[SOLVED] Neos behind a reverse proxy


(Tom Ole) #1

I have a running Neos instance behind an nginx reverse proxy. But for some reason I get cross-origin errors because the scripts and stylesheets are loaded over http://.

Why doesn’t {f:uri.resource(path: 'style.css', package: 'My.Package')} use https even though there is an existing domain entry with mypackage-mydomain-com | https://my-domain.com | active?


(Michael Gerdemann) #2

You have to set the environment variable FLOW_HTTP_TRUSTED_PROXIES to *, then it should work.


(Tom Ole) #3

Thanks a lot. This is working. But probably not production-ready with a wildcard? It's better to provide the proxy IP?!

https://flowframework.readthedocs.io/en/stable/TheDefinitiveGuide/PartV/ReleaseNotes/500.html#id3


(Alexander Berl) #4

Yes. If you know the IP of the reverse proxy, always specify it either via the FLOW_HTTP_TRUSTED_PROXIES environment variable, or via the Neos.Flow.Http.TrustedProxies.* setting. This makes sure that no other proxy (or malicious adversary) can override your request headers. See https://flowframework.readthedocs.io/en/stable/TheDefinitiveGuide/PartIII/Http.html#trusted-proxies for more information.
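
To illustrate why post #4 recommends the proxy IP over `*`, here is an added example (not part of the thread and not Flow's own code): a simplified Python model of the general trusted-proxy rule, in which X-Forwarded-* headers are honoured only when the directly connected peer is in the trusted list. The function names and all addresses are constructed for this illustration.

```python
import ipaddress

def is_trusted(addr, trusted):
    """True if addr matches the trusted-proxy setting ('*' or comma-separated IPs/CIDRs)."""
    if trusted.strip() == "*":
        return True  # wildcard: every peer is treated as a proxy
    try:
        peer = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed hop value is never trusted
    return any(peer in ipaddress.ip_network(e.strip(), strict=False)
               for e in trusted.split(",") if e.strip())

def effective_request(remote_addr, socket_scheme, headers, trusted):
    """Return the (scheme, client_ip) the application would act on."""
    if not is_trusted(remote_addr, trusted):
        # Peer is not a known proxy, so its forwarded headers are ignored.
        return socket_scheme, remote_addr
    scheme = headers.get("X-Forwarded-Proto", socket_scheme).lower()
    if scheme not in ("http", "https"):
        scheme = socket_scheme
    # Walk X-Forwarded-For right to left; stop at the first untrusted hop.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client = remote_addr
    for hop in reversed(hops):
        client = hop
        if not is_trusted(hop, trusted):
            break
    return scheme, client

# Constructed sample data (documentation address ranges, not from the thread).
PROXY = "10.0.0.5"
VIA_PROXY = ("10.0.0.5", "http",
             {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.7"})
DIRECT_SPOOFED = ("198.51.100.9", "http",
                  {"X-Forwarded-Proto": "https", "X-Forwarded-For": "127.0.0.1"})

def compare(request):
    """Evaluate one request under the wildcard and the pinned setting."""
    return {"*": effective_request(*request, trusted="*"),
            PROXY: effective_request(*request, trusted=PROXY)}

if __name__ == "__main__":
    for name, req in (("via proxy", VIA_PROXY), ("direct, spoofed", DIRECT_SPOOFED)):
        print(name, compare(req))
```

Both settings give the same result for traffic that really passed through the proxy; they differ only for a peer that reaches the application directly, where the pinned setting falls back to the socket's own scheme and address.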