refactor(web-app-shopware): externalize trusted proxy and host configuration with mounted framework.yaml

- added new file roles/web-app-shopware/files/framework.yaml defining trusted_proxies and trusted_headers for Symfony - mounted framework.yaml into /var/www/html/config/packages/ in docker-compose - exposed new role vars SHOPWARE_FRAMEWORK_HOST/DOCKER for mounting path - rendered framework.yaml via Ansible copy task with proper permissions - adjusted env.j2 to set TRUSTED_PROXIES and TRUSTED_HOSTS dynamically from domains and networks - added SHOPWARE_DOMAIN var to vars/main.yml - removed inline framework.yaml creation from Dockerfile (now managed via mount) - updated proxy template (html.conf.j2) to include X-Forwarded-Ssl header - improved init.sh permission handling for shared volumes See ChatGPT conversation for implementation details and rationale: https://chatgpt.com/share/690d4fe7-2830-800f-8b6d-b868e7fe0e97
2025-11-11 07:36:37 +00:00 · 2025-11-07 02:48:49 +01:00
parent 2fcbae8fc7
commit 493d5bbbda
8 changed files with 34 additions and 11 deletions
--- a/roles/web-app-shopware/templates/env.j2
+++ b/roles/web-app-shopware/templates/env.j2
@@ -1,13 +1,16 @@
 # DOMAIN/URL
-DOMAIN={{ domains | get_domain(application_id) }}
+DOMAIN={{ SHOPWARE_DOMAIN }}
 APP_URL="{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
 APP_DEBUG="{{ MODE_DEBUG | ternary(1, 0) }}"

 # Shopware
 APP_ENV={{ 'dev' if (ENVIRONMENT | lower) == 'development' else 'prod' }}
-TRUSTED_PROXIES=*
 INSTANCE_ID={{ application_id }}

+# Proxy
+TRUSTED_PROXIES="{{ networks.internet.values() | select | join(',') }},127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+TRUSTED_HOSTS="{{ SHOPWARE_DOMAIN }}"
+
 # Database
 DATABASE_URL="mysql://{{ database_username }}:{{ database_password }}@{{ database_host }}:{{ database_port }}/{{ database_name }}"