fix: signature mismatch for telephony

2026-06-19 08:28:10 +02:00 · 2026-06-18 18:56:58 +05:30 · 2026-06-18 18:56:58 +05:30 · 5dfd261930
commit 5dfd261930
parent d60065bf0a
1 changed files with 11 additions and 0 deletions
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -164,6 +164,17 @@ services:
      # from this value and nginx load-balances across them with least_conn.
      FASTAPI_WORKERS: "${FASTAPI_WORKERS:-1}"

+      # Trust X-Forwarded-* headers from any peer so uvicorn honors nginx's
+      # `X-Forwarded-Proto: https`. nginx runs as its own container and reaches
+      # uvicorn from a Docker-network IP (not loopback), but uvicorn trusts only
+      # 127.0.0.1 by default — so without this it ignores the header, request.url
+      # comes back as http://…, and inbound webhook signature checks fail for
+      # every provider at once (telephony providers sign the public https URL, so
+      # the recomputed signature won't match). "*" trusts all peers; the api port
+      # (8000) is published, so firewall/harden it at the host — or narrow this
+      # to your Docker bridge subnet — if that exposure matters to you.
+      FORWARDED_ALLOW_IPS: "*"
+
      # Langfuse — credentials can be set here or per-organization via the UI
      # at /settings. Tracing is automatically active when credentials are
      # available; uncomment to set defaults for all organizations.