apisix
bug: APISIX sends wrong redirect to browser when upstream is HTTP (SSL termination)
Current Behavior
Configured SSL on APISIX and using HTTP for an upstream node. The upstream server (Apache 2.4) is sending back a redirect when the user omits the trailing "/" slash on a URL, e.g. http://backend.demo.org/blog will be redirected to http://backend.demo.org/blog/ with a status code of 301 (moved permanently).
APISIX is sending the redirect to the client with the wrong scheme: http://demo.org:9443/blog/ will be sent instead of https://demo.org:9443/blog/, causing further communication to fail.
Expected Behavior
When acting as an SSL termination proxy, APISIX should return the correct scheme, independent of the backend's response. The redirect should be https://demo.org:9443/blog/ even for HTTP only upstream nodes.
Error Logs
No response
Steps to Reproduce
- Run APISIX via Docker image
- configure standalone mode (I am not sure if it also occurs in traditional mode)
- set SSL certificate for APISIX and listen on port 9443
- configure a route for URIs "/blog" and "/blog/*" to point to a HTTP only node
- use Apache 2.4 as the upstream HTTP only node, listening on port 80
- make a directory called "blog" and touch a file "1.html" inside
- access https://demo.org:9443/blog/1.html and verify that the page is retrieved
- access https://demo.org:9443/blog and see the returned redirect as http://demo.org:9443/blog/
Environment
- APISIX version (run apisix version): 3.9.1 official docker image
- Operating system (run uname -a): Rocky Linux 8
- OpenResty / Nginx version (run openresty -V or nginx -V):
- etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run luarocks --version):
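A client-side check for the behaviour reported above, as an added example that is not part of the original report and not APISIX code: it flags a Location header that moves an HTTPS request to http:// on the same host and port, and returns the https:// form the report expects. The function name and verdict strings are assumptions; the sample URLs are the ones quoted in the report.

```python
from urllib.parse import urlsplit, urlunsplit


def check_redirect(request_url, location):
    """Classify a redirect seen by a client of a TLS-terminating proxy.

    Returns (verdict, corrected_location). corrected_location is set only
    when the redirect stays on the same host and port but drops to http.
    """
    req = urlsplit(request_url)
    loc = urlsplit(location)

    # Relative or scheme-relative Location: the client keeps the request scheme.
    if not loc.scheme:
        return ("ok", None)

    # Only an https request answered with an http Location is of interest.
    if req.scheme != "https" or loc.scheme != "http":
        return ("ok", None)

    same_host = (loc.hostname or "").lower() == (req.hostname or "").lower()
    same_port = loc.port == req.port  # explicit ports; None means "not given"

    if same_host and same_port:
        # http:// pointed at the TLS listener: the case described in the report.
        fixed = urlunsplit(("https", loc.netloc, loc.path, loc.query, loc.fragment))
        return ("downgrade", fixed)

    # Plain-http redirect to another host or port; needs a manual look.
    return ("other-origin", None)


if __name__ == "__main__":
    # Constructed request/Location pairs using the URLs quoted in the report.
    request = "https://demo.org:9443/blog"
    samples = [
        "http://demo.org:9443/blog/",     # what the reporter observed
        "https://demo.org:9443/blog/",    # what the reporter expected
        "/blog/",                         # relative redirect
        "http://backend.demo.org/blog/",  # upstream's own URL
    ]
    for location in samples:
        print(location, "->", check_redirect(request, location))
```
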