From 469fcbcbe8a007140be8c8708529bb07da900a17 Mon Sep 17 00:00:00 2001
From: fruchti <fruchti@gvfr.de>
Date: Fri, 4 Jul 2025 09:21:57 +0200
Subject: [PATCH] TLS SNI: Use proxy protocol

---
 hosts/tls_sni.nix | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/hosts/tls_sni.nix b/hosts/tls_sni.nix
index be9ce62..b870e92 100644
--- a/hosts/tls_sni.nix
+++ b/hosts/tls_sni.nix
@@ -9,7 +9,7 @@
             }
 
             upstream rupert {
-                server rupert.gvfr.de:443;
+                server rupert.gvfr.de:4431;
             }
 
             upstream localserv {
@@ -18,16 +18,42 @@
 
             server {
                 listen 443;
+                ssl_preread on;
 
                 # proxy_connect_timeout 1s;
                 # proxy_timeout 3s;
                 # resolver 1.1.1.1;
 
                 proxy_pass $target_backend;
-                ssl_preread on;
+                proxy_next_upstream off;
+
+                proxy_protocol on;
             }
         '';
 
-        defaultSSLListenPort = 4431;
+        defaultListen = [
+            {
+                addr = "0.0.0.0";
+                port = 80;
+                ssl = false;
+            }
+            {
+                addr = "[::0]";
+                port = 80;
+                ssl = false;
+            }
+            {
+                addr = "0.0.0.0";
+                port = 4431;
+                ssl = true;
+                proxyProtocol = true;
+            }
+            {
+                addr = "[::0]";
+                port = 4431;
+                ssl = true;
+                proxyProtocol = true;
+            }
+        ];
     };
 }