
Support multi proxies between TLS termination proxy and hydra #1282

Closed
sawadashota opened this issue Feb 13, 2019 · 2 comments

Comments

@sawadashota
Contributor

Is your feature request related to a problem? Please describe.

Hydra seems to support only the following architecture.

Client -> TLS termination proxy -> hydra

Then, set the TLS termination proxy's CIDR address as HTTPS_ALLOW_TERMINATION_FROM.

But how about the following case?

Client -> TLS termination proxy -> proxy -> hydra

Set the TLS termination proxy's CIDR address and it doesn't work.
Set the proxy's CIDR address and it works, but is it the best way?

Describe the solution you'd like

I think it's best to set the TLS termination proxy's CIDR address as HTTPS_ALLOW_TERMINATION_FROM even if there are proxies between the TLS termination proxy and hydra.

@aeneasr
Member

aeneasr commented Feb 13, 2019

Why wouldn't you just set HTTPS_ALLOW_TERMINATION_FROM to the IP of proxy?

@sawadashota
Contributor Author

Yes, it works, but I think this is not better in the sense of the HTTPS_ALLOW_TERMINATION_FROM option.
This option seems to mean "set the TLS termination proxy's IP, then trust it and check the X-Forwarded-Proto header".
Therefore, I think it is better to ensure the TLS termination proxy's IP.

hydra/cmd/serve.go

Lines 186 to 190 in aa6ab26

- HTTPS_ALLOW_TERMINATION_FROM: Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections.
Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but
your proxy / gateway / load balancer. Supports ipv4 and ipv6.
Hydra serves http instead of https when this option is set.
Example: HTTPS_ALLOW_TERMINATION_FROM=127.0.0.1/32,192.168.178.0/24,2620:0:2d0:200::7/32

In addition, in my case, using AWS, the TLS termination proxy and the proxy are in different subnets.
When I set HTTPS_ALLOW_TERMINATION_FROM to the IP of nginx, it works, but I want to change it to the ALB IP.

Client -> ALB (TLS termination) -> nginx on ECS -> hydra on ECS
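The last-hop semantics this thread turns on, as an added example written for this page and not hydra's own code: a whitelist check modelled on the documented HTTPS_ALLOW_TERMINATION_FROM behaviour (the check logic is an assumption, and the 10.0.x.0/24 subnets, peer address and /oauth2/auth path are constructed). Because only the peer that actually opens the TCP connection is compared against the ranges, an ALB range never matches when nginx is the hop in front of hydra.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// parseAllowedCIDRs parses a HTTPS_ALLOW_TERMINATION_FROM-style list (IPv4 and IPv6).
func parseAllowedCIDRs(list string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, s := range strings.Split(list, ",") {
		_, n, err := net.ParseCIDR(strings.TrimSpace(s)) // a bare IP without /len is rejected
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// isTerminatedTLS trusts "X-Forwarded-Proto: https" only when the direct peer
// (r.RemoteAddr, i.e. the last hop) is inside an allowed range. Hops further
// upstream, such as a load balancer in front of another proxy, are never seen here.
func isTerminatedTLS(r *http.Request, allowed []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return false
	}
	for _, n := range allowed {
		if n.Contains(ip) {
			return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
		}
	}
	return false
}

func main() {
	// Constructed AWS-style layout: ALB in 10.0.1.0/24, nginx in 10.0.2.0/24.
	// hydra's peer is nginx, so whitelisting only the ALB range cannot match.
	req, _ := http.NewRequest(http.MethodGet, "/oauth2/auth", nil)
	req.RemoteAddr = "10.0.2.15:43210"
	req.Header.Set("X-Forwarded-Proto", "https")
	alb, _ := parseAllowedCIDRs("10.0.1.0/24")
	nginx, _ := parseAllowedCIDRs("10.0.2.0/24")
	fmt.Println(isTerminatedTLS(req, alb), isTerminatedTLS(req, nginx)) // false true
}
```

Whitelisting the inner proxy's range, as the maintainer suggests, is what makes the check pass; the inner proxy must then be the only party able to set X-Forwarded-Proto, exactly as the documented option warns.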
