🍄 PHP in LXD

In my experience, putting a PHP application behind two web servers leads to issues. In NixNet's case, a user connects to Caddy running on the host, which proxies to Caddy inside a container, which in turn connects to a PHP-FPM process. If the application generates URLs and adapts the URL scheme based on how it's being accessed, all the generated URLs will be HTTP even if you're really accessing it over HTTPS on the outside.

  • User -> Outer Caddy is HTTPS

  • Outer Caddy -> Inner Caddy is HTTP

To fix this, the outer Caddy needs a trusted_proxies config line in the reverse_proxy directive:

	reverse_proxy 10.12.63.1:8080 {
		trusted_proxies private_ranges
	}

And the inner Caddy needs to force PHP to generate URLs with HTTPS:

:8080 {
        encode zstd gzip
        file_server
        root * /var/www/application/public
        php_fastcgi * unix//run/php/php8.2-fpm.sock {
                env HTTPS true # <-- this line
        }
}
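
How a PHP application commonly decides which scheme to put in generated URLs, as an added example that is not from the original setup or from any particular application: it shows why the URLs come out as HTTP before the fix and why `env HTTPS true` corrects them. The helper names and all sample `$_SERVER` values are hypothetical, and the X-Forwarded-Proto branch (honoured only when the peer is in a private range) goes beyond the fix described above.

```php
<?php
// Added illustration. $server stands in for PHP's $_SERVER;
// every address and value below is constructed for the example.

/** True if $ip is a private-range IPv4 address (assumed here to be a proxy). */
function is_private_ipv4(string $ip): bool
{
    // Valid IPv4 that fails the "no private range" filter is a private address.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        && filter_var($ip, FILTER_VALIDATE_IP,
               FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE) === false;
}

function detect_scheme(array $server): string
{
    // 1. What FPM was told directly, e.g. via "env HTTPS true" in the inner Caddy.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return 'https';
    }
    // 2. Forwarded header: client-controllable, so only believe it from a proxy.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    $xfp  = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    if ($xfp === 'https' && is_private_ipv4($peer)) {
        return 'https';
    }
    return 'http';
}

$cases = [
    // Inner hop is plain HTTP and nothing tells PHP otherwise: the bug.
    'before fix'          => ['REMOTE_ADDR' => '10.0.0.1'],
    // Inner Caddy passes HTTPS=true to FPM: the fix.
    'env HTTPS true'      => ['REMOTE_ADDR' => '10.0.0.1', 'HTTPS' => 'true'],
    // Header set by a proxy on a private address is accepted.
    'header from proxy'   => ['REMOTE_ADDR' => '10.0.0.1',
                              'HTTP_X_FORWARDED_PROTO' => 'https'],
    // Same header from a public address is ignored.
    'header from unknown' => ['REMOTE_ADDR' => '203.0.113.7',
                              'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($cases as $name => $server) {
    printf("%-20s %s://example.test/login\n", $name, detect_scheme($server));
}
```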