Merge pull request #5260 from jerry-yuan/develop

Add trust_forwarded_proto option for SSL redirect handling in r…

frontend/src/api/backend/models.ts

@@ -127,6 +127,7 @@ export interface ProxyHost {
 	locations?: ProxyLocation[];
 	hstsEnabled: boolean;
 	hstsSubdomains: boolean;
+	trustForwardedProto: boolean;
 	// Expansions:
 	owner?: User;
 	accessList?: AccessList;

frontend/src/components/Form/SSLOptionsFields.tsx

@@ -5,17 +5,18 @@ import { T } from "src/locale";
 
 interface Props {
 	forHttp?: boolean; // the sslForced, http2Support, hstsEnabled, hstsSubdomains fields
+	forProxyHost?: boolean; // the advanced fields
 	forceDNSForNew?: boolean;
 	requireDomainNames?: boolean; // used for streams
 	color?: string;
 }
-export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomainNames, color = "bg-cyan" }: Props) {
+export function SSLOptionsFields({ forHttp = true, forProxyHost = false, forceDNSForNew, requireDomainNames, color = "bg-cyan" }: Props) {
 	const { values, setFieldValue } = useFormikContext();
 	const v: any = values || {};
 
 	const newCertificate = v?.certificateId === "new";
 	const hasCertificate = newCertificate || (v?.certificateId && v?.certificateId > 0);
-	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, meta } = v;
+	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, trustForwardedProto, meta } = v;
 	const { dnsChallenge } = meta || {};
 
 	if (forceDNSForNew && newCertificate && !dnsChallenge) {
@@ -115,6 +116,34 @@ export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomain
 		</div>
 	);
 
+	const getHttpAdvancedOptions = () =>(
+		<div>
+			<details>
+				<summary className="mb-1"><T id="domains.advanced" /></summary>
+				<div className="row">
+					<div className="col-12">
+						<Field name="trustForwardedProto">
+							{({ field }: any) => (
+								<label className="form-check form-switch mt-1">
+									<input
+										className={trustForwardedProto ? toggleEnabled : toggleClasses}
+										type="checkbox"
+										checked={!!trustForwardedProto}
+										onChange={(e) => handleToggleChange(e, field.name)}
+										disabled={!hasCertificate || !sslForced}
+									/>
+									<span className="form-check-label">
+										<T id="domains.trust-forwarded-proto" />
+									</span>
+								</label>
+							)}
+						</Field>
+					</div>
+				</div>
+			</details>
+		</div>
+	);
+
 	return (
 		<div>
 			{forHttp ? getHttpOptions() : null}
@@ -140,6 +169,7 @@ export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomain
 					{dnsChallenge ? <DNSProviderFields showBoundaryBox /> : null}
 				</>
 			) : null}
+			{forProxyHost && forHttp ? getHttpAdvancedOptions() : null}
 		</div>
 	);
 }

frontend/src/hooks/useProxyHost.ts

@@ -24,6 +24,7 @@ const fetchProxyHost = (id: number | "new") => {
 			enabled: true,
 			hstsEnabled: false,
 			hstsSubdomains: false,
+			trustForwardedProto: false,
 		} as ProxyHost);
 	}
 	return getProxyHost(id, ["owner"]);

frontend/src/locale/src/en.json

@@ -347,6 +347,9 @@
 	"domain-names.wildcards-not-supported": {
 		"defaultMessage": "Wildcards not supported for this CA"
 	},
+	"domains.advanced": {
+		"defaultMessage": "Advanced"
+	},
 	"domains.force-ssl": {
 		"defaultMessage": "Force SSL"
 	},
@@ -359,6 +362,9 @@
 	"domains.http2-support": {
 		"defaultMessage": "HTTP/2 Support"
 	},
+	"domains.trust-forwarded-proto": {
+		"defaultMessage": "Trust Upstream Forwarded Proto Headers"
+	},
 	"domains.use-dns": {
 		"defaultMessage": "Use DNS Challenge"
 	},

frontend/src/locale/src/zh.json

@@ -275,6 +275,9 @@
 	"domain-names.wildcards-not-supported": {
 		"defaultMessage": "此 CA 不支持通配符"
 	},
+	"domains.advanced": {
+		"defaultMessage": "高级选项"
+	},
 	"domains.force-ssl": {
 		"defaultMessage": "强制 SSL"
 	},
@@ -287,6 +290,9 @@
 	"domains.http2-support": {
 		"defaultMessage": "HTTP/2 支持"
 	},
+	"domains.trust-forwarded-proto": {
+		"defaultMessage": "信任上游代理传递的协议类型头"
+	},
 	"domains.use-dns": {
 		"defaultMessage": "使用DNS验证"
 	},

frontend/src/modals/ProxyHostModal.tsx

@@ -88,6 +88,7 @@ const ProxyHostModal = EasyModal.create(({ id, visible, remove }: Props) => {
 							http2Support: data?.http2Support || false,
 							hstsEnabled: data?.hstsEnabled || false,
 							hstsSubdomains: data?.hstsSubdomains || false,
+							trustForwardedProto: data?.trustForwardedProto || false,
 							// Advanced tab
 							advancedConfig: data?.advancedConfig || "",
 							meta: data?.meta || {},
@@ -339,7 +340,7 @@ const ProxyHostModal = EasyModal.create(({ id, visible, remove }: Props) => {
 													label="ssl-certificate"
 													allowNew
 												/>
-												<SSLOptionsFields color="bg-lime" />
+												<SSLOptionsFields color="bg-lime" forProxyHost={true} />
 											</div>
 											<div className="tab-pane" id="tab-advanced" role="tabpanel">
 												<NginxConfigField />