@parkervcp
Contributor

Add BEHIND_PROXY to compose
Move TRUSTED_PROXIES and added default values
Added notes on what to do when running behind a proxy.

Update entrypoint and caddyfile for better proxy support.

Add a full stack compose file with database and redis containers for more advanced setups.

resolves #1000

coderabbitai bot commented Nov 20, 2025

📥 Commits

Reviewing files that changed from the base of the PR and between 6503a2c and 18b2d92.

📒 Files selected for processing (2)
  • docker/Caddyfile (1 hunks)
  • docker/entrypoint.sh (3 hunks)
📝 Walkthrough

Adds a new full-stack Docker Compose file and updates compose, Caddyfile, and entrypoint to support proxy-aware startup by exporting PARSED_LE_EMAIL, PARSED_APP_URL, and APP_ASSET; removes the DB migration step from the entrypoint.

Changes

New full-stack Compose: compose-full-stack.yml
Added a complete Docker Compose defining services database (mariadb:10.11), cache (redis:alpine), and panel (ghcr.io/pelican-dev/panel:latest), shared YAML anchors (panel-environment, mail-environment, db-environment, db-password, db-database, db-username), volumes pelican-data, pelican-logs, pelican-db, and default network with IPAM subnet 172.20.0.0/16.

Compose adjustments: compose.yml
Replaced ADMIN_EMAIL with LE_EMAIL in x-common.panel-environment; added commented BEHIND_PROXY and TRUSTED_PROXIES examples; removed TRUSTED_PROXIES from services.panel.environment; added commented alternative port mapping - "81:80".

Entrypoint changes: docker/entrypoint.sh
Removed database migration step (php artisan migrate --force). Added exports/initialization for PARSED_LE_EMAIL, PARSED_APP_URL, and APP_ASSET; when BEHIND_PROXY="true" sets PARSED_LE_EMAIL="", PARSED_APP_URL=":80", and sets APP_ASSET from APP_URL; retained remaining startup and proxy handling.

Caddy configuration: docker/Caddyfile
Replaced placeholder values to use parsed variables: {$PARSED_LE_EMAIL} for admin email and {$PARSED_APP_URL} for site/App URL blocks.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Reverse Proxy / Client
    participant Panel as Panel Container (Entrypoint → Caddy & App)
    participant Caddy as Caddy Server (inside Panel)

    rect rgb(250,250,255)
    Note over Panel: Container startup (docker/entrypoint.sh)
    Panel->>Panel: Read env: APP_URL, LE_EMAIL, BEHIND_PROXY
    Panel->>Panel: Export PARSED_APP_URL, PARSED_LE_EMAIL, APP_ASSET
    alt BEHIND_PROXY = "true"
        Panel->>Panel: PARSED_APP_URL = ":80"
        Panel->>Panel: PARSED_LE_EMAIL = ""
        Panel->>Panel: APP_ASSET set from APP_URL
    else
        Panel->>Panel: PARSED_* derived from APP_URL/LE_EMAIL
    end
    Panel->>Caddy: Render Caddyfile with {$PARSED_APP_URL}, {$PARSED_LE_EMAIL}
    Caddy-->>Panel: Start listening on configured addresses
    end

    rect rgb(235,255,235)
    Note over Client,Caddy: Request handling
    Client->>Caddy: HTTP request (port 80) or HTTPS (port 443)
    Caddy->>Panel: Proxy/request routing to app as configured
    Panel-->>Client: HTTP/HTTPS response
    end

Pre-merge checks

❌ Failed checks (2 inconclusive)

Title check: ❓ Inconclusive. The title 'Update docker image' is vague and does not clearly convey the main changes: proxy support improvements and addition of a full-stack compose file. Resolution: consider revising the title to be more specific, such as 'Add proxy support and full-stack compose configuration', to better reflect the scope of changes.

Out of Scope Changes check: ❓ Inconclusive. The addition of the full-stack compose-full-stack.yml file is slightly out of scope relative to the core issue #1000 (proxy fix), though it is mentioned in the PR description and objectives. Resolution: consider clarifying whether the full-stack compose file is essential to issue #1000 or if it should be in a separate PR focused on compose examples.

✅ Passed checks (3 passed)

Description check: ✅ Passed. The description is related to the changeset and covers the main objectives: proxy configuration, entrypoint updates, and a full-stack compose file.

Linked Issues check: ✅ Passed. The PR addresses issue #1000 by implementing proxy support through BEHIND_PROXY configuration, updating the Caddyfile with parsed URL variables, and modifying the entrypoint to handle proxy scenarios correctly.

Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment


Actionable comments posted: 5

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a195b56 and 42d9c51.

📒 Files selected for processing (4)
  • compose-full-stack.yml (1 hunks)
  • compose.yml (2 hunks)
  • docker/Caddyfile (1 hunks)
  • docker/entrypoint.sh (3 hunks)
🧰 Additional context used
🪛 Shellcheck (0.11.0)
docker/entrypoint.sh
  [error] 17-17: In dash, echo flags besides -n not supported. (SC3036)
  [error] 45-45: In dash, [[ ]] is not supported. (SC3010)
  [error] 45-45: In dash, == in place of = is not supported. (SC3014)

🔇 Additional comments (4)
docker/entrypoint.sh (1)

36-37: Verify removal of database migrations is intentional.

The database migration step was removed from the entrypoint. This change should be verified to ensure migrations are handled elsewhere (e.g., manually by operators or in a separate initialization step), as skipping migrations could lead to schema mismatches.

Please confirm:

  1. Are migrations now expected to be run manually?
  2. Is there documentation or a separate process for running migrations in the updated workflow?
docker/Caddyfile (1)

9-12: LGTM! Proxy-aware configuration correctly implemented.

The use of PARSED_ADMIN_EMAIL and PARSED_APP_URL correctly aligns with the entrypoint changes. When BEHIND_PROXY=true, PARSED_APP_URL will be set to :80, which prevents Caddy from forcing HTTPS redirects and resolves the core issue described in #1000.

compose-full-stack.yml (1)

1-97: Well-structured full-stack configuration.

The new compose file provides a complete setup with database, cache, and panel services using environment anchors effectively. The configuration aligns well with the proxy support objectives and provides clear templates for users to customize.

compose.yml (1)

9-10: Good addition of proxy configuration templates.

The commented BEHIND_PROXY and TRUSTED_PROXIES variables provide clear guidance for users running behind a reverse proxy. The default IPs align with the network subnet defined in the file.

coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
docker/entrypoint.sh (1)

41-51: Fix typos and use portable shell syntax for ash compatibility.

The proxy-aware logic correctly implements the PR objectives, but has unresolved issues flagged in previous reviews:

  1. Line 46 typo: "behin" should be "behind"
  2. Line 50 typo: "APP_ASSETT" should be "APP_ASSET"
  3. Line 45 syntax: [[ ]] is bash-specific; use [ ] for ash/POSIX compatibility (also fixes Shellcheck SC3010/SC3014)

Apply this diff to fix all three issues:

-# when running behind a proxy
-if [[ ${BEHIND_PROXY} == "true" ]]; then
-  echo "running behin proxy"
+# when running behind a proxy
+if [ "${BEHIND_PROXY}" = "true" ]; then
+  echo "running behind proxy"
   echo "listening on port 80 internally"
   export PARSED_ADMIN_EMAIL=""
   export PARSED_APP_URL=":80"
-  export APP_ASSETT=${APP_URL}
+  export APP_ASSET=${APP_URL}
 fi
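
Review bot: with BEHIND_PROXY=true this branch exports PARSED_LE_EMAIL as an empty string, but the Caddyfile in this PR substitutes that value as the argument of the `email` directive (`email {$PARSED_LE_EMAIL}`), and Caddy rejects a directive with no argument; that is the startup failure reported later in this thread ("wrong argument count or unexpected line ending after 'email', at /etc/caddy/Caddyfile:9"). Export the whole directive fragment instead, the way CADDY_TRUSTED_PROXIES already carries `trusted_proxies static ...`: `export PARSED_LE_EMAIL="email ${LE_EMAIL}"` in the non-proxy case and an empty string behind a proxy, with the Caddyfile referencing `{$PARSED_LE_EMAIL}` as the complete line. Also note that BEHIND_PROXY only changes the listen address; it does not set TRUSTED_PROXIES, so the proxy's address still has to be configured separately for forwarded client addresses to be trusted, and the compose comments should say both are needed.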

Note: Rmartinoscar already provided these exact suggestions in previous review comments.

🧹 Nitpick comments (2)
docker/entrypoint.sh (2)

12-18: Use portable echo syntax for ash compatibility.

The script uses #!/bin/ash -e, but lines 12, 14, 15, 17, and 18 rely on echo -e, which Shellcheck flags as unsupported in ash/dash (SC3036). To improve portability and silence shell linting warnings, use printf instead, which is POSIX-compliant:

   if [ -z $APP_KEY ]; then
-    echo -e "Generating key."
+    printf "Generating key.\n"
     APP_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
-    echo -e "Generated app key: $APP_KEY"
-    echo -e "APP_KEY=$APP_KEY" > /pelican-data/.env
+    printf "Generated app key: %s\n" "$APP_KEY"
+    printf "APP_KEY=%s\n" "$APP_KEY" > /pelican-data/.env
   else
-    echo -e "APP_KEY exists in environment, using that."
-    echo -e "APP_KEY=$APP_KEY" > /pelican-data/.env
+    printf "APP_KEY exists in environment, using that.\n"
+    printf "APP_KEY=%s\n" "$APP_KEY" > /pelican-data/.env
   fi
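
Review bot: `if [ -z $APP_KEY ]` leaves the variable unquoted; it only works when APP_KEY is empty because `[ -z ]` degenerates to a one-argument test, and it breaks on any value containing whitespace. Write `if [ -z "$APP_KEY" ]; then`. Separately, `printf "Generated app key: %s\n" "$APP_KEY"` writes the freshly generated application encryption key to the container's stdout, so it lands in `docker logs` and in whatever ships those logs; log that a key was generated, not the key itself. The key is also written to /pelican-data/.env on a mounted volume, so restrict that file (for example `chmod 600 /pelican-data/.env` right after writing it).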

54-66: Use portable conditional syntax for ash compatibility.

Lines 54 and 62 use [[ ]] conditionals (bash-specific), which Shellcheck flags as unsupported in ash/dash. Replace with portable [ ] syntax:

 ## disable caddy if SKIP_CADDY is set
-if [[ "${SKIP_CADDY:-}" == "true" ]]; then
+if [ "${SKIP_CADDY:-}" = "true" ]; then
   echo "Starting PHP-FPM only"
 else
   echo "Starting PHP-FPM and Caddy"
   export SUPERVISORD_CADDY=true

   # handle trusted proxies for caddy
-  if [[ ! -z ${TRUSTED_PROXIES} ]]; then
+  if [ -n "${TRUSTED_PROXIES}" ]; then
     export CADDY_TRUSTED_PROXIES=$(echo "trusted_proxies static ${TRUSTED_PROXIES}" | sed 's/,/ /g')
     export CADDY_STRICT_PROXIES="trusted_proxies_strict"
   fi
 fi
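
Review bot: TRUSTED_PROXIES is interpolated unvalidated into the Caddyfile through CADDY_TRUSTED_PROXIES; a hostname, a stray space or an empty element between commas is not caught here and only surfaces as a Caddy config adaption error at container start, which is hard to diagnose from a compose file. Check each comma-separated element against an IP or CIDR pattern before exporting and fail early with a clear message. Exporting `trusted_proxies_strict` only when the list is non-empty is the right default, but because the BEHIND_PROXY branch above never sets TRUSTED_PROXIES, a deployment with BEHIND_PROXY=true and no TRUSTED_PROXIES gets no trusted proxy at all; document that both must be set behind a reverse proxy.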

Note: [ -n VAR ] is more portable and idiomatic than [ ! -z VAR ].

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 42d9c51 and 98c45c4.

📒 Files selected for processing (1)
  • docker/entrypoint.sh (3 hunks)
🧰 Additional context used
🪛 Shellcheck (0.11.0)
docker/entrypoint.sh
  [error] 12-12: In dash, echo flags besides -n not supported. (SC3036)
  [error] 14-14: In dash, echo flags besides -n not supported. (SC3036)
  [error] 15-15: In dash, echo flags besides -n not supported. (SC3036)
  [error] 45-45: In dash, [[ ]] is not supported. (SC3010)
  [error] 45-45: In dash, == in place of = is not supported. (SC3014)

🔇 Additional comments (1)
docker/entrypoint.sh (1)

41-42: PARSED_* export approach is sound.

The introduction of PARSED_ADMIN_EMAIL and PARSED_APP_URL exports enables runtime configuration of Caddy based on deployment context. When BEHIND_PROXY=true, setting PARSED_APP_URL to :80 prevents Caddy from enforcing external redirects, which correctly addresses PR objectives. The logic aligns well with the related Caddyfile changes.

parkervcp and others added 3 commits November 19, 2025 22:13
Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com>
Replaces the admin email variable with `LE_EMAIL` to signify that it's for Let's Encrypt cert generation.

Also removes an extra equals sign.
parkervcp and others added 2 commits November 19, 2025 23:46
Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com>
Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com>
coderabbitai bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docker/entrypoint.sh (1)

62-62: Same portability issue on line 62.

Line 62 uses [[ ]] and the -z test operator, which is fine, but should use [ ] for consistency.

Apply this diff:

-  if [[ ! -z ${TRUSTED_PROXIES} ]]; then
+  if [ -n "${TRUSTED_PROXIES}" ]; then

Note: Using -n (string is not empty) is clearer than ! -z (not zero length) and properly quotes the variable.

🧹 Nitpick comments (1)
compose-full-stack.yml (1)

26-27: Emphasize the critical security requirement to change database passwords.

While "SUPERNEEDSTOCHANGE" and "NEEDSTOCHANGE" are obviously placeholders, consider adding a more prominent warning in the comment block above (lines 24-25) to stress that these passwords must be changed before deployment to production.

Example enhancement:

-    # Do not remove the "&db-password" from the end of the line below, it is important
-    # for Panel functionality.
+    # IMPORTANT: Change these passwords before deploying to production!
+    # Do not remove the "&db-password" from the end of the line below, it is important
+    # for Panel functionality.
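
Review bot: a comment will not stop a deployment that starts with `SUPERNEEDSTOCHANGE` still in place; make Compose refuse to start instead by reading the secret from the environment with the required-variable form, e.g. `&db-password ${DB_PASSWORD:?set DB_PASSWORD before starting}` on the password line (the `&db-password` anchor still works in front of the interpolated scalar). Compose then aborts with that message when the variable is unset or empty, and the real password never lives in the committed file.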
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 98c45c4 and f85216e.

📒 Files selected for processing (4)
  • compose-full-stack.yml (1 hunks)
  • compose.yml (2 hunks)
  • docker/Caddyfile (1 hunks)
  • docker/entrypoint.sh (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • compose.yml
🧰 Additional context used
🪛 Shellcheck (0.11.0)
docker/entrypoint.sh
  [error] 12-12: In dash, echo flags besides -n not supported. (SC3036)
  [error] 14-14: In dash, echo flags besides -n not supported. (SC3036)
  [error] 15-15: In dash, echo flags besides -n not supported. (SC3036)
  [error] 45-45: In dash, [[ ]] is not supported. (SC3010)
  [error] 45-45: In dash, == in place of = is not supported. (SC3014)

🔇 Additional comments (4)
compose-full-stack.yml (2)

40-51: LGTM!

The database and cache service configurations are well-structured. Using mariadb:10.11 with explicit mysql_native_password authentication ensures compatibility, and redis:alpine provides a lightweight caching solution.


76-78: Environment variable names are correct.

The verification confirms that CACHE_STORE, SESSION_DRIVER, and QUEUE_CONNECTION are the correct variable names currently used throughout the application. These are referenced in the Laravel configuration files (config/cache.php, config/session.php) and are actively used in installer steps and console commands. The compose-full-stack.yml configuration is accurate.

docker/Caddyfile (2)

9-9: LGTM!

Using {$PARSED_LE_EMAIL} correctly supports the proxy-aware deployment model. When BEHIND_PROXY=true, this variable is set to empty (in docker/entrypoint.sh line 48), which disables automatic HTTPS certificate requests and prevents redirect loops when the panel is behind a TLS-terminating proxy.


12-12: LGTM!

Using {$PARSED_APP_URL} correctly addresses the PR objective to fix HTTP serving when SITE_URL is HTTPS. When behind a proxy, this variable is set to :80 (in docker/entrypoint.sh line 49), ensuring Caddy listens on port 80 without forcing redirects to 443, resolving issue #1000.

Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com>
@rmartinoscar
Member

Error: adapting config using caddyfile: parsing caddyfile tokens for 'email': wrong argument count or unexpected line ending after 'email', at /etc/caddy/Caddyfile:9
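
As an added example (not the project's docker/entrypoint.sh and not code posted by anyone in this thread), the following POSIX sh helpers render the same Caddy-facing values the PR's entrypoint exports, but handle the three problems visible in the thread: the empty `email` argument behind the Caddy parse error just above, an unvalidated TRUSTED_PROXIES list being pasted into the Caddyfile, and the placeholder database passwords from compose-full-stack.yml. The variable name LE_EMAIL_DIRECTIVE, the IPv4-only check and the 16-character minimum password length are assumptions of this example, not anything the PR defines.

```sh
#!/bin/sh
# Added example, not the project's entrypoint: helpers that render the values
# the Caddyfile consumes, with the edge cases from the PR thread handled.
# LE_EMAIL_DIRECTIVE, the IPv4-only check and the length limit are assumptions.

# Render the complete Let's Encrypt "email" directive, or nothing at all.
# Substituting an empty value into "email {$VAR}" makes Caddy fail with
# "wrong argument count", so the Caddyfile should carry "{$LE_EMAIL_DIRECTIVE}"
# on a line of its own instead.
render_le_email() {
  le_email=$1
  behind_proxy=$2
  if [ "$behind_proxy" = "true" ] || [ -z "$le_email" ]; then
    printf ''
  else
    printf 'email %s' "$le_email"
  fi
}

# Site address for the Caddy site block: ":80" behind a TLS-terminating proxy
# (no automatic HTTPS, no redirect to 443), APP_URL otherwise.
render_site_address() {
  app_url=$1
  behind_proxy=$2
  if [ "$behind_proxy" = "true" ]; then
    printf ':80'
  else
    printf '%s' "$app_url"
  fi
}

# Accept an IPv4 address or IPv4 CIDR only (assumption: IPv6 is out of scope
# for this example). Anything else is rejected rather than pasted into Caddy.
is_ipv4_or_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Turn "172.20.0.1, 10.0.0.0/8" into "trusted_proxies static 172.20.0.1 10.0.0.0/8".
# Prints nothing for an empty list; returns 1 on the first invalid element.
render_trusted_proxies() {
  out=''
  old_ifs=$IFS
  IFS=','
  for entry in $1; do
    entry=$(printf '%s' "$entry" | tr -d ' ')
    [ -z "$entry" ] && continue
    if ! is_ipv4_or_cidr "$entry"; then
      IFS=$old_ifs
      printf 'invalid TRUSTED_PROXIES entry: %s\n' "$entry" >&2
      return 1
    fi
    out="$out $entry"
  done
  IFS=$old_ifs
  [ -n "$out" ] && printf 'trusted_proxies static%s' "$out"
  return 0
}

# Refuse to start with a placeholder database password. The placeholder
# strings are the ones in the PR's compose-full-stack.yml; the minimum length
# is an assumption for this example.
check_db_password() {
  case "$1" in
    ''|NEEDSTOCHANGE|SUPERNEEDSTOCHANGE)
      printf 'DB_PASSWORD is unset or still a placeholder; refusing to start\n' >&2
      return 1 ;;
  esac
  if [ "${#1}" -lt 16 ]; then
    printf 'DB_PASSWORD is shorter than 16 characters; refusing to start\n' >&2
    return 1
  fi
  return 0
}

# Export everything the Caddyfile needs from the environment the compose file
# sets. Call once from the entrypoint before supervisord starts Caddy.
export_caddy_env() {
  check_db_password "${DB_PASSWORD:-}" || return 1
  LE_EMAIL_DIRECTIVE=$(render_le_email "${LE_EMAIL:-}" "${BEHIND_PROXY:-false}")
  PARSED_APP_URL=$(render_site_address "${APP_URL:-}" "${BEHIND_PROXY:-false}")
  CADDY_TRUSTED_PROXIES=$(render_trusted_proxies "${TRUSTED_PROXIES:-}") || return 1
  CADDY_STRICT_PROXIES=''
  [ -n "$CADDY_TRUSTED_PROXIES" ] && CADDY_STRICT_PROXIES='trusted_proxies_strict'
  export LE_EMAIL_DIRECTIVE PARSED_APP_URL CADDY_TRUSTED_PROXIES CADDY_STRICT_PROXIES
}
```

To wire this in, source the file from the entrypoint and call `export_caddy_env` before supervisord starts, and change the Caddyfile to reference `{$LE_EMAIL_DIRECTIVE}` on its own line rather than `email {$PARSED_LE_EMAIL}`, so the directive disappears cleanly when there is no email. A bad TRUSTED_PROXIES entry or a placeholder password then stops the container with a readable message instead of a Caddy adaption error.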

@rmartinoscar rmartinoscar marked this pull request as draft December 4, 2025 17:11
@rmartinoscar rmartinoscar marked this pull request as ready for review December 6, 2025 03:50
@parkervcp parkervcp merged commit 27b896c into pelican-dev:main Dec 6, 2025
25 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Dec 6, 2025
@parkervcp parkervcp deleted the update_docker_image branch December 6, 2025 03:51
Successfully merging this pull request may close these issues.

Docker image will not serve on HTTP if the site URL is https