xiaji/diary-news
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d1bf5ea2dfb3200020c46679c9873e5290523ca4
diary-news/docker-compose.yml
xiaji d1bf5ea2df fix(auth): Caddy 显式写入 X-Forwarded-For + uvicorn 信任 docker 网络 
根因(在 smoke test 中定位):
- Caddy reverse_proxy 默认会覆盖客户端的 X-Forwarded-For 头,
  写入它自己识别的 client IP(防伪造)
- uvicorn --forwarded-allow-ips 默认只信任 127.0.0.1,
  docker 网络 172.18.0.x 不在白名单
- 结果: api 端读 X-Forwarded-For 时,看到的是 Caddy 替换后的值
  (Caddy 识别的真实 client IP),不是客户端伪造的值 — 这其实是正确的!
  但 uvicorn 不会用这个值更新 client scope

修法:
- Caddyfile: header_up X-Forwarded-For {remote_host}
  显式让 Caddy 把自己识别的 client IP 写入 X-Forwarded-For
- docker-compose api command: 加 --forwarded-allow-ips 172.18.0.0/16
  信任 docker 网络(让 uvicorn 采用 X-Forwarded-For 的值)
- api 端 get_client_ip 不变,读 X-Forwarded-For 拿真实 client IP

效果: X-Forwarded-For 在代理链中始终代表真实 client IP,
不再被任何中间件覆盖或丢弃
2026-06-13 19:47:11 +08:00

136 lines
3.1 KiB
YAML
Raw Blame History

name: news-aggregator
services:
postgres:
image: postgres:16-alpine
restart: unless-stopped
environment:
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_DB: ${POSTGRES_DB}
TZ: ${TZ}
volumes:
- pg_data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
interval: 10s
timeout: 5s
retries: 5
# 不暴露到宿主机
expose:
- "5432"
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
redis:
image: redis:7-alpine
restart: unless-stopped
command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}", "--maxmemory", "256mb", "--maxmemory-policy", "allkeys-lru"]
volumes:
- redis_data:/data
healthcheck:
test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD}", "ping"]
interval: 10s
timeout: 3s
retries: 5
expose:
- "6379"
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
api:
build:
context: ./backend
dockerfile: Dockerfile
restart: unless-stopped
env_file: .env
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
expose:
- "8000"
volumes:
- ./backend/app:/app/app
- ./backend/alembic:/app/alembic
- ./backend/alembic.ini:/app/alembic.ini
# --forwarded-allow-ips 信任 docker 网络(让 Caddy 写入的 X-Forwarded-For 被采用)
# 生产部署可改成 Caddy 容器的具体 IP(动态 IP 用子网)
command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--forwarded-allow-ips", "172.18.0.0/16"]
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
worker:
build:
context: ./backend
dockerfile: Dockerfile
restart: unless-stopped
env_file: .env
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
volumes:
- ./backend/app:/app/app
- ./backend/alembic:/app/alembic
- ./backend/alembic.ini:/app/alembic.ini
command: ["python", "-m", "app.workers"]
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
caddy:
image: caddy:2-alpine
restart: unless-stopped
env_file: .env
ports:
- "80:80"
- "443:443"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy_data:/data
- caddy_config:/config
depends_on:
- api
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
frontend:
build:
context: ./frontend
dockerfile: Dockerfile
args:
VITE_API_BASE: ${VITE_API_BASE:-/api/v1}
restart: unless-stopped
expose:
- "80"
depends_on:
- api
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
volumes:
pg_data:
redis_data:
caddy_data:
caddy_config:
Reference in New Issue View Git Blame Copy Permalink