Try to investigate excessive soul weighing.

2026-02-14 00:26:41 +01:00 · 2026-02-14 00:26:41 +01:00 · 7b8600e5ec
commit 7b8600e5ec
parent 3c19a950a7
1 changed files with 40 additions and 1 deletions
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@ -212,6 +212,8 @@ in {
            rule = "Host(`git.prg-radio.org`)";
            service = "forgejo";
            entryPoints = ["websecure"];
+            # Ensure upstream receives standard proxy headers
+            middlewares = ["anubis-proxy-headers-forgejo"];
            tls = {};
          };

@ -236,23 +238,59 @@ in {
            rule = "Host(`partdb.prg-radio.org`)";
            service = "partdb";
            entryPoints = ["websecure"];
+            # Ensure upstream receives standard proxy headers
+            middlewares = ["anubis-proxy-headers-partdb"];
            tls = {};
          };
        };

+        # Middlewares that inject proxy-style headers (per service)
+        http.middlewares = {
+          anubis-proxy-headers-forgejo = {
+            headers = {
+              customRequestHeaders = {
+                # Indicate original scheme; the TLS termination at Traefik is HTTPS
+                "X-Forwarded-Proto" = "https";
+                # Tell the backend which host the client used
+                "X-Forwarded-Host" = "git.prg-radio.org";
+                # Original destination port
+                "X-Forwarded-Port" = "443";
+                # Common nginx-style proxy headers for parity testing
+                "Host" = "git.prg-radio.org";
+                "X-Real-IP" = "${X-Forwarded-For}"; # placeholder - will be literal if not supported
+                "X-Http-Version" = "HTTP/2";
+              };
+            };
+          };
+
+          anubis-proxy-headers-partdb = {
+            headers = {
+              customRequestHeaders = {
+                "X-Forwarded-Proto" = "https";
+                "X-Forwarded-Host" = "partdb.prg-radio.org";
+                "X-Forwarded-Port" = "443";
+                "Host" = "partdb.prg-radio.org";
+                "X-Real-IP" = "${X-Forwarded-For}"; # placeholder - will be literal if not supported
+                "X-Http-Version" = "HTTP/2";
+              };
+            };
+          };
+        };
+
        http.services = {
          # Anubis service (challenge UI / redirect endpoint)
          anubis.loadBalancer = {
            servers = [
              {url = "http://127.0.0.1:8090";}
            ];
-            #passHostHeader = true;
+            passHostHeader = true;
          };

          forgejo.loadBalancer = {
            servers = [
              {url = "http://127.0.0.1:8092";}
            ];
+            passHostHeader = true;
          };
          matrix.loadBalancer = {
            servers = [
@ -269,6 +307,7 @@ in {
            servers = [
              {url = "http://127.0.0.1:8094";}
            ];
+            passHostHeader = true;
          };
        };