feat(haproxy): X-Forwarded-Proto + X-Real-IP an alle Backends weiterleiten

User-Frage: „Werden via haproxy die echten IPs durchgereicht?". Antwort:
X-Forwarded-For ja (option forwardfor), aber Apps wie WordPress/Mailcow
brauchen zusätzlich X-Forwarded-Proto=https um Redirect-Loops zu
vermeiden, und X-Real-IP ist die bequeme single-value-Variante die viele
Tools out-of-the-box lesen (ohne die XFF-Chain parsen zu müssen).

Beide Frontends (public_https + mgmt_https) emittieren jetzt:
  http-request set-header X-Forwarded-Proto https
  http-request set-header X-Real-IP %[src]

Was Backends sehen:
  X-Forwarded-For:  <client-ip>             (defaults: option forwardfor)
  X-Forwarded-Proto: https                  (NEW)
  X-Real-IP:        <client-ip>             (NEW, single value)

PROXY-Protocol-Toggle pro Backend kommt nicht in diesem Release — der
Operator hat „nur Header-Variante" gewählt.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

This commit is contained in:

Debian

2026-05-13 19:28:41 +02:00

parent a2d08eaa47

commit 3178e25e78

7 changed files with 20 additions and 5 deletions

									
										2

cmd/edgeguard-scheduler/main.go
									
												View File
												
				@@ -32,7 +32,7 @@ import (

					"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"

				)

				var version = "1.0.77"

				var version = "1.0.78"

				const (

					// renewTickInterval — how often we re-evaluate expiring certs.

feat(haproxy): X-Forwarded-Proto + X-Real-IP an alle Backends weiterleiten

2 cmd/edgeguard-scheduler/main.go Unescape Escape View File

2

cmd/edgeguard-scheduler/main.go

View File