From 7b8600e5ecdc993dffc2819641870d35c2a21c6b Mon Sep 17 00:00:00 2001
From: Christine Elisabeth Koppel
Date: Sat, 14 Feb 2026 00:26:41 +0100
Subject: [PATCH] Try to investigate excessive soul weighing.
---
 nix-system-configs/modules/system/traefik.nix | 41 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index d66236b..a53ea75 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -212,6 +212,8 @@ in {
 rule = "Host(`git.prg-radio.org`)";
 service = "forgejo";
 entryPoints = ["websecure"];
+ # Ensure upstream receives standard proxy headers
+ middlewares = ["anubis-proxy-headers-forgejo"];
 tls = {};
 };
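Review bot: The comment on the new `middlewares` line says the upstream "receives standard proxy headers", but the middleware it attaches (defined later in this patch) sets fixed strings, so it overrides whatever Traefik derived from the request rather than forwarding it. Since the commit subject marks this as an investigation, I would say so on the line, e.g. `# DEBUG: force static proxy headers while investigating; overrides Traefik's computed values`. The same comment is repeated on the partdb router in the next hunk. The router attribute set begins above this hunk.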
@@ -236,23 +238,59 @@ in {
 rule = "Host(`partdb.prg-radio.org`)";
 service = "partdb";
 entryPoints = ["websecure"];
+ # Ensure upstream receives standard proxy headers
+ middlewares = ["anubis-proxy-headers-partdb"];
 tls = {};
 };
 };
+ # Middlewares that inject proxy-style headers (per service)
+ http.middlewares = {
+ anubis-proxy-headers-forgejo = {
+ headers = {
+ customRequestHeaders = {
+ # Indicate original scheme; the TLS termination at Traefik is HTTPS
+ "X-Forwarded-Proto" = "https";
+ # Tell the backend which host the client used
+ "X-Forwarded-Host" = "git.prg-radio.org";
+ # Original destination port
+ "X-Forwarded-Port" = "443";
+ # Common nginx-style proxy headers for parity testing
+ "Host" = "git.prg-radio.org";
+ "X-Real-IP" = "${X-Forwarded-For}"; # placeholder - will be literal if not supported
+ "X-Http-Version" = "HTTP/2";
+ };
+ };
+ };
+
+ anubis-proxy-headers-partdb = {
+ headers = {
+ customRequestHeaders = {
+ "X-Forwarded-Proto" = "https";
+ "X-Forwarded-Host" = "partdb.prg-radio.org";
+ "X-Forwarded-Port" = "443";
+ "Host" = "partdb.prg-radio.org";
+ "X-Real-IP" = "${X-Forwarded-For}"; # placeholder - will be literal if not supported
+ "X-Http-Version" = "HTTP/2";
+ };
+ };
+ };
+ };
+
 http.services = {
 # Anubis service (challenge UI / redirect endpoint)
 anubis.loadBalancer = {
 servers = [
 {url = "http://127.0.0.1:8090";}
 ];
- #passHostHeader = true;
+ passHostHeader = true;
 };
 forgejo.loadBalancer = {
 servers = [
 {url = "http://127.0.0.1:8092";}
 ];
+ passHostHeader = true;
 };
 matrix.loadBalancer = {
 servers = [
@@ -269,6 +307,7 @@ in {
 servers = [
 {url = "http://127.0.0.1:8094";}
 ];
+ passHostHeader = true;
 };
 };
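Review bot: Both `"X-Real-IP" = "${X-Forwarded-For}";` lines will be treated by Nix as string interpolation, because `${…}` inside a double-quoted string is evaluated and `X-Forwarded-For` parses as a single identifier; unless such a variable is in scope elsewhere in the file, evaluation fails before Traefik ever sees the config. Escaping it as `"\${X-Forwarded-For}"` would only get the literal text sent upstream, as the trailing comment already suspects, and that replaces the client address the backends use for logging, rate limiting and (if Anubis sits in this path) challenge decisions. Traefik normally sets `X-Real-Ip` itself from the connection, so I would drop both lines rather than escape them. Separately, `passHostHeader = true` in this hunk and in the partdb hunk that follows matches Traefik's documented default, so a one-line comment that it is spelled out for debugging would avoid confusion.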