[PR #237] [MERGED] fix: improve reverse proxy support for subdomain deployments #1855

Closed
opened 2026-04-27 19:13:46 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/RayLabsHQ/gitea-mirror/pull/237
Author: @arunavo4
Created: 3/18/2026
Status: Merged
Merged: 3/18/2026
Merged by: @arunavo4

Base: main ← Head: fix/63-reverse-proxy-support


📝 Commits (4)

  • 470be29 fix: improve reverse proxy support for subdomain deployments (#63)
  • 9b99e5e fix: address review findings for reverse proxy origin detection
  • 60034c5 fix: handle multi-value x-forwarded-host in chained proxy setups
  • 2e2b420 test: add unit tests for reverse proxy origin detection

📊 Changes

7 files changed (+268 additions, -46 deletions)

View changed files

📝 .env.example (+18 -1)
📝 docker-compose.alt.yml (+4 -0)
📝 docker-compose.yml (+7 -0)
➕ src/lib/auth-origins.test.ts (+119 -0)
📝 src/lib/auth.ts (+71 -42)
📝 src/pages/api/sse/index.ts (+1 -0)
📝 src/pages/docs/advanced.astro (+48 -3)

📄 Description

Summary

Fixes #63 — app doesn't work when accessed via a reverse proxy subdomain (e.g., gitea-mirror.mydomain.tld). Pages show no content and users can't sign in.

Root cause

Better Auth's trustedOrigins only included http://localhost:4321 by default. When the browser sends Origin: https://gitea-mirror.mydomain.tld, it was rejected as "invalid origin". Additionally, SSE streams were buffered by Nginx, breaking real-time updates.

Changes

Auto-detect origin from request headers (src/lib/auth.ts)

  • Changed trustedOrigins from a static IIFE to an async function that receives the incoming request
  • Auto-detects origin from X-Forwarded-Host/Host + X-Forwarded-Proto headers for per-request CSRF validation
  • Handles multi-value X-Forwarded-Host and X-Forwarded-Proto (chained proxy setups) — takes first value only
  • Validates proto is strictly "http" or "https"
  • Restores startup logging of static trusted origins for debugging

SSE buffering fix (src/pages/api/sse/index.ts)

  • Added X-Accel-Buffering: no response header to prevent Nginx from buffering the SSE stream

Documentation (src/pages/docs/advanced.astro)

  • Added prominent red warning callout: BETTER_AUTH_URL, PUBLIC_BETTER_AUTH_URL, and BETTER_AUTH_TRUSTED_ORIGINS are mandatory for reverse proxy deployments
  • Added Docker Compose example with required env vars
  • Added X-Forwarded-For, X-Forwarded-Proto, Host headers to Nginx SSE example

Config/Docker (.env.example, docker-compose.yml, docker-compose.alt.yml)

  • Added dedicated "REVERSE PROXY CONFIGURATION" section in .env.example
  • Added PUBLIC_BETTER_AUTH_URL and BETTER_AUTH_TRUSTED_ORIGINS to docker-compose.yml
  • Added reverse proxy comments to docker-compose.alt.yml

Test plan

  • All 171 tests pass
  • Production build succeeds
  • Rebased cleanly onto main (after PR #235 and #236 merges)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
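
The origin detection listed under "Auto-detect origin from request headers", as an added example that is not the code merged in src/lib/auth.ts: it takes the first value of multi-value forwarded headers, accepts only "http" or "https" as the scheme, and merges the result with a static list. The names `HeaderMap`, `firstValue`, `detectOrigin` and `trustedOriginsFor` are hypothetical, and the default to "http" when X-Forwarded-Proto is absent and the host pattern are assumptions.

```typescript
// Added example: hypothetical helpers, not the code in src/lib/auth.ts.
type HeaderMap = Record<string, string | undefined>; // keys are lower-case header names

// Chained proxies append values ("a.example, b.example"); keep only the first.
function firstValue(raw: string | undefined): string | null {
  if (!raw) return null;
  const first = (raw.split(",")[0] ?? "").trim();
  return first.length > 0 ? first : null;
}

// Assumption: a host is a DNS name or IPv4 literal with an optional port.
// Anything containing "/", "@", whitespace or brackets is rejected.
const HOST_RE = /^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?$/i;

function detectOrigin(headers: HeaderMap): string | null {
  const host = firstValue(headers["x-forwarded-host"]) ?? firstValue(headers["host"]);
  if (!host || !HOST_RE.test(host)) return null;

  // Assumption: with no X-Forwarded-Proto the request arrived directly over plain HTTP.
  const proto = (firstValue(headers["x-forwarded-proto"]) ?? "http").toLowerCase();
  if (proto !== "http" && proto !== "https") return null; // strict scheme allow-list

  return `${proto}://${host.toLowerCase()}`;
}

// Static origins (e.g. parsed from BETTER_AUTH_TRUSTED_ORIGINS) plus the detected one.
function trustedOriginsFor(headers: HeaderMap, staticOrigins: string[]): string[] {
  const detected = detectOrigin(headers);
  const all = detected ? [...staticOrigins, detected] : [...staticOrigins];
  return Array.from(new Set(all)); // de-duplicate, keep order
}

// Constructed sample requests.
const behindProxy: HeaderMap = {
  host: "app:4321",
  "x-forwarded-host": "gitea-mirror.mydomain.tld, inner-proxy.local",
  "x-forwarded-proto": "https, http",
};
const badProto: HeaderMap = { host: "gitea-mirror.mydomain.tld", "x-forwarded-proto": "javascript" };

console.log(trustedOriginsFor(behindProxy, ["http://localhost:4321"]));
console.log(detectOrigin(badProto));
```

The detected origin is only as reliable as the proxy that sets X-Forwarded-Host and X-Forwarded-Proto, so the proxy should overwrite those headers rather than pass through values supplied by the client.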

GiteaMirror added the pull-request label 2026-04-27 19:13:46 -05:00
Reference: github-starred/gitea-mirror#1855