Commonly suggested Docker configuration fails to take into account Traefik TLS termination, leads to HTTP URLs being shown to users

[gparent]

Description of the issue

The nginx template sets the X-Forwarded-Proto header to $scheme, which is HTTP when Nginx is used as a HTTP frontend while Traefik does TLS termination.

This renders some URLs (like password resets and OpenID connections redirect URIs) being HTTP instead of HTTPS as intended.

There are probably some workarounds to this, however the core issue seems to be that wrong information is given to the backend in nginx-template.conf.

• When Nginx is used standalone, passing $scheme is correct
• When running it in HTTP mode behind Traefik, it needs to be set to $http_x_forwarded_proto;

Context information (for bug reports)

Here's a patch that I have only tested in HTTPS (so it may break HTTP):

diff --git a/resources/nginx-template.conf b/resources/nginx-template.conf
index e6d796a..f982ecb 100644
--- a/resources/nginx-template.conf
+++ b/resources/nginx-template.conf
@@ -25,6 +25,8 @@ server {
        real_ip_header ${UPSTREAM_REAL_IP_HEADER};
        real_ip_recursive ${UPSTREAM_REAL_IP_RECURSIVE};

+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+
        location /assets {
                try_files $uri =404;
        }
@@ -61,7 +63,6 @@ server {
        location @webserver {
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $remote_addr;
-               proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Frappe-Site-Name ${FRAPPE_SITE_NAME_HEADER};
                proxy_set_header Host $host;
                proxy_set_header X-Use-X-Accel-Redirect True;

Steps to reproduce the issue

1. Follow https://github.com/frappe/frappe_docker/blob/main/docs/single-server-example.md and make a working instance with TLS
2. Configure email and request a password reset
3. Notice the password reset URI is HTTP

Observed result

Some URIs like password resets and OpenID redirects are HTTP

Expected result

Those URIs should be using the same protocol as the frontend, which could (but isn't necessarily!) HTTPS.

[revant]

Send PR if it solves the issue

[gparent]

I've already included a patch, but my understanding is that my fix would break other configurations (Like ones without a frontend proxy). So I'm leaving this here for maintainers to consider it (or not).

[sudhegan]

recently i came accross an bug in frappe builder where the browser blocks some js and css of the webpage build in builder as it uses http instead of https (bug related to these
https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content?utm_source=mozilla&utm_medium=firefox-console-errors&utm_campaign=default

https://stackoverflow.com/questions/33507566/mixed-content-blocked-when-running-an-http-ajax-operation-in-an-https-page)

the fix mentioned in this issue fixed it