From 6e2bcc79324e02094449154b707a26e543a4ef9c Mon Sep 17 00:00:00 2001
From: Ed Geraghty <edg@privacyinternational.org>
Date: Fri, 2 Feb 2024 20:09:21 +0000
Subject: [PATCH] Add upstream `proxy_protocol` instructions to traefik (#3150)

* Add upstream `proxy_protocol` instructions to traefik

* Fix YAML indentation to use spaces

---------

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
---
 docs/configuring-playbook-traefik.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/docs/configuring-playbook-traefik.md b/docs/configuring-playbook-traefik.md
index 5f4753891..dc4d88cf6 100644
--- a/docs/configuring-playbook-traefik.md
+++ b/docs/configuring-playbook-traefik.md
@@ -137,3 +137,25 @@ Changing the `url` to one with an `http://` prefix would allow to connect to the
 With these changes, all TCP traffic will be reverse-proxied to the target system. 
 
 **WARNING**: This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```. 
+
+
+## Traefik behind a `proxy_protocol` reverse-proxy
+
+If you run a reverse-proxy which speaks `proxy_protocol`, add the following to your configuration file:
+
+```yaml
+devture_traefik_configuration_extension_yaml: |
+  entryPoints:
+    web-secure:
+      proxyProtocol:
+        trustedIPs:
+          - "127.0.0.1/32"
+          - "<proxy internal IPv4>/32"
+          - "<proxy IPv6>/128"
+    matrix-federation:
+        proxyProtocol:
+          trustedIPs:
+            - "127.0.0.1/32"
+            - "<proxy internal IPv4>/32"
+            - "<proxy IPv6>/128"
+```