This fixes several issues where services would see the internal IP of
the proxy and not that of the client.
It works by first unsetting any proxy-related headers that arrive from
the internet, then setting those as seen by HAProxy's entrypoint
frontend.
And finally making sure that neither WAF when enabled nor other
HAProxy backends touch these headers, while they are actually used by
the final services.
Services affected: Netcloud, Keycloak, Moodle
8f5de8af6a