From f2ce9ec262a38538d0dfe557838f52cc45255b2e Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Wed, 11 Feb 2026 20:51:34 +0100
Subject: [PATCH] fix: ensure correct middleware order and path-based gatekeeper origins

---
 .gitea/workflows/deploy.yml | 7 ++++++-
 docker-compose.yml | 7 +++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index b38258bd..dac3e9a8 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -232,15 +232,20 @@ jobs:
 AUTH_MIDDLEWARE="$STD_MW"
 COMPOSE_PROFILES=""
 else
- AUTH_MIDDLEWARE="${PROJECT_NAME}-auth,$STD_MW"
+ # Order: Ratelimit -> Forward (Proto) -> Auth -> Compression
+ AUTH_MIDDLEWARE="${PROJECT_NAME}-ratelimit,${PROJECT_NAME}-forward,${PROJECT_NAME}-auth,${PROJECT_NAME}-compress"
 COMPOSE_PROFILES="gatekeeper"
 fi
 AUTH_MIDDLEWARE_UNPROTECTED="$STD_MW"
+ # Gatekeeper Origin
+ GATEKEEPER_ORIGIN="$NEXT_PUBLIC_BASE_URL/gatekeeper"
+
 cat > .env.deploy << EOF
 # Generated by CI - $TARGET
 IMAGE_TAG=$IMAGE_TAG
 NEXT_PUBLIC_BASE_URL=$NEXT_PUBLIC_BASE_URL
+ GATEKEEPER_ORIGIN=$GATEKEEPER_ORIGIN
 SENTRY_DSN=$SENTRY_DSN
 LOG_LEVEL=$LOG_LEVEL
 MAIL_HOST=$MAIL_HOST
diff --git a/docker-compose.yml b/docker-compose.yml
index 29cc777f..04c77d7a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -43,6 +43,7 @@ services:
 # Authentication Middleware (ForwardAuth)
 - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-auth.forwardauth.address=http://${PROJECT_NAME:-klz-cables}-gatekeeper:3000/gatekeeper/api/verify"
 - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-auth.forwardauth.trustForwardHeader=true"
+ - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-auth.forwardauth.authRequestHeaders=X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For"
 - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-auth.forwardauth.authResponseHeaders=X-Auth-User"
 # Middleware Definitions 
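Review bot: The protected chain on the new `AUTH_MIDDLEWARE=` line no longer contains `$STD_MW`, so any middleware STD_MW carries beyond ratelimit/forward/compress (STD_MW is defined outside this hunk) is silently dropped from authenticated routes while `AUTH_MIDDLEWARE_UNPROTECTED="$STD_MW"` keeps it. If STD_MW is exactly the ratelimit, forward and compress trio, the two chains now spell out the same list twice and will drift the next time STD_MW changes; deriving both from shared pre/post fragments and inserting `${PROJECT_NAME}-auth` between them keeps them in step. `GATEKEEPER_ORIGIN="$NEXT_PUBLIC_BASE_URL/gatekeeper"` yields `//gatekeeper` whenever the base URL carries a trailing slash; `GATEKEEPER_ORIGIN="${NEXT_PUBLIC_BASE_URL%/}/gatekeeper"` avoids that. The enclosing shell step starts and ends outside the hunk.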
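Review bot: The added `authRequestHeaders=X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For` label switches on header filtering: per Traefik's forwardAuth documentation this option is the list of the only request headers copied to the auth server (when unset, all headers are copied), so `Cookie` and `Authorization` stop reaching `/gatekeeper/api/verify`. Traefik sets the X-Forwarded-* headers on the auth request itself, so the list adds nothing while removing the session cookie that the `AUTH_COOKIE_NAME` setting elsewhere in this file suggests the verify endpoint relies on; if that is the case, every protected request fails verification. Either drop the line or name the credential headers explicitly: `- "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-auth.forwardauth.authRequestHeaders=Cookie,Authorization,X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For"`. Separately, `trustForwardHeader=true` on the context line above passes client-supplied X-Forwarded-* values through unless the entrypoint's forwardedHeaders trusted IPs are configured (outside this file); worth confirming so X-Forwarded-For is not client-controlled wherever the gatekeeper uses it.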
@@ -56,6 +57,7 @@ services:
 start_period: 30s
 gatekeeper:
+ profiles: [ "gatekeeper" ]
 image: registry.infra.mintel.me/mintel/gatekeeper:v1.7.10
 restart: always
 networks:
@@ -71,10 +73,11 @@ services:
 COOKIE_DOMAIN: ${COOKIE_DOMAIN}
 AUTH_COOKIE_NAME: ${AUTH_COOKIE_NAME:-klz_gatekeeper_session}
 GATEKEEPER_PASSWORD: ${GATEKEEPER_PASSWORD}
- NEXT_PUBLIC_BASE_URL: https://gatekeeper.${TRAEFIK_HOST:-testing.klz-cables.com}
+ NEXT_PUBLIC_BASE_URL: ${GATEKEEPER_ORIGIN}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.rule=(Host(`${TRAEFIK_HOST:-testing.klz-cables.com}`) && PathPrefix(`/gatekeeper`)) || Host(`gatekeeper.${TRAEFIK_HOST:-testing.klz-cables.com}`)"
+ - "traefik.docker.network=infra"
+ - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.rule=(Host(`${TRAEFIK_HOST:-testing.klz-cables.com}`) && PathPrefix(`/gatekeeper`))"
 - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.entrypoints=websecure"
 - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls.certresolver=le"
 - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls=true"
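Review bot: `NEXT_PUBLIC_BASE_URL: ${GATEKEEPER_ORIGIN}` is the only interpolation in this hunk without a `:-` default, so a compose run that does not load the CI-generated `.env.deploy` (the removed value still had a working fallback through `TRAEFIK_HOST`) starts the gatekeeper with an empty base URL, a value that for an auth service typically feeds redirect and origin checks. A fallback mirroring the new router rule, `NEXT_PUBLIC_BASE_URL: ${GATEKEEPER_ORIGIN:-https://${TRAEFIK_HOST:-testing.klz-cables.com}/gatekeeper}`, keeps local and CI behaviour aligned (Compose v2 documents nested defaults; confirm with `docker compose config`). With the origin moving from the `gatekeeper.` subdomain to a path on the main host, the unchanged `COOKIE_DOMAIN` context line deserves a second look: if it was widened to the parent domain to share the session across the two hosts, a host-only cookie now suffices and is the narrower scope. The `gatekeeper` service definition continues outside the hunk.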