diff --git a/roles/sys-svc-proxy/templates/location/html.conf.j2 b/roles/sys-svc-proxy/templates/location/html.conf.j2
index d8d283f4..b45470d7 100644
--- a/roles/sys-svc-proxy/templates/location/html.conf.j2
+++ b/roles/sys-svc-proxy/templates/location/html.conf.j2
@@ -15,6 +15,7 @@ location {{location}}
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Port {{ WEB_PORT }};
+ proxy_set_header X-Forwarded-Ssl on;
 proxy_pass_request_headers on;
 {% include 'roles/sys-svc-proxy/templates/headers/content_security_policy.conf.j2' %}
diff --git a/roles/web-app-shopware/files/framework.yaml b/roles/web-app-shopware/files/framework.yaml
new file mode 100644
index 00000000..fddbb744
--- /dev/null
+++ b/roles/web-app-shopware/files/framework.yaml
@@ -0,0 +1,7 @@
+framework:
+ trusted_proxies: '%env(TRUSTED_PROXIES)%'
+ trusted_headers:
+ - x-forwarded-for
+ - x-forwarded-proto
+ - x-forwarded-host
+ - x-forwarded-port
diff --git a/roles/web-app-shopware/files/init.sh b/roles/web-app-shopware/files/init.sh
index 8f1640d0..a577756d 100644
--- a/roles/web-app-shopware/files/init.sh
+++ b/roles/web-app-shopware/files/init.sh
@@ -29,8 +29,14 @@ if [ "$(id -u)" -eq 0 ]; then
 "$APP_ROOT/var"
 log "Fixing permissions on shared volumes..."
- chown -R www-data:www-data "$APP_ROOT/public" "$APP_ROOT/var" || true
- chmod -R 775 "$APP_ROOT/public" "$APP_ROOT/var" || true
+ chown -R www-data:www-data \
+ "$APP_ROOT/public" \
+ "$APP_ROOT/var" \
+ "$APP_ROOT/.infinito" || true
+ chmod -R 775 \
+ "$APP_ROOT/public" \
+ "$APP_ROOT/var" \
+ "$APP_ROOT/.infinito" || true
 # Switch to www-data for all subsequent operations
 exec su -s /bin/sh www-data "$0" "$@"
diff --git a/roles/web-app-shopware/tasks/main.yml b/roles/web-app-shopware/tasks/main.yml
index 17a3fb34..3378c70e 100644
--- a/roles/web-app-shopware/tasks/main.yml
+++ b/roles/web-app-shopware/tasks/main.yml
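Review bot: `proxy_set_header X-Forwarded-Ssl on;` is unconditional, so a backend behind this location is told the client connection was TLS even when the proxy itself was reached over plain HTTP, and it can disagree with the `X-Forwarded-Proto $scheme` line two lines above. If this template is also rendered for non-TLS vhosts, derive the value from the scheme instead, e.g. `proxy_set_header X-Forwarded-Ssl {{ 'on' if WEB_PROTOCOL == 'https' else 'off' }};` (assuming WEB_PROTOCOL, which env.j2 passes to get_url, holds the public scheme), or map it from `$scheme` in nginx. Note that the trusted_headers list added in files/framework.yaml does not contain x-forwarded-ssl, so Shopware will key off X-Forwarded-Proto; the new header only matters for other backends sharing this location template, which is worth saying in a comment above the line. The enclosing `location {{location}}` block starts before the hunk and ends after it.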
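Review bot: `x-forwarded-host` is trusted here, but nothing in this diff shows the proxy overwriting X-Forwarded-Host (the html.conf.j2 hunk sets For/Proto/Port/Ssl only and keeps `proxy_pass_request_headers on`), so a client-supplied X-Forwarded-Host arriving from a trusted proxy address would be accepted and used for host-based URL generation. Either drop `- x-forwarded-host` unless the proxy template is known to set that header above the hunk, or bound the accepted hosts: env.j2 now exports `TRUSTED_HOSTS`, yet this file does not reference it, and `trusted_hosts: ['%env(TRUSTED_HOSTS)%']` would wire it in (if Symfony treats the entries as regex patterns, the dots in the domain should be escaped for an exact match). A header comment naming the env vars this file expects, e.g. `# Mounted as config/packages/framework.yaml; TRUSTED_PROXIES (and TRUSTED_HOSTS, if wired) come from env.j2`, would also close the gap between the task name, which promises "hosts", and the file, which configures none.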
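Review bot: `"$APP_ROOT/.infinito"` is added to the chown and chmod argument lists but not, as far as the hunk shows, to the directory-creation command whose last argument `"$APP_ROOT/var"` is the first context line; if that path does not exist yet, both `chown -R` and `chmod -R` fail and the existing `|| true` masks it, so the www-data process started by `exec su` later finds it missing or root-owned. If the preceding command is the `mkdir -p` for these paths, add `"$APP_ROOT/.infinito" \` there as well. Separately, `chmod -R 775` marks every regular file under .infinito executable and group-writable; if that directory holds state or configuration rather than scripts, `find "$APP_ROOT/.infinito" -type d -exec chmod 775 {} +` plus `find "$APP_ROOT/.infinito" -type f -exec chmod 664 {} +` is the tighter form. The `if [ "$(id -u)" -eq 0 ]` block starts before the hunk and ends after it.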
@@ -14,6 +14,14 @@
 - docker compose up
 - docker compose build
+- name: "Render framework.yaml (trusted proxies/headers/hosts)"
+ copy:
+ src: "framework.yaml"
+ dest: "{{ SHOPWARE_FRAMEWORK_HOST }}"
+ mode: "0644"
+ notify:
+ - docker compose up
+
 - name: "Flush docker compose handlers"
 meta: flush_handlers
diff --git a/roles/web-app-shopware/templates/Dockerfile.j2 b/roles/web-app-shopware/templates/Dockerfile.j2
index 69d52b63..b8842ae7 100644
--- a/roles/web-app-shopware/templates/Dockerfile.j2
+++ b/roles/web-app-shopware/templates/Dockerfile.j2
@@ -76,12 +76,5 @@ RUN set -eux; \
 /var/www/html/public/theme; \
 chown -R www-data:www-data /var/www/html
-# Add trusted proxies wiring (Symfony reads env TRUSTED_PROXIES)
-RUN set -eux; \
- mkdir -p /var/www/html/config/packages; \
- if [ ! -f /var/www/html/config/packages/framework.yaml ]; then \
- printf "framework:\n trusted_proxies: '%%env(TRUSTED_PROXIES)%%'\n" > /var/www/html/config/packages/framework.yaml; \
- fi
-
 # Drop back to the app user
 USER www-data
diff --git a/roles/web-app-shopware/templates/docker-compose.yml.j2 b/roles/web-app-shopware/templates/docker-compose.yml.j2
index ccc33b64..844c88e5 100644
--- a/roles/web-app-shopware/templates/docker-compose.yml.j2
+++ b/roles/web-app-shopware/templates/docker-compose.yml.j2
@@ -8,6 +8,7 @@ x-environment: &shopware
 - sitemap:/var/www/html/public/sitemap
 - "{{ SHOPWARE_INIT_HOST }}:{{ SHOPWARE_INIT_DOCKER }}:ro"
 - bundles:/var/www/html/public/bundles
+ - "{{ SHOPWARE_FRAMEWORK_HOST }}:{{ SHOPWARE_FRAMEWORK_DOCKER }}:ro"
 working_dir: {{ SHOPWARE_ROOT }}
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
diff --git a/roles/web-app-shopware/templates/env.j2 b/roles/web-app-shopware/templates/env.j2
index bc7f773b..e7f96d69 100644
--- a/roles/web-app-shopware/templates/env.j2
+++ b/roles/web-app-shopware/templates/env.j2
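Review bot: The task name promises "(trusted proxies/headers/hosts)", but the file it installs (files/framework.yaml in this diff) sets trusted_proxies and trusted_headers only, and `copy` with a static `src: "framework.yaml"` is not a render; `- name: "Install framework.yaml (trusted proxies/headers)"` describes what the task does. The `docker compose up` notify only has an effect when compose decides to recreate the container; since the file is bind-mounted read-only (docker-compose.yml.j2 hunk) and Symfony compiles package config into its cache, a later change to this file may need an explicit container restart or cache clear to be picked up — if that is a known limitation, a comment on the task, `# Changing this file requires a container restart to rebuild the Symfony config cache`, would save the next operator a debugging round.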
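Review bot: The new bind mount `"{{ SHOPWARE_FRAMEWORK_HOST }}:{{ SHOPWARE_FRAMEWORK_DOCKER }}:ro"` overlays config/packages/framework.yaml in the container unconditionally, whereas the removed Dockerfile.j2 step only created the file when the image did not already ship one (`if [ ! -f ... ]`); any framework settings present in the upstream image's framework.yaml are now silently replaced. Confirm the image pinned by SHOPWARE_VERSION ships no such file, or keep the role's settings in a separately named package file (standard Symfony kernels load every config/packages/*.yaml), e.g. by pointing SHOPWARE_FRAMEWORK_DOCKER at a file such as `zz_proxy.yaml` in that directory. A comment on the mount line, `# Replaces the image's config/packages/framework.yaml entirely; see files/framework.yaml`, would make this visible. The enclosing service stanza continues outside the hunk.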
@@ -1,13 +1,16 @@
 # DOMAIN/URL
-DOMAIN={{ domains | get_domain(application_id) }}
+DOMAIN={{ SHOPWARE_DOMAIN }}
 APP_URL="{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
 APP_DEBUG="{{ MODE_DEBUG | ternary(1, 0) }}"
 # Shopware
 APP_ENV={{ 'dev' if (ENVIRONMENT | lower) == 'development' else 'prod' }}
-TRUSTED_PROXIES=*
 INSTANCE_ID={{ application_id }}
+# Proxy
+TRUSTED_PROXIES="{{ networks.internet.values() | select | join(',') }},127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+TRUSTED_HOSTS="{{ SHOPWARE_DOMAIN }}"
+
 # Database
 DATABASE_URL="mysql://{{ database_username }}:{{ database_password }}@{{ database_host }}:{{ database_port }}/{{ database_name }}"
diff --git a/roles/web-app-shopware/vars/main.yml b/roles/web-app-shopware/vars/main.yml
index bc04f93a..cd8a2a86 100644
--- a/roles/web-app-shopware/vars/main.yml
+++ b/roles/web-app-shopware/vars/main.yml
@@ -7,6 +7,8 @@ entity_name: "{{ application_id | get_entity_name }}"
 container_port: "{{ applications | get_app_conf(application_id, 'docker.services.web.port') }}"
 docker_compose_flush_handlers: true
+SHOPWARE_DOMAIN: "{{ domains | get_domain(application_id) }}"
+
 # Shopware container/image vars
 SHOPWARE_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.shopware.version') }}"
 SHOPWARE_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.shopware.image') }}"
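Review bot: `TRUSTED_PROXIES` now trusts every RFC 1918 range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) on top of the addresses from `networks.internet.values()`, so any container or host reachable on those ranges can forge X-Forwarded-For/-Proto/-Host toward Shopware, which widens trust well beyond the reverse proxy this change wires up. If only the proxy talks to the app container, the tighter value is `TRUSTED_PROXIES="{{ networks.internet.values() | select | join(',') }},127.0.0.1"`, adding the compose network's own subnet explicitly if it is known; a comment stating why the broad ranges are needed should accompany them if they stay. When the `select | join` expression expands to nothing the value starts with a comma and yields an empty list entry, so build the proxy list as a single Jinja list and join once. This is still a clear improvement over the removed `TRUSTED_PROXIES=*`.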
@@ -22,6 +24,8 @@ SHOPWARE_WORKER_CONTAINER: "{{ applications | get_app_conf(application_id,
 SHOPWARE_SCHED_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.scheduler.name') }}"
 SHOPWARE_INIT_HOST: "{{ [ docker_compose.directories.volumes, 'init.sh' ] | path_join }}"
 SHOPWARE_INIT_DOCKER: "/usr/local/bin/init.sh"
+SHOPWARE_FRAMEWORK_HOST: "{{ [ docker_compose.directories.config, 'framework.yaml' ] | path_join }}"
+SHOPWARE_FRAMEWORK_DOCKER: "/var/www/html/config/packages/framework.yaml"
 # Entrypoints & replicas
 SHOPWARE_WORKER_ENTRYPOINT: "{{ applications | get_app_conf(application_id, 'docker.services.worker.entrypoint') }}"
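Review bot: `SHOPWARE_FRAMEWORK_DOCKER` hard-codes `/var/www/html/config/packages/framework.yaml` although the role already has `SHOPWARE_ROOT` (used as `working_dir` in docker-compose.yml.j2); if SHOPWARE_ROOT resolves to /var/www/html, `SHOPWARE_FRAMEWORK_DOCKER: "{{ [ SHOPWARE_ROOT, 'config/packages/framework.yaml' ] | path_join }}"` keeps the two in sync and matches the `path_join` style of `SHOPWARE_INIT_HOST` two lines above. A comment tying the pair to their consumers, `# framework.yaml: copied to HOST by tasks/main.yml, bind-mounted :ro at DOCKER by docker-compose.yml.j2`, would also help, since the file must land exactly where Symfony reads package config.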