.6,192.168.112.3,192.168.160.2
TRUSTED_DOMAINS=vanill.at
TRUSTED_HEADERS='["x-forwarded-for", "x-forwarded-host", "x-forwarded-proto", "x-forwarded-port", "x-forwarded-prefix"]'
Here is the output of docker ps
CONTAINER ID   IMAGE                                       COMMAND                  CREATED          STATUS          PORTS                                                                      NAMES
e0a010df894d   phpmyadmin/phpmyadmin:latest                "/docker-entrypoint.…"   41 minutes ago   Up 41 minutes   0.0.0.0:8080->80/tcp, :::8080->80/tcp                                      lcmp-phpmyadmin-1
cf4f1a7eb653   lcmp-caddy                                  "caddy run --config …"   41 minutes ago   Up 41 minutes   80/tcp, 443/tcp, 2019/tcp, 443/udp                                         lcmp-caddy-1
8d4747c0b538   lcmp-php                                    "docker-php-entrypoi…"   41 minutes ago   Up 41 minutes   9000/tcp                                                                   lcmp-php-1
                                                                                                                                                                                              lcmp-mysql-1
92098701bc11   lucaslorentz/caddy-docker-proxy:ci-alpine   "/bin/caddy docker-p…"   43 minutes ago   Up 42 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 2019/tcp   srv-caddy-1
bash-5.1#
Here is the output of docker network inspect caddy
[
    {
        "Name": "caddy",
        "Id": "51d3eb268905ce067549daae818be0e613f010a7313b89d60813b77c68ac6897",
        "Created": "2024-03-24T19:07:33.964517939+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.160.0/20",
                    "Gateway": "192.168.160.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "8d4747c0b53858546c0806e40c64c77530f73d0cac40e28cb08e34a2eb192a1c": {
                "Name": "lcmp-php-1",
                "EndpointID": "e6c43f11925449c2e963db9f79a7b9f56e5b516afd67765a1e0f4c127ca70e9c",
                "MacAddress": "02:42:c0:a8:a0:03",
                "IPv4Address": "192.168.160.3/20",
                "IPv6Address": ""
            },
            "92098701bc11792943ba2df1df3d0ffda25ca35aa1d28ca7be24513a1d6f92d2": {
                "Name": "srv-caddy-1",
                "EndpointID": "73d3d97fe781011072500e930dba901b9c055e2693a2ed4f68d5b5d712b1f296",
                "MacAddress": "02:42:c0:a8:a0:02",
                "IPv4Address": "192.168.160.2/20",
                "IPv6Address": ""
            },
            "cf4f1a7eb653f5e9910a85ce960a17c53bbf4c3da7f5eb5744b78d85779ddc4c": {
                "Name": "lcmp-caddy-1",
                "EndpointID": "ccf7db6feb2d5bdf4dfb868dceb1811df9f9f9cef3b00bde7dbd0d006dd5c850",
                "MacAddress": "02:42:c0:a8:a0:04",
                "IPv4Address": "192.168.160.4/20",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
When I run Shopware in the upstream Caddy, PHP, MySQL, phpMyAdmin Docker container alone without the reverse proxy in front of it (after modifying the docker-compose.yml to add ports in the Caddy service 80:80, 443:443, 443:443/udp, removing networks, modifying the Caddyfile to have vanill.at as the site-url) there is no mixed content error, both the Shopware frontend and backend work flawlessly.
Here I’m reading that I need to configure the .env file, which I did but it did not solve the error.
2 Answers
I've solved this issue by adding

to the Caddyfile in /srv/lcmp/caddy_docker, and also setting TRUSTED_PROXIES to the IP / IP range which the Caddy reverse proxy uses, in /srv/lcmp/www/.env.local.
The TRUSTED_PROXIES env entry used to be the answer for this, but since we upgraded to 6.6.0.0, we had to put

into a file called config/packages/prod/symfony.yml to make it work again.
You can add any IP/Subnet instead of REMOTE_ADDR, but in our case, since our application servers can only be reached from our load balancer, this is fine.
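What both answers change is which peer the application is willing to believe about the original scheme and host. The following is an added example in plain Python, not code from Shopware, Symfony, Caddy or either answer: it models the trusted-proxy rule (honour X-Forwarded-Proto / X-Forwarded-Host only when REMOTE_ADDR is in the trusted list, with the literal REMOTE_ADDR meaning "trust whichever peer connected"), pulls the proxy's address out of the `docker network inspect` output, and shows why a stale TRUSTED_PROXIES list ends in http:// asset URLs inside an https:// page. The function names, the simplified rule and the trimmed-down inspect JSON (built from the addresses shown on this page) are this example's own assumptions.

```python
"""Trusted-proxy decision behind a reverse proxy.

Added example, not code from Shopware, Symfony, Caddy or either answer. It
models in plain Python the rule those frameworks apply once TRUSTED_PROXIES is
set: X-Forwarded-* headers are honoured only when the immediate peer
(REMOTE_ADDR) is a trusted proxy. If the proxy's address is missing from the
list, the application believes it was reached over plain http (the upstream
Caddy listens on :80) and renders http:// asset URLs into a page the browser
loaded over https://, which is the mixed content error from the question.
"""
import ipaddress
import json

# Symfony accepts the literal REMOTE_ADDR in trusted_proxies, meaning "trust
# whatever peer connected to me" (what the second answer relies on).
REMOTE_ADDR_KEYWORD = "REMOTE_ADDR"

# Constructed, trimmed-down `docker network inspect caddy` output using the
# addresses the page shows (assumption: only the fields this script reads
# are kept).
SAMPLE_INSPECT = json.dumps([{
    "Name": "caddy",
    "Containers": {
        "92098701bc11": {"Name": "srv-caddy-1", "IPv4Address": "192.168.160.2/20"},
        "cf4f1a7eb653": {"Name": "lcmp-caddy-1", "IPv4Address": "192.168.160.4/20"},
    },
}])


def proxy_ip_from_inspect(inspect_output, container_name):
    """Return the bare IPv4 address a container has on the inspected network."""
    for network in json.loads(inspect_output):
        for endpoint in network["Containers"].values():
            if endpoint["Name"] == container_name:
                # "192.168.160.2/20" is the endpoint plus the subnet's prefix
                # length; the trusted-proxy list wants the address alone
                return endpoint["IPv4Address"].split("/")[0]
    return None


def parse_trusted_proxies(value):
    """Split a TRUSTED_PROXIES string into IP networks and the REMOTE_ADDR flag."""
    networks, trust_peer = [], False
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item == REMOTE_ADDR_KEYWORD:
            trust_peer = True
        else:
            # strict=False accepts a bare address (/32) as well as a CIDR range
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks, trust_peer


def is_trusted(remote_addr, trusted):
    """True when the connecting peer may set X-Forwarded-* headers."""
    networks, trust_peer = trusted
    if trust_peer:
        return True
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in networks)


def effective_request(remote_addr, headers, trusted, connection_scheme="http",
                      local_host="lcmp-caddy-1"):
    """(scheme, host) the application uses to build absolute URLs.

    Headers from an untrusted peer are ignored; the values observed on the
    actual connection are used instead.
    """
    if is_trusted(remote_addr, trusted):
        return (headers.get("x-forwarded-proto", connection_scheme).lower(),
                headers.get("x-forwarded-host", local_host))
    return connection_scheme, local_host


def has_mixed_content(browser_scheme, app_scheme):
    """The browser blocks http:// subresources inside an https:// page."""
    return browser_scheme == "https" and app_scheme == "http"


def main():
    forwarded = {"x-forwarded-proto": "https", "x-forwarded-host": "vanill.at"}
    proxy_ip = proxy_ip_from_inspect(SAMPLE_INSPECT, "srv-caddy-1")

    # 1. Only the old 192.168.112.x addresses listed: the proxy on the new
    #    network is untrusted, the app builds http:// URLs -> mixed content.
    stale = parse_trusted_proxies("127.0.0.1,192.168.112.5,192.168.112.6")
    scheme, _ = effective_request(proxy_ip, forwarded, stale)
    print("stale list :", scheme, "mixed content:", has_mixed_content("https", scheme))

    # 2. The proxy's current subnet listed (first answer): https is honoured.
    fixed = parse_trusted_proxies("127.0.0.1,192.168.160.0/20")
    scheme, host = effective_request(proxy_ip, forwarded, fixed)
    print("fixed list :", scheme, host, "mixed content:", has_mixed_content("https", scheme))

    # 3. REMOTE_ADDR (second answer) trusts any direct peer, so it is only
    #    safe when nothing but the proxy can reach the application.
    anyone = parse_trusted_proxies("REMOTE_ADDR")
    print("REMOTE_ADDR:", effective_request("203.0.113.7", forwarded, anyone))


if __name__ == "__main__":
    main()
```

The third scenario is the caveat behind the second answer's "this is fine": with REMOTE_ADDR every direct connection is trusted, so the forwarded headers of any peer that can reach the PHP container are honoured. Listing the proxy's address or subnet, as the first answer does, keeps that trust tied to the proxy alone; after the Docker network is recreated, the address has to be checked again with `docker network inspect`, which is exactly the mismatch between the old 192.168.112.x entries and the new 192.168.160.0/20 network in the question.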