feat(haproxy): X-Forwarded-Proto + X-Real-IP an alle Backends weiterleiten

User-Frage: „Werden via haproxy die echten IPs durchgereicht?". Antwort: X-Forwarded-For ja (option forwardfor), aber Apps wie WordPress/Mailcow brauchen zusätzlich X-Forwarded-Proto=https um Redirect-Loops zu vermeiden, und X-Real-IP ist die bequeme single-value-Variante die viele Tools out-of-the-box lesen (ohne die XFF-Chain parsen zu müssen). Beide Frontends (public_https + mgmt_https) emittieren jetzt: http-request set-header X-Forwarded-Proto https http-request set-header X-Real-IP %[src] Was Backends sehen: X-Forwarded-For: <client-ip> (defaults: option forwardfor) X-Forwarded-Proto: https (NEW) X-Real-IP: <client-ip> (NEW, single value) PROXY-Protocol-Toggle pro Backend kommt nicht in diesem Release — der Operator hat „nur Header-Variante" gewählt. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 19:28:41 +02:00
parent a2d08eaa47
commit 3178e25e78
7 changed files with 20 additions and 5 deletions
--- a/internal/haproxy/haproxy.cfg.tpl
+++ b/internal/haproxy/haproxy.cfg.tpl
@@ -53,6 +53,13 @@ frontend public_https

    http-response set-header Strict-Transport-Security "max-age=31536000"

+    # Client-IP-Weiterleitung an Backends. `option forwardfor` (defaults)
+    # setzt X-Forwarded-For; wir ergänzen Proto + RealIP damit Apps
+    # erkennen können (a) dass der Client HTTPS sprach und (b) die
+    # echte Source-IP ohne XFF-Chain-Parsing brauchen.
+    http-request set-header X-Forwarded-Proto https
+    http-request set-header X-Real-IP %[src]
+
    {{- range $d := .Domains}}
    {{- range $r := $d.Routes}}
    use_backend eg_backend_{{$r.BackendID}} if { hdr(host) -i {{$d.Name}} } { path_beg {{$r.PathPrefix}} }
@@ -70,6 +77,8 @@ frontend public_https
 frontend mgmt_https
    bind :3443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=31536000"
+    http-request set-header X-Forwarded-Proto https
+    http-request set-header X-Real-IP %[src]
    default_backend api_backend

 # ── Internal stats ─────────────────────────────────────────────────────