Fix IP ACLs for proxy_protocol

When --enable-ssl-passthrough is enabled, proxy protocol is enabled in nginx. Nginx was set to
pull the IP from proxy_protocol for HTTP and HTTPS. This change uses proxy_protocol only when
proxy_protocol is enabled or the request is coming in from SSLProxy port.

rootfs/etc/nginx/template/nginx.tmpl

@@ -32,12 +32,8 @@ events {
 }
 
 http {
-    {{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
-    {{ if $cfg.UseProxyProtocol }}
-    real_ip_header      proxy_protocol;
-    {{ else }}
-    real_ip_header      {{ $cfg.ForwardedForHeader }};
-    {{ end }}
+
+    real_ip_header      $real_ip_header;
 
     real_ip_recursive   on;
     {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
@@ -168,13 +164,19 @@ http {
         ''               close;
     }
 
-    map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
-    {{ if $cfg.UseProxyProtocol }}
+    map $pass_server_port $real_ip_header {
+        {{ $all.ListenPorts.SSLProxy }} proxy_protocol;
+        default                         X-Forwarded-For;
+    }
+
+    map $real_ip_header $the_real_ip {
         # Get IP address from Proxy Protocol
+        proxy_protocol   $proxy_protocol_addr;
+        {{ if $all.Cfg.UseProxyProtocol }}
         default          $proxy_protocol_addr;
-    {{ else }}
+        {{ else }}
         default          $remote_addr;
-    {{ end }}
+        {{ end }}
     }
 
     # trust http_x_forwarded_proto headers correctly indicate ssl offloading