Improve security and deployment flexibility for external access

Update README and application configurations to support reverse proxy setups, including TLS termination and proper cookie handling, and add an option to seed demo meetings.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 77cfe984-2c65-4152-bb7a-0df28274fe66
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: c15da2be-cee7-4cbb-8d58-f9fcc3c38ed7
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/c3c252e4-c83d-40ca-9fff-99a3ea60701e/77cfe984-2c65-4152-bb7a-0df28274fe66/FvHcc7z
Replit-Helium-Checkpoint-Created: true
This commit is contained in:
riyadhafraa
2026-05-15 10:38:44 +00:00
parent fa31fb6374
commit 77f8096deb
5 changed files with 126 additions and 10 deletions
+26 -2
View File
@@ -22,11 +22,30 @@ MOCKUP_PORT=8081
# In compose this is set automatically; required when running natively.
PORT=8080
# Public base URL the SPA + API are reachable at. Used to build absolute
# upload URLs for the local-FS storage driver and to validate CORS origins.
# upload URLs for the local-FS storage driver and to derive whether the
# session cookie should be marked `secure`. Match the URL operators
# actually open in the browser (e.g. https://tx.example.com).
PUBLIC_BASE_URL=http://localhost:3000
# Comma-separated list of origins allowed by the API server's CORS layer.
# Must include PUBLIC_BASE_URL and any additional reverse-proxy domains.
# MUST include every URL the SPA can be reached at — the public domain,
# any reverse-proxy hostnames, the LAN IP for tablets/phones, and any
# tunneled URL (Tailscale `*.ts.net`, ngrok, Cloudflare Tunnel, etc).
# Examples:
# ALLOWED_ORIGINS=http://localhost:3000
# ALLOWED_ORIGINS=https://tx.example.com,https://it-demo.tail70b2bc.ts.net
# ALLOWED_ORIGINS=http://localhost:3000,http://192.168.1.42:3000
ALLOWED_ORIGINS=http://localhost:3000
# Set to `true` when Tx OS sits behind a TLS-terminating proxy that
# does NOT forward `X-Forwarded-Proto: https` (notably `tailscale serve`,
# the ngrok free tier, and some Cloudflare Tunnel setups). Without this,
# the session cookie is silently dropped and login bounces back to the
# login screen even on a successful POST /auth/login. Leave unset for
# direct localhost access or when your proxy forwards the header.
# SECURITY: only enable when the API is not reachable directly over plain
# HTTP from outside — i.e. only your TLS edge proxy can hit it. Otherwise
# anyone on the same network can submit plain-HTTP requests that the app
# trusts as HTTPS.
TRUST_PROXY_HTTPS=false
# pino log level: trace | debug | info | warn | error | fatal
LOG_LEVEL=info
# 32+ random bytes. Generate with `openssl rand -hex 32`. REQUIRED.
@@ -125,6 +144,11 @@ LOCAL_STORAGE_SIGNING_SECRET=
# the first-run wizard at /setup.
SEED_ADMIN_PASSWORD=
SEED_USER_PASSWORD=
# Set to `true` to populate the Executive Meetings module with a full
# day of realistic-looking demo meetings on first boot (useful for
# screenshots, sales demos, and UI walkthroughs). Leave unset on real
# self-hosted installs — the module should start empty.
SEED_DEMO_MEETINGS=false
# -----------------------------------------------------------------------------
# Email (optional)