websites: Enable PROXY protocol for HTTPS sites

Since the reverse proxy does TLS pass-through instead of termination,
the original source address is lost.  Since the source address is
important for logging, rate limiting, and access control, we need to use
the HAProxy PROXY protocol to pass it along to the web server.

Since the PROXY protocol works at the TCP layer, _all_ connections must
use it. Fortunately, all of the sites hosted by the public web server
are in fact public and only accessed through HAProxy.  Similarly,
enabling it for one named virtual host enables it for all virtual hosts
on that port.  Thus, we only have to explicitly set it for one site, and
all the rest will use it as well.
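Added here as an illustration of the protocol the commit message describes (this code is not part of the commit, of HAProxy or of Apache httpd): a small parser for the PROXY protocol v1 header, run over constructed sample bytes. It shows what web0 now receives at the start of every TCP connection, and why a listener that expects the header can no longer serve a client that connects directly, which is the reason every connection on the port must carry it.

```python
"""Minimal PROXY protocol v1 parser (added illustration; not part of this
commit, HAProxy or Apache httpd). Shows what the web server receives at the
start of every TCP connection and why a connection without the header cannot
be served on the same port once the listener expects it."""
from __future__ import annotations

import ipaddress

CRLF = b"\r\n"
MAX_V1_LINE = 107  # longest valid v1 header, CRLF included, per the HAProxy spec

# Constructed sample bytes. The second is the first few bytes of a TLS
# ClientHello (record type 0x16), i.e. what a client that connects directly,
# bypassing the proxy, would send first.
SAMPLE_V1_HEADER = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 443\r\n"
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"
PROXIED_CONNECTION = SAMPLE_V1_HEADER + TLS_CLIENT_HELLO_PREFIX


class ProxyProtocolError(ValueError):
    """The stream does not begin with a valid PROXY protocol v1 header."""


def parse_v1(data: bytes) -> tuple[dict | None, bytes]:
    """Split a PROXY v1 header off the start of a stream.

    Returns (header, payload). header is None for the 'PROXY UNKNOWN' form,
    where the proxy declares it has no client address to report; the payload
    (here, the TLS handshake) follows the header untouched in both cases.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyProtocolError(
            "stream does not start with a PROXY header; first bytes %r" % data[:5]
        )
    end = data.find(CRLF, 0, MAX_V1_LINE)
    if end == -1:
        raise ProxyProtocolError("no CRLF within %d bytes" % MAX_V1_LINE)
    line, payload = data[:end], data[end + len(CRLF):]
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyProtocolError("non-ASCII byte in header line") from None
    if fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError("malformed v1 line %r" % line)
    _, family, src, dst, sport, dport = fields
    want = 4 if family == "TCP4" else 6
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        raise ProxyProtocolError("unparseable address in %r" % line) from None
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyProtocolError("addresses do not match family %s" % family)
    for port in (sport, dport):
        if not port.isdigit() or int(port) > 65535:
            raise ProxyProtocolError("bad port %r" % port)
    header = {"src": str(src_ip), "dst": str(dst_ip),
              "sport": int(sport), "dport": int(dport)}
    return header, payload


def peer_for_logging(data: bytes) -> str:
    """Address that logging, rate limiting and ACLs should see for this stream.

    Mirrors the behaviour the Apache side of the commit opts into: with a
    header, the advertised client address is used; without one the connection
    is refused rather than silently attributed to the TCP peer (the proxy).
    """
    try:
        header, _payload = parse_v1(data)
    except ProxyProtocolError as exc:
        return "rejected: %s" % exc
    if header is None:
        return "unknown"
    return "%s:%d" % (header["src"], header["sport"])


if __name__ == "__main__":
    print(peer_for_logging(PROXIED_CONNECTION))       # 203.0.113.7:51234
    print(peer_for_logging(TLS_CLIENT_HELLO_PREFIX))  # rejected: stream does not start ...
```

The second call is the failure mode the commit message warns about: a plain TLS handshake arriving on a listener that expects the header is indistinguishable from garbage and is refused, so the proxy and the web server have to agree on the setting for every connection on that port, not per site.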
master
Dustin 2025-08-23 22:21:54 -05:00
parent 717a8f90c6
commit 70909d1b13
2 changed files with 3 additions and 1 deletions

@ -136,4 +136,4 @@ dch_proxy_backends:
servers: servers:
- name: web0 - name: web0
host: 'web0.pyrocufflink.blue:443' host: 'web0.pyrocufflink.blue:443'
options: check options: check send-proxy
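Review bot: the `send-proxy` added to the `options` string for web0 also applies to the `check` probes as long as the server keeps its default check address and port, so the health check will keep passing once Apache expects the header; worth a note in the role docs that adding `addr` or `port` overrides to this server later would require `check-send-proxy` as well. The two halves of this change also have to land together: until web0 has `RemoteIPProxyProtocol On`, the header arrives in front of the TLS ClientHello and every handshake to `web0.pyrocufflink.blue:443` fails, and the reverse ordering fails the same way, so the rollout should apply both files in one run rather than in separate deployments.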

@ -11,6 +11,8 @@ RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
<VirtualHost _default_:443> <VirtualHost _default_:443>
ServerName dustin.hatch.name ServerName dustin.hatch.name
RemoteIPProxyProtocol On
Include conf.d/ssl.include Include conf.d/ssl.include
<IfModule mod_headers.c> <IfModule mod_headers.c>
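Review bot: `RemoteIPProxyProtocol On` makes httpd trust whatever source address the PROXY header carries, and, as the commit message notes, it takes effect for every virtual host on the 443 listener, yet the "only accessed through HAProxy" assumption is enforced nowhere in this diff. Pair it with a network-level restriction of web0:443 to the HAProxy host(s), or list any other legitimate direct peers with `RemoteIPProxyProtocolExceptions`, because otherwise any host able to reach port 443 could present a header with an arbitrary client address and defeat the logging, rate limiting and access control the change is meant to restore. Also confirm the access `LogFormat` reports `%a` (the client address mod_remoteip sets) rather than `%{c}a` (the underlying connection peer), or the logs will keep showing the proxy.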