From 3f5697e6b3cd69ea5e42c774c9cf0426e179b6d3 Mon Sep 17 00:00:00 2001
From: tchapi
Date: Sun, 14 Sep 2025 14:22:56 +0200
Subject: [PATCH 1/4] chore

---
 .env | 3 +++
 config/packages/framework.yaml | 2 ++
 config/services.yaml | 2 ++
 3 files changed, 7 insertions(+)

diff --git a/.env b/.env
index e4ec418..3c49317 100644
--- a/.env
+++ b/.env
@@ -93,3 +93,6 @@ WEBDAV_HOMES_DIR=
 # By default, it will log in the standard Symfony directory: var/log/prod.log (for production)
 # You can use /dev/null here if you want to discard logs entirely
 LOG_FILE_PATH="%kernel.logs_dir%/%kernel.environment%.log"
+
+# By default, we trust '127.0.0.1,REMOTE_ADDR'
+TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
\ No newline at end of file
diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index 575e2f1..f28c391 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -5,6 +5,8 @@ framework:
 #csrf_protection: true
 http_method_override: false
 
+ trusted_proxies: '%trusted_proxies%'
+
 # Enables session support. Note that the session will ONLY be started if you read or write from it.
 # Remove or comment this section to explicitly disable session support.
 session:
diff --git a/config/services.yaml b/config/services.yaml
index c20afdf..46bb956 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -13,6 +13,8 @@ parameters:
 default_birthday_reminder_offset: "PT9H"
 caldav_enabled: "%env(bool:CALDAV_ENABLED)%"
 carddav_enabled: "%env(bool:CARDDAV_ENABLED)%"
+ trusted_proxies: '%env(default:default_trusted_proxies:TRUSTED_PROXIES)%'
+ default_trusted_proxies: '127.0.0.1,REMOTE_ADDR'
 
 services:
 # default configuration for services in *this* file
From 21897bca05fa25da8827c2274bf1855720d5b5b0 Mon Sep 17 00:00:00 2001
From: tchapi
Date: Sun, 14 Sep 2025 14:23:46 +0200
Subject: [PATCH 2/4] chore

---
 .env | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.env b/.env
index 3c49317..785c5d6 100644
--- a/.env
+++ b/.env
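Review bot: The fallback `default_trusted_proxies: '127.0.0.1,REMOTE_ADDR'` in config/services.yaml (mirrored by the `TRUSTED_PROXIES` default in .env and consumed by `trusted_proxies` in config/packages/framework.yaml) tells Symfony to treat whichever peer opens the connection as a trusted proxy. On any deployment where the application can be reached without passing through a reverse proxy, a client can then send its own `X-Forwarded-For` or `X-Forwarded-Proto` and have them believed, so the client IP and scheme the application sees become client-controlled. A loopback-only default such as `default_trusted_proxies: '127.0.0.1'` would be safer, with the .env comment stating that `REMOTE_ADDR` should be added only when the app is reachable exclusively through the proxy. Setting `trusted_headers` next to `trusted_proxies` would also make explicit which forwarded headers are honoured.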
@@ -95,4 +95,4 @@ WEBDAV_HOMES_DIR=
 LOG_FILE_PATH="%kernel.logs_dir%/%kernel.environment%.log"
 
 # By default, we trust '127.0.0.1,REMOTE_ADDR'
-TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
\ No newline at end of file
+TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
From 1588ff439e7e71492c827b312234fcbbabeec1f6 Mon Sep 17 00:00:00 2001
From: tchapi
Date: Sun, 14 Sep 2025 17:04:40 +0200
Subject: [PATCH 3/4] chore

---
 config/packages/framework.yaml | 2 --
 config/services.yaml | 2 --
 docker/configurations/Caddyfile | 8 +++++++-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index f28c391..575e2f1 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -5,8 +5,6 @@ framework:
 #csrf_protection: true
 http_method_override: false
 
- trusted_proxies: '%trusted_proxies%'
-
 # Enables session support. Note that the session will ONLY be started if you read or write from it.
 # Remove or comment this section to explicitly disable session support.
 session:
diff --git a/config/services.yaml b/config/services.yaml
index 46bb956..c20afdf 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -13,8 +13,6 @@ parameters:
 default_birthday_reminder_offset: "PT9H"
 caldav_enabled: "%env(bool:CALDAV_ENABLED)%"
 carddav_enabled: "%env(bool:CARDDAV_ENABLED)%"
- trusted_proxies: '%env(default:default_trusted_proxies:TRUSTED_PROXIES)%'
- default_trusted_proxies: '127.0.0.1,REMOTE_ADDR'
 
 services:
 # default configuration for services in *this* file
diff --git a/docker/configurations/Caddyfile b/docker/configurations/Caddyfile
index 996beac..c28aaf0 100644
--- a/docker/configurations/Caddyfile
+++ b/docker/configurations/Caddyfile
@@ -8,7 +8,13 @@
 redir /.well-known/carddav /dav/
 
 root * /var/www/davis/public
- php_fastcgi unix//var/run/php-fpm/php-fpm.sock
+ php_fastcgi unix//var/run/php-fpm/php-fpm.sock {
+ # Preserve the original X-Forwarded-Proto from upstream, as it might be HTTPS
+ header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
+ header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
+ header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
+ }
+
 file_server {
 # Safety net, just in case
 hide .git .gitignore
From fa17716432ab91243dd1583763b85ced94bf8afc Mon Sep 17 00:00:00 2001
From: tchapi
Date: Sun, 14 Sep 2025 17:05:10 +0200
Subject: [PATCH 4/4] chore

---
 .env | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.env b/.env
index 785c5d6..e4ec418 100644
--- a/.env
+++ b/.env
@@ -93,6 +93,3 @@ WEBDAV_HOMES_DIR=
 # By default, it will log in the standard Symfony directory: var/log/prod.log (for production)
 # You can use /dev/null here if you want to discard logs entirely
 LOG_FILE_PATH="%kernel.logs_dir%/%kernel.environment%.log"
-
-# By default, we trust '127.0.0.1,REMOTE_ADDR'
-TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
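Review bot: The three `header_up` lines added to the `php_fastcgi` block in docker/configurations/Caddyfile (PATCH 3/4) copy `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-For` from the incoming request to PHP unconditionally, so a client that reaches Caddy directly chooses the values the application receives. Whether the application acts on them depends on its trusted-proxy configuration, which this hunk does not show; if it trusts the FastCGI peer, the client IP, scheme and host become client-controlled. Consider limiting this to known upstreams instead, for example `trusted_proxies <upstream-proxy-CIDR>` (placeholder range) inside the `php_fastcgi` block, which should let Caddy keep forwarded headers only when the request comes from those addresses. The inline comment mentions only `X-Forwarded-Proto`; it should also say that Host and For are passed through and under what deployment assumption. The enclosing site block starts and ends outside the hunk.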