From 604d37d102a8158637627916fd223d02a5932be2 Mon Sep 17 00:00:00 2001
From: Matt Edholm <football2801@me.com>
Date: Mon, 4 May 2026 19:10:44 -0400
Subject: [PATCH] fix: trust Traefik reverse proxy so Symfony generates
 https:// redirects

Traefik terminates TLS and forwards X-Forwarded-Proto: https to Nginx,
which forwards it to PHP-FPM. Without trusted_proxies, Symfony ignored
this header and generated http:// redirect URLs after login/register,
causing session cookie loss on mobile (Secure cookie not sent over HTTP).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 config/packages/framework.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index 7e1ee1f..6252e5b 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -5,6 +5,16 @@ framework:
     # Note that the session will be started ONLY if you read or write from it.
     session: true
 
+    # Trust the Traefik reverse proxy that terminates TLS before Nginx.
+    # REMOTE_ADDR = trust whatever IP is connecting to PHP-FPM (always Nginx in Docker).
+    trusted_proxies: 'REMOTE_ADDR'
+    trusted_headers:
+        - 'x-forwarded-for'
+        - 'x-forwarded-host'
+        - 'x-forwarded-proto'
+        - 'x-forwarded-port'
+        - 'x-forwarded-prefix'
+
     #esi: true
     #fragments: true