From 70909d1b1306c36b21fcf54baf887aed4c2f6190 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 23 Aug 2025 22:21:54 -0500
Subject: [PATCH] websites: Enable PROXY protocol for HTTPS sites

Since the reverse proxy does TLS pass-through instead of termination, the original source address is lost. Since the source address is important for logging, rate limiting, and access control, we need to use the HAProxy PROXY protocol to pass it along to the web server. Since the PROXY protocol works at the TCP layer, _all_ connections must use it. Fortunately, all of the sites hosted by the public web server are in fact public and only accessed through HAProxy. Similarly, enabling it for one named virtual host enables it for all virtual hosts on that port. Thus, we only have to explicitly set it for one site, and all the rest will use it as well.
---
 group_vars/dch-proxy.yml | 2 +-
 .../dustin.hatch.name/files/dustin.hatch.name.httpd.conf | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/group_vars/dch-proxy.yml b/group_vars/dch-proxy.yml
index 91d869d..15d0acf 100644
--- a/group_vars/dch-proxy.yml
+++ b/group_vars/dch-proxy.yml
@@ -136,4 +136,4 @@ dch_proxy_backends:
 servers:
 - name: web0
 host: 'web0.pyrocufflink.blue:443'
- options: check
+ options: check send-proxy
diff --git a/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf b/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
index f96397a..960312c 100644
--- a/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
+++ b/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
@@ -11,6 +11,8 @@ RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
 ServerName dustin.hatch.name
+RemoteIPProxyProtocol On
+
 Include conf.d/ssl.include
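Review bot: With `send-proxy` on the web0 server line, the PROXY header becomes the only evidence the backend has of the client address, and neither this hunk nor the companion `RemoteIPProxyProtocol On` in dustin.hatch.name.httpd.conf gives web0 a way to check who sent that header, so any peer that can reach web0.pyrocufflink.blue:443 directly could supply its own and choose the address that lands in the logs, rate limiting and access control this commit is meant to serve. The commit message relies on web0 being reachable only through HAProxy; that assumption should be enforced on the backend (host firewall or listener restricted to the proxy's addresses) and recorded next to the option, e.g. `options: check send-proxy  # web0 trusts the PROXY header; port 443 must be reachable only from this proxy`. Once Apache requires the header, direct TLS connections to web0 (including any out-of-band monitoring) will be refused unless exempted with `RemoteIPProxyProtocolExceptions`, which is worth noting in the same comment. The HAProxy `check` should keep working since, as far as I recall, the PROXY line is also sent on health checks by default when `send-proxy` is set for the server.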