r/gitea: Enable PROXY protocol

Using the PROXY protocol allows the publicly-facing reverse proxy to pass through the original source address of the client, without doing TLS termination. Clients on the internal network will not go through the proxy, though, so we have to disable the PROXY protocol for those addresses. Unfortunately, the syntax for this is kind of cumbersome, because Apache only has a deny list, not an allow list, so we have to enumerate all of the possible internal addresses _except_ the proxy.
2025-11-19 07:43:29 -06:00
parent 25d813144c
commit 8aa1e986d4
2 changed files with 17 additions and 1 deletions
--- a/group_vars/dch-proxy.yml
+++ b/group_vars/dch-proxy.yml
@@ -89,7 +89,7 @@ dch_proxy_backends:
    servers:
    - name: gitea
      host: 'git0.pyrocufflink.blue:443'
-      options: check
+      options: check send-proxy

  jellyfin:
    servers:
--- a/roles/gitea/templates/gitea.httpd.conf.j2
+++ b/roles/gitea/templates/gitea.httpd.conf.j2
@@ -22,6 +22,22 @@ AllowEncodedSlashes NoDecode
 <VirtualHost _default_:443>
    ServerName {{ gitea_http_domain }}

+    RemoteIPProxyProtocol On
+    RemoteIPProxyProtocolExceptions \
+        172.30.0.1/32 \
+        172.30.0.2/32 \
+        172.30.0.3/32 \
+        172.30.0.4/32 \
+        172.30.0.5/32 \
+        172.30.0.7/32 \
+        172.30.0.8/29 \
+        172.30.0.16/28 \
+        172.30.0.32/27 \
+        172.30.0.160/27 \
+        172.30.0.192/29 \
+        172.30.0.200/29 \
+        172.31.1.0/24
+
    SSLCertificateFile {{ gitea_ssl_certificate }}
    SSLCertificateKeyFile {{ gitea_ssl_certificate_key }}
    SSLCertificateChainFile {{ gitea_ssl_certificate }}