From 67d47e3ec7215eec92108e29197175330902aaf6 Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Wed, 11 Feb 2026 15:29:30 +0100
Subject: [PATCH] fix(deploy): pin gatekeeper version and add protocol normalization
---
 .gitea/workflows/deploy.yml | 4 ++--
 docker-compose.yaml | 8 ++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index e9637fd..2c36136 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -273,8 +273,8 @@ jobs:
 TRAEFIK_HOST_RULE='$TRAEFIK_RULE'
 EOF
- # AUTH_MIDDLEWARE logic
- printf "AUTH_MIDDLEWARE=%s\n" "$( [[ "$TARGET" == "production" ]] && echo "compress" || echo "${PROJECT_NAME}-auth,compress" )" >> .env.deploy
+ # TRAEFIK_MIDDLEWARES logic
+ printf "TRAEFIK_MIDDLEWARES=%s\n" "$( [[ "$TARGET" == "production" ]] && echo "${PROJECT_NAME}-forward,compress" || echo "${PROJECT_NAME}-auth,${PROJECT_NAME}-forward,compress" )" >> .env.deploy
 - name: 🚀 SSH Deploy
 shell: bash
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 3b3b155..5a92a46 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
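Review bot: The only thing that removes `${PROJECT_NAME}-auth` from the public router is an exact string match on `$TARGET` inside the `&& … ||` chain on the added `printf` line, and the comment above it does not say so. The expression fails closed (any value other than `production` keeps `-auth`), which is the right direction, but that property is easy to lose in a later edit; I would record it in the comment, e.g. `# TRAEFIK_MIDDLEWARES: only TARGET=production omits ${PROJECT_NAME}-auth; every other target stays behind the gatekeeper`. The chain also names `compress`, as does the new compose default in docker-compose.yaml, yet no label visible in this patch defines that middleware; presumably it is provided elsewhere, and if it is not, Traefik will refuse to load the router. The step's `run:` block starts before the hunk, so where `TARGET` is set is not visible here.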
@@ -13,9 +13,13 @@ services:
 - "traefik.http.routers.${PROJECT_NAME}.tls.certresolver=le"
 - "traefik.http.routers.${PROJECT_NAME}.tls=true"
 - "traefik.http.services.${PROJECT_NAME}.loadbalancer.server.port=3000"
- - "traefik.http.routers.${PROJECT_NAME}.middlewares=${TRAEFIK_MIDDLEWARES:-${PROJECT_NAME}-auth}"
+ - "traefik.http.routers.${PROJECT_NAME}.middlewares=${TRAEFIK_MIDDLEWARES:-${PROJECT_NAME}-auth,${PROJECT_NAME}-forward,compress}"
 - "traefik.docker.network=infra"
+ # Forwarded Headers (Protocol Normalization)
+ - "traefik.http.middlewares.${PROJECT_NAME}-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.middlewares.${PROJECT_NAME}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"
+ # Gatekeeper Router (Shared Host + dedicated Subdomain)
 - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.rule=${GATEKEEPER_RULE:-(Host(`${TRAEFIK_HOST:-mb-grid-solutions.localhost}`) && PathPrefix(`/gatekeeper`)) || Host(`gatekeeper.${TRAEFIK_HOST:-mb-grid-solutions.localhost}`)}"
 - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.entrypoints=websecure"
@@ -35,7 +39,7 @@ services:
 start_period: 30s
 gatekeeper:
- image: registry.infra.mintel.me/mintel/gatekeeper:latest
+ image: registry.infra.mintel.me/mintel/gatekeeper:v1.7.3
 container_name: ${PROJECT_NAME:-mb-grid-solutions}-gatekeeper
 restart: always
 networks:
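Review bot: The two `-forward` labels set `X-Forwarded-Proto=https` and `X-Forwarded-Ssl=on` unconditionally, so the backend will treat every request through this router as TLS regardless of how it actually arrived. That is sound only while the `${PROJECT_NAME}` router is bound to a TLS entrypoint alone; its `entrypoints` label is outside this hunk (only the gatekeeper router's `websecure` is visible), so that should be confirmed. I would spell out the precondition above the two labels, e.g. `# Safe only while this router is TLS-only: the backend presumably trusts these headers for secure-cookie and redirect decisions`. The labels list starts before the hunk and continues past it.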
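Review bot: `v1.7.3` is still a mutable tag, so any later pull or a fresh host runs whatever the registry serves under that name at the time. Since this service appears to be the component behind the `-auth` middleware, I would pin it by digest as well, `image: registry.infra.mintel.me/mintel/gatekeeper:v1.7.3@sha256:<digest-of-v1.7.3>`, where the digest is a placeholder to be taken from the registry. The `gatekeeper` service definition continues past the end of the hunk.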