From 7dab63b83cb5d6ef0b37a66b9101ac093ba41222 Mon Sep 17 00:00:00 2001
From: Robert Helewka <r@helu.ca>
Date: Sun, 22 Mar 2026 22:51:43 +0000
Subject: [PATCH] fix: add X-Forwarded-Proto header to HTTPS frontend for
 backend connection awareness

---
 ansible/haproxy/haproxy.cfg.j2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ansible/haproxy/haproxy.cfg.j2 b/ansible/haproxy/haproxy.cfg.j2
index ee6a1c6..d1ab685 100644
--- a/ansible/haproxy/haproxy.cfg.j2
+++ b/ansible/haproxy/haproxy.cfg.j2
@@ -59,7 +59,9 @@ frontend https_frontend
     mode http
     option httplog
     option forwardfor
-    
+    # Tell backends the original connection was HTTPS (TLS terminates here)
+    http-request set-header X-Forwarded-Proto https
+
     # Security headers
     http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
     http-response set-header X-Frame-Options "SAMEORIGIN"