allow enabling proxy protocol seperate for http and https

Author: Zoey2936

backend/templates/_common.conf

@@ -3,15 +3,15 @@ server_name {{ server_names | join: " " }};
 listen unix:/run/nginx.sock;
 
 {% if env.DISABLE_HTTP == "false" %}
-  listen {{ env.IPV4_BINDING }}:{{ env.HTTP_PORT }}{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};
-  {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTP_PORT }}{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};{% endif %}
+  listen {{ env.IPV4_BINDING }}:{{ env.HTTP_PORT }}{% if env.LISTEN_PROXY_PROTOCOL_HTTP == "true" %} proxy_protocol{% endif %};
+  {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTP_PORT }}{% if env.LISTEN_PROXY_PROTOCOL_HTTP == "true" %} proxy_protocol{% endif %};{% endif %}
 {% endif %}
 
 {% if certificate and certificate_id > 0 %}
-  listen {{ env.IPV4_BINDING }}:{{ env.HTTPS_PORT }} ssl{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};
-  {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTPS_PORT }} ssl{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};{% endif %}
+  listen {{ env.IPV4_BINDING }}:{{ env.HTTPS_PORT }} ssl{% if env.LISTEN_PROXY_PROTOCOL_HTTPS == "true" %} proxy_protocol{% endif %};
+  {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTPS_PORT }} ssl{% if env.LISTEN_PROXY_PROTOCOL_HTTPS == "true" %} proxy_protocol{% endif %};{% endif %}
 
-  {% if env.DISABLE_H3_QUIC == "false" and env.LISTEN_PROXY_PROTOCOL == "false" %}
+  {% if env.DISABLE_H3_QUIC == "false" %}
     listen {{ env.IPV4_BINDING }}:{{ env.HTTPS_PORT }} quic;
     {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTPS_PORT }} quic;{% endif %}
     {% if npmplus_http3_support %}more_set_headers 'Alt-Svc: h3=":$alt_svc_port"; ma=86400';{% endif %}

backend/templates/default.conf

@@ -7,14 +7,14 @@ server {
   listen unix:/run/nginx.sock;
 
   {% if env.DISABLE_HTTP == "false" %}
-    listen {{ env.IPV4_BINDING }}:{{ env.HTTP_PORT }}{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};
-    {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTP_PORT }}{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};{% endif %}
+    listen {{ env.IPV4_BINDING }}:{{ env.HTTP_PORT }}{% if env.LISTEN_PROXY_PROTOCOL_HTTP == "true" %} proxy_protocol{% endif %};
+    {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTP_PORT }}{% if env.LISTEN_PROXY_PROTOCOL_HTTP == "true" %} proxy_protocol{% endif %};{% endif %}
   {% endif %}
 
-  listen {{ env.IPV4_BINDING }}:{{ env.HTTPS_PORT }} ssl{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};
-  {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTPS_PORT }} ssl{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};{% endif %}
+  listen {{ env.IPV4_BINDING }}:{{ env.HTTPS_PORT }} ssl{% if env.LISTEN_PROXY_PROTOCOL_HTTPS == "true" %} proxy_protocol{% endif %};
+  {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTPS_PORT }} ssl{% if env.LISTEN_PROXY_PROTOCOL_HTTPS == "true" %} proxy_protocol{% endif %};{% endif %}
 
-  {% if env.DISABLE_H3_QUIC == "false" and env.LISTEN_PROXY_PROTOCOL == "false" %}
+  {% if env.DISABLE_H3_QUIC == "false" and env.LISTEN_PROXY_PROTOCOL_HTTPS == "false" %}
     listen {{ env.IPV4_BINDING }}:{{ env.HTTPS_PORT }} quic;
     {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTPS_PORT }} quic;{% endif %}
     more_set_headers 'Alt-Svc: h3=":$alt_svc_port"; ma=86400';
@@ -29,14 +29,14 @@ server {
   listen unix:/run/nginx.sock default_server;
 
   {% if env.DISABLE_HTTP == "false" %}
-    listen {{ env.IPV4_BINDING }}:{{ env.HTTP_PORT }} reuseport deferred so_keepalive=on default_server{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};
-    {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTP_PORT }} reuseport deferred so_keepalive=on default_server{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};{% endif %}
+    listen {{ env.IPV4_BINDING }}:{{ env.HTTP_PORT }} reuseport deferred so_keepalive=on default_server{% if env.LISTEN_PROXY_PROTOCOL_HTTP == "true" %} proxy_protocol{% endif %};
+    {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTP_PORT }} reuseport deferred so_keepalive=on default_server{% if env.LISTEN_PROXY_PROTOCOL_HTTP == "true" %} proxy_protocol{% endif %};{% endif %}
   {% endif %}
 
-  listen {{ env.IPV4_BINDING }}:{{ env.HTTPS_PORT }} ssl reuseport deferred so_keepalive=on default_server{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};
-  {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTPS_PORT }} ssl reuseport deferred so_keepalive=on default_server{% if env.LISTEN_PROXY_PROTOCOL == "true" %} proxy_protocol{% endif %};{% endif %}
+  listen {{ env.IPV4_BINDING }}:{{ env.HTTPS_PORT }} ssl reuseport deferred so_keepalive=on default_server{% if env.LISTEN_PROXY_PROTOCOL_HTTPS == "true" %} proxy_protocol{% endif %};
+  {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTPS_PORT }} ssl reuseport deferred so_keepalive=on default_server{% if env.LISTEN_PROXY_PROTOCOL_HTTPS == "true" %} proxy_protocol{% endif %};{% endif %}
 
-  {% if env.DISABLE_H3_QUIC == "false" and env.LISTEN_PROXY_PROTOCOL == "false" %}
+  {% if env.DISABLE_H3_QUIC == "false" %}
     listen {{ env.IPV4_BINDING }}:{{ env.HTTPS_PORT }} quic reuseport default_server;
     {% if env.DISABLE_IPV6 == "false" %}listen {{ env.IPV6_BINDING }}:{{ env.HTTPS_PORT }} quic reuseport default_server;{% endif %}
     more_set_headers 'Alt-Svc: h3=":$alt_svc_port"; ma=86400';

compose.yaml

@@ -56,9 +56,11 @@ services:
 #      - "HTTP_PORT=8080" # tcp port to use for http traffic, changing this may break certbot http challenge, default 80
 #      - "HTTPS_PORT=8443" # udp and tcp port to use for https traffic, changing this may break certbot http challenge, default 443
 #      - "DISABLE_HTTP=true" # prevents nginx from listening on port 80, default false
-#      - "LISTEN_PROXY_PROTOCOL=true" # should listeners of http(s) hosts (proxy/redirect/dead and default) use proxy protocol instead of http(s)? default false, overrides DISABLE_H3_QUIC to true
+#      - "LISTEN_PROXY_PROTOCOL=true" # should listeners of http(s) hosts (proxy/redirect/dead and default) use proxy protocol instead of http(s)? default false, overrides DISABLE_H3_QUIC, LISTEN_PROXY_PROTOCOL_HTTP and LISTEN_PROXY_PROTOCOL_HTTPS to true
+#      - "LISTEN_PROXY_PROTOCOL_HTTP=true" # should listeners of http hosts (proxy/redirect/dead and default) use proxy protocol instead of http? default false
+#      - "LISTEN_PROXY_PROTOCOL_HTTPS=true" # should listeners of https hosts (proxy/redirect/dead and default) use proxy protocol instead of https? default false, overrides DISABLE_H3_QUIC to true
 #      - "DISABLE_H3_QUIC=true" # prevents nginx from listening on port 443 udp for default host and all your hosts, this will fully disable HTTP/3 and QUIC, even if you enable it inside the UI, not recommended, default false
-#      - "NGINX_QUIC_BPF=true" # enables nginx's quic_bpf (https://nginx.org/en/docs/http/ngx_http_v3_module.html#quic_bpf), you must also add caps to the NPMplus container (see cap_add of this compose file) to use this, recommended, default false
+#      - "NGINX_QUIC_BPF=true" # enables nginx's quic_bpf (https://nginx.org/en/docs/http/ngx_http_v3_module.html#quic_bpf), you must also add caps to the NPMplus container (see cap_add of this compose file) to use this, default false
 #      - "NGINX_LOG_NOT_FOUND=true" # Log 404 errors to the docker logs, unrelated to access logs, default false
 #      - "NGINX_WORKER_PROCESSES=8" # value of worker_processes, default and recommended: auto
 #      - "NGINX_WORKER_CONNECTIONS=1024" # value of worker_connections, default: 512

rootfs/usr/local/bin/envs.sh

@@ -99,6 +99,8 @@ export HTTP_PORT="${HTTP_PORT:-80}"
 export HTTPS_PORT="${HTTPS_PORT:-443}"
 export DISABLE_HTTP="${DISABLE_HTTP:-false}"
 export LISTEN_PROXY_PROTOCOL="${LISTEN_PROXY_PROTOCOL:-false}"
+export LISTEN_PROXY_PROTOCOL_HTTP="${LISTEN_PROXY_PROTOCOL_HTTP:-false}"
+export LISTEN_PROXY_PROTOCOL_HTTPS="${LISTEN_PROXY_PROTOCOL_HTTPS:-false}"
 export DISABLE_H3_QUIC="${DISABLE_H3_QUIC:-false}"
 export NGINX_QUIC_BPF="${NGINX_QUIC_BPF:-false}"
 export NGINX_LOG_NOT_FOUND="${NGINX_LOG_NOT_FOUND:-false}"
@@ -439,6 +441,16 @@ if ! echo "$LISTEN_PROXY_PROTOCOL" | grep -q "^true$\|^false$"; then
     sleep inf
 fi
 
+if ! echo "$LISTEN_PROXY_PROTOCOL_HTTP" | grep -q "^true$\|^false$"; then
+    echo "LISTEN_PROXY_PROTOCOL_HTTP needs to be true or false."
+    sleep inf
+fi
+
+if ! echo "$LISTEN_PROXY_PROTOCOL_HTTPS" | grep -q "^true$\|^false$"; then
+    echo "LISTEN_PROXY_PROTOCOL_HTTPS needs to be true or false."
+    sleep inf
+fi
+
 if ! echo "$DISABLE_H3_QUIC" | grep -q "^true$\|^false$"; then
     echo "DISABLE_H3_QUIC needs to be true or false."
     sleep inf
@@ -720,18 +732,36 @@ if [ "$ACME_MUST_STAPLE" = "true" ] && [ "$ACME_OCSP_STAPLING" = "false" ]; then
     export ACME_OCSP_STAPLING="true"
     echo "setting ACME_OCSP_STAPLING to true, since ACME_MUST_STAPLE is set to true."
 fi
+
 if [ "$LISTEN_PROXY_PROTOCOL" = "true" ] && [ "$DISABLE_H3_QUIC" = "false" ]; then
     export DISABLE_H3_QUIC="true"
     echo "setting DISABLE_H3_QUIC to true, since LISTEN_PROXY_PROTOCOL is set to true."
 fi
+
+if [ "$LISTEN_PROXY_PROTOCOL" = "true" ] && [ "$LISTEN_PROXY_PROTOCOL_HTTP" = "false" ]; then
+    export LISTEN_PROXY_PROTOCOL_HTTP="true"
+    echo "setting LISTEN_PROXY_PROTOCOL_HTTP to true, since LISTEN_PROXY_PROTOCOL is set to true."
+fi
+
+if [ "$LISTEN_PROXY_PROTOCOL" = "true" ] && [ "$LISTEN_PROXY_PROTOCOL_HTTPS" = "false" ]; then
+    export LISTEN_PROXY_PROTOCOL_HTTPS="true"
+    echo "setting LISTEN_PROXY_PROTOCOL_HTTPS to true, since LISTEN_PROXY_PROTOCOL is set to true."
+fi
+
+if [ "$LISTEN_PROXY_PROTOCOL_HTTP" != "$LISTEN_PROXY_PROTOCOL_HTTPS" ]; then
+    echo "LISTEN_PROXY_PROTOCOL_HTTP and LISTEN_PROXY_PROTOCOL_HTTPS are different, please note that only the proxy protocol realip header will be read, but not the X-Forwarded-For http header."
+fi
+
 if [ "$NGINX_FORCE_X25519MLKEM768" = "true" ] && [ "$NGINX_DISABLE_TLS12" = "false" ]; then
     export NGINX_DISABLE_TLS12="true"
     echo "setting NGINX_DISABLE_TLS12 to true, since NGINX_FORCE_X25519MLKEM768 is set to true."
 fi
+
 if [ "$NGINX_FORCE_X25519MLKEM768" = "true" ] && [ "$NGINX_TRUST_SECPR1" = "true" ]; then
     export NGINX_TRUST_SECPR1="false"
     echo "setting NGINX_TRUST_SECPR1 to false, since NGINX_FORCE_X25519MLKEM768 is set to true."
 fi
+
 if [ "$GOA" = "true" ] && [ "$LOGROTATE" = "false" ]; then
     export LOGROTATE="true"
     echo "setting LOGROTATE to true, since GOA is set to true."

rootfs/usr/local/bin/start.sh

@@ -388,7 +388,7 @@ if [ "$GOA" = "true" ]; then
     cp -van /usr/local/nginx/conf/conf.d/goaccess.conf.disabled /usr/local/nginx/conf/conf.d/goaccess.conf
 fi
 
-if [ "$LISTEN_PROXY_PROTOCOL" = "true" ]; then
+if [ "$LISTEN_PROXY_PROTOCOL_HTTP" = "true" ] || [ "$LISTEN_PROXY_PROTOCOL_HTTPS" = "true" ]; then
   sed -i "s|real_ip_header.*|real_ip_header proxy_protocol;|g" /usr/local/nginx/conf/nginx.conf
 fi
 if [ "$NGINX_QUIC_BPF" = "true" ]; then