Create haproxy-moonfire-tls-client.conf #134

Status: Open. Wants to merge 1 commit into base: master.

Conversation

Bobberty

Added a folder for config examples. And added a config example for using HAProxy using IPv6, TLS, and Client Certs. This also provides for local users without client certs.

Owner

@scottlamb left a comment

Thanks for sharing your config! A couple comments below.

Also, what are your thoughts on putting it here vs on the wiki? I started the latter as an easy place to add stuff that's not tied to a specific version of the software. Hardware recommendations, general system setup, etc. I'd already written the "Securing Moonfire NVR" guide when I set up the wiki, or I might have added it there instead. It kind of straddles the distinction I set; it refers to some commandline flags and expected headers that might change in a future version, but much of it is about general concepts and software other than Moonfire NVR. We could leave it alone, move the whole guide to the wiki, or move just the two examples (my nginx one and your haproxy one).



backend moonfire
http-request add-header X-Forwarded-Host %[req.hdr(Host)]
Owner

Moonfire NVR doesn't pay any attention to X-Forwarded-Host at the moment. Is haproxy changing the original Host header? If not, you shouldn't need anything like this. You can check what it looks like via the /api/request endpoint.

Author

This is me learning about how Moonfire works. This was my first attempt (borrowed from another situation) and it seemed to work.

Owner

Yeah, that's totally cool. I think with just a couple changes it'll exactly match what Moonfire NVR expects, and we just need to decide between putting it in the repository or the wiki. I'm leaning toward putting it in the wiki, and moving my nginx example config there too.

#
# Note: I have modified the Systemd unit file to reflect binding to [::1]:8080
#
# As with anything else, this may be a starting place. Improvements are a neccessity for life.
Owner

case in point: necessity has one c. ;-)

Author

I live in a world where AI smell checking and flying cars already happened.


frontend https
bind :::443 v6only ssl crt *MYSERVERCERT*.pem verify optional ca-file *MYROOT_CA*.pem crt-ignore-err all ca-ignore-err all
http-request add-header X-Forwarded-Proto https
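Review bot: on the bind line, `crt-ignore-err all ca-ignore-err all` together with `verify optional` means a client whose certificate fails verification (untrusted issuer, expired, bad chain) still completes the TLS handshake, so "a certificate was presented" no longer implies "it was validated". Since this config intentionally admits local users without certificates, any rule that grants access because a client certificate is present should also require `ssl_c_verify 0` (and `ssl_c_used`), or the two ignore-err options should be dropped so that only certificates that verify survive the handshake.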
Owner

It looks like you can do something similar here to pass the original IP address also:

option forwardfor header X-Real-IP

http://cbonte.github.io/haproxy-dconv/2.5/configuration.html#4-option%20forwardfor
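An HAProxy fragment that applies the points raised in this review, added here as an illustration and not the PR's own file: no X-Forwarded-Host, the client address passed as X-Real-IP via `option forwardfor`, and a client certificate trusted only when it actually verified. The certificate paths, the 192.168.1.0/24 LAN range and the [::1]:8080 backend are assumed values.

```haproxy
# Added example, not part of the pull request. Assumed: cert paths, LAN range,
# backend address. Syntax as in the HAProxy 2.x configuration manual.
defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend https
    # IPv6-only TLS listener. Client certs are requested but optional so that
    # cert-less local users can still connect. No crt-ignore-err/ca-ignore-err:
    # a certificate that is presented must verify or the handshake fails.
    bind :::443 v6only ssl crt /etc/haproxy/certs/server.pem verify optional ca-file /etc/haproxy/certs/root-ca.pem

    # Original client address in the header the review points to; the Host
    # header is passed through unchanged, so no X-Forwarded-Host is needed.
    option forwardfor header X-Real-IP
    http-request set-header X-Forwarded-Proto https

    # Trust a client cert only if one was used AND it verified (0 == X509_V_OK).
    acl has_cert ssl_c_used
    acl cert_ok  ssl_c_verify 0
    # Cert-less fallback for local users (assumed LAN range).
    acl from_lan src 192.168.1.0/24

    # Condition reads as (has_cert AND cert_ok) OR from_lan.
    http-request deny deny_status 403 unless has_cert cert_ok || from_lan

    default_backend moonfire

backend moonfire
    # Moonfire NVR bound to localhost IPv6, as noted in the PR's unit-file comment.
    server nvr [::1]:8080
```

The `has_cert cert_ok` pair is belt-and-braces here; it becomes the only enforcement point if someone later re-adds the ignore-err options.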
