mirror of
https://github.com/RayLabsHQ/gitea-mirror.git
synced 2026-03-25 15:17:42 +03:00
* fix: improve reverse proxy support for subdomain deployments (#63) - Add X-Accel-Buffering: no header to SSE endpoint to prevent Nginx from buffering the event stream - Auto-detect trusted origin from Host/X-Forwarded-* request headers so the app works behind a proxy without manual env var configuration - Add prominent reverse proxy documentation to advanced docs page explaining BETTER_AUTH_URL, PUBLIC_BETTER_AUTH_URL, and BETTER_AUTH_TRUSTED_ORIGINS are mandatory for proxy deployments - Add reverse proxy env var comments and entries to both docker-compose.yml and docker-compose.alt.yml - Add dedicated reverse proxy configuration section to .env.example * fix: address review findings for reverse proxy origin detection - Fix x-forwarded-proto multi-value handling: take first value only and validate it is "http" or "https" before using - Update comment to accurately describe auto-detection scope: helps with per-request CSRF checks but not callback URL validation - Restore startup logging of static trusted origins for debugging * fix: handle multi-value x-forwarded-host in chained proxy setups x-forwarded-host can be comma-separated (e.g. "proxy1.example.com, proxy2.example.com") in chained proxy setups. Take only the first value, matching the same handling already applied to x-forwarded-proto. * test: add unit tests for reverse proxy origin detection Extract resolveTrustedOrigins into a testable exported function and add 11 tests covering: - Default localhost origins - BETTER_AUTH_URL and BETTER_AUTH_TRUSTED_ORIGINS env vars - Invalid URL handling - Auto-detection from x-forwarded-host + x-forwarded-proto - Multi-value header handling (chained proxy setups) - Invalid proto rejection (only http/https allowed) - Deduplication - Fallback to host header when x-forwarded-host absent
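# Minimal Gitea Mirror deployment
# Only includes what CANNOT be configured via the Web UI
# Everything else can be set up through the web interface after deployment

services:
  gitea-mirror:
    # NOTE(review): ":latest" is a moving tag, so each pull may run different
    # code. For reproducible deployments pin a release tag or an image digest.
    image: ghcr.io/raylabshq/gitea-mirror:latest
    container_name: gitea-mirror
    restart: unless-stopped
    ports:
      # Published on every host interface. When a reverse proxy on the same
      # host fronts the app, bind to loopback instead so the plain-HTTP port
      # is not reachable directly: "127.0.0.1:${PORT:-4321}:4321"
      - "${PORT:-4321}:4321"
    # Runs the container as UID:GID from PUID/PGID (default 1000:1000).
    # Quoted so the value is always read as a string.
    user: "${PUID:-1000}:${PGID:-1000}"
    volumes:
      # Persists application data on the host; DATABASE_URL below points into
      # this directory (relative path, presumably resolved from /app - confirm).
      # Credentials entered in the web UI are presumably stored here, so keep
      # host permissions on ./data restrictive.
      - ./data:/app/data
    environment:
      # === ABSOLUTELY REQUIRED ===
      # This MUST be set and CANNOT be changed via UI
      # Min 32 chars, required for sessions. ":?" makes Compose abort with the
      # message below instead of passing an empty secret when it is unset.
      - "BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET:?set BETTER_AUTH_SECRET in .env (min 32 chars)}"
      # The http://localhost defaults are only suitable for local access.
      - BETTER_AUTH_URL=${BETTER_AUTH_URL:-http://localhost:4321}
      - BETTER_AUTH_TRUSTED_ORIGINS=${BETTER_AUTH_TRUSTED_ORIGINS:-http://localhost:4321}
      # REVERSE PROXY: If accessing via a reverse proxy, set all three to your external URL:
      #   BETTER_AUTH_URL=https://gitea-mirror.example.com
      #   PUBLIC_BETTER_AUTH_URL=https://gitea-mirror.example.com
      #   BETTER_AUTH_TRUSTED_ORIGINS=https://gitea-mirror.example.com
      # List only origins you actually serve in BETTER_AUTH_TRUSTED_ORIGINS.
      # NOTE(review): if the app also derives trusted origins from Host /
      # X-Forwarded-* request headers, have the proxy overwrite those headers
      # rather than forward client-supplied values.

      # === CORE SETTINGS ===
      # These are technically required but have working defaults
      - NODE_ENV=production
      - DATABASE_URL=file:data/gitea-mirror.db
      # Listen address and port inside the container; host exposure is
      # controlled by the "ports" mapping above.
      - HOST=0.0.0.0
      - PORT=4321
      - PUBLIC_BETTER_AUTH_URL=${PUBLIC_BETTER_AUTH_URL:-http://localhost:4321}
      # Optional concurrency controls (defaults match in-app defaults)
      # If you want perfect ordering of issues and PRs, set these at 1
      - MIRROR_ISSUE_CONCURRENCY=${MIRROR_ISSUE_CONCURRENCY:-3}
      - MIRROR_PULL_REQUEST_CONCURRENCY=${MIRROR_PULL_REQUEST_CONCURRENCY:-5}

    healthcheck:
      # Probes the health endpoint from inside the container.
      test: ["CMD", "wget", "--no-verbose", "--tries=3", "--spider", "http://localhost:4321/api/health"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 15s

# === QUICK START ===
#
# 1. Create a .env file with only ONE required variable:
#    BETTER_AUTH_SECRET=your-32-character-minimum-secret-key-here
#    Use a randomly generated value (for example: openssl rand -base64 32),
#    keep .env out of version control and readable only by the deploying user.
#
# 2. Run:
#    docker-compose -f docker-compose.alt.yml up -d
#
# 3. Access at http://localhost:4321
#
# 4. Sign up for an account (first user becomes admin)
#    Complete this step before exposing the port beyond localhost.
#
# 5. Configure everything else through the web UI:
#    - GitHub credentials
#    - Gitea credentials
#    - Mirror settings
#    - Scheduling options
#    - Auto-import settings
#    - Cleanup preferences
#
# That's it! Everything else can be configured via the web interface.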