Trust upstream proxies to specify https scheme

conf/http-base.conf

@@ -29,6 +29,11 @@ map $proxy_protocol_addr $proper_forwarded_for {
   default $proxy_protocol_addr;
 }
 
+map $http_x_forwarded_proto $proper_scheme {
+  default $scheme;
+  https   https;
+}
+
 upstream web_app_server {
     server unix:/tmp/gunicorn_web.sock fail_timeout=0;
 }

conf/server-base.conf

@@ -5,7 +5,7 @@ server_name _;
 keepalive_timeout 5;
 
 if ($host = "www.quay.io") {
-    return 301 $scheme://quay.io$request_uri;
+    return 301 $proper_scheme://quay.io$request_uri;
 }
 
 if ($args ~ "_escaped_fragment_") {
@@ -18,7 +18,7 @@ add_header X-Frame-Options DENY;
 
 # Proxy Headers
 proxy_set_header X-Forwarded-For $proper_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Proto $proper_scheme;
 proxy_set_header Host $host;
 proxy_redirect off;
 
@@ -57,7 +57,7 @@ location ~ ^/v2 {
 
     # Setting ANY header clears all inherited proxy_set_header directives
     proxy_set_header X-Forwarded-For $proper_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Proto $proper_scheme;
     proxy_set_header Host $host;
 
     proxy_buffering off;
@@ -77,7 +77,7 @@ location ~ ^/v2 {
 location ~ ^/v1 {
     # Setting ANY header clears all inherited proxy_set_header directives
     proxy_set_header X-Forwarded-For $proper_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Proto $proper_scheme;
     proxy_set_header Host $host;
 
     proxy_buffering off;