Reverse proxies in container-based production environments
Warning
This section is experimental and under active development. Content is incomplete and may change as best practices evolve.
Want to help improve this section? TYPO3 documentation contributions are welcome! If you have deployment experience, examples, or corrections, please consider submitting a pull request or opening an issue on GitHub.
Container-based production environments frequently require reverse proxy configurations for TYPO3 to run properly.
Containerized environments typically involve a dynamic or wide range of IP addresses, making it impractical to rely on a single IP for reverse proxy configuration.
Refer to the hosting company's documentation or support hotline to find out the concrete ranges.
You can use the CIDR notation, for example 10. or a wildcard. If the hosting provider can promise no range at all, you can use the wildcard *, but be sure this is safe for the hosting environment being used.
Note
Always test your configuration in a staging environment before deploying to production to avoid disruptions.
Configure the reverse proxy settings in your custom Docker image
If you maintain the config/ within your project-specific Docker image, you can use Application Context or environment variables to activate the reverse proxy settings on production only. For example:
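<?php

use TYPO3\CMS\Core\Core\Environment;

// Apply the overrides only when TYPO3 runs in a Production application context.
if (Environment::getContext()->isProduction()) {
    $customChanges = [
        // Database Credentials and other production settings
        'SYS' => [
            // Proxies that use HTTPS towards the client but plain HTTP towards TYPO3
            'reverseProxySSL' => '192.0.2.1,192.168.0.0/16',
        ],
    ];
    // Merge the overrides into the configuration that is already loaded.
    $GLOBALS['TYPO3_CONF_VARS'] = array_replace_recursive($GLOBALS['TYPO3_CONF_VARS'], (array)$customChanges);
}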
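The example above uses the Application Context; the following added example (not part of the TYPO3 documentation or core) shows the environment-variable route and validates every entry before it is trusted, accepting the wildcard only after an explicit opt-in. The variable names TRUSTED_PROXY_RANGES and TRUSTED_PROXY_ALLOW_WILDCARD are assumptions, and the snippet also sets reverseProxyIP, which the example above does not use.

```php
<?php
// Added example, not TYPO3 core code. The environment variable names
// TRUSTED_PROXY_RANGES and TRUSTED_PROXY_ALLOW_WILDCARD are hypothetical.
use TYPO3\CMS\Core\Core\Environment;

// Keep only entries that are a valid IPv4/IPv6 address or CIDR range.
// The wildcard "*" is dropped unless it was explicitly allowed.
$filterProxyRanges = static function (string $raw, bool $allowWildcard): array {
    $valid = [];
    foreach (explode(',', $raw) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        if ($entry === '*') {
            if ($allowWildcard) {
                $valid[] = $entry;
            }
            continue;
        }
        [$ip, $prefix] = array_pad(explode('/', $entry, 2), 2, null);
        $isV4 = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
        $isV6 = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
        $maxPrefix = $isV4 ? 32 : 128;
        $prefixOk = $prefix === null
            || (ctype_digit($prefix) && (int)$prefix <= $maxPrefix);
        if (($isV4 || $isV6) && $prefixOk) {
            $valid[] = $entry;
        } else {
            // Fail closed: a malformed entry is never trusted, only reported.
            error_log('Ignoring invalid reverse proxy range: ' . $entry);
        }
    }
    return $valid;
};

if (Environment::getContext()->isProduction()) {
    $ranges = $filterProxyRanges(
        (string)getenv('TRUSTED_PROXY_RANGES'), // e.g. "192.0.2.1,192.168.0.0/16"
        getenv('TRUSTED_PROXY_ALLOW_WILDCARD') === '1'
    );
    if ($ranges !== []) {
        // Only these addresses may supply forwarded client/host headers.
        $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'] = implode(',', $ranges);
        // "*" = every proxy listed in reverseProxyIP terminates TLS.
        $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL'] = '*';
    }
}
```

If the variable is unset or contains no valid entry, no reverse proxy setting is written, so a typo in the deployment configuration cannot silently widen the set of trusted proxies.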
Configure the reverse proxy in a mounted volume
If you have mounted config/ or a path above to a persistent volume on the host, you can edit this file directly.
Incorrect reverse proxy settings can unfortunately render the TYPO3 backend and Install Tool inaccessible (see Bug #106797 Missing reverse Proxy leads to perpetual loading Install tool login).
Therefore you need to edit the config/ or add a config/ for the reverse proxy settings.
The Linux environment inside a container that runs in production is usually very reduced. For example, tools like nano and vim might not be installed.
You can, however, edit the config/ locally and upload it via SCP:
scp additional.php user@example.org:/var/www/html/typo3conf/system/
If your host supports this, you can use SSH or SFTP to edit the file.
If your host does not support SSH directly into the container, you can run a container that allows you to edit files, like filebrowser/filebrowser, or run a one-time container job to adjust the settings, like linawolf/typo3-nexaa-reverse-proxy-copier, to override the config/ . This container is designed to copy reverse proxy settings into a live system and should be used with caution.