Add force_forwarded_ssl_header vhost/location option
This is a workaround for running an application behind two layers of reverse proxies with the outer one terminating ssl. In this case the inner proxy receives requests with plain http and sets X-Forwarded-Proto, X-Forwarded-Ssl and X-Url-Scheme to "http", although the original requests used https. This breaks some applications. Ideally we would use a mechanism similar to real_ip_from and just forward the proto/ssl/scheme headers if the request came from a trusted proxy, but this workaround is much simpler.
This commit is contained in:
Julian Rother
parent
1a90bb657a
commit
5a3a51e1be
2 changed files with 7 additions and 0 deletions
|
|
@ -46,6 +46,7 @@ nginx_vhosts_defaults:
|
|||
hide_proxy_headers: {}
|
||||
backend: ~
|
||||
disallow_dotfiles: True
|
||||
force_forwarded_ssl_header: False
|
||||
|
||||
nginx_streams_defaults:
|
||||
listen:
|
||||
|
|
|
|||
|
|
@ -53,9 +53,15 @@ server {
|
|||
proxy_set_header Host {{ location.host|d(vhost.host) }};
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
{% if not location.force_forwarded_ssl_header|d(vhost.force_forwarded_ssl_header) %}
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Ssl $https;
|
||||
proxy_set_header X-Url-Scheme $scheme;
|
||||
{% else %}
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Url-Scheme https;
|
||||
{% endif %}
|
||||
|
||||
# add custom proxy headers
|
||||
{% for header in vhost.add_proxy_headers if header %}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue