The nginx template sets the X-Forwarded-Proto header to $scheme, which is HTTP when Nginx is used as an HTTP frontend while Traefik does TLS termination.
This results in some URLs (like password resets and OpenID connections redirect URIs) being HTTP instead of HTTPS as intended.
There are probably some workarounds to this; however, the core issue seems to be that wrong information is given to the backend in nginx-template.conf.
When Nginx is used standalone, passing $scheme is correct.
When running it in HTTP mode behind Traefik, it needs to be set to $http_x_forwarded_proto;
Context information (for bug reports)
Here's a patch that I have only tested in HTTPS (so it may break HTTP):
I've already included a patch, but my understanding is that my fix would break other configurations (like ones without a frontend proxy). So I'm leaving this here for maintainers to consider it (or not).
Steps to reproduce the issue
Observed result
Some URIs like password resets and OpenID redirects are HTTP
Expected result
Those URIs should be using the same protocol as the frontend, which could be (but isn't necessarily!) HTTPS.
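One way to cover both deployments described in this issue, as an added example that is not the project's nginx-template.conf and not the patch mentioned above: the incoming X-Forwarded-Proto value is honoured only when the connection comes from the TLS-terminating proxy, and $scheme is used otherwise, so a client that reaches Nginx directly cannot claim HTTPS. The proxy network range, the backend address, and the variable names $from_trusted_proxy and $upstream_forwarded_proto are assumptions.

```nginx
# Added example; place the geo and map blocks in the http {} context.

# 1 when the TCP peer is the TLS-terminating proxy (Traefik), 0 otherwise.
# The range below is an assumption: replace it with the network Traefik
# actually connects from.
geo $from_trusted_proxy {
    default        0;
    172.16.0.0/12  1;
}

# Pick the scheme reported to the backend:
#  - trusted proxy sent "https" or "http": pass that value through
#  - header missing, unexpected, or peer not trusted: use what Nginx saw
map "$from_trusted_proxy:$http_x_forwarded_proto" $upstream_forwarded_proto {
    default    $scheme;
    "1:https"  https;
    "1:http"   http;
}

server {
    listen 80;

    location / {
        # Hypothetical backend address, for illustration only.
        proxy_pass http://127.0.0.1:8080;

        proxy_set_header Host              $host;
        # Standalone Nginx: resolves to $scheme (the current behaviour).
        # Behind Traefik:   resolves to the scheme the client used with Traefik.
        proxy_set_header X-Forwarded-Proto $upstream_forwarded_proto;
    }
}
```

Passing $http_x_forwarded_proto through unconditionally would let any client that can reach Nginx directly set the scheme used in generated URLs such as password reset links and redirect URIs, which is why the value is tied to the peer address here.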