Commit Graph

35 Commits

Author SHA1 Message Date
LeoGomide
b24dbc7611 fix(plane): tighten proxy TRUSTED_PROXIES to private_ranges (no IP spoofing)
Defaulting TRUSTED_PROXIES to 0.0.0.0/0 makes Caddy trust X-Forwarded-For /
X-Real-IP from any peer, allowing client-IP spoofing (CWE-348 / CWE-290) that
poisons rate-limiting and audit logs. In Dokploy the only upstream is Traefik on
the private dokploy-network, so trust Caddy's built-in `private_ranges` token
instead. Legitimate forwarded client IPs (Traefik is a private peer) still
resolve correctly; XFF from public-IP peers is rejected if the proxy is ever
exposed directly. Overridable via env for custom topologies.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 10:17:09 -03:00
LeoGomide
34501dd8b5 fix(plane): set proxy SITE_ADDRESS and TRUSTED_PROXIES to fix Caddyfile crash
The plane-proxy Caddyfile.ce ends with a `{$SITE_ADDRESS} { import plane_proxy }`
block. SITE_ADDRESS has no inline default upstream, so when it is unset the block
becomes keyless and Caddy aborts with:

  adapting config using caddyfile: server block without any key is global
  configuration, and if used, it must be first

Expose SITE_ADDRESS (:80, matching the proxy `expose: ["80"]` + domain port 80,
since Dokploy terminates TLS upstream) and TRUSTED_PROXIES (0.0.0.0/0, matching
the Caddyfile inline default) on the proxy env, and document both in template.toml
so they render into the generated env. Reported and verified by @RDeluxe in #912.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 10:13:39 -03:00
LeoGomide
11bc16ea36 docs(plane): translate top-of-file comment to English 2026-05-28 12:27:07 -03:00
LeoGomide
9c29df415c fix(plane): rename services + add proxy links to avoid DNS collision
The plane-proxy image has hardcoded `reverse_proxy web:3000`/`api:8000`
in its Caddyfile with generic service names. In multi-stack Dokploy
deployments, those names collide with other stacks' containers (Next.js
apps frequently have a `web` service) on the shared dokploy-network —
the Plane domain ends up serving content from unrelated stacks.

Two-step fix:
  1. Rename internal services with `plane-*` prefix (unique cluster-wide):
     web/space/admin/live/api/worker/beat-worker/migrator → plane-*
  2. Add `links:` block to the `proxy` service mapping the new names back
     to the generic ones the Caddyfile expects (`plane-web:web` etc.).
     Docker injects these into /etc/hosts, which has absolute priority
     over DNS — Caddy resolves `web`/`api`/etc. directly to our renamed
     containers, ignoring any collision on dokploy-network.

Also updates `API_BASE_URL` in template.toml and the `x-live-env` anchor
from `http://api:8000` → `http://plane-api:8000`.

No `networks:` declarations added (repo validator rejects them; Dokploy
manages networking automatically).
2026-05-28 12:22:37 -03:00
LeoGomide
669ad4a257 chore(plane): update template to v1.3.1 with healthchecks and bug fixes
- Bump makeplane/* images v0.27.1 -> v1.3.1
- Pin minio to RELEASE.2025-04-22T22-12-26Z (last release with full admin
  console before community-edition feature removal)
- Add YAML anchors (x-*-env) for env reuse across backend services
- Add healthchecks for postgres, valkey, rabbitmq
- api/worker/beat-worker wait for migrator via service_completed_successfully
  (fixes race where backend booted before schema was migrated)
- Add restart policies (unless-stopped for long-running, on-failure for migrator)
- Migrate env_file -> inline environment (matches repo convention)
- Expose APP_RELEASE in template.toml [variables] for UI override

Bug fixes in template.toml:
- RABBITMQ_DEFAULT_USER was the literal string "rabbitmq_user" instead of
  a variable reference; AMQP_URL was inconsistent with the broker user
- WEB_URL was missing the https:// scheme (broke OAuth/email links)
- DATABASE_URL/AMQP_URL referenced inline vars that Dokploy does not
  resolve inside [config.env]; now use [variables] directly
- Remove dead vars: NGINX_PORT (Plane v1.x uses Caddy), SENTRY_DSN,
  SENTRY_ENVIRONMENT
- Add WEBHOOK_ALLOWED_IPS/WEBHOOK_ALLOWED_HOSTS (SSRF guard default
  introduced in Plane v1.x)
2026-05-28 11:14:59 -03:00
Ragil Burhanudin Pamungkas
fbd6e78bf5 chore(blueprint): update plane services to v0.27.1 (#250)
* chore(blueprint): update plane services to v0.27.1

- Bumped all makeplane service images from v0.25.3 to v0.27.1
- Updated web, space, admin, live, api, worker, beat-worker, migrator and proxy services
- Version alignment for all plane components in docker-compose blueprint

* chore(blueprint): update plane version to v0.27.1
2025-07-27 22:58:32 -06:00
Scan
55cc6ca8d7 Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:44:47 -08:00
Scan
5abff0c8f6 Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:44:34 -08:00
Scan
467d0b81b8 Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:44:10 -08:00
Scan
dd2041ee66 Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:44:01 -08:00
Scan
03248f37a1 Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:41:42 -08:00
Scan
4be40767ad Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:41:16 -08:00
Scan
75d77725be Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:41:03 -08:00
Scan
b41e7518c7 Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:40:50 -08:00
Scan
837087c29a Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:31:53 -08:00
Scan
bac178d39b Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:31:43 -08:00
Scan
7b017a1b26 Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:31:29 -08:00
Scan
b38494571c Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:31:14 -08:00
Scan
65f905a20e Update blueprints/plane/docker-compose.yml
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
2025-04-05 22:31:04 -08:00
naterfute
1c74db3b93 fix: plane nginx binding to port 80 on host 2025-04-05 19:58:31 -07:00
naterfute
d8ff8b7d33 fix: complete rework of plane template 2025-04-04 23:08:15 -07:00
naterfute
9403d32703 fix(plane): entrypoint commands 2025-04-02 23:48:54 -07:00
naterfute
431785eb86 fix: changed to pre-built proxy image 2025-04-02 22:56:07 -07:00
naterfute
d19aa4cd2f fix(plane): entrypoint path 2025-04-02 20:20:49 -07:00
naterfute
8efd3531e1 fix(plane): point entrypoints to the correct spot 2025-04-02 20:13:26 -07:00
naterfute
3c0006d7de fix: renambed nginx container to proxy 2025-04-02 19:56:36 -07:00
naterfute
2277a1c0ac feat: added proxy to plane and fixed minor issues 2025-04-02 19:54:06 -07:00
naterfute
4d37936413 fix: postgres data \ndifferencen 2025-04-02 18:45:55 -07:00
naterfute
52a4934c8a fix: psotgres environment variables 2025-04-02 18:34:13 -07:00
naterfute
3e2d974ef7 fix: env file in plane docker 2025-04-02 18:00:46 -07:00
naterfute
49f172f843 added environment files to all containers 2025-04-02 17:53:23 -07:00
naterfute
32bd26c430 added environment files to all containers 2025-04-02 17:47:32 -07:00
naterfute
030132e0f0 fix: postgresql variables 2025-04-02 17:41:51 -07:00
naterfute
73e056ae2e fix: entrypoint paths 2025-04-02 16:41:48 -07:00
naterfute
2ff4627daf add plane 2025-04-02 15:22:28 -07:00