projekte/edgeguard-native
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(haproxy): X-Forwarded-Proto + X-Real-IP an alle Backends weiterleiten

Browse Source 
User-Frage: „Werden via haproxy die echten IPs durchgereicht?". Antwort:
X-Forwarded-For ja (option forwardfor), aber Apps wie WordPress/Mailcow
brauchen zusätzlich X-Forwarded-Proto=https um Redirect-Loops zu
vermeiden, und X-Real-IP ist die bequeme single-value-Variante die viele
Tools out-of-the-box lesen (ohne die XFF-Chain parsen zu müssen).

Beide Frontends (public_https + mgmt_https) emittieren jetzt:
  http-request set-header X-Forwarded-Proto https
  http-request set-header X-Real-IP %[src]

Was Backends sehen:
  X-Forwarded-For:  <client-ip>             (defaults: option forwardfor)
  X-Forwarded-Proto: https                  (NEW)
  X-Real-IP:        <client-ip>             (NEW, single value)

PROXY-Protocol-Toggle pro Backend kommt nicht in diesem Release — der
Operator hat „nur Header-Variante" gewählt.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
2026-05-13 19:28:41 +02:00
parent a2d08eaa47
commit 3178e25e78
7 changed files with 20 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION
View File

@@ -1 +1 @@
1.0.77 1.0.78

2
cmd/edgeguard-api/main.go
View File

@@ -54,7 +54,7 @@ import (
wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard" wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
) )
var version = "1.0.77" var version = "1.0.78"
func main() { func main() {
addr := os.Getenv("EDGEGUARD_API_ADDR") addr := os.Getenv("EDGEGUARD_API_ADDR")

2
cmd/edgeguard-ctl/main.go
View File

@@ -11,7 +11,7 @@ import (
"git.netcell-it.de/projekte/edgeguard-native/internal/services/setup" "git.netcell-it.de/projekte/edgeguard-native/internal/services/setup"
) )
var version = "1.0.77" var version = "1.0.78"
const usage = `edgeguard-ctl — EdgeGuard CLI const usage = `edgeguard-ctl — EdgeGuard CLI

2
cmd/edgeguard-scheduler/main.go
View File

@@ -32,7 +32,7 @@ import (
"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts" "git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
) )
var version = "1.0.77" var version = "1.0.78"
const ( const (
// renewTickInterval — how often we re-evaluate expiring certs. // renewTickInterval — how often we re-evaluate expiring certs.

9
internal/haproxy/haproxy.cfg.tpl
View File

@@ -53,6 +53,13 @@ frontend public_https
http-response set-header Strict-Transport-Security "max-age=31536000" http-response set-header Strict-Transport-Security "max-age=31536000"
# Client-IP-Weiterleitung an Backends. `option forwardfor` (defaults)
# setzt X-Forwarded-For; wir ergänzen Proto + RealIP damit Apps
# erkennen können (a) dass der Client HTTPS sprach und (b) die
# echte Source-IP ohne XFF-Chain-Parsing brauchen.
http-request set-header X-Forwarded-Proto https
http-request set-header X-Real-IP %[src]
{{- range $d := .Domains}} {{- range $d := .Domains}}
{{- range $r := $d.Routes}} {{- range $r := $d.Routes}}
use_backend eg_backend_{{$r.BackendID}} if { hdr(host) -i {{$d.Name}} } { path_beg {{$r.PathPrefix}} } use_backend eg_backend_{{$r.BackendID}} if { hdr(host) -i {{$d.Name}} } { path_beg {{$r.PathPrefix}} }
@@ -70,6 +77,8 @@ frontend public_https
frontend mgmt_https frontend mgmt_https
bind :3443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1 bind :3443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1
http-response set-header Strict-Transport-Security "max-age=31536000" http-response set-header Strict-Transport-Security "max-age=31536000"
http-request set-header X-Forwarded-Proto https
http-request set-header X-Real-IP %[src]
default_backend api_backend default_backend api_backend
# ── Internal stats ───────────────────────────────────────────────────── # ── Internal stats ─────────────────────────────────────────────────────

6
internal/haproxy/haproxy_test.go
View File

@@ -43,6 +43,12 @@ func TestRender_BaselineHasFrontendsAndApiBackend(t *testing.T) {
"bind :443 ssl crt /etc/edgeguard/tls/", "bind :443 ssl crt /etc/edgeguard/tls/",
"path_beg /.well-known/acme-challenge/", "path_beg /.well-known/acme-challenge/",
"http-request redirect scheme https", "http-request redirect scheme https",
// Client-IP-Weiterleitung an Backends — XFF kommt aus
// defaults (option forwardfor), Proto + RealIP setzen wir
// pro public-Frontend explizit.
"option forwardfor",
"http-request set-header X-Forwarded-Proto https",
"http-request set-header X-Real-IP %[src]",
} { } {
if !strings.Contains(out, w) { if !strings.Contains(out, w) {
t.Errorf("missing %q in baseline output:\n%s", w, out) t.Errorf("missing %q in baseline output:\n%s", w, out)

2
management-ui/src/components/Layout/Sidebar.tsx
View File

@@ -85,7 +85,7 @@ const NAV: NavSection[] = [
}, },
] ]
const VERSION = '1.0.77' const VERSION = '1.0.78'
// Sidebar-Pattern 1:1 aus netcell-webpanel (enconf) übernommen: // Sidebar-Pattern 1:1 aus netcell-webpanel (enconf) übernommen:
// - <nav> als root, dunkler Gradient + Teal/Blue-Accent // - <nav> als root, dunkler Gradient + Teal/Blue-Accent