diff --git a/deploy/helm/dograh/templates/web-deployment.yaml b/deploy/helm/dograh/templates/web-deployment.yaml index 5dcaf18c..3afb09c1 100644 --- a/deploy/helm/dograh/templates/web-deployment.yaml +++ b/deploy/helm/dograh/templates/web-deployment.yaml @@ -61,6 +61,10 @@ spec: env: - name: WEB_PORT value: {{ .Values.web.port | quote }} + # Trust proxy headers from these peers so request.url reflects the + # original https scheme — see web.forwardedAllowIps in values.yaml. + - name: FORWARDED_ALLOW_IPS + value: {{ .Values.web.forwardedAllowIps | quote }} {{- include "dograh.dbEnv" . | nindent 12 }} # Distinct probes: readiness flips fast (drain), liveness is # slower (process aliveness). diff --git a/deploy/helm/dograh/values.yaml b/deploy/helm/dograh/values.yaml index 47d08fb8..ef68600a 100644 --- a/deploy/helm/dograh/values.yaml +++ b/deploy/helm/dograh/values.yaml @@ -158,6 +158,16 @@ web: replicaCount: 2 port: 8000 + # Peers uvicorn trusts X-Forwarded-Proto / X-Forwarded-For from (exported + # as FORWARDED_ALLOW_IPS). The ingress proxy reaches the pod from a + # pod-network IP — not loopback — so uvicorn's 127.0.0.1 default ignores + # the headers, request.url reads back as http://, and telephony providers + # that sign their webhook URL (Vobiz, Twilio, Plivo) fail signature + # validation. "*" trusts every peer, which is fine while only the ingress + # can reach the pod; narrow to your proxy/pod CIDR (e.g. "10.42.0.0/16") + # if the pod is reachable from untrusted networks. + forwardedAllowIps: "*" + # Long-lived signaling WebSockets keep per-connection state in process # memory (api/routes/webrtc_signaling.py). A naive pod restart drops every # in-flight call. The two settings below give the gateway time to stop diff --git a/scripts/run_web.sh b/scripts/run_web.sh index 913eb73a..31571e21 100755 --- a/scripts/run_web.sh +++ b/scripts/run_web.sh @@ -10,5 +10,9 @@ fi PORT="${WEB_PORT:-8000}" +# uvicorn trusts X-Forwarded-Proto / X-Forwarded-For only from peers listed +# in the FORWARDED_ALLOW_IPS env var (default 127.0.0.1). Behind a reverse +# proxy it must be set (compose: api service env, helm: web.forwardedAllowIps) +# or request.url stays http:// and URL-signed webhook validation fails. cd "$BASE_DIR" exec uvicorn api.app:app --host 0.0.0.0 --port "$PORT" --workers 1