feat: add standard proxy headers with backward compatibility

Add X-Real-IP, X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers to all proxy hosts for proper client IP detection, HTTPS enforcement, and logging.

- New feature flag: enable_standard_headers (default: true for new hosts, false for existing)
- UI: Checkbox in proxy host form and bulk apply modal for easy migration
- Security: Always configure trusted_proxies when headers enabled
- Backward compatible: Existing hosts preserve legacy behavior until explicitly enabled

BREAKING CHANGE: New proxy hosts will have standard headers enabled by default. Existing hosts maintain legacy behavior. Users can opt-in via UI.

Backend: 98.7% coverage, 8 new tests
Frontend: 87.7% coverage, full TypeScript support
Docs: Comprehensive migration guide and troubleshooting

Closes #<issue-number> (FileFlows WebSocket fix)
This commit is contained in:
GitHub Actions
2025-12-19 20:32:03 +00:00
parent b79af10014
commit 81085ec890
19 changed files with 2921 additions and 164 deletions

View File

@@ -164,10 +164,23 @@ Let's say you have an app running at `192.168.1.100:3000` and you want it availa
- **Forward To:** `192.168.1.100`
- **Port:** `3000`
- **Scheme:** `http` (or `https` if your app already has SSL)
- **Enable Standard Proxy Headers:** ✅ (recommended — allows your app to see the real client IP)
4. **Click "Save"**
**Done!** When someone visits `myapp.example.com`, they'll see your app.
### What Are Standard Proxy Headers?
By default (and recommended), Charon adds special headers to requests so your app knows:
- **The real client IP address** (instead of seeing Charon's IP)
- **Whether the original connection was HTTPS** (for proper security and redirects)
- **The original hostname** (for virtual host routing)
**When to disable:** Only turn this off for legacy applications that don't understand these headers.
**Learn more:** See [Standard Proxy Headers](features.md#-standard-proxy-headers) in the features guide.
---
## Step 3: Get HTTPS (The Green Lock)