From 8aa1e986d42096cb89e4ae1938afd7c7ffdb9102 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 19 Nov 2025 07:43:29 -0600
Subject: [PATCH] r/gitea: Enable PROXY protocol

Using the PROXY protocol allows the publicly-facing reverse proxy to pass through the original source address of the client, without doing TLS termination. Clients on the internal network will not go through the proxy, though, so we have to disable the PROXY protocol for those addresses. Unfortunately, the syntax for this is kind of cumbersome, because Apache only has a deny list, not an allow list, so we have to enumerate all of the possible internal addresses _except_ the proxy.
---
 group_vars/dch-proxy.yml | 2 +-
 roles/gitea/templates/gitea.httpd.conf.j2 | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/group_vars/dch-proxy.yml b/group_vars/dch-proxy.yml
index 0e8efed..0ba6ab5 100644
--- a/group_vars/dch-proxy.yml
+++ b/group_vars/dch-proxy.yml
@@ -89,7 +89,7 @@ dch_proxy_backends:
 servers:
 - name: gitea
 host: 'git0.pyrocufflink.blue:443'
- options: check
+ options: check send-proxy
 
 jellyfin:
 servers:
diff --git a/roles/gitea/templates/gitea.httpd.conf.j2 b/roles/gitea/templates/gitea.httpd.conf.j2
index dd0044f..f6bc306 100644
--- a/roles/gitea/templates/gitea.httpd.conf.j2
+++ b/roles/gitea/templates/gitea.httpd.conf.j2
@@ -22,6 +22,22 @@ AllowEncodedSlashes NoDecode
 
 ServerName {{ gitea_http_domain }}
 
+ RemoteIPProxyProtocol On
+ RemoteIPProxyProtocolExceptions \
+ 172.30.0.1/32 \
+ 172.30.0.2/32 \
+ 172.30.0.3/32 \
+ 172.30.0.4/32 \
+ 172.30.0.5/32 \
+ 172.30.0.7/32 \
+ 172.30.0.8/29 \
+ 172.30.0.16/28 \
+ 172.30.0.32/27 \
+ 172.30.0.160/27 \
+ 172.30.0.192/29 \
+ 172.30.0.200/29 \
+ 172.31.1.0/24
+
 SSLCertificateFile {{ gitea_ssl_certificate }}
 SSLCertificateKeyFile {{ gitea_ssl_certificate_key }}
 SSLCertificateChainFile {{ gitea_ssl_certificate }}
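Review bot: `RemoteIPProxyProtocol On` in the gitea.httpd.conf.j2 hunk makes Apache accept the client address carried in a PROXY header from every peer that is not listed in `RemoteIPProxyProtocolExceptions`, so the source address that mod_remoteip records (and that logging or any later access control relies on) is only as trustworthy as the set of hosts able to reach this listener directly; the commit does not show a firewall or listener restriction limiting reachability to the reverse proxy and the excepted ranges, which is worth confirming before this is relied on. The exception list also changes behaviour for internal hosts it does not cover: per mod_remoteip's documented semantics, non-excepted peers that omit the PROXY header have their connections rejected, so hosts in the unlisted spans (for example 172.30.0.64–172.30.0.159, which falls between the 172.30.0.32/27 and 172.30.0.160/27 entries) would lose access entirely rather than merely be seen with the wrong address. The rationale lives only in the commit message; a comment above the directive would keep it with the configuration, e.g. `# mod_remoteip only offers a deny list: list every internal range except the reverse proxy. Peers NOT listed here must send a PROXY header or their connection is refused.` Moving the address list into a role variable (with the template iterating over it) would also let the inventory own the address plan instead of the template. The configuration block these directives sit in starts and ends outside the hunk.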