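# configuration.yaml SNIPPET -- paste into ./config/configuration.yaml on the HOME box
# ----------------------------------------------------------------------------
# WHY this is required:
#   HA refuses proxied requests by default (anti-spoofing). When ha-proxy
#   forwards from Hetzner over the tailnet, the request reaches HA with a
#   SOURCE IP equal to the Hetzner node's tailnet IP (after the host
#   masquerades it out tailscale0). You must whitelist that IP, or every page
#   load fails with HTTP 400
#   "received from untrusted proxy / IP address not allowed".
#
#   If you hit a 400, check the HA log -- it prints the exact rejected IP. Put
#   THAT IP in trusted_proxies (it should be 100.75.128.45, your Hetzner
#   tailnet IP). If the logged IP is one you do not recognise as your own
#   proxy, find out what is sending the request before trusting it.
#
# WHAT this trusts:
#   With use_x_forwarded_for enabled, HA takes the client address from the
#   X-Forwarded-For header on requests that arrive from a trusted_proxies
#   entry. Every listed address can therefore state any client IP it likes,
#   which feeds whatever HA keys on client IP (IP bans and failed-login
#   tracking, and a trusted_networks auth provider if one is configured).
#   - Keep the list to single addresses; do not widen it to the whole tailnet
#     range (100.64.0.0/10) or a LAN subnet.
#   - ha-proxy should set X-Forwarded-For itself rather than pass through a
#     value supplied by the client -- verify in the proxy config.
#   - Restricting which tailnet nodes may reach HA's port (tailnet ACLs) keeps
#     this list from being the only control.
#
# MERGING:
#   If configuration.yaml already has an `http:` key, add these options under
#   it. A second top-level `http:` key is a duplicate key, not a merge.
http:
  use_x_forwarded_for: true
  trusted_proxies:
    # Addresses are quoted so they always load as plain strings.
    - '100.75.128.45'  # Hetzner (manohar-ubuntu) tailnet IP = the proxy's source
    # NOTE(review): the loopback entries are only needed if something on the
    # HOME box itself proxies to HA. The path described above arrives from the
    # tailnet IP, so confirm a local proxy exists; otherwise remove them, since
    # any local process could then supply X-Forwarded-For.
    - '127.0.0.1'
    - '::1'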