I am trying to get microblog working under docker with a proxy server serving micropub at https://t.l.d/blog2. I have the proxy server set up and all links via /blog2 and the .well-known links are redirecting properly to the back end docker server.
However I couldn't log into the instance. The admin link at the bottom of the page shown using /blog2/ didn't include the /blog2/ subpath.
I edited misc/docker-supervisord.conf between config and docker-compose up steps. However unlike in the docs, I had to :
again to get it to take effect. I was able to verify that --root-path was not set before the build step by exec'ing into the container and catting /proc/[0-9]*/cmdline.
Once I rebuilt the image, I saw the change in the admin link to use the subpath.
So the docs need to be changed to require a rebuild after changing the docker-supervisord.conf.
Also I changed docker-compose to use:
so that the docker port was not externally exposed and is bound only to the loopback IP. When using the:
trusted_hosts = ["*"]
you shouldn't permit any host on the local net to access the micropub instance in the docker container.
Sadly this isn't as good as one would want, but better than nothing as the attacker needs to figure out the internal network ip address used.
My employers don't acknowledge my existence much less my opinions.