From 681cc9527a5abb95b1e20f6e0c04b7be2a594076 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Noco=C5=84?=
Date: Mon, 26 Oct 2020 14:53:16 +0100
Subject: [PATCH] EZP-31804: [Docker] Added fixed IP to varnish container to workaround TRUSTED_PROXIES setting (#592)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Changed purge_type to varnish from http
Co-authored-by: André R. <289757+andrerom@users.noreply.github.com>
* [Docker] Set SYMFONY_TRUSTED_PROXIES to trust all IP addresses
Co-authored-by: André R. <289757+andrerom@users.noreply.github.com>
---
 doc/docker/varnish.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/doc/docker/varnish.yml b/doc/docker/varnish.yml
index 1c66ae32a..90b6877b7 100644
--- a/doc/docker/varnish.yml
+++ b/doc/docker/varnish.yml
@@ -9,9 +9,11 @@ services:
 app:
 environment:
 - SYMFONY_HTTP_CACHE=0
- - SYMFONY_TRUSTED_PROXIES=varnish
+ # Never do this in production if the app container is accesible for the public as well
+ # See https://ezplatform.com/security-advisories/ezsa-2020-002-unauthorised-cache-purge-with-misconfigured-fastly for more details how it could be abused
+ - SYMFONY_TRUSTED_PROXIES=TRUST_REMOTE
 - HTTPCACHE_PURGE_SERVER=http://varnish
- - HTTPCACHE_PURGE_TYPE=http
+ - HTTPCACHE_PURGE_TYPE=varnish
 varnish:
 build:
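Review bot: `SYMFONY_TRUSTED_PROXIES=TRUST_REMOTE` in the `app` service makes the application treat whichever address connects to it as a trusted proxy, so forwarded headers are honoured from any client that reaches the container without passing through Varnish; the two added comment lines warn about production but do not state that. The commit title speaks of a fixed IP for the varnish container, yet the hunk trusts every remote address instead; if the compose network can be given a known subnet, a value such as `SYMFONY_TRUSTED_PROXIES=<compose-network-CIDR>` (placeholder) would presumably keep the trust limited to the proxy. Failing that, I would reword the first comment to `# Dev only: TRUST_REMOTE trusts forwarded headers from every client that can reach this container; never use it where the app container is accessible without going through Varnish`, which also fixes the "accesible" typo. The `varnish` service definition continues past the end of the hunk, so whether it pins an address or publishes ports cannot be checked from here.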