From 0fdbf8a210721a4a533fa4a4d04b76713331374d Mon Sep 17 00:00:00 2001
From: Jake Moshenko
Date: Wed, 3 Feb 2016 13:08:43 -0500
Subject: [PATCH] Trust upstream proxies to specify https scheme
---
 conf/http-base.conf | 5 +++++
 conf/server-base.conf | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/conf/http-base.conf b/conf/http-base.conf
index 7f62b51b0..492ce40e4 100644
--- a/conf/http-base.conf
+++ b/conf/http-base.conf
@@ -29,6 +29,11 @@ map $proxy_protocol_addr $proper_forwarded_for {
 default $proxy_protocol_addr;
 }
+map $http_x_forwarded_proto $proper_scheme {
+ default $scheme;
+ https https;
+}
+
 upstream web_app_server {
 server unix:/tmp/gunicorn_web.sock fail_timeout=0;
 }
diff --git a/conf/server-base.conf b/conf/server-base.conf
index df1fed771..795de265e 100644
--- a/conf/server-base.conf
+++ b/conf/server-base.conf
@@ -5,7 +5,7 @@ server_name _;
 keepalive_timeout 5;
 if ($host = "www.quay.io") {
- return 301 $scheme://quay.io$request_uri;
+ return 301 $proper_scheme://quay.io$request_uri;
 }
 if ($args ~ "_escaped_fragment_") {
@@ -18,7 +18,7 @@ add_header X-Frame-Options DENY;
 # Proxy Headers
 proxy_set_header X-Forwarded-For $proper_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Proto $proper_scheme;
 proxy_set_header Host $host;
 proxy_redirect off;
@@ -57,7 +57,7 @@ location ~ ^/v2 {
 # Setting ANY header clears all inherited proxy_set_header directives
 proxy_set_header X-Forwarded-For $proper_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Proto $proper_scheme;
 proxy_set_header Host $host;
 proxy_buffering off;
@@ -77,7 +77,7 @@ location ~ ^/v2 {
 location ~ ^/v1 {
 # Setting ANY header clears all inherited proxy_set_header directives
 proxy_set_header X-Forwarded-For $proper_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Proto $proper_scheme;
 proxy_set_header Host $host;
 proxy_buffering off;
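Review bot: The new `map $http_x_forwarded_proto $proper_scheme` block accepts `X-Forwarded-Proto: https` from any client, not only from the upstream proxies named in the commit subject. Nothing visible in this hunk ties the header to the address of a trusted load balancer, so a request that reaches nginx directly over plain HTTP can make `$proper_scheme` evaluate to `https`; the three `proxy_set_header X-Forwarded-Proto $proper_scheme;` hunks in conf/server-base.conf then forward that claim to the application, which may rely on it for redirect, URL-generation or secure-cookie decisions. Consider gating the map on the peer address as sketched below; the CIDR is a placeholder, and if the listener uses PROXY protocol or realip the `geo` key has to be the variable that holds the actual peer address, which should be confirmed against the listener config outside this diff.

```nginx
# Constructed example: replace the placeholder with the load balancer's address range.
geo $trusted_proxy {
    default 0;
    <TRUSTED_PROXY_CIDR> 1;
}

# Honour the header only when the direct peer is a trusted proxy.
map "$trusted_proxy:$http_x_forwarded_proto" $proper_scheme {
    default $scheme;
    "1:https" https;
}
```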
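Review bot: The canonical-host redirect `return 301 $proper_scheme://quay.io$request_uri;` still sends a client to `http://quay.io` whenever the header is absent and the connection to nginx is plain HTTP. The map restricts `$proper_scheme` to `$scheme` or `https`, so the header cannot inject an arbitrary scheme into the Location value. If quay.io is only meant to be served over TLS (an assumption, not shown in this diff), `return 301 https://quay.io$request_uri;` would remove the dependence on a request header for this redirect. The enclosing server block starts and ends outside the hunk.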
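Review bot: The same three-line `proxy_set_header` group is edited here and again in the `location ~ ^/v2` and `location ~ ^/v1` hunks, so any later change to the forwarded headers has to be repeated in three places, and a missed copy would silently forward a different scheme for that route. Moving the group into a single snippet that each location pulls in with `include` would keep the copies in lockstep. At minimum, a comment above this server-level group such as `# X-Forwarded-Proto uses $proper_scheme (map in http-base.conf); keep the /v1 and /v2 copies in sync` would document the coupling.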