Proxy
Configuring Baby Buddy to run behind a proxy may require some additional configuration depending on the individual proxy configuration. Baby Buddy's environment variables for configuration should allow most proxy setups to work, but it may require some testing and tweaking of settings.
Important configuration
CSRF_TRUSTED_ORIGINS
Cross Site Request Forgery protection is an important way to prevent malicious users from sending fake requests to Baby Buddy to read, alter, or destroy data.
To protect against this threat Baby Buddy checks the Origin
header of certain requests
to ensure that it matches a "trusted" origin for the application. If the origin and host
are the same CSRF will pass without any extra configuration but if the two are different
the origin must be in CSRF_TRUSTED_ORIGINS
to pass.
For example if Baby Buddy is configured in a container with a private network and a host
babybuddy
that is exposed publicly by a proxy (e.g., nginx) at the address
https://baby.example.com
then form submissions from browsers will have an Origin
of
https://baby.example.com
that does not match the host babybudy
. This will cause a
CSRF error and the request will be rejected with a 403 Forbidden
error. To support
this example configuration the environment variable CSRF_TRUSTED_ORIGINS
should be set
to the full public address (including the scheme): https://baby.example.com
for CSRF
protected requests to succeed.
Note: multiple origins can be added by separating origins with commas. E.g.:
CSRF_TRUSTED_ORIGINS=https://baby.example.com,https://baby.example.org
SECURE_PROXY_SSL_HEADER
If Baby Buddy is configured behind a standard HTTP proxy requests will always been seen as insecure even if the exposed public connection uses HTTPS between the client and proxy.
To address this most proxies can be configured to pass a special header to Baby Buddy
indicating the scheme used by the original request. X-Forwarded-Proto
is a common standard header for this feature and it is currently the only header
supported by Baby Buddy. To use this feature the SECURE_PROXY_SSL_HEADER
environment
variable to True
and Baby Buddy will consider the scheme indicated by the
X-Forwarded-Proto
header to be the scheme used for the request.
Additional Resources
- Caddy Reverse Proxy Defaults
- NGINX - Using the
Forwarded
Header (Note: NGINX treatsX-Forwarded-Proto
as legacy. See the bottom of this resource for relevant information.) - Redirect HTTP to HTTPS with HAProxy
- Traefik Routing - EntryPoints - Forwarded Headers