fix: add X-Forwarded-Proto header to HTTPS frontend for backend connection awareness

ansible/haproxy/haproxy.cfg.j2

@@ -59,7 +59,9 @@ frontend https_frontend
     mode http
     option httplog
     option forwardfor
-    
+    # Tell backends the original connection was HTTPS (TLS terminates here)
+    http-request set-header X-Forwarded-Proto https
+
     # Security headers
     http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
     http-response set-header X-Frame-Options "SAMEORIGIN"