Giorgio Gilestro
9e058144ec
The app sits behind Nginx Proxy Manager which terminates TLS and forwards plain HTTP. Without --proxy-headers, Starlette's request.url keeps the inbound \`http\` scheme, so url_for() renders the static-CSS \`<link>\` as http://… and the browser blocks it as mixed content under the public https origin. Adds --proxy-headers + --forwarded-allow-ips=* to the prod uvicorn command. The wildcard is fine because the container has no host port — only the intranet bridge (where NPM lives) can reach it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
49 lines
2.3 KiB
YAML
49 lines
2.3 KiB
YAML
# Production overlay. Applied on the VPS with:
|
|
#
|
|
# docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
|
|
#
|
|
# Drops the host port binding entirely and joins the `intranet` external
|
|
# Docker network so a front-side proxy (Nginx Proxy Manager) on the same
|
|
# network can reach the container directly. The app listens on port 80
|
|
# inside the container so NPM upstreams are uniform across services
|
|
# (always `<container-name>:80`).
|
|
#
|
|
# The local-dev compose (just `docker-compose.yml` alone) still binds to
|
|
# the host port from `.env` / CASSANDRA_PORT — unchanged.
|
|
|
|
services:
|
|
app:
|
|
# --proxy-headers makes Starlette honour X-Forwarded-Proto / -For from
|
|
# NPM, so request.url_for() generates https:// URLs (otherwise static
|
|
# asset links render as http://… and browsers block as mixed content).
|
|
# --forwarded-allow-ips=* is safe here: the container has no host port,
|
|
# only the intranet bridge reaches it.
|
|
command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "80",
|
|
"--workers", "1", "--proxy-headers", "--forwarded-allow-ips=*"]
|
|
expose:
|
|
- "80"
|
|
networks:
|
|
- default
|
|
- intranet
|
|
# The shared `intranet` network has many other containers aliased as
|
|
# `db` and `redis`; Docker's embedded DNS would pick one of those
|
|
# before ours. Use the project-prefixed container names instead —
|
|
# those are globally unique on the daemon.
|
|
environment:
|
|
DATABASE_URL: mysql+aiomysql://${MARIADB_USER:-cassandra}:${MARIADB_PASSWORD:-changeme}@readmarkets-db-1:3306/${MARIADB_DATABASE:-cassandra}
|
|
REDIS_URL: redis://readmarkets-redis-1:6379/0
|
|
|
|
scheduler:
|
|
# Scheduler isn't fronted by NPM, so it doesn't need intranet — but
|
|
# it does share the same DNS-collision problem on `default` (it only
|
|
# joins `default`, where our `db` alias would normally win… except
|
|
# the scheduler too is multi-network if you ever decide to expose
|
|
# its health endpoint via NPM). Future-proofing: use the explicit
|
|
# container names here too.
|
|
environment:
|
|
DATABASE_URL: mysql+aiomysql://${MARIADB_USER:-cassandra}:${MARIADB_PASSWORD:-changeme}@readmarkets-db-1:3306/${MARIADB_DATABASE:-cassandra}
|
|
REDIS_URL: redis://readmarkets-redis-1:6379/0
|
|
|
|
networks:
|
|
intranet:
|
|
external: true
|