docker icon indicating copy to clipboard operation
docker copied to clipboard
verified publisher icon wallabag

nginx as reverse proxy: X-Forwarded-Proto not working

Open matthjes opened this issue 7 years ago • 4 comments

Hi, I'm having the following setup:

  1. Synology NAS, acting as a reverse proxy.
  2. Server running wallabag and nginx inside containers.

The NAS forwards HTTPS requests to my server as HTTP requests. The nginx container should forward the HTTP requests to the wallabag container.

This is my nginx configuration:

server {
    listen       80;
    server_name  example.com;

    location / {
        proxy_pass http://wallabag;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

I can access the login page from my browser via https://example.com/login, however, when I enter the credentials and press "Login", a POST is made to https://example.com/login_check, which results in a redirect to http://example.com instead of https://example.com. It looks like the X-Forwarded-Proto header is ignored...

This is the response:

HTTP/1.1 302 Found
Cache-Control: private, must-revalidate
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Sat, 24 Mar 2018 20:30:41 GMT
expires: -1
Keep-Alive: timeout=20
Location: http://holmes.matthjes.de/
pragma: no-cache
Server: nginx
Set-Cookie: PHPSESSID=f73b856e467ac7c31e855a749c4c4544; path=/; HttpOnly
Set-Cookie: REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpkMkZzYkdGaVlXYz06MTU1MzQ1OTQ0MTpiOGEyNDg3MDIzYzllOTQ5ZjliYjljMDFmNGYzNzEyY2FkMTllYzAzZjk3YzFlODE5OWM1ZWFjNjU3NmZlYzk2; expires=Sun, 24-Mar-2019 20:30:41 GMT; Max-Age=31536000; path=/; HttpOnly
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Powered-By: PHP/7.1.15

matthjes avatar Mar 24 '18 20:03 matthjes

Very similar problem, I have issues with RealIP headers.

RomkaLTU avatar Jul 24 '18 19:07 RomkaLTU

same here....

917huB avatar Jul 31 '18 05:07 917huB

the same problem, almost the same setup. synology is reverse proxy and raspberry with port based apache vhost

bunkerman avatar Aug 10 '18 13:08 bunkerman

The symphony framework changes its treatment of X-Forwarded headers 0

wallabag/wallabag#2273 gave me the clues to band-aid.

Inside the docker container, I modified /var/www/wallabag/web/app.php. First, I added line to output the requests IP: $request->server->get('REMOTE_ADDR') and triggered a request. Next, I looked at the outputted IP (e.g. 172.17.0.1). Then, I added the setTrustedProxies after the $request variable is created (Request::setTrustedProxies(['172.17.0.1'], Request::HEADER_X_FORWARDED_PROTO);)

I haven't figured out my long-term solution yet. The docker container might be able to trust all incoming requests, but I'm not sure. Another alternative is the docker container detecting the proxy IP (which I am pretty sure is an IP internal to docker), and modifying app.php on startup.

burkemw3 avatar Oct 01 '18 14:10 burkemw3