feat: add standard proxy headers with backward compatibility

Add X-Real-IP, X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers to all proxy hosts for proper client IP detection, HTTPS enforcement, and logging. - New feature flag: enable_standard_headers (default: true for new hosts, false for existing) - UI: Checkbox in proxy host form and bulk apply modal for easy migration - Security: Always configure trusted_proxies when headers enabled - Backward compatible: Existing hosts preserve legacy behavior until explicitly enabled BREAKING CHANGE: New proxy hosts will have standard headers enabled by default. Existing hosts maintain legacy behavior. Users can opt-in via UI. Backend: 98.7% coverage, 8 new tests Frontend: 87.7% coverage, full TypeScript support Docs: Comprehensive migration guide and troubleshooting Closes #<issue-number> (FileFlows WebSocket fix)
2025-12-19 20:32:03 +00:00
parent b79af10014
commit 81085ec890
19 changed files with 2921 additions and 164 deletions
--- a/frontend/src/components/ProxyHostForm.tsx
+++ b/frontend/src/components/ProxyHostForm.tsx
@@ -102,6 +102,7 @@ export default function ProxyHostForm({ host, onSubmit, onCancel }: ProxyHostFor
    hsts_subdomains: host?.hsts_subdomains ?? true,
    block_exploits: host?.block_exploits ?? true,
    websocket_support: host?.websocket_support ?? true,
+    enable_standard_headers: host?.enable_standard_headers ?? true,
    application: (host?.application || 'none') as ApplicationPreset,
    advanced_config: host?.advanced_config || '',
    enabled: host?.enabled ?? true,
@@ -944,8 +945,36 @@ export default function ProxyHostForm({ host, onSubmit, onCancel }: ProxyHostFor
                <CircleHelp size={14} />
              </div>
            </label>
+            <label className="flex items-center gap-3">
+              <input
+                type="checkbox"
+                checked={formData.enable_standard_headers ?? true}
+                onChange={e => setFormData({ ...formData, enable_standard_headers: e.target.checked })}
+                className="w-4 h-4 text-blue-600 bg-gray-900 border-gray-700 rounded focus:ring-blue-500"
+              />
+              <span className="text-sm text-gray-300">Enable Standard Proxy Headers</span>
+              <div title="Adds X-Real-IP, X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers to help backend applications detect client IPs, enforce HTTPS, and generate correct URLs. Recommended for all proxy hosts. Existing hosts: disabled by default for backward compatibility." className="text-gray-500 hover:text-gray-300 cursor-help">
+                <CircleHelp size={14} />
+              </div>
+            </label>
          </div>

+          {/* Legacy Headers Warning Banner */}
+          {host && (formData.enable_standard_headers === false) && (
+            <div className="bg-yellow-900/20 border border-yellow-600 rounded-lg p-3">
+              <div className="flex items-start gap-2">
+                <Info className="w-5 h-5 text-yellow-500 flex-shrink-0 mt-0.5" />
+                <div className="text-sm">
+                  <p className="font-medium text-yellow-400">Standard Proxy Headers Disabled</p>
+                  <p className="text-yellow-300/80 mt-1">
+                    This proxy host is using the legacy behavior (headers only with WebSocket support).
+                    Enable this option to ensure backend applications receive client IP and protocol information.
+                  </p>
+                </div>
+              </div>
+            </div>
+          )}
+
          {/* Advanced Config */}
          <div>
            <label htmlFor="advanced-config" className="block text-sm font-medium text-gray-300 mb-2">