From 993ce372b213b0ce17aacb6063d7add7ae3a3e71 Mon Sep 17 00:00:00 2001
From: Seyed Mansour Mirbehbahani
Date: Sun, 29 Dec 2024 09:41:42 +0330
Subject: [PATCH 1/2] :arrow_up_small: added $resolved_proto map to ensure that the X-Forwarded-Proto and X-Forwarded-Scheme headers reflect the most accurate protocol. The resolved_proto variable prioritizes the X-Forwarded-Proto header (set by sources like Cloudflare or AWS) and falls back to $scheme when unavailable, then this value is used to set Scheme and Proto instead of $scheme
---
 backend/templates/_location.conf | 4 ++--
 backend/templates/_resolved_proto_map.conf | 7 +++++++
 backend/templates/proxy_host.conf | 2 ++
 docker/rootfs/etc/nginx/conf.d/include/proxy.conf | 5 ++---
 4 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 backend/templates/_resolved_proto_map.conf
diff --git a/backend/templates/_location.conf b/backend/templates/_location.conf
index a2ecb166d..1b6d32dac 100644
--- a/backend/templates/_location.conf
+++ b/backend/templates/_location.conf
@@ -2,8 +2,8 @@
 {{ advanced_config }}
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Scheme $scheme;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Scheme $resolved_proto;
+ proxy_set_header X-Forwarded-Proto $resolved_proto;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/backend/templates/_resolved_proto_map.conf b/backend/templates/_resolved_proto_map.conf
new file mode 100644
index 000000000..82d5708fd
--- /dev/null
+++ b/backend/templates/_resolved_proto_map.conf
@@ -0,0 +1,7 @@
+# Resolve the effective protocol: use X-Forwarded-Proto if set
+# (e.g., from proxies like Cloudflare or AWS)
+# otherwise fall back to the current scheme.
+map $http_x_forwarded_proto $resolved_proto {
+ default $scheme;
+ ~.+ $http_x_forwarded_proto;
+}
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index d23ca46fa..13131a84d 100644
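Review bot: The new `map` in `_resolved_proto_map.conf` copies whatever `X-Forwarded-Proto` the request carries into `$resolved_proto`, and the `~.+` pattern accepts any non-empty value from any peer, not only from a fronting proxy. A client that reaches nginx directly over plain HTTP can therefore make the upstream believe the request arrived over HTTPS, or hand it an arbitrary string, which matters for anything the backend derives from these headers (secure-cookie flags, redirect targets, generated URLs); the same variable is consumed by the `_location.conf` and `proxy.conf` hunks. I would honour the header only when the connecting peer is a known proxy and only for the values `http` and `https`, falling back to `$scheme` otherwise. The sketch below uses a placeholder CIDR, and whether `$realip_remote_addr` or `$remote_addr` is the right peer variable depends on whether the realip module is active in this image, which the diff does not show.

```nginx
# Peers allowed to assert the original protocol (placeholder range, replace with the real proxy networks).
geo $realip_remote_addr $proto_trusted_peer {
    default               0;
    <TRUSTED_PROXY_CIDR>  1;
}

# Accept the forwarded protocol only from a trusted peer and only for known values.
map "$proto_trusted_peer:$http_x_forwarded_proto" $resolved_proto {
    default    $scheme;
    "1:https"  https;
    "1:http"   http;
}
```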
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -4,6 +4,8 @@
 {% include "_hsts_map.conf" %}
+{% include "_resolved_proto_map.conf" %}
+
 server {
 set $forward_scheme {{ forward_scheme }};
 set $server "{{ forward_host }}";
diff --git a/docker/rootfs/etc/nginx/conf.d/include/proxy.conf b/docker/rootfs/etc/nginx/conf.d/include/proxy.conf
index d346c4ef3..2cf0f657b 100644
--- a/docker/rootfs/etc/nginx/conf.d/include/proxy.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/proxy.conf
@@ -1,8 +1,7 @@
 add_header X-Served-By $host;
 proxy_set_header Host $host;
-proxy_set_header X-Forwarded-Scheme $scheme;
-proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Scheme $resolved_proto;
+proxy_set_header X-Forwarded-Proto $resolved_proto;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_pass $forward_scheme://$server:$port$request_uri;
-
From 6c5dbf54e7bb29a4aae04b98730b386398c01e7c Mon Sep 17 00:00:00 2001
From: Seyed Mansour Mirbehbahani
Date: Sun, 29 Dec 2024 14:49:31 +0330
Subject: [PATCH 2/2] :arrow_up_small: Since `resolved_progo_map.conf` doesn't change content per host, we should put it in `/docker/rootfs/etc/nginx/conf.d/include/resolved_proto_map.conf` instead.
---
 backend/templates/proxy_host.conf | 2 +-
 .../rootfs/etc/nginx/conf.d/include/resolved_proto_map.conf | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename backend/templates/_resolved_proto_map.conf => docker/rootfs/etc/nginx/conf.d/include/resolved_proto_map.conf (100%)
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index 13131a84d..f57db26e6 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -4,7 +4,7 @@
 {% include "_hsts_map.conf" %}
-{% include "_resolved_proto_map.conf" %}
+include conf.d/include/resolved_proto_map.conf;
 server {
 set $forward_scheme {{ forward_scheme }};
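Review bot: After the second patch the `include conf.d/include/resolved_proto_map.conf;` line is still emitted by the `proxy_host.conf` template, so the static map is loaded once per generated host file, while `proxy.conf` now references `$resolved_proto` unconditionally. If `proxy.conf` is included from any configuration that is loaded when no proxy-host file exists (not visible in this diff), nginx would reject the configuration because the variable is undefined. Since the commit message itself says the map does not vary per host, loading it once from the `http` block of the main nginx configuration and dropping the per-host include would remove that coupling. A short comment next to that single include, such as `# defines $resolved_proto used by include/proxy.conf and custom locations`, would document the dependency.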
diff --git a/backend/templates/_resolved_proto_map.conf b/docker/rootfs/etc/nginx/conf.d/include/resolved_proto_map.conf
similarity index 100%
rename from backend/templates/_resolved_proto_map.conf
rename to docker/rootfs/etc/nginx/conf.d/include/resolved_proto_map.conf