Comment on Assign privileged port to caddy running with rootless podman
stratself@lemdro.id 1 week ago
Hi,
The client IP problem is a longstanding issue in podman’s virtual bridge networks.
As a workaround I’d run HAProxy rootless, using the pasta networking mode, as that one allows seeing the native client IP. With pasta’s -T flag (see docs) I’d forward traffic to another caddy container binding to 127.0.0.1:8080 or something similar.
This would coincide with your firewalld/HAProxy port-forwarding setup, but it has more rootlessness to it. It’s still not perfect, but I hope it may be useful.