From b32393c9de2daa05a37cc9dea135d572ef9fd182 Mon Sep 17 00:00:00 2001
From: shodan
Date: Thu, 12 Mar 2026 15:56:44 +0000
Subject: [PATCH] .
---
 ingress-external-devices/coreswitch.yaml | 12 +++++++++++-
 ingress-external-devices/firewall.yaml | 17 +++++++++--------
 2 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/ingress-external-devices/coreswitch.yaml b/ingress-external-devices/coreswitch.yaml
index a3f3163..44b3882 100644
--- a/ingress-external-devices/coreswitch.yaml
+++ b/ingress-external-devices/coreswitch.yaml
@@ -30,7 +30,17 @@ metadata:
 kubernetes.io/ingress.class: nginx
 cert-manager.io/cluster-issuer: letsencrypt
 nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
- nginx.ingress.kubernetes.io/ssl-redirect: "false"
+
+ # keep browser on HTTPS
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 spec:
 tls:
 - hosts: [coreswitch.apps.undercloud.dev]
diff --git a/ingress-external-devices/firewall.yaml b/ingress-external-devices/firewall.yaml
index a3f7512..a22aa98 100644
--- a/ingress-external-devices/firewall.yaml
+++ b/ingress-external-devices/firewall.yaml
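Review bot: The `configuration-snippet` annotation added in coreswitch.yaml (and again in the firewall.yaml hunk) only takes effect when the ingress-nginx controller has `allow-snippet-annotations` enabled. Recent ingress-nginx releases ship that setting off, because snippet annotations let anyone who can edit an Ingress inject arbitrary nginx directives into the shared controller. In coreswitch.yaml the six `proxy_set_header` lines appear to restate what the controller's default template already sends, so the snippet can probably be dropped; check the rendered nginx.conf before relying on that. If it stays, `X-Forwarded-For $proxy_add_x_forwarded_for` appends to whatever the client supplied, so the backend must not trust the leading entries; `proxy_set_header X-Forwarded-For $remote_addr;` is the safer form when no trusted proxy sits in front of the controller. The annotations block starts above the hunk, so other annotations on this Ingress are not visible here.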
@@ -35,17 +35,18 @@ metadata: nginx.ingress.kubernetes.io/proxy-ssl-name: "firewall.undercloud.local" nginx.ingress.kubernetes.io/proxy-ssl-verify: "false" - # rewrite absolute redirects and cookies from Sophos nginx.ingress.kubernetes.io/proxy-redirect-from: "https://firewall.undercloud.local:4444/" - nginx.ingress.kubernetes.io/proxy-redirect-to: "https://firewall-admin.apps.undercloud.dev/" + nginx.ingress.kubernetes.io/proxy-redirect-to: "https://firewall-admin.apps.undercloud.dev/" nginx.ingress.kubernetes.io/proxy-cookie-domain: "firewall.undercloud.local firewall-admin.apps.undercloud.dev" + nginx.ingress.kubernetes.io/proxy-cookie-path: "/ /" - # long polls/websockets tolerance - nginx.ingress.kubernetes.io/proxy-read-timeout: "600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "600" - - # optional: lock down by source IP(s) - # nginx.ingress.kubernetes.io/whitelist-source-range: "/32" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header Host firewall.undercloud.local; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; spec: tls: - hosts: [firewall-admin.apps.undercloud.dev]
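Review bot: This hunk deletes the commented `whitelist-source-range` reminder in firewall.yaml without adding any source restriction, so nothing visible here limits who can reach the firewall admin login published at firewall-admin.apps.undercloud.dev. The context line `proxy-ssl-verify: "false"` also leaves the upstream certificate unchecked. I would restore the restriction with a real range, `nginx.ingress.kubernetes.io/whitelist-source-range: "<ADMIN_CIDR>"` (placeholder), and add a comment saying why upstream verification is off. The fixed upstream Host can be set with `nginx.ingress.kubernetes.io/upstream-vhost: "firewall.undercloud.local"` instead of the snippet, which removes this Ingress's dependency on snippet annotations. The removed `proxy-read-timeout` and `proxy-send-timeout` annotations are not replaced, so long polls fall back to the controller defaults; the annotations block begins above the hunk.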