Forward client Host (with port) and scheme in reverse-proxy templates#81
Open
mikl wants to merge 1 commit into
Open
Forward client Host (with port) and scheme in reverse-proxy templates#81mikl wants to merge 1 commit into
mikl wants to merge 1 commit into
Conversation
The reverse-proxy templates set `proxy_set_header Host $host`, which normalises the Host header and drops any non-standard port, and they never forward the request scheme. Downstream apps that build absolute URLs from the request (e.g. Drupal, Next.js) therefore emit URLs with the wrong port and scheme when the proxy is published on a non-standard host port such as https://app.local:37103 — the generated links point at https://app.local (port 443) and 404. Use $http_host to preserve the exact Host the client sent (including the port), and forward X-Forwarded-Proto $scheme so the backend knows the public scheme. Both listen ports (80/443) share one server block, so $scheme is correct for either. Applied to all four reverse-proxy variants (proxy, nextjs, storybook, vite); the drupal variant already passes HTTP_HOST/HTTPS via fastcgi_params. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Author
|
The main difference, For our use-case, the former is better, since we shouldn't have anything accessing the proxy that does not send a proper Host-header. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The reverse-proxy templates use
proxy_set_header Host $hostand don't forward the request scheme.$hostnormalises the Host header and drops any non-standard port.X-Forwarded-Protois sent, so the backend can't tell the public scheme.When the proxy is published on a non-standard host port (e.g.
https://app.local:37103), any backend that builds absolute URLs from the request headers — Drupal, Next.js, etc. — generates them ashttps://app.local/...(i.e. port 443). Those links then 404 because the app is only reachable on:37103.Root cause: Docker NATs the published port down to the container's
:443, so the only place the real public port survives is the client'sHostheader — which$hostdiscards.Fix
proxy_set_header Host $http_host— preserves the exact Host the client sent, including the port. ($host:$server_portwouldn't work:$server_portis nginx's listen port, 443, not the client's port.)proxy_set_header X-Forwarded-Proto $scheme— forwards the real scheme. The server block listens on both 80 and 443, so$schemeis correct either way.Applied to all four reverse-proxy variants:
proxy,nextjs,storybook,vite. Thedrupalvariant is unaffected — it serves via fastcgi and already passesHTTP_HOST/HTTPSfrom the connection.Testing
Verified against the
proxyvariant in a dev stack published on:37103: a request-derived redirect that previously returnedLocation: http://app.local/frontpagenow correctly returnshttps://app.local:37103/frontpage, and Drupal-generated login/image URLs carry the right scheme and port. The other three variants take the identical change to the same directive.🤖 Generated with Claude Code